IPv6 Security: Getting Bored @ BRU Airport
Yesterday’s 6th Slovenian IPv6 Summit was (as always) full of awesome presentations, this time coming straight from some of the IPv6 legends: check the ones from Eric Vyncke (and make sure you read his IPv6 Security book), Randy Bush and Mark Townsley. The epic moment, however, was the “I was getting bored” part of Eric’s presentation (starts around 0:50:00). This is (in a nutshell) what he did:
He was connected to a public WiFi hotspot and started an equivalent of radvd. In seconds, he had more than 50 IPv6 neighbors – everyone in the airport using the same public WiFi started using IPv6 after hearing an RA message from Eric.
By itself, that’s nothing new. We know a rogue IPv6 “router” can wreak havoc in your network (that’s why you should always enable RA guard in your switches) – that was one of the major concerns some people had before World IPv6 Day. However, at that moment Eric could easily do man-in-the-middle attack on any IPv6 traffic – anything going to any dual-stack web server would be intercepted by his workstation.
To make matters worse, he could use DHCPv6 to advertise DNS server address, start a fake DNS server (some hosts prefer IPv6 DNS over IPv4 DNS) and create fake dual-stack DNS replies attract even more traffic. DNSsec would prevent that (yeah, everyone is using that) as would SSL (you’re using Facebook and Twitter over SSL, aren’t you?), but he would still be able to do significant damage.
As I said, the man-in-the-middle attack using fake RA messages should be well known, but there are a few other security implications:
- Some IPsec clients don’t enforce split tunnel policy on both protocols. Even though your company’s policy requires your VPN client to send all Internet traffic to the central firewall/IDS, IPv6 traffic can bypass that (making you a perfect entry point into your company’s network);
- Unix-based operating systems usually have two different firewalls – iptables for IPv4 and ip6tables for IPv6. If someone gives you unexpected IPv6 connectivity, you might become wide open to the Internet at large unless you’ve configured ip6tables.
You might argue the situation is no better in the IPv4 world – a lot of hotspots are totally unprotected against ARP spoofing attack, but at least some access points give you the option to configure DHCP guard and DHCP/ARP inspection. Having no wireless experience, here’s a question for the experts: how many access points support RA guard (assuming they even know what IPv6 is)? Please share your experience in the comments.
Simplest solution I can think of isn't an IPv6 solution at all - wireless client isolation. A lot of APs/controllers support it and it simply prevents traffic from one wireless client being forwarded by the AP back out to another. Really should be turned on in public access locations for this and other more obvious reasons.
The IP tables for v6 is great didn't even consider that one from the UNIX side.
The easy way to test if ping6 ff02::1%foo
They will cut off any local IPv6 connectivity regardless of whether the remote endpoint(asa) is configured to send/receive IPv6 traffic over the tunnel or not.
So basically if you're working in an IPv6 environment and start a VPN connection with AnyConncet to somewhere, the client will disconnect all your current IPv6 sessions.
According to Cisco this is a "feature not a bug".
Good article. I also hadn't considered the ip6tables...
It's also worth noting that vlan assignment doesn't work with IPv6 - it only affects IPv4
The only way to even disable IPv6 on these things is to disable layer2 multicasts. This of course breaks IPv4 multicast, but does at least stop IPv6 working.
Apparently this is unfixable in the 1st gen controllers / wisms. You need 5500/wism2 and a new software image (that we are promised "soon") which will support full IPv6 parity, including RA guard (a later image will support LWAPP over IPv6, if you care)
I would expect that wireless client isolation as posted Guy Smith
View details and ALC which will allow access only to GW as addition.