
Defeating IPv6 privacy extensions

Julien Savoie
November 28, 2018


This will be a brief follow-up to last month's talk on general IPv6 security. Given that privacy addresses are selected at random, and not derived from a MAC address, tracking abuse can prove difficult. While in corporate environments it is feasible to disable such privacy addresses, in BYOD or public access networks this is not the case. What follows is a number of solutions for tracking these random addresses back to machines and ultimately users.


Transcript

  1. What is IPv6, again?
     - 128bit address field vs 32bit for IPv4
     - Two 64bit parts
       - network prefix
       - interface identifier
     - RFC 4862 / SLAAC
       - Router Advertisements / RA
       - 48bit MAC to 64bit EUI-64
       - Checks with DAD
  2. What are privacy extensions?
     - RFC 4941
     - Random interface identifier
     - Reasoning
       - Device specific vulnerabilities
       - Tracking a device across multiple networks
     - Disabling it
       - Windows: netsh interface ipv6 set privacy state=disabled store=persistent
       - MacOS: echo net.inet6.ip6.use_tempaddr=0 >> /etc/sysctl.conf
  3. How we can defeat them anyways
     - DHCPv6 exists
     - Polling IPv6 neighbors table, storing it
       - Cisco: show ipv6 neighbors
     - Logging IPv6 associations
       - Cisco: ipv6 neighbor binding logging
  4. IPv6 scripting specifics
     - Zero compression: these are all the same address
       - 2001:4860:4802:32::a
       - 2001:4860:4802:0032::0000:000a
       - 2001:4860:4802:0032:0000:0000:0000:000a
     - Makes regex much more difficult than MAC or IPv4
     - Best to do matching/storing as binaries
       - INET6_ATON() SQL function
       - inet_pton() in PHP
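The polling-and-storing idea from slide 3 and the binary-comparison advice from slide 4, as an added Python example that is not from the deck: it parses a constructed Cisco `show ipv6 neighbors` snippet, normalizes each address to its 16-byte packed form (the Python counterpart of INET6_ATON() / inet_pton()) so every zero-compression spelling compares equal, and groups every address seen per link-layer address so a temporary address can be traced back to the NIC that used it. The sample output and MAC values are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Cisco "show ipv6 neighbors" output (not real data).
# The first NIC appears with its link-local, EUI-64 and one temporary address;
# the second NIC's single address is listed twice with different spellings.
SAMPLE_NEIGHBORS = """\
IPv6 Address                              Age Link-layer Addr State Interface
FE80::1E12:34FF:FE56:7890                   0 1e12.3456.7890  REACH Gi1/0/1
2001:DB8:1:0:1E12:34FF:FE56:7890            2 1e12.3456.7890  STALE Gi1/0/1
2001:DB8:1::A1B2:C3D4:E5F6:1234             0 1e12.3456.7890  REACH Gi1/0/1
2001:db8:0001:0000:0000:0000:0000:000a      5 aabb.cc00.0100  STALE Gi1/0/2
2001:DB8:1::A                               1 aabb.cc00.0100  REACH Gi1/0/2
"""

def normalize(addr):
    """Return the 16-byte binary form, so all spellings of one address match."""
    return ipaddress.IPv6Address(addr).packed

def parse_neighbors(text):
    """Parse 'show ipv6 neighbors' lines into (packed address, MAC) pairs."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith("IPv6"):
            continue  # header or malformed line
        addr, _age, lladdr, _state, _iface = fields[:5]
        try:
            rows.append((normalize(addr), lladdr.lower()))
        except ValueError:
            continue  # not a valid IPv6 address; skip it
    return rows

def addresses_by_mac(rows):
    """Group every address seen for each link-layer address (dedupes spellings)."""
    by_mac = defaultdict(set)
    for packed, mac in rows:
        by_mac[mac].add(packed)
    return by_mac

def mac_for(rows, addr):
    """Which MAC used this (possibly differently spelled) address, or None."""
    target = normalize(addr)
    for packed, mac in rows:
        if packed == target:
            return mac
    return None
```

Run the poll on a schedule and store the packed address with a timestamp, since the temporary address is gone from the neighbor table once it expires.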
  5. IPv6 regex
     (([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))
  6. “I hate IPv6”
     - You're probably running it anyways
       - At least at the broadcast domain level
     - Drop IPv6 frames completely (Cisco):
       ipv6 access-list allipv6
        permit ipv6 any any
       !
       vlan access-map breakipv6
        match ipv6 address allipv6
        action drop
       !
       vlan filter breakipv6 vlan-list 1