Thinking about our passive exposure to IPv6 issues

April 24, 2023

Over on the Fediverse, I recently saw a thought-provoking remark by Michael Gebis (via):

If I were an evil threat actor, I'd be learning as much about #ipv6 as possible right now. I'm convinced that many companies that say they "aren't using" IPv6 are in reality just ignoring IPv6, and it would be easy to set up a "shadow network" consisting of IPv6 traffic where you could get away with murder. Nobody at the company is logging IPv6 traffic and events, none of the tools are configured to monitor it, and a large majority of the staff knows nothing about it.

"But we disable IPv6!"

Really? On your users mobile devices? On printers? On random IoT devices? And most of all, on your remote user's networks? Good luck, my guy.

This got me thinking about what I'll call our passive exposure to IPv6. By that I mean whatever exposure we get from having IPv6 enabled on random devices, and perhaps automatically configured by systems or deliberately set up by a threat actor. For example, could a threat actor use IPv6 to bypass firewall protections or pass traffic in ways that would be invisible to our normal monitoring?

So far, we don't have IPv6 set up on any of our networks, and as a result we have no deliberate IPv6 network to network routing (or public IPv6 address assignment through any of DHCP6, SLAAC, or static assignment). However, as is the way of the world these days almost all of our servers have IPv6 enabled and they've assigned themselves fe80::/10 link local IPv6 addresses. It's likely that people's desktops, laptops, and mobile devices have done similarly on the networks where they live. When we look at general network traffic with tools like tcpdump, we do see a certain amount of IPv6 traffic trying to happen (using fe80::/10 link local addresses from what I've seen).

All of our firewalls explicitly block IPv6 traffic, and our core router doesn't have any IPv6 routes (because we have no IPv6 networks). A threat actor that wanted to use plain IPv6 across network boundaries would have to compromise one or more firewall rule sets, and getting plain IPv6 routing to the outside world would be quite complex. However, because we don't have IPv6 active on our own networks, we probably wouldn't notice if a threat actor set up a DHCP6 or SLAAC server that advertised itself as an IPv6 gateway to the local network. The attacker would have to tunnel the traffic in and out through IPv4, but there are various options for that that we probably wouldn't notice.

(Our core router might automatically start routing IPv6 traffic between our public subnets if those subnets started advertising appropriate IPv6 bits, but I don't know. However, those subnets can already reach each other with IPv4, and we're not doing traffic monitoring on the core router.)

Machines on internal networks that don't have port isolation can talk to each other with IPv6 (using link local addresses or addresses handed out by a threat actor), but then they can already talk to each other with IPv4. Machines on port isolated internal networks should still be port isolated from each other even if they use IPv6, but I admit we haven't tested the behavior of our switches to be completely sure of that.

(Port isolation is theoretically an Ethernet layer thing, not an IP layer one, but switches are extra smart these days so one is never entirely sure.)

We mostly don't use IP filtering on servers themselves, only on firewalls, so we don't have to worry about server IP filtering not being set up for IPv6 (an issue that I once had on my home machine). Where we do have some IP filtering, it's in the form of a default deny with a restricted positive allowance (for example, systemd's IP access controls or Apache access controls); this means that using an IPv6 address to access the service instead of an IPv4 address wouldn't bypass access restrictions; you specifically have to have the right IPv4 IP address.

We handle our DNS ourselves, so compromising our DNS infrastructure to add IPv6 addresses for some of our services would already be a pretty bad compromise by itself. We're no more or less likely to notice the addition of IPv6 records than we are to notice any other DNS change that doesn't visibly and clearly degrade services. I can imagine that the addition of IPv6 records might be able to do some damage because it might let an attacker get TLS certificates for some of our names and intercept the traffic of outside people on networks with IPv6 support.

(To avoid people noticing the service not working, the attacker could then send the traffic to the original server via IPv4.)

So on the whole I think we have a low passive exposure to IPv6 issues. A lot of this comes down to the long ago decision to explicitly block IPv6 traffic on all of our firewalls, even though we didn't (and still don't) have any IPv6 traffic.


Comments on this page:

From 193.219.181.219 at 2023-04-25 02:50:24:

However, because we don't have IPv6 active on our own networks, we probably wouldn't notice if a threat actor set up a DHCP6 or SLAAC server that advertised itself as an IPv6 gateway to the local network. The attacker would have to tunnel the traffic in and out through IPv4, but there are various options for that that we probably wouldn't notice.

Your switches nowadays likely have "RA Guard" as an option, in a similar way to how they've had features to guard against rogue DHCP4 servers – they can be set up to block ICMPv6 Router Advertisements from untrusted ports.

We mostly don't use IP filtering on servers themselves, only on firewalls, so we don't have to worry about server IP filtering not being set up for IPv6

Our hosts mostly use just port-based filtering (i.e. allowing some TCP ports to the world and others to the entire internal network, with the router firewalls enforcing the more specific allow-lists), so I think it's still useful to make sure the same firewall ruleset is loaded for both v4 and v6. Easy enough to have both iptables-restore and ip6tables-restore accept the same rules file using the -4 and -6 line prefixes, while it's automatic with ferm or nftables anyway.

I can imagine that the addition of IPv6 records might be able to do some damage because it might let an attacker get TLS certificates for some of our names and intercept the traffic of outside people on networks with IPv6 support.

Once they have the TLS certificate, they'd be able to use it even on IPv4 networks if they're in a position to intercept traffic.

But on the other hand, if they can add IPv6 addresses to DNS, they probably can add ACME DNS challenge tokens just as easily, or replace your IPv4 address with their own (proxying traffic back to the real one) – so it's not a new risk at all.

One of the common issues that came up on IPv6 day many years ago was Windows machines that set up IPv6 tunnels (as a v4/v6 transition mechanism) and inadvertently became the v6 routers for their subnet. Tunnelling tech like Teredo is obsolete now, but it is instructive because misconfigured VPN clients can cause similar problems.

So, yes, v4-only networks need RA guard. If your switches have packet filters, maybe also drop any ethernet frames with the v6 protocol number.

If an attacker has compromised a system on a local subnet, they can send router advertisements (RAs) that can do a couple of things, e.g., make the compromised host IPv6 gateway and DNS server for the other hosts on the subnet. They can also enable DHCPv6 for the hosts on the subnet and become DHCPv6 server. They can use an IPv6 over IPv4 tunnel to connect to the IPv6 Internet, too.

RA Guard (RFC 6105) is intended to help against attackers sending RAs.

DHCPv6 Shield (RFC 7610, currently BCP 199) is intended to help against attackers posing as DHCPv6 servers.

Filtering outgoing tunnel protocols can partly mitigate connecting to the IPv6 Internet, but one can tunnel via HTTPS (or DNS, ICMP, …) or invent a new tunneling protocol.

These IPv6 security measures also apply to networks where hosts are IPv6 enabled, but the network infrastructure is not.

By neo at 2023-04-25 10:40:30:

Text is so small can't read; good writing :)

By cks at 2023-04-25 11:27:44:

All the text here is in the browser's default text size, partly because I'm not good enough of a typographer and designer to pick text sizes.

By Etienne Champetier at 2023-06-10 16:29:06:

If in your network you have enabled IPv6 RA Guard because you want to block attackers, not just misconfigured devices, I recommend you to look at the bypass techniques that I published last year ("Layer 2 network security bypass using VLAN 0, LLC/SNAP headers and invalid length"):

- https://kb.cert.org/vuls/id/855201

- https://blog.champtar.fr/VLAN0_LLC_SNAP/ (includes a test script)

Some vendors did not provide fixes, only workarounds :(

Written on 24 April 2023.
« Programming on Unix and automatic memory management
Understanding ZFS ARC hit (and miss) kstat statistics »

Page tools: View Source, View Normal.
Search:
Login: Password:

Last modified: Mon Apr 24 22:39:15 2023
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.