PaloAlto Ignite 2012 notes: IPv6 Security

This article is part of a series which depicts some of the notes I took during several sessions in the Palo Alto Networks Ignite conference in Las Vegas.

IPv6 Security Notes

  • Ensure that the IPv6  Firewalling option has been enabled under device > settings otherwise the PaloAlto will just route IPv6 traffic. Post PAN-OS v5 will enable this option by default
  • When writing IPv6 security policies targeting ICMP traffic, use the ipv6-icmp application object. Contrast this to IPv4 traffic which uses the icmp and ping address objects
  • ICMP plays a much more important role in IPv6 than it did in IPv4, so do not completely block ICMP. This will definitely break some features such as Path MTU discovery and possibly others such as neighbor discovery.

Checklist when buying or migrating to IPv6 capable equipment

  • Ensure routers and switches are IPv6 capable. Unless these are very old, they tend to be very feature rich and generally only a software upgrade is needed to obtain IPv6 capabilities
  • IPv6 management capability
  • IPv6 High Availability features
  • IPv6 application and user based policies
  • Reporting and visibility into IPv6 traffic
  • IPv6 SSL decryption
  • IPv6 Holistic threat prevention
  • Check for IPv6 ready certification:

The above checks for compliance with several IPv6 features, such as:

  • Correct header processing
  • Extension header processing
  • Fragmentation behavior
  • Neighbor discovery and auto configuration
  • Router redirects
  • ICMPv6 behavior
  • However, note that the above do not include any security considerations

Illustration of IPv6 security issues

  • Tunneling and other transitional mechanisms can circumvent IPv4 based security policies
  • Example: SLAAC [stateless autoconfiguration] attack

 

The above described attack is easy and normally successfully carried out because:

  • IPv6 is now enabled and prefered by default
  • Tunneling over IPv6 can provide an easy way out to the internet for an attacker
  • Since world IPv6 day, more and more sites are switching on IPv6, meaning most PC prefer to use IPv6 to reach sites such as facebook, google, etc

 

Mitigation of IPv6 attacks

  • Use a static IPv6 host configuration
  • Disable IPv6
  • Positive enforcement: use policy to shut down tunneling and other known mechanisms that are unneeded and can be used for nefarious purposes

IPv6 PAN-OS notes

Updated support for:

  • USER ID
  • SLAAC
  • NAT64 (transition mechanism, NAT IPv6 addresses to IPv4

Caveats:

  • OSPFv3 support still lacking
  • MP-BGP support still lacking