IPv6 Unsecurity – Router Advertisement is evil

Hi,

IPv6 is a mighty protocol which will bring a lot of cool features in the future. I can't wait till my coffee machine has its own IPv6 address and is hackable!

In the meantime, until it is established and everyone handles those hexadecimal addresses as naturally as our good old IPv4 addresses, it brings a lot of potential security risks.

So, to make the connection between IPv6 and Router Advertisement:

The c't magazine (a famous IT magazine in Germany) published an article in its edition 8/2011 which explains how to set up an IPv6 tunnel in a few easy steps. In the end you have a working IPv6 tunnel with sixxs or freenet6 and a Linux router which uses aiccu or gw6c together with radvd to provide IPv6 connectivity to the home network.

One advancement of IPv6 is ease of use and setup. In my opinion this can be a big headache for IT security. Windows Vista, 7 and 2008 (R2) are all IPv6 capable. Out of the box they wait for Router Advertisements and configure themselves with public IPv6 addresses without asking the user even once.

So I tested what I feared and found out that when I set up an Ubuntu VM with gw6c and radvd, I can publish the whole subnet my PC is located in on the Internet with routable IPv6 addresses. A nightmare for a security administrator.

To explain the risk factor further: my company builds network-enabled devices and is therefore forced to jump on the IPv6 train and handle it before the average customer wants it. So there is a lot of experimenting going on with it. I am also sure that a third of my company reads the c't magazine and is now able to set up an IPv6 router VM with Router Advertisement in about 15 minutes.

I'm glad that c't magazine also gave instructions on how to configure ip6tables, but as a lot of the people who are going to experiment with this stuff are probably not that much into networking, they may just not see the point in it and not bother with it.

Also, becoming the man in the middle was never so easy. It's a feature!

For users, a setup is usually "done" as soon as it works.

So I figured this is not good for the security of our company's network, and I decided to look for possible ways to block this behavior.

I talked to our network administrators and they already had a partial solution for it. We use Cisco switches and routers, and Cisco is really good at pointing out security risks and provides excellent documentation:

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html

This guide explains how to block Router Advertisements at the access layer (RA Guard on the switch ports) so users are no longer able to "hijack" other Windows machines.

This is a huge security improvement in my opinion. But what to do if the R&D department actually needs to test this feature? Besides providing them with a fully closed-off development network, an administrator is often forced into compromises and turns those features back on for the cash-cow departments.

So I also looked for a way to make Windows less eager to configure itself, i.e. to disable the processing of Router Advertisements (router discovery) on the host.

Unfortunately, in contrast to Cisco, Microsoft is pro-IPv6 (it even has solutions that require it, e.g. DirectAccess), so they are not big on publishing information on how to tame the IPv6 functionality of Windows: the user is happy when it works, let Symantec take care of making it secure...

I'm not saying that there are definitely no instructions available on that anywhere, but I was not able to find them in a reasonable time on TechNet via Google.

After a little more searching I found a page listing the needed netsh commands:

http://www.excaliburtech.net/archives/192

On Windows 2008, Vista, 7 and later versions you can disable this auto-configuration from the command prompt (run as administrator).

First, determine the network interface to disable it on (note its index in the "Idx" column):

netsh interface ipv6 show interface

Then disable router discovery on that interface (10 being the interface index taken from the previous command):

netsh interface ipv6 set interface 10 routerdiscovery=disabled

So what I did in the end was to advise the network administrators to enable the RA Guard functionality on all switch ports, and the Windows domain administrators to disable router discovery via group policy.
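As an added example (not from the post or the linked page), here is a PowerShell script that does the host-side part of the above in an auditable way: it lists the IPv6 default routes the host has learned from Router Advertisements, reports the router discovery state of every IPv6 interface and disables it everywhere except on an assumed allow-list of lab interfaces. It relies on the NetTCPIP cmdlets of Windows 8 / Server 2012 and later (the netsh commands above remain the way to go on Vista / 7 / 2008) and can be deployed as a Group Policy startup script; the `$AllowedInterfaces` parameter and the `-AuditOnly` switch are my own additions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the post: audit and disable IPv6 router discovery
# on a Windows host (Windows 8 / Server 2012 or later, NetTCPIP module).
# $AllowedInterfaces is an assumed allow-list of interface aliases that must
# keep accepting RAs, e.g. a NIC attached to an R&D lab segment.
param(
    [string[]] $AllowedInterfaces = @(),
    [switch]   $AuditOnly
)

function Get-RouterDiscoveryState {
    # One record per IPv6 interface with its current RA handling
    # (Enabled, Disabled or ControlledByDHCP).
    Get-NetIPInterface -AddressFamily IPv6 |
        Select-Object InterfaceAlias, InterfaceIndex, RouterDiscovery, ConnectionState
}

function Get-LearnedDefaultRoutes {
    # IPv6 default routes; an entry with a link-local (fe80::) next hop was
    # installed because of a Router Advertisement. An unexpected router here
    # is the footprint of a rogue radvd on the segment.
    Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
        Select-Object InterfaceAlias, NextHop, RouteMetric
}

function Disable-RouterDiscovery {
    param([Parameter(Mandatory)] [int] $InterfaceIndex)
    # Equivalent of: netsh interface ipv6 set interface <index> routerdiscovery=disabled
    Set-NetIPInterface -InterfaceIndex $InterfaceIndex -AddressFamily IPv6 -RouterDiscovery Disabled
}

Write-Host "IPv6 default routes currently installed:"
Get-LearnedDefaultRoutes | Format-Table -AutoSize

foreach ($if in Get-RouterDiscoveryState) {
    if ($AllowedInterfaces -contains $if.InterfaceAlias) {
        Write-Host "Skipping $($if.InterfaceAlias): on allow-list"
        continue
    }
    if ($if.RouterDiscovery -eq 'Disabled') { continue }
    Write-Host "Router discovery is $($if.RouterDiscovery) on $($if.InterfaceAlias) (index $($if.InterfaceIndex))"
    if (-not $AuditOnly) {
        Disable-RouterDiscovery -InterfaceIndex $if.InterfaceIndex
        Write-Host "  -> disabled"
    }
}
```

Run it once with `-AuditOnly` to see which machines already carry a default route from an unexpected router before rolling the change out via Group Policy.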

Maybe this helps someone out there who has the same concern.

Regards
Sebastian
