Presentation is loading. Please wait.

Presentation is loading. Please wait.

Host Scanning in IPv6 Networks (draft-gont-opsec-ipv6-host-scanning) IETF 84 Vancouver, Canada. July 29-August 3, 2012.

Published byBrittney Curtis Modified over 8 years ago

Similar presentations

Presentation on theme: "Host Scanning in IPv6 Networks (draft-gont-opsec-ipv6-host-scanning) IETF 84 Vancouver, Canada. July 29-August 3, 2012."— Presentation transcript:

1 Host Scanning in IPv6 Networks (draft-gont-opsec-ipv6-host-scanning) IETF 84 Vancouver, Canada. July 29-August 3, 2012

2 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 Overview ● IPv6 address-scanning attacks have long been considered unfeasible ● This myth has been based on the assumption that: ● IPv6 subnets are /64s, and, ● Host addresses are “randomly” selected from that /64 ● However, IPv6 address-scanning attacks have already been seen in the wild

3 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 draft-gont-opsec-ipv6-host-scanning ● Raises awareness about IPv6 address-scanning attacks ● Sheds some light on what the real search space is ● Explores a number of techniques for IPv6-address scanning ● Discusses possible mitigations to these attacks ● It is expected to explore other host-scanning techniques in detail (in future revisions) – in the TODO list!

4 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 4 IPv6 address scanning of remote networks

5 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 IPv6 addresses in the real world ● Malone measured (*) the address generation policy of hosts and routers in real networks Hosts Routers Malone, D., "Observations of IPv6 Addresses", Passive and Active Measurement Conference (PAM 2008, LNCS 4979), April 2008,.http://www.maths.tcd.ie/~dwmalone/p/addr-pam08.pdf

6 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 IPv6 addresses embedding IEEE IDs ● In practice, the search space is at most ~2 23 bits – feasible! ● The low-order 24-bits are not necessarily random: ● An organization buys a large number of boxes ● In that case, MAC addresses are usually consecutive ● Consecutive MAC addresses are generally in use in geographically-close locations IEEE OUI FF FE Lower 24 bits of MAC | 24 bits | 16 bits | 24 bits | Known or guessable Known Unknown

7 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 IPv6 addresses embedding IEEE IDs (II) ● Virtualization technologies present an interesting case ● Virtual Box employs OUI 08:00:27 (search space: ~2 23 ) ● VMWare ESX employs: ● Automatic MACs: OUI 00:05:59, and next 16 bits copied from the low order 16 bits of the host's IPv4 address (search space: ~2 8 ) ● Manually-configured MACs:OUI 00:50:56 and the rest in the range 0x000000- 0x3fffff (search space: ~2 22 )

8 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 IPv6 addresses embedding IPv4 addr. ● They simply embed an IPv4 address in the IID ● e.g.: 2000:db8::192.168.0.1 ● Search space: same as the IPv4 search space – feasible!

9 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 IPv6 “low-byte” addresses ● The IID is set to all-zeros, except for the last byte ● e.g.: 2000:db8::1 ● There are other variants.. ● Search space: usually 2 8 or 2 16 – feasible!

10 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 Possible mitigations ● Do not employ predictable Interface IDs ● Replace traditional SLAAC addresses with draft-ietf-6man-stable-privacy- addresses ● Manually-configured addresses should not result in “low-byte” addresses ● etc. ● You may employ IPS'es – large number of non-existent IPv6 addresses will be probed!

11 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 11 IPv6 address scanning of local networks

12 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 Overview ● Leverage IPv6 all-nodes link-local multicast address ● Employ multiple probe types: ● Normal multicasted ICMPv6 echo requests (don't work for Windows) ● Unrecognized options of type 10xxxxxx ● Combine learned IIDs with known prefixes to learn all addresses ● Technique implemented in the scan6 tool of SI6's IPv6 toolkit ● Available at: http://www.si6networks.com/toolshttp://www.si6networks.com/tools

13 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 Possible mitigations ● Do not respond to multicasted ICMPv6 echo requests ● Currently implemented in Windows ● Multicasted IPv6 packets containing unsupported options of type 10xxxxxx should not elicit ICMPv6 errors ● See draft-gont-6man-ipv6-smurf-amplifier ● However, it's virtually impossible to mitigate IPv6 address scanning of local networks ● Think about mDNS, etc.

14 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 Moving forward ● Adopt as wg item?

15 IETF 84, OPSEC WG meeting Vancouver, Canada. July 29-August 3, 2012 Thanks! Fernando Gont fgont@si6networks.com www.si6networks.com

Download ppt "Host Scanning in IPv6 Networks (draft-gont-opsec-ipv6-host-scanning) IETF 84 Vancouver, Canada. July 29-August 3, 2012."

Similar presentations

73rd IETF meeting, November 16-21, 2008

73rd IETF meeting, November 16-21, 2008
IPv6 Addressing Internet2 IPv6 Workshop Research Triangle Park, NC 5-7 March 2002.

IPv6 Addressing Internet2 IPv6 Workshop Research Triangle Park, NC 5-7 March 2002.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by 2008. Solution: Design a new IP with a larger address space, called the IP version.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
IPv6. Key Aspects Increased address space SLAAC Security Simplified router processing.

IPv6. Key Aspects Increased address space SLAAC Security Simplified router processing.
IPV6. Features of IPv6 New header format Large address space More efficient routing IPsec header support required Simple automatic configuration New protocol.

IPV6. Features of IPv6 New header format Large address space More efficient routing IPsec header support required Simple automatic configuration New protocol.
IPv6 The Next Generation Presented by Anna La Mura Jens Waldecker.

IPv6 The Next Generation Presented by Anna La Mura Jens Waldecker.
Engineering Workshops IPv6 Addressing. Engineering Workshops Overview of Addressing Historical aspects Types of IPv6 addresses Work-in-progress Abilene.

Engineering Workshops IPv6 Addressing. Engineering Workshops Overview of Addressing Historical aspects Types of IPv6 addresses Work-in-progress Abilene.
IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.

IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
5: Link-Local Addresses Rick Graziani Cabrillo College

5: Link-Local Addresses Rick Graziani Cabrillo College
Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont DEEPSEC 2011 Conference Viena, Austria, November 15-18, 2011.

Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont DEEPSEC 2011 Conference Viena, Austria, November 15-18, 2011.
Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.

Week 5: Internet Protocol Continue to discuss Ethernet and ARP –MTU –Ethernet and ARP packet format IP: Internet Protocol –Datagram format –IPv4 addressing.
Ian Rice Network Management 44049 May 4 th, 2009.

Ian Rice Network Management May 4 th, 2009.
IETF 80: NETEXT Working Group – Logical Interface Support for IP Hosts 1 Logical Interface Support for IP Hosts Sri Gundavelli Telemaco Melia Carlos Jesus.

IETF 80: NETEXT Working Group – Logical Interface Support for IP Hosts 1 Logical Interface Support for IP Hosts Sri Gundavelli Telemaco Melia Carlos Jesus.
INTERNET PROTOCOL Version 6 I/II IPIAC 2013 Martin Pokorný.

INTERNET PROTOCOL Version 6 I/II IPIAC 2013 Martin Pokorný.
1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.

1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 10 Internet Protocol Version 6 (IPv6)

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 10 Internet Protocol Version 6 (IPv6)
Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 1.

Cisco Public © 2013 Cisco and/or its affiliates. All rights reserved. 1.
Network Layer4-1 NAT: Network Address Translation 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 138.76.29.7 local network (e.g., home network) 10.0.0/24 rest of.

Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
CSIS 4823 Data Communications Networking – IPv6

CSIS 4823 Data Communications Networking – IPv6

Similar presentations

Ads by Google