Deploy360 8 April 2015

New IPv6 Security Testing from go6lab

By Jan Žorž, Former Operational Engagement Programme Manager

In my go6lab, I often work with vendors to test the implementation of various IPv6 features and let them know how things work in a real IPv6 network environment. Recently, we received a quite powerful firewall device to test in the lab from a vendor we’ve been working with for years. In version 6 of their operating system (PanOS), they started implementing some neat IPv6 security checks that we usually don’t see with other vendors. Of course, we don’t have all firewall vendors’ devices here (anyone is welcome to send in a device and we’ll put it in our setup), but from what we see, these IPv6 security checks in firewalls are quite rare, and that is why we took some time to look at them more closely.

We had the privilege and honor to host the IPv6 Toolkit development VPS for Fernando Gont, so we have all the latest tools and attacks at hand for testing and I would like to thank Fernando for some additional ideas about what tests to run. Of course, we used IPv6 Toolkit for all our testing and below are the commands if you have this toolkit installed.

So, what did we test? We set up a target device on the other side of the new firewall and tried to send all sorts of malformed or malicious packets through with different settings, then watched on the other side to see if some of these packets came through to the target.

This is how the firewall zone protection profile looks by default:

[Screenshot: the default zone protection profile settings]
There are many very useful options, but unfortunately they are not enabled by default. From the vendor’s documentation we learn that the IPv6 sub-tab offers options to drop IPv6 packets based on different fields of the IPv6 header and extension headers: a type 0 routing header, an anycast source address, a hop-by-hop extension header, a routing extension header, needless fragmentation, etc.

So, let’s test some of the most interesting ones. We changed the configuration to enable all the options on the list to see if we could get any of the attacks through. For demonstration purposes we use the documentation prefix: 2001:db8::2 is our target, and we send the packets from the host 2001:db8:1::2.

First we tried atomic fragments: frag6 -d 2001:db8::2 --frag-type atomic

Next we tried: frag6 -d 2001:db8::2 --frag-reass-policy -v

Of course, the PMTUD trick with an MTU below 1280: icmp6 --icmp6-packet-too-big -d 2001:db8::2 --peer-addr 2001:db8:1::2 --mtu 1000 -o 80 -v -l -z 1

The firewall did not block all the malicious or malformed packets with the default Zone protection profile settings, but with all options turned on the device correctly identified the attacks and blocked the traffic to the destination machine. Well done!

Then we went to RFC7112 compliance tests:

tcp6 -d 2001:db8::2 -X S -a 4444 -v --probe-mode script

This command sends a SYN, and the tool prints whether it received a response or timed out. It passes the firewall, as this is a legitimate packet to send.

Then we tried more nasty stuff: tcp6 -d 2001:db8::2 -X S -a 4444 -v --probe-mode script -u 8

This command does the same thing, but now the IPv6 packet carrying the SYN segment employs a Destination Options extension header (EH) of 8 bytes. These packets are immediately filtered and blocked by the firewall.

After this we sent the same packet, but now with a Destination Options header of 1k: tcp6 -d 2001:db8::2 -X S -a 4444 -v --probe-mode script -u 1000

…and finally we tried this: tcp6 -d 2001:db8::2 -X S -a 4444 -v --probe-mode script -u 1000 -y 600

This command produces one of the packets forbidden by RFC 7112: it employs a Destination Options EH of 1000 bytes but asks the tool to fragment each packet into 600-byte pieces (-y 600), so the extension header chain itself gets fragmented. Of course, all those packets were recognized and blocked by the firewall.
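As an added illustration (my own example, not the firewall’s or the IPv6 Toolkit’s code), here is a small Python checker that walks an IPv6 extension-header chain and reports the conditions the tests above exercise: a hop-by-hop header, a type 0 routing header, an atomic fragment, and a first fragment whose header chain does not fit inside it (the RFC 7112 case produced by -u 1000 -y 600). The packets are constructed inline with the same documentation addresses; the helper names are mine.

```python
import struct
from ipaddress import ip_address

EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-options"}   # headers the walker understands

def build_ipv6(src: str, dst: str, nxt: int, payload: bytes) -> bytes:
    """Constructed helper: a plain IPv6 header (hop limit 64) in front of payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), nxt, 64,
                       ip_address(src).packed, ip_address(dst).packed) + payload

def inspect_ipv6(pkt: bytes) -> list:
    """Walk the extension-header chain and return what a zone-protection profile would act on:
    hop-by-hop header, type 0 routing header, atomic fragment, or a first fragment whose
    header chain does not fit in the fragment (forbidden by RFC 7112)."""
    findings = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    nxt, off, first_frag = pkt[6], 40, False
    while nxt in EXT:
        if off + 8 > len(pkt):                    # the next header is not in this packet at all
            findings.append("fragmented header chain" if first_frag else "truncated header chain")
            return findings
        if nxt == 44:                             # fragment header: next, reserved, offset<<3 | M, id
            field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            if field >> 3:                        # non-first fragment: it carries no header chain
                return findings
            first_frag = bool(field & 1)
            if not first_frag:                    # offset 0 and M=0: nothing to reassemble
                findings.append("atomic fragment")
            hlen = 8
        else:
            hlen = (pkt[off + 1] + 1) * 8         # hdr ext len counts 8-octet units after the first
            if nxt == 0:
                findings.append("hop-by-hop header")
            elif nxt == 43 and pkt[off + 2] == 0:
                findings.append("type 0 routing header")
        nxt, off = pkt[off], off + hlen
    if first_frag and nxt != 59 and off + 8 > len(pkt):   # upper-layer header must be in the first fragment
        findings.append("fragmented header chain")
    return findings

# Constructed sample: first fragment (M=1) of a SYN whose Destination Options header declares
# 1000 bytes but only 592 are present, roughly what "-u 1000 -y 600" puts on the wire.
FRAG_FIRST = struct.pack("!BBHI", 60, 0, 1, 0x1234)
DEST_OPT_1000 = bytes([6, 124]) + b"\x00" * 590             # next=TCP, len=(1000/8)-1, Pad1 filler
SAMPLE_FRAGMENTED_CHAIN = build_ipv6("2001:db8:1::2", "2001:db8::2", 44, FRAG_FIRST + DEST_OPT_1000)
# Constructed sample: atomic fragment (offset 0, M=0) carrying a 20-byte TCP SYN to port 4444.
TCP_SYN = struct.pack("!HHIIBBHHH", 1025, 4444, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLE_ATOMIC = build_ipv6("2001:db8:1::2", "2001:db8::2", 44, struct.pack("!BBHI", 6, 0, 0, 0x1234) + TCP_SYN)
```

Calling inspect_ipv6() on the two samples returns ["fragmented header chain"] and ["atomic fragment"] respectively, while a plain SYN with no extension headers returns an empty list.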

We also ran many other tests, and this vendor’s device recognized every malformed IPv6 packet and blocked the attacks. We are very happy to see that IPv6 implementations are progressing and that there are vendors paving the way in IPv6 security.

Go6lab recently received a second PA-4050 device from this firewall vendor and we are testing PanOS 7 beta for even more advanced IPv6 features, but we can’t talk about this yet as this version was not released to the public yet and new features are still under NDA – but we’ll keep you posted.


In the meantime, if you’re looking to get started with IPv6, learn more about IPv6 Security, or even if you don’t know where to start, we’ve got you covered!


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
