Slide 1

Defeating IPv6 privacy extensions

Slide 2

What is IPv6, again?
- 128-bit address field vs 32-bit for IPv4
- Two 64-bit parts
  - network prefix
  - interface identifier
- RFC 4862 / SLAAC
  - Router Advertisements / RA
  - 48-bit MAC to 64-bit EUI-64
  - Checks with DAD

Slide 3

What are privacy extensions?
- RFC 4941
- Random interface identifier
- Reasoning
  - Device specific vulnerabilities
  - Tracking a device across multiple networks
- Disabling it
  - Windows: netsh interface ipv6 set privacy state=disabled store=persistent
  - MacOS: echo net.inet6.ip6.use_tempaddr=0 >> /etc/sysctl.conf

Slide 4

How we can defeat them anyways
- DHCPv6 exists
- Polling the IPv6 neighbors table and storing it
  - Cisco: show ipv6 neighbors
- Logging IPv6 associations
  - Cisco: ipv6 neighbor binding logging

Slide 5

IPv6 scripting specifics
- Zero compression: these are all the same address
  - 2001:4860:4802:32::a
  - 2001:4860:4802:0032::0000:000a
  - 2001:4860:4802:0032:0000:0000:0000:000a
- Makes regex much more difficult than for MAC or IPv4
- Best to do matching/storing as binaries
  - INET6_ATON() SQL function
  - inet_pton() in PHP

Slide 6

IPv4 regex:
((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])

MAC regex:
(([0-9a-f][0-9a-f])(:|-)){5,5}([0-9a-f][0-9a-f])

Slide 7

IPv6 regex:
(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))

Slide 9

"I hate IPv6"
- You're probably running it anyways
  - At least at the broadcast domain level
- Drop IPv6 frames completely
  - Cisco:
    ipv6 access-list allipv6
     permit ipv6 any any
    !
    vlan access-map breakipv6
     match ipv6 address allipv6
     action drop
    !
    vlan filter breakipv6 vlan-list 1

Slide 10

Questions?
- Follow me @jzsavoie
- Send me PRs https://github.com/jsavoie/ipv6tracker