SlideShare a Scribd company logo

IPv6 Security - Hacker Halted 2013

Zivaro Inc
Zivaro Inc

GTRI's Scott Hogg discusses IPv6 security threats and solutions at the Hacker Halted 2013 conference held in Atlanta.

Technology
1 of 26
IPv6 Security Scott Hogg Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610
IPv6 Security – Latent Threat • Even if you haven’t started using IPv6 yet, you probably have some IPv6 running on your networks already and didn’t know it. • Do you use Linux, Mac OS X, BSD, or Microsoft Windows 7/8/Win2K8/Win2012 systems in your environment? • They all come with IPv6 capability enabled by default and prefer IPv6 connectivity • They may try to use IPv6 first and then fall-back to IPv4 (+|- Happy Eyeballs, RFC 6555) • Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach IPv6 content • Some of these techniques take place regardless of user input or configuration • If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist
IPv6 Security Tools • THC IPv6 Attack Toolkit • SI6 Networks IPv6 Toolkit • Evil FOCA • Metasploit • Nmap • halfscan6, Scan6, CHScanner • Scapy, SendIP, ISIC6, Packit, Spak6 • 6tunneldos, 4to6ddos, imps6-tools
Reconnaissance • Ping sweeps, port scans, application vulnerability scans are problematic given the large IPv6 address space. • Brute-force scanning even a single /64 is not practical. • There are methods of speeding up reconnaissance on LAN. • ping6 -I eth0 ff02::1 • [root@hat ~]# ./alive6 eth0 ff02::1 • Node Information Queries (RFC 4620) in BSD • Scanning for specific EUI-64 addresses using specific OUIs • Scanning IPv4 and getting IPv6 info • Metasploit Framework “ipv6_neighbor" auxiliary module can leverage IPv4 to find IPv6 hosts • Scanning 6to4, ISATAP, Teredo with embedded IPv4 addresses • Find one node and leverage the neighbor cache to find other nodes • DHCPv6 logs, DNS servers, server logs, NMSs, Google Hacking
LAN Threats • IPv6 uses ICMPv6 for many LAN operations • Stateless auto-configuration (SLAAC) • Neighbor Discovery Protocol (NDP) • IPv6 equivalent of IPv4 ARP – same attack types • Spoofed RAs can renumber hosts or launch a MITM attack • Forged NA/NS messages to confuse NDP • Redirects – same as ICMPv4 redirects • Forcing nodes to believe all addresses are on-link • These attacks presume the attacker is on-net or has compromised a local computer (Big Requirement!)
IPv6 MITM Example • Evil FOCA is a weaponized Win .EXE that can perform dual-protocol MITM and DOS attacks and DNS Hijacking (Released at DEFCON21) • Sends ICMPv6 RA on LAN (SLAAC) • Activates IPv6 on local dual-protocol nodes • Evil FOCA becomes active default gateway • Sends ICMPv6 NA to spoof local nodes • Sets up rogue DHCPv6 server • Performs WPAD attack and sets up proxy • Performs DNS Hijack • Can perform RA flood resulting in DOS Internet Download at: http://www.informatica64.com/evilfoca/download.aspx Demo on YouTube: http://www.youtube.com/watch?v=syLoQ4CNfSc
Evil FOCA IPv6 MITM Attack
Evil FOCA IPv6 RA DOS C:UsersMe>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 15c2:8297:e614:f45:bc4a:58b9:e948:33c6 . . . (100 of these in Windows 7) IPv6 Address. . . . . . . . . . . : fcae:a581:9bcb:e6bc:bc4a:58b9:e948:33c6 Temporary IPv6 Address. . . . . . : 15c2:8297:e614:f1f:1ce1:d49d:2ec8:e924 . . . (100 of these in Windows 7) Temporary IPv6 Address. . . . . . : fcae:a581:9bcb:e6bc:1ce1:d49d:2ec8:e924 Link-local IPv6 Address . . . . . : fe80::bc4a:58b9:e948:33c6%10 IPv4 Address. . . . . . . . . . . : 192.168.11.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::7888:860e:5352:5fec%10 fe80::8d99:1bc3:6f7a:5cf9%10 . . . fe80::a0cf:f7ad:821b:3343%10 192.168.11.1 C:UsersMe>
THC IPv6 Attack Toolkit • THC IPv6 Attack Toolkit contains fake_router6 • Generates rogue RA to become default router • Option –H adds a hop-by-hop header • fake_router6 –H eth0 2001:db8:11:11::/64 • Option –F adds a one-shot-fragmentation header • fake_router6 –F eth0 2001:db8:11:11::/64 • Flood_router26 floods RAs to create DOS • flood_router26 eth0 • fake_router26 -E H -A 2001:db8:1:1::/64 eth0 • fake_router26 -E 1 -A 2001:db8:1:1::/64 eth0 Download at: http://thc.org/download.php?t=r&f=thc-ipv6-2.3.tar.gz
Methods of Preventing Rogue RAs • Prevent unauthorized LAN access (armed guards, malware defenses) • Disable unused switch ports • Network Access Control (NAC), Network Admission Control (NAC) • IEEE 802.1AE (MACsec), Cisco TrustSec • IEEE 802.1X • RA Guard (RFC 6105) • NDPMon • Ramond • Kame rafixd • ipv6mon • 6Guard • addrwatch • Port Security • Cisco Port-based ACL (PACL) Allow Incoming RA Message Block Incoming RA Message Allow Sending RAs
IPv6 First Hop Security • Cisco C3750X switch running IOS version 15.2(1)S ipv6 nd cache interface-limit 3 log 15 ipv6 nd raguard policy HOST ! ipv6 snooping logging packet drop ipv6 snooping logging resolution-veto ipv6 snooping policy ND limit address-count 10 data-glean log-only destination-glean log-only ! ipv6 dhcp guard policy HOST ipv6 destination-guard policy destination ipv6 mld snooping
IPv6 First Hop Security (Cont.) • Cisco C3750X switch running IOS version 15.2(1)S interface GigabitEthernet2/0/1 switchport access vlan 1200 switchport mode access ipv6 nd raguard attach-policy HOST ipv6 dhcp guard attach-policy HOST ! interface Vlan1200 ip address 192.168.12.100 255.255.255.0 ipv6 enable ipv6 nd cache interface-limit 3 log 15 ! ipv6 neighbor binding logging ipv6 neighbor binding max-entries 100 ipv6 neighbor binding vlan 1200 2001:DB8:12::/64
IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Mar 30 06:37:31.743: %SISF-4-PAK_DROP: Message dropped A=FE80::AC7F:B2F8:DCB8:F739 G=- V=1200 I=Gi2/0/2 P=NDP::RA Reason=Packet not authorized on port Mar 30 06:38:06.572: %SISF-4-PAK_DROP: Message dropped A=FE80::1EDF:FFF:FEBB:8944 G=- V=1200 I=Gi2/0/2 P=NDP::NA Reason=Packet accepted but not forwarded Mar 30 06:23:35.902: %SISF-4-PAK_DROP: Message dropped A=2001:DB8:1:3::1 G=- V=1200 I=Gi2/0/1 P=NDP::NA Reason=Address limit per policy reached Mar 30 06:38:06.572: %SISF-6-ENTRY_CREATED: Entry created A=FE80::1EDF:FFF:FEBB:8944 V=1200 I=Gi2/0/2 P=0005 M=5CFF.340A.F93D Mar 30 06:19:38.370: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per policy (10) V=1200 I=Gi2/0/1 M=3C97.0E86.74AD ! Mar 30 06:38:42.201: %SISF-4-PAK_DROP: Message dropped A=FE80::45B4:32FF:FE67:53 G=- V=100 I=Et0/0 P=NDP::NA Reason=Advertise while TENTATIVE Mar 30 06:38:45.923: %SISF-6-ENTRY_CREATED: Entry created A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M= Mar 30 06:38:52.523: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M= Mar 30 06:38:58.471: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/3 P=0005 M=45B4.3267.0053
IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/2 Received messages on Gi2/0/2: Protocol Protocol message NDP RA[14734] DHCPv6 SOL[191] ADV[1] Bridged messages from Gi2/0/2: Protocol Protocol message NDP DHCPv6 SOL[191] Dropped messages on Gi2/0/2: Feature Protocol Msg [Total dropped] DHCP Guard DHCPv6 ADV [1] reason: Message type is not authorized by the policy on this port, device-role mismatch [1] RA guard NDP RA [14734] reason: Message unauthorized on port [14734] Switch-1#
IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/1 Received messages on Gi2/0/1: Protocol Protocol message NDP RS[11] RA[2794] NS[51] NA[7031] DHCPv6 SOL[142] Bridged messages from Gi2/0/1: Protocol Protocol message NDP RS[11] NS[50] NA[15] DHCPv6 SOL[142] Dropped messages on Gi2/0/1: Feature Protocol Msg [Total dropped] RA guard NDP RA [2794] reason: Message unauthorized on port [2794] Snooping NDP NS [1] reason: Packet accepted but not forwarded [1] NA [7016] reason: Address limit per policy reached [7007] reason: Packet accepted but not forwarded [9] Switch-1#
IPv6 FHS with IPv6 ACL • If you don’t have RA Guard on your switch you might be able to configure a Cisco IPv6 Port-based ACL (PACL) • ipv6 access-list IPV6_PACL • remark Deny Rogue DHCPv6 • deny udp any eq 547 any eq 546 • remark Deny Rogue RA • deny icmp any any router-advertisement • permit ipv6 any any • ! • interface GigabitEthernet 1/2 • ipv6 traffic-filter IPV6_PACL in
Extension Headers • There are rules for the frequency and order of various extension headers • Hop-by-Hop and Destination Options • Header Manipulation – Crafted Packets • Large chains of extension headers • Separate payload into second fragment • Consume resources - DoS • Invalid Extension Headers – DoS • Routing Headers Type 0 – source routing • Routers can be configured to block RH0 • This is now the default on newer routers • Firewalls, Windows, Linux and MacOS all block RH0 by default
Layer-3/4 Spoofing • Spoofing of IPv6 packets is easy • IPv6 BOGON (Martians) Filtering is required • Filter traffic from unallocated space and filter router advertisements of bogus prefixes • Permit Legitimate Global Unicast Addresses • Unicast Reverse Path Forwarding (Unicast-RPF) • Don’t block FF00::/8 and FE80::/10 – these will block NDP (NS/NA) • Hierarchical addressing and ingress/egress filtering can catch packets with forged source addresses • Tracebacks may prove to be easier with IPv6
Transition Mechanism Threats • Dual Stack is the preferred transition method. • You are only as strong as the weakest of the two stacks. • Running dual stack will give you at least twice the number of vulnerabilities and require almost twice the work to secure. IPv4 IPv6
Threats Against Translation • Manual Tunnels • Preferred over dynamic tunnels • Filter tunnel source/destination and use IPsec • If spoofing, return traffic is not sent to attacker • Dynamic Tunnels • 6to4 Relay routers are “open relays” • Attackers can guess 6to4 addresses easily • ISATAP can have potential MITM attacks • Attackers can spoof source/dest IPv4/v6 addresses • Translation techniques are susceptible to DoS attacks • NAT prevents IPsec, DNSSEC, Geolocation and other applications from working • Consuming connection state (CPU resource consumption attack on ALG) • Consuming public IPv4 pool and port numbers (pool depletion attack)
IPv6 Firewalls • Don’t just use your IPv4 policy for your IPv6 policy. • Don’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpoints • Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicast. • IPv6 firewalls may not have all the same full features as IPv4 firewalls • UTM/DPI/IPS/WAF/content filtering features may only work for IPv4.
IPv6 Intrusion Prevention • Few signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset values. • IPSs should send out notifications when non-conforming IPv6 packets are observed having faulty parameters, bad extension headers, source address is a multicast address. • Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite). • IPv6 support varies greatly in modern IPS systems. • Talk with your vendor about what you need.
Summary of BCPs • Perform IPv6 filtering at the perimeter (RFC2827 filtering and Unicast RPF checks). • Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used. • Use common access-network security measures (IPv6 FHS techniques, RA-Guard, 802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec) . • Strive to achieve equal protections for IPv6 as with IPv4. • Continue to let vendors know what you expect in terms of IPv6 security features.
RTFM – Read This Fine Manuscript • IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009. ISBN-10: 1-58705-594-5 ISBN-13: 978-1-58705-594-2
Questions and Answers • Scott Hogg • shogg@gtri.com • www.hoggnet.com • Twitter: @scotthogg • Network World Blog • http://www.networkworld.com/community/hogg • Rocky Mountain IPv6 Task Force • www.rmv6tf.org

Recommended

Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaBangladesh Network Operators Group
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationTom Paseka
 
Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleBangladesh Network Operators Group
 
DEF CON 23 - Yuwei Zheng and Haoqi Shan - build a free cellular traffic captu...
DEF CON 23 - Yuwei Zheng and Haoqi Shan - build a free cellular traffic captu...DEF CON 23 - Yuwei Zheng and Haoqi Shan - build a free cellular traffic captu...
DEF CON 23 - Yuwei Zheng and Haoqi Shan - build a free cellular traffic captu...Felipe Prado
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseEvans Ye
 
portfolio2
portfolio2portfolio2
portfolio2Joseph Alcantara
 
PCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingPCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingAPNIC
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeFaelix Ltd
 

Recommended

Routing Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaRouting Security - its importance and status in South Asia
Routing Security - its importance and status in South AsiaBangladesh Network Operators Group
 
APRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationAPRICOT 2015 - NetConf for Peering Automation
APRICOT 2015 - NetConf for Peering AutomationTom Paseka
 
Automating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleAutomating Network Infrastructure : Ansible
Automating Network Infrastructure : AnsibleBangladesh Network Operators Group
 
DEF CON 23 - Yuwei Zheng and Haoqi Shan - build a free cellular traffic captu...
DEF CON 23 - Yuwei Zheng and Haoqi Shan - build a free cellular traffic captu...DEF CON 23 - Yuwei Zheng and Haoqi Shan - build a free cellular traffic captu...
DEF CON 23 - Yuwei Zheng and Haoqi Shan - build a free cellular traffic captu...Felipe Prado
 
Network Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseNetwork Traffic Search using Apache HBase
Network Traffic Search using Apache HBaseEvans Ye
 
portfolio2
portfolio2portfolio2
portfolio2Joseph Alcantara
 
PCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingPCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingAPNIC
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeFaelix Ltd
 
ACI MultiPod 구성
ACI MultiPod 구성ACI MultiPod 구성
ACI MultiPod 구성Woo Hyung Choi
 
SF Kubernetes Meetup Lightning Talk
SF Kubernetes Meetup Lightning TalkSF Kubernetes Meetup Lightning Talk
SF Kubernetes Meetup Lightning TalkRomana Project
 
ACI MultiFabric 소개
ACI MultiFabric 소개ACI MultiFabric 소개
ACI MultiFabric 소개Woo Hyung Choi
 
Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Đồng Quốc Vương
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config GuideWoo Hyung Choi
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNICIndonesia Network Operators Group
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
ACI DHCP 구성 가이드
ACI DHCP 구성 가이드ACI DHCP 구성 가이드
ACI DHCP 구성 가이드Woo Hyung Choi
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsDigicomp Academy AG
 
ACI DHCP Config Guide
ACI DHCP Config GuideACI DHCP Config Guide
ACI DHCP Config GuideWoo Hyung Choi
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 aSelectedPresentations
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseThierry Zoller
 
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing SecurityNetmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing SecurityFaelix Ltd
 
Tech f42
Tech f42Tech f42
Tech f42SelectedPresentations
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
ACI Multicast 구성 가이드
ACI Multicast 구성 가이드ACI Multicast 구성 가이드
ACI Multicast 구성 가이드Woo Hyung Choi
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesterscamsec
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsShannon McFarland
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTBangladesh Network Operators Group
 
The End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersThe End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersCarlos Martinez Cagnazzo
 

More Related Content

What's hot

SF Kubernetes Meetup Lightning Talk
SF Kubernetes Meetup Lightning TalkSF Kubernetes Meetup Lightning Talk
SF Kubernetes Meetup Lightning TalkRomana Project
 
ACI MultiFabric 소개
ACI MultiFabric 소개ACI MultiFabric 소개
ACI MultiFabric 소개Woo Hyung Choi
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config GuideWoo Hyung Choi
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNICIndonesia Network Operators Group
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
ACI DHCP 구성 가이드
ACI DHCP 구성 가이드ACI DHCP 구성 가이드
ACI DHCP 구성 가이드Woo Hyung Choi
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsDigicomp Academy AG
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseThierry Zoller
 
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing SecurityNetmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing SecurityFaelix Ltd
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool Pavel Odintsov
 
ACI Multicast 구성 가이드
ACI Multicast 구성 가이드ACI Multicast 구성 가이드
ACI Multicast 구성 가이드Woo Hyung Choi
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesterscamsec
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 

What's hot (18)

ACI MultiPod 구성
ACI MultiPod 구성ACI MultiPod 구성
ACI MultiPod 구성
 
SF Kubernetes Meetup Lightning Talk
SF Kubernetes Meetup Lightning TalkSF Kubernetes Meetup Lightning Talk
SF Kubernetes Meetup Lightning Talk
 
ACI MultiFabric 소개
ACI MultiFabric 소개ACI MultiFabric 소개
ACI MultiFabric 소개
 
Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config Guide
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
ACI DHCP 구성 가이드
ACI DHCP 구성 가이드ACI DHCP 구성 가이드
ACI DHCP 구성 가이드
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router Flags
 
ACI DHCP Config Guide
ACI DHCP Config GuideACI DHCP Config Guide
ACI DHCP Config Guide
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 a
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash Course
 
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing SecurityNetmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
 
Tech f42
Tech f42Tech f42
Tech f42
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
ACI Multicast 구성 가이드
ACI Multicast 구성 가이드ACI Multicast 구성 가이드
ACI Multicast 구성 가이드
 
IPv6 for Pentesters
IPv6 for PentestersIPv6 for Pentesters
IPv6 for Pentesters
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 

Similar to IPv6 Security - Hacker Halted 2013

IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesDon Anto
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsShannon McFarland
 
The End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersThe End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersCarlos Martinez Cagnazzo
 
IPv6 networking training sduffy v3
IPv6 networking training sduffy v3IPv6 networking training sduffy v3
IPv6 networking training sduffy v3Shane Duffy
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsTim Martin
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
NZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightNZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightMark Smith
 
2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-Eduardo Coelho
 
AutoIP -A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy...
AutoIP -A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy...AutoIP -A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy...
AutoIP -A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy...APNIC
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesSagi Brody
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdfFernandoGont
 
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECShumon Huque
 
IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015Netgate
 

Similar to IPv6 Security - Hacker Halted 2013 (20)

IPv6 Fundamentals & Securities
IPv6 Fundamentals & SecuritiesIPv6 Fundamentals & Securities
IPv6 Fundamentals & Securities
 
Deploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack EnvironmentsDeploying IPv6 in OpenStack Environments
Deploying IPv6 in OpenStack Environments
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
The End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident RespondersThe End of IPv4: What It Means for Incident Responders
The End of IPv4: What It Means for Incident Responders
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
IPv6 networking training sduffy v3
IPv6 networking training sduffy v3IPv6 networking training sduffy v3
IPv6 networking training sduffy v3
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friends
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
7 slaac-rick graziani
7 slaac-rick graziani7 slaac-rick graziani
7 slaac-rick graziani
 
NZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing RightNZNOG 2020 - Getting IPv6 Private Addressing Right
NZNOG 2020 - Getting IPv6 Private Addressing Right
 
Ipv6
Ipv6Ipv6
Ipv6
 
2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
AutoIP -A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy...
AutoIP -A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy...AutoIP -A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy...
AutoIP -A mechanism for IPv6 migration and IPv4 sunsetting by Shishio Tsuchiy...
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdf
 
Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)
 
IPv6 Security und Hacking
IPv6 Security und HackingIPv6 Security und Hacking
IPv6 Security und Hacking
 
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
 
IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015
 

More from Zivaro Inc

How to Rightsize Your Citrix Investment
How to Rightsize Your Citrix InvestmentHow to Rightsize Your Citrix Investment
How to Rightsize Your Citrix InvestmentZivaro Inc
 
On-Prem vs. Cloud Collaboration Showdown
On-Prem vs. Cloud Collaboration ShowdownOn-Prem vs. Cloud Collaboration Showdown
On-Prem vs. Cloud Collaboration ShowdownZivaro Inc
 
Beyond the Phish with GTRI and Wombat Security Technologies
Beyond the Phish with GTRI and Wombat Security TechnologiesBeyond the Phish with GTRI and Wombat Security Technologies
Beyond the Phish with GTRI and Wombat Security TechnologiesZivaro Inc
 
Big Data Workshop: Splunk and Dell EMC...Better Together
Big Data Workshop: Splunk and Dell EMC...Better TogetherBig Data Workshop: Splunk and Dell EMC...Better Together
Big Data Workshop: Splunk and Dell EMC...Better TogetherZivaro Inc
 
Organizational Change Management
Organizational Change ManagementOrganizational Change Management
Organizational Change ManagementZivaro Inc
 
Software-Defined WAN 101
Software-Defined WAN 101Software-Defined WAN 101
Software-Defined WAN 101Zivaro Inc
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRIZivaro Inc
 
SDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinSDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinZivaro Inc
 
Denver Big Data Analytics Day
Denver Big Data Analytics DayDenver Big Data Analytics Day
Denver Big Data Analytics DayZivaro Inc
 
Support Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network ArchitectureSupport Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network ArchitectureZivaro Inc
 
Cisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingCisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingZivaro Inc
 
Software Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology BriefSoftware Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology BriefZivaro Inc
 
Software Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSXSoftware Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSXZivaro Inc
 
Splunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DaySplunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DayZivaro Inc
 
Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech Day
Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech DaySplunk Fundamentals: Investigations with Core Splunk - Splunk Tech Day
Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech DayZivaro Inc
 
GTRI Splunk Case Studies - Splunk Tech Day
GTRI Splunk Case Studies - Splunk Tech DayGTRI Splunk Case Studies - Splunk Tech Day
GTRI Splunk Case Studies - Splunk Tech DayZivaro Inc
 
GTRI Splunk Overview - Splunk Tech Day
GTRI Splunk Overview - Splunk Tech DayGTRI Splunk Overview - Splunk Tech Day
GTRI Splunk Overview - Splunk Tech DayZivaro Inc
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6Zivaro Inc
 
Single Glass of Pain: See Your World, Maybe You Wish You Hadn't
Single Glass of Pain: See Your World, Maybe You Wish You Hadn'tSingle Glass of Pain: See Your World, Maybe You Wish You Hadn't
Single Glass of Pain: See Your World, Maybe You Wish You Hadn'tZivaro Inc
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsZivaro Inc
 

More from Zivaro Inc (20)

How to Rightsize Your Citrix Investment
How to Rightsize Your Citrix InvestmentHow to Rightsize Your Citrix Investment
How to Rightsize Your Citrix Investment
 
On-Prem vs. Cloud Collaboration Showdown
On-Prem vs. Cloud Collaboration ShowdownOn-Prem vs. Cloud Collaboration Showdown
On-Prem vs. Cloud Collaboration Showdown
 
Beyond the Phish with GTRI and Wombat Security Technologies
Beyond the Phish with GTRI and Wombat Security TechnologiesBeyond the Phish with GTRI and Wombat Security Technologies
Beyond the Phish with GTRI and Wombat Security Technologies
 
Big Data Workshop: Splunk and Dell EMC...Better Together
Big Data Workshop: Splunk and Dell EMC...Better TogetherBig Data Workshop: Splunk and Dell EMC...Better Together
Big Data Workshop: Splunk and Dell EMC...Better Together
 
Organizational Change Management
Organizational Change ManagementOrganizational Change Management
Organizational Change Management
 
Software-Defined WAN 101
Software-Defined WAN 101Software-Defined WAN 101
Software-Defined WAN 101
 
Insider Threat Solution from GTRI
Insider Threat Solution from GTRIInsider Threat Solution from GTRI
Insider Threat Solution from GTRI
 
SDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same CoinSDN Security: Two Sides of the Same Coin
SDN Security: Two Sides of the Same Coin
 
Denver Big Data Analytics Day
Denver Big Data Analytics DayDenver Big Data Analytics Day
Denver Big Data Analytics Day
 
Support Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network ArchitectureSupport Software Defined Networking with Dynamic Network Architecture
Support Software Defined Networking with Dynamic Network Architecture
 
Cisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined NetworkingCisco ACI: A New Approach to Software Defined Networking
Cisco ACI: A New Approach to Software Defined Networking
 
Software Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology BriefSoftware Defined Networking (SDN) Technology Brief
Software Defined Networking (SDN) Technology Brief
 
Software Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSXSoftware Defined Networking (SDN) with VMware NSX
Software Defined Networking (SDN) with VMware NSX
 
Splunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech DaySplunk Enterprise 6.3 - Splunk Tech Day
Splunk Enterprise 6.3 - Splunk Tech Day
 
Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech Day
Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech DaySplunk Fundamentals: Investigations with Core Splunk - Splunk Tech Day
Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech Day
 
GTRI Splunk Case Studies - Splunk Tech Day
GTRI Splunk Case Studies - Splunk Tech DayGTRI Splunk Case Studies - Splunk Tech Day
GTRI Splunk Case Studies - Splunk Tech Day
 
GTRI Splunk Overview - Splunk Tech Day
GTRI Splunk Overview - Splunk Tech DayGTRI Splunk Overview - Splunk Tech Day
GTRI Splunk Overview - Splunk Tech Day
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6
 
Single Glass of Pain: See Your World, Maybe You Wish You Hadn't
Single Glass of Pain: See Your World, Maybe You Wish You Hadn'tSingle Glass of Pain: See Your World, Maybe You Wish You Hadn't
Single Glass of Pain: See Your World, Maybe You Wish You Hadn't
 
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced ThreatsGood Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
Good Guys vs Bad Guys: Using Big Data to Counteract Advanced Threats
 

Recently uploaded

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

IPv6 Security - Hacker Halted 2013

  • 1.
  • 2. IPv6 Security Scott Hogg Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610
  • 3. IPv6 Security – Latent Threat • Even if you haven’t started using IPv6 yet, you probably have some IPv6 running on your networks already and didn’t know it. • Do you use Linux, Mac OS X, BSD, or Microsoft Windows 7/8/Win2K8/Win2012 systems in your environment? • They all come with IPv6 capability enabled by default and prefer IPv6 connectivity • They may try to use IPv6 first and then fall-back to IPv4 (+|- Happy Eyeballs, RFC 6555) • Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach IPv6 content • Some of these techniques take place regardless of user input or configuration • If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist
  • 4. IPv6 Security Tools • THC IPv6 Attack Toolkit • SI6 Networks IPv6 Toolkit • Evil FOCA • Metasploit • Nmap • halfscan6, Scan6, CHScanner • Scapy, SendIP, ISIC6, Packit, Spak6 • 6tunneldos, 4to6ddos, imps6-tools
  • 5. Reconnaissance • Ping sweeps, port scans, application vulnerability scans are problematic given the large IPv6 address space. • Brute-force scanning even a single /64 is not practical. • There are methods of speeding up reconnaissance on LAN. • ping6 -I eth0 ff02::1 • [root@hat ~]# ./alive6 eth0 ff02::1 • Node Information Queries (RFC 4620) in BSD • Scanning for specific EUI-64 addresses using specific OUIs • Scanning IPv4 and getting IPv6 info • Metasploit Framework “ipv6_neighbor" auxiliary module can leverage IPv4 to find IPv6 hosts • Scanning 6to4, ISATAP, Teredo with embedded IPv4 addresses • Find one node and leverage the neighbor cache to find other nodes • DHCPv6 logs, DNS servers, server logs, NMSs, Google Hacking
  • 6. LAN Threats • IPv6 uses ICMPv6 for many LAN operations • Stateless auto-configuration (SLAAC) • Neighbor Discovery Protocol (NDP) • IPv6 equivalent of IPv4 ARP – same attack types • Spoofed RAs can renumber hosts or launch a MITM attack • Forged NA/NS messages to confuse NDP • Redirects – same as ICMPv4 redirects • Forcing nodes to believe all addresses are on-link • These attacks presume the attacker is on-net or has compromised a local computer (Big Requirement!)
  • 7. IPv6 MITM Example • Evil FOCA is a weaponized Win .EXE that can perform dual-protocol MITM and DOS attacks and DNS Hijacking (Released at DEFCON21) • Sends ICMPv6 RA on LAN (SLAAC) • Activates IPv6 on local dual-protocol nodes • Evil FOCA becomes active default gateway • Sends ICMPv6 NA to spoof local nodes • Sets up rogue DHCPv6 server • Performs WPAD attack and sets up proxy • Performs DNS Hijack • Can perform RA flood resulting in DOS Internet Download at: http://www.informatica64.com/evilfoca/download.aspx Demo on YouTube: http://www.youtube.com/watch?v=syLoQ4CNfSc
  • 8. Evil FOCA IPv6 MITM Attack
  • 9. Evil FOCA IPv6 RA DOS C:UsersMe>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : IPv6 Address. . . . . . . . . . . : 15c2:8297:e614:f45:bc4a:58b9:e948:33c6 . . . (100 of these in Windows 7) IPv6 Address. . . . . . . . . . . : fcae:a581:9bcb:e6bc:bc4a:58b9:e948:33c6 Temporary IPv6 Address. . . . . . : 15c2:8297:e614:f1f:1ce1:d49d:2ec8:e924 . . . (100 of these in Windows 7) Temporary IPv6 Address. . . . . . : fcae:a581:9bcb:e6bc:1ce1:d49d:2ec8:e924 Link-local IPv6 Address . . . . . : fe80::bc4a:58b9:e948:33c6%10 IPv4 Address. . . . . . . . . . . : 192.168.11.10 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::7888:860e:5352:5fec%10 fe80::8d99:1bc3:6f7a:5cf9%10 . . . fe80::a0cf:f7ad:821b:3343%10 192.168.11.1 C:UsersMe>
  • 10. THC IPv6 Attack Toolkit • THC IPv6 Attack Toolkit contains fake_router6 • Generates rogue RA to become default router • Option –H adds a hop-by-hop header • fake_router6 –H eth0 2001:db8:11:11::/64 • Option –F adds a one-shot-fragmentation header • fake_router6 –F eth0 2001:db8:11:11::/64 • Flood_router26 floods RAs to create DOS • flood_router26 eth0 • fake_router26 -E H -A 2001:db8:1:1::/64 eth0 • fake_router26 -E 1 -A 2001:db8:1:1::/64 eth0 Download at: http://thc.org/download.php?t=r&f=thc-ipv6-2.3.tar.gz
  • 11. Methods of Preventing Rogue RAs • Prevent unauthorized LAN access (armed guards, malware defenses) • Disable unused switch ports • Network Access Control (NAC), Network Admission Control (NAC) • IEEE 802.1AE (MACsec), Cisco TrustSec • IEEE 802.1X • RA Guard (RFC 6105) • NDPMon • Ramond • Kame rafixd • ipv6mon • 6Guard • addrwatch • Port Security • Cisco Port-based ACL (PACL) Allow Incoming RA Message Block Incoming RA Message Allow Sending RAs
  • 12. IPv6 First Hop Security • Cisco C3750X switch running IOS version 15.2(1)S ipv6 nd cache interface-limit 3 log 15 ipv6 nd raguard policy HOST ! ipv6 snooping logging packet drop ipv6 snooping logging resolution-veto ipv6 snooping policy ND limit address-count 10 data-glean log-only destination-glean log-only ! ipv6 dhcp guard policy HOST ipv6 destination-guard policy destination ipv6 mld snooping
  • 13. IPv6 First Hop Security (Cont.) • Cisco C3750X switch running IOS version 15.2(1)S interface GigabitEthernet2/0/1 switchport access vlan 1200 switchport mode access ipv6 nd raguard attach-policy HOST ipv6 dhcp guard attach-policy HOST ! interface Vlan1200 ip address 192.168.12.100 255.255.255.0 ipv6 enable ipv6 nd cache interface-limit 3 log 15 ! ipv6 neighbor binding logging ipv6 neighbor binding max-entries 100 ipv6 neighbor binding vlan 1200 2001:DB8:12::/64
  • 14. IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Mar 30 06:37:31.743: %SISF-4-PAK_DROP: Message dropped A=FE80::AC7F:B2F8:DCB8:F739 G=- V=1200 I=Gi2/0/2 P=NDP::RA Reason=Packet not authorized on port Mar 30 06:38:06.572: %SISF-4-PAK_DROP: Message dropped A=FE80::1EDF:FFF:FEBB:8944 G=- V=1200 I=Gi2/0/2 P=NDP::NA Reason=Packet accepted but not forwarded Mar 30 06:23:35.902: %SISF-4-PAK_DROP: Message dropped A=2001:DB8:1:3::1 G=- V=1200 I=Gi2/0/1 P=NDP::NA Reason=Address limit per policy reached Mar 30 06:38:06.572: %SISF-6-ENTRY_CREATED: Entry created A=FE80::1EDF:FFF:FEBB:8944 V=1200 I=Gi2/0/2 P=0005 M=5CFF.340A.F93D Mar 30 06:19:38.370: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per policy (10) V=1200 I=Gi2/0/1 M=3C97.0E86.74AD ! Mar 30 06:38:42.201: %SISF-4-PAK_DROP: Message dropped A=FE80::45B4:32FF:FE67:53 G=- V=100 I=Et0/0 P=NDP::NA Reason=Advertise while TENTATIVE Mar 30 06:38:45.923: %SISF-6-ENTRY_CREATED: Entry created A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M= Mar 30 06:38:52.523: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M= Mar 30 06:38:58.471: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/3 P=0005 M=45B4.3267.0053
  • 15. IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/2 Received messages on Gi2/0/2: Protocol Protocol message NDP RA[14734] DHCPv6 SOL[191] ADV[1] Bridged messages from Gi2/0/2: Protocol Protocol message NDP DHCPv6 SOL[191] Dropped messages on Gi2/0/2: Feature Protocol Msg [Total dropped] DHCP Guard DHCPv6 ADV [1] reason: Message type is not authorized by the policy on this port, device-role mismatch [1] RA guard NDP RA [14734] reason: Message unauthorized on port [14734] Switch-1#
  • 16. IPv6 First Hop Security Results • Switch successfully blocked RAs and rogue DHCPv6 Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/1 Received messages on Gi2/0/1: Protocol Protocol message NDP RS[11] RA[2794] NS[51] NA[7031] DHCPv6 SOL[142] Bridged messages from Gi2/0/1: Protocol Protocol message NDP RS[11] NS[50] NA[15] DHCPv6 SOL[142] Dropped messages on Gi2/0/1: Feature Protocol Msg [Total dropped] RA guard NDP RA [2794] reason: Message unauthorized on port [2794] Snooping NDP NS [1] reason: Packet accepted but not forwarded [1] NA [7016] reason: Address limit per policy reached [7007] reason: Packet accepted but not forwarded [9] Switch-1#
  • 17. IPv6 FHS with IPv6 ACL • If you don’t have RA Guard on your switch you might be able to configure a Cisco IPv6 Port-based ACL (PACL) • ipv6 access-list IPV6_PACL • remark Deny Rogue DHCPv6 • deny udp any eq 547 any eq 546 • remark Deny Rogue RA • deny icmp any any router-advertisement • permit ipv6 any any • ! • interface GigabitEthernet 1/2 • ipv6 traffic-filter IPV6_PACL in
  • 18. Extension Headers • There are rules for the frequency and order of various extension headers • Hop-by-Hop and Destination Options • Header Manipulation – Crafted Packets • Large chains of extension headers • Separate payload into second fragment • Consume resources - DoS • Invalid Extension Headers – DoS • Routing Headers Type 0 – source routing • Routers can be configured to block RH0 • This is now the default on newer routers • Firewalls, Windows, Linux and MacOS all block RH0 by default
  • 19. Layer-3/4 Spoofing • Spoofing of IPv6 packets is easy • IPv6 BOGON (Martians) Filtering is required • Filter traffic from unallocated space and filter router advertisements of bogus prefixes • Permit Legitimate Global Unicast Addresses • Unicast Reverse Path Forwarding (Unicast-RPF) • Don’t block FF00::/8 and FE80::/10 – these will block NDP (NS/NA) • Hierarchical addressing and ingress/egress filtering can catch packets with forged source addresses • Tracebacks may prove to be easier with IPv6
  • 20. Transition Mechanism Threats • Dual Stack is the preferred transition method. • You are only as strong as the weakest of the two stacks. • Running dual stack will give you at least twice the number of vulnerabilities and require almost twice the work to secure. IPv4 IPv6
  • 21. Threats Against Translation • Manual Tunnels • Preferred over dynamic tunnels • Filter tunnel source/destination and use IPsec • If spoofing, return traffic is not sent to attacker • Dynamic Tunnels • 6to4 Relay routers are “open relays” • Attackers can guess 6to4 addresses easily • ISATAP can have potential MITM attacks • Attackers can spoof source/dest IPv4/v6 addresses • Translation techniques are susceptible to DoS attacks • NAT prevents IPsec, DNSSEC, Geolocation and other applications from working • Consuming connection state (CPU resource consumption attack on ALG) • Consuming public IPv4 pool and port numbers (pool depletion attack)
  • 22. IPv6 Firewalls • Don’t just use your IPv4 policy for your IPv6 policy. • Don’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpoints • Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicast. • IPv6 firewalls may not have all the same full features as IPv4 firewalls • UTM/DPI/IPS/WAF/content filtering features may only work for IPv4.
  • 23. IPv6 Intrusion Prevention • Few signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset values. • IPSs should send out notifications when non-conforming IPv6 packets are observed having faulty parameters, bad extension headers, source address is a multicast address. • Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite). • IPv6 support varies greatly in modern IPS systems. • Talk with your vendor about what you need.
  • 24. Summary of BCPs • Perform IPv6 filtering at the perimeter (RFC2827 filtering and Unicast RPF checks). • Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used. • Use common access-network security measures (IPv6 FHS techniques, RA-Guard, 802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec) . • Strive to achieve equal protections for IPv6 as with IPv4. • Continue to let vendors know what you expect in terms of IPv6 security features.
  • 25. RTFM – Read This Fine Manuscript • IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009. ISBN-10: 1-58705-594-5 ISBN-13: 978-1-58705-594-2
  • 26. Questions and Answers • Scott Hogg • shogg@gtri.com • www.hoggnet.com • Twitter: @scotthogg • Network World Blog • http://www.networkworld.com/community/hogg • Rocky Mountain IPv6 Task Force • www.rmv6tf.org