IPv6 Security Workshop (plus free sandwiches)

A free workshop in London on IPv6 Security, hosted by the UK IPv6 Council?
I'm in.

This is a write-up of the recent IPv6 Security Workshop held at the BT Centre, London, by the UK IPv6 Council.

My buy-in

In my previous role as PoC runner I performed a few that had a bias towards IPv6 and thus was forced to dust-off that oft-ignored section of the config guides entitled 'IPv6' and delve in. As with anything new I struggled with some aspects, and enjoyed others. I found that I would go deep for some PoCs, learn a host of stuff about SLAAC and M-bits then promptly forget it due to lack of practice. Overall I can't say I'm much of v6 advocate in Enterprise from this experience.

However, June '16 I delivered a v6 presentation to HPE partners at the TSS Event in Sweden. It was a Friday morning slot, one of the last of the week so I had some fun with it and tried to make it interactive. Laying out some basics of the protocol, but really it was a jokey look at the state of v6's development, all those RFCs and drafts. Privacy extensions, for and against, that kind of thing. The preso's conclusion was that although we do not see much demand for v6 in Enterprise, things are changing, and v6 in the home is a real. At the time Sky and BT were rolling out their v6 deployments in the UK so, like it or not, v6 is a reality and the audience needs to face up to that.

One part that stood out in my research for the presentations was the security aspects and implications of v6 so when I saw a free workshop on that very subject, I signed up.

The Workshop

Hosted by BT at their BT Centre near St Paul's, London, the event was held in the auditorium. All very convenient and a great venue. The steep-sided seating meant the whole audience was close to the stage and to each other, which aided interaction and discussion. Free coffee and sandwiches at lunch were generously laid-on by BT. There were over 100 attendees, the majority of which stayed all day. Although tickets were free this felt like an event of some importance. The full schedule is here

Run-down of the talks

The first couple of speakers, one from BT and one from the UK National Cyber Security Center were Security focused rather than having anything IPv6 specific. The talks themselves were interesting and all that but at a v6 day I kind of want to focus on IPv6, you know?

Next up was Dr. David Holder of Erion giving a whistle-stop tour through the v6 security fundamentals. A excellent talk and speaker, presenting the technical details with the right amount of his individual style, passion and humor to keep the audience with him as he skips along through some pretty heavy material. This was much more like it.

After lunch, we had Fernando Gont of SI6, the schedule listed two different presentations, but Fernando presented both, with some elasticity, in there I think. Travelling all the way from Argentina, Fernando did a great job of running through some v6 toolkits for security testing (hacking), one of which he authored.
The talk centred around a few key ideas:

  • Address scanning with IPv6 - With the huge scale of addresses in just a /64 scanning should be extremely difficult. But the way in which addresses tend to be implemented finding nodes can be quite easy. Practices like embedding the v4 address scheme in v6 and even embedding the port number (E.G. ::80:1 for a web server, ::80:2 for its backup) all make scanning that much easier.
    There was some discussion around this point of scanning, essentially asking 'So what?' these public-facing servers, especially web servers, by their very nature should be easy to find. Fernando's appeared to accept this and his view was some servers are to be found, but there are many others out there that the owners probably no not want hackers identifying, yet with the address schema and DNS they are easy to know a lot about. Why make a hacker's job any easier? I can understand both sides of the argument here. A determined hacker will find the servers, but much of the malignant practices spoken of were denial-of-service attacks, often by opportunistic, or bored, denizens of the internet (data presented by BT suggested attacks rise during winter school times, bored teenagers the suspected attackers). The opportunist will go for that which is easily in sight ahead of that which is obscured, so I see Fernando's point.

  • Extension Headers - Fernando is one of the authors of RFC 7872 , about how v6 traffic on the public internet is dropped if it has Extension Headers, he presented the statistics from that document. This is one of those unresolved aspects of v6 for me and something I was looking forward to finding out some more information. In fact, it remains unresolved. Those are the statistics, that's the reality. In Fernando's words 'Good luck' sending v6 traffic with EH across the Internet. So there we go.

  • Address Resolution - Information about ICMPv6, the dreaded Rogue RA and mitigating various Neighbour Discovery attacks. Current best practice is to restrict access to the local network and deploy ND Snooping. More advanced tools such as SEND are laughable, too heavy to implement, nice on paper but no vendor support.

  • Extension Headers (again) - this time on the LAN, chain lots of EH together to leapfrog ACLs and cause misery. Apparently this is a major problem for network hardware because it cannot parse the headers at wire speed. This is another area that I was looking for further info, having read as much during a PoC implementation back in 2014. Well, there's no real answer at present but they only way we are going to move things forward is by deploying v6 and working together towards a satisfactory resolution.

After this there was an IETF update, but that came across as a list of RFC numbers to me.

A Dose of Reality

Coffee drank, it was time to do anyway with the theory and get our hands dirty with two presentations about running IPv6 in the real world. I liked this structure and, especially with all the development and changes around v6, it was good to hear from people actually using it.

Up first was Russ Garrett of IRCCloud, who gave us a quick, humorous talk about running IRCCloud as one of only four employees utilising IPv6 as the preferred way to connect. According to Russ it is IRC but with today's essential features, like emojis. The main thing that stood out for me is just how much of a issue denial of service attacks are for anyone running public facing addresses. While this is worse in v4 land, there are attacks on IRCCloud's v6 addresses. Although one of the most troublesome ne'er-do-wells just needed to be asked nicely to stop.

Next was David Freedman of Claranet with a double-header of short presentations, both about working with v6 and the problems faced. The first section was about Claranet's efforts to implement 6PE after Dave's dream of LDPv6 came to nowt. This was a gallop over the core network infrastructure technologies, using MP-BGP on Cisco kit with a centralized BGP speaker in the control plane to handle prefix injection for black-holing. Each bug or issue in their attempts to implement 6PE seemed to cause another hack or trigger another bug to the extent that they faced questioning the decision to implement at all. Cisco built new features into the code for them, this killed other stuff they were running. IPv6 deployment, especially 6PE should be treated with respect and caution. The second preso was about First-Hop security (which I seem to have not made any notes about. Soz.)
Though dense with information Dave's presenting style was rapidly drilling through the layers of technical detail to deliver a satisfactory, amusing pay-off.

Overarching Themes

A few points that stood out to me across the various talks and discussions.

  • There is no such thing as a IPv4-only network - all networks are now dual-stack, most just have not consciously managed the v6 part yet, and that's a problem that needs to be addressed.

  • Should we NAT home-user IPv6 networks? - Quite a bit of debate around this. The consensus seemed to me to be 'no' (although you would expect this at a v6 event). The idea being just swap out NAT with v6 firewalling set to 'Deny Ingress All', only traffic that initiates internally should be allowed inbound.

  • How robust is IPv6 security? Well, as mentioned, a lot of what I already knew around the problems with Extension Headers and rogue RAs has not been solved. But then v4 has its own problems that have never been solved and the sun still rises.

Thoughts on the Day

An excellent workshop, great speakers and a lively community. I will definitely recommend attending any future workshops run by the UK IPv6 Council, although I cannot guarantee a free lunch.

IPv6 is a reality and is now an Internet Standard - RFC8200. It's time a lot of people faced up to it and started making plans. They are most likely already running a v6 network, they just haven't, literally, addressed it yet! Admittedly there are some unanswered problems, especially with security, but the only way we are going to make progress is by deploying and using v6 in earnest.

Final note (27Jul17):
If you would like to hear more about the UK IPv6 Council and upcoming events, they have a linkedin group here. Yeah, I know, linkedin. Apols for that.