IPv6 Security

76 Chapter 3: IPv6 Internet SecurityMore About ICMP and Amplification AttacksRFC 2463, “Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version6 (IPv6) Specification,” states that no ICMP messages can be generated in response to anIPv6 packet destined to a multicast group. The intent is to prevent all the amplificationattacks if all IPv6 nodes correctly implement this RFC.One issue with RFC 2463 is that there are two exceptions to the strict rule: “Packet too big”and “Parameter problem ICMP message” error messages can still be generated in responseto a packet destined to a multicast group. This is required to allow path maximumtransmission unit (MTU) discovery for a multicast video stream. This opens the door to anamplification attack in the same shot, even if all IPv6 nodes are RFC 2463 compliant.While the amplification attacks cannot be prevented at the node level, the effect can bethwarted by applying rate limiting to those ICMP messages: They should be rare in everynetwork so that a rate limit (10 messages/sec) can permit the correct use of those messages(path MTU discovery) while blocking the amplification attack.In Chapter 2, “IPv6 Protocol Security Vulnerabilities,” you learned that it is a good practiceto limit who can send to multicast groups. Because IPv6 does not have broadcast as a formof communications, multicast is the method for one-to-many communications. For thisreason, multicast can be leveraged by attackers for packet amplification attacks. Therefore,the solution is to tightly control who can send to multicast groups and when it is appropriateto respond to a multicast packet. Service providers can also consider rate-limiting userconnections and particularly rate-limit IPv6 multicast traffic. Most multicasts should beconfined to the LAN, so if an attacker is already on your LAN, you need to use other meansto protect against that. Physical security, disabling unused switch ports, enabling Ethernetport security, and using an 802.1X or Network Admission Control (NAC) technology areoptions to prevent unauthorized access to the internal networks.DoS attacks can be performed using a feedback loop to consume resources or amplify thepackets sent to a victim. In Chapter 2, you saw how RH0 packets could be created with alist of embedded IPv6 addresses. The packet would be forwarded to every system in the listbefore finally being sent to the destination address. If the embedded IPv6 addresses in anRH0 packet were two systems on the Internet listed numerous times, it could cause a typeof feedback loop.Figure 3-1 shows how this type of ping-pong attack would work. The attacker would firstsend the crafted packet to a network device on the Internet that is susceptible. That systemwould forward it onto the next system in the list. The two systems could continue to do sountil they ran out of bandwidth or resources. However, sometime soon, this type of attackwill have limited success because RFC 5095 has deprecated the use of Type 0 routingheaders in IPv6 implementations.