Unit 2 - Basic IPv6 Protocol Security Flashcards

(50 cards)

1
Q

What field(s) in the IPv4 header are no longer needed in IPv6?

A
  • Header Checksum - Dropped. Link-layer CRCs and transport checksums (the UDP checksum is mandatory in IPv6) already protect the packet, and routers no longer have to recompute a checksum every time they decrement the hop count.
  • Header Length (IHL) - Dropped. The basic IPv6 header is a fixed 40 bytes; anything optional lives in Extension Headers.
2
Q

What field(s) in the IPv4 header have been moved in the IPv6 header?

A

Fragmentation. The Identification, Flags and Fragment Offset fields have moved out of the basic header into the Fragment Extension Header, which is present only in packets that are actually fragmented.

3
Q

What is the name of the new field in IPv6 that has been added but not currently utilised?

A

Flow Label (20 bits). It went unused for years; RFC 6437 now defines its use for identifying flows (e.g. for ECMP load balancing) and many current stacks set it, so "unused" should be read as "not required for forwarding" rather than "always 0".

4
Q

List parts of the IPv6 basic header in order

A
  1. Version - 4 bits - Set to 4 for IPv4 and 6 for IPv6.
  2. Traffic Class - 8 bits - Equivalent of the ToS field in IPv4 (6-bit DSCP plus 2-bit ECN). Used for QoS; indicates the class or priority of the packet.
  3. Flow Label - 20 bits - Used together with the source address to identify traffic flows so that intermediate equipment (e.g. ECMP load balancers) can keep a flow on one path without parsing the transport header. Many stacks still set it to 0.
  4. Payload Length - 16 bits - Length in bytes of everything after the basic header (Extension Headers plus the upper-layer PDU). Maximum 65535; if the payload is larger, this field is set to 0 and a Jumbo Payload option in the Hop-by-Hop header carries the true payload length (RFC 2675).
  5. Next Header - 8 bits - Identifies the first Extension Header following the basic header, or the protocol of the upper-layer PDU if there are none.
  6. Hop Limit - 8 bits - Equivalent of TTL in IPv4: the maximum number of hops the packet may traverse. Each forwarding node decrements it by 1 and discards the packet (sending ICMPv6 Time Exceeded) when it reaches 0.
  7. Source Address - 128 bits - Source address of the packet.
  8. Destination Address - 128 bits - Destination address of the packet.
5
Q

What field(s) are the same in function and name in IPv6 as they are in IPv4?

A
  • Version
  • Source Address
  • Destination Address
6
Q

What field(s) are not retained in IPv6?

A
  • IHL (Internet Header Length)
  • Identification
  • Flags
  • Fragment Offset
  • Header Checksum
  • Options
  • Padding
7
Q

What field(s) have changed their names in IPv6 but are similar in function in IPv4?

A
  • Type of Service - Traffic Class - Same 8 bits (6-bit DSCP plus 2-bit ECN), renamed.
  • Protocol - Next Header - Still a protocol number, but it may now also identify an Extension Header that follows rather than only the upper-layer protocol.
  • TTL - Hop Limit - Just a rename; the field always counted hops, never seconds.
  • Total Length - Payload Length - Total Length counts the entire IPv4 packet including its header. Payload Length counts only what follows the fixed 40-byte basic header: the Extension Headers plus the upper-layer PDU.
8
Q

What threat relates to the IPv6 Source Address field? What is the solution?

A

IP Spoofing - The attacker sends packets with a source address that is not assigned to their device, to hide their origin, impersonate another host, or reflect traffic onto a victim.

The solution is Ingress Filtering (BCP 38 / RFC 2827) and uRPF (Unicast Reverse Path Forwarding): a router drops a packet whose source address is not reachable back through the interface it arrived on (strict mode) or has no route at all (loose mode).

9
Q

Describe Ingress Filtering as a solution to IP Spoofing threats

A

Ingress Filtering has the ISP's router accept on a customer-facing interface only packets whose source address lies within the prefixes assigned to that customer. If an attacker on that link sends a packet with a source address outside that address space, it is dropped at the first hop.

10
Q

What threat relates to the Traffic Class and Flow Label headers?

A

Covert Channel - A hidden method of communication that lets parties communicate who should not be able to. Data can be injected into the Traffic Class and Flow Label fields, and into the Hop Limit field, in chunks that fit the size of each field (8, 20 and 8 bits respectively), because routers forward packets regardless of those values.

The solution is to use IDS and IPS systems that can detect abnormalities in packet fields, e.g. a non-zero Flow Label on a network whose hosts do not use it, an unexpected DSCP value, or Hop Limit values that vary between packets of the same flow. (RFC 6437 defines a use for the Flow Label and many current stacks set it, so baseline real traffic before treating a non-zero value as an anomaly.)

11
Q

What is the solution to Covert Channel attacks?

A

Use IDS and IPS systems that can detect abnormalities in packet fields, e.g. a Flow Label that should be 0 on a given network, unexpected Traffic Class values, or Hop Limit values that vary within one flow. Check what the local hosts actually send first: many current stacks set a non-zero Flow Label (RFC 6437).
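Worked example for the field layout in card 4 and the field checks in cards 10 and 11. This is added code, not part of the original deck: it serialises and parses the 40-byte basic header with the Python standard library and runs two covert-channel checks over constructed sample packets. The allowed-DSCP set, the "Flow Label must be 0" policy, the distinct-hop-limit threshold and the sample addresses are assumptions to tune for a real network.

```python
"""Added example: decode the fixed 40-byte IPv6 basic header and flag the
fields a covert channel can abuse (Traffic Class, Flow Label, Hop Limit).
Standard library only; the sample packets are constructed below."""
import struct
import ipaddress
from collections import defaultdict

IPV6_HDR_LEN = 40

# Pool-1 DSCP codepoints a site usually permits (assumption: tune per network).
ALLOWED_DSCP = {0, 8, 16, 24, 32, 40, 48, 56, 46,                # CS0-CS7 and EF
                10, 12, 14, 18, 20, 22, 26, 28, 30, 34, 36, 38}  # AF11-AF43


def build_ipv6_header(src, dst, payload_len, next_hdr, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Serialise a basic header; field layout is RFC 8200 section 3."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv6_header(pkt):
    """Decode the basic header into named fields; raises on truncation or wrong version."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError("not an IPv6 packet (version=%d)" % version)
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        # Payload Length 0 together with a Hop-by-Hop header (Next Header 0) means
        # the real length is carried in a Jumbo Payload option (RFC 2675).
        "jumbo": payload_len == 0 and next_hdr == 0,
    }


def per_packet_findings(pkt, flow_label_must_be_zero=True):
    """Field-level anomalies in one packet: the IDS rule the card describes."""
    h = parse_ipv6_header(pkt)
    findings = []
    if flow_label_must_be_zero and h["flow_label"] != 0:
        findings.append("flow_label=%#x but policy requires 0" % h["flow_label"])
    dscp = h["traffic_class"] >> 2              # top 6 bits; low 2 bits are ECN
    if dscp not in ALLOWED_DSCP:
        findings.append("unknown DSCP %d" % dscp)
    return findings


def hop_limit_findings(packets, max_distinct=2):
    """Cross-packet check: a host's initial Hop Limit is fixed and the path rarely
    changes, so one (src, dst) pair should show one or two values. Many distinct
    values suggest data being encoded in the field."""
    seen = defaultdict(set)
    for pkt in packets:
        h = parse_ipv6_header(pkt)
        seen[(h["src"], h["dst"])].add(h["hop_limit"])
    return {pair: sorted(v) for pair, v in seen.items() if len(v) > max_distinct}


# Constructed sample traffic: three ordinary TCP packets, then three that carry
# the bytes "h", "i", "!" in Hop Limit, data in Flow Label and an odd DSCP (37).
SRC, DST = "2001:db8:1::10", "2001:db8:2::20"
NORMAL = [build_ipv6_header(SRC, DST, 20, 6, hop_limit=64) for _ in range(3)]
COVERT = [build_ipv6_header(SRC, DST, 20, 6, hop_limit=ord(c),
                            traffic_class=37 << 2, flow_label=0xABCDE) for c in "hi!"]

if __name__ == "__main__":
    for p in NORMAL + COVERT:
        print(parse_ipv6_header(p)["hop_limit"], per_packet_findings(p))
    print(hop_limit_findings(NORMAL + COVERT))
```

The per-packet rule catches the Flow Label and DSCP channels on a single packet; the Hop Limit channel only shows up across a sequence, which is why that check groups packets by address pair.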

12
Q

What are IPv6 Extension Headers?

A
  • Used to carry extra IPv6 information and added to a packet only if special processing is required.
  • Limited number of defined EHs and are only present if they are needed
  • Come right after the Basic IPv6 Header but before the upper layer header
13
Q

List IPv6 Extension Header options

A
  • Hop-by-Hop Options
  • Destination Options (options for the intermediate destinations listed in the Routing header)
  • Routing
  • Fragment
  • IPsec: AH (Authentication Header)
  • IPsec: ESP (Encapsulating Security Payload)
  • Destination Options (options for the final destination)
This is also the order in which RFC 8200 recommends they appear when a packet carries more than one.
14
Q

True or False. All Extension Headers can appear multiple times in a single packet header

A

False.

RFC 8200 says each Extension Header should occur at most once, except Destination Options, which may appear twice: once before a Routing header (for the nodes listed there) and once before the upper-layer header (for the final destination).

15
Q

True or False. All Extension Headers are processed by all hops in a route.

A

False.

Only the Hop-by-Hop Options header is examined by every node along the path. A Routing header is processed by the nodes whose addresses it lists; all other Extension Headers are processed only by the final destination.

16
Q

What are Hop-by-Hop Extension Headers?

A

Used to carry optional information that may be examined and processed by every node along a packet's path from source to destination. Because every router has to look at it, packets carrying one are often punted to a slower processing path, which is why many operators rate-limit or drop them at the network edge.

17
Q

What are Routing Extension Headers?

A

Packets with these are processed by all IPv6 stacks of devices that have their IPv6 addresses included in the Routing header as nodes to be visited along a packet’s path.

18
Q

What is the IPv6 Header Chain?

A
  • Consists of the basic IPv6 header, zero or more Extension Headers, and finally an upper-layer header (e.g. TCP, UDP, ICMPv6).
  • Each header's Next Header field names the header that follows it. If there is no upper-layer header, the last header in the chain carries Next Header value 59 (No Next Header); that is the last Extension Header, or the basic header itself when there are no Extension Headers.
19
Q

What implications do IPv6 Extension Headers have?

A
  • The flexibility of Extension Headers brings complexity: a variable-length chain of headers must be walked before the transport header is found, which makes IPv6 packets harder for security tools to analyse than fixed-layout IPv4 packets.
  • Security tools must be able to inspect the entire IPv6 Header Chain (RFC 7112 requires the whole chain to fit in the first fragment so that this is possible).
  • Security tools must be able to filter IPv6 packets based on the Extension Headers they carry, and must support every standard Extension Header (Hop-by-Hop, Destination Options, Routing, Fragment, Authentication Header (AH), Encapsulating Security Payload (ESP)).
20
Q

Can new Extension Headers be created?

A

Yes, but a new Extension Header needs a detailed technical justification of why it is required and why an existing header (or a new option inside one) cannot carry the information (RFC 8200 section 4.8).

  • New headers with Hop-by-Hop functionality cannot be created and must be handled by the Hop-by-Hop options already present.
  • Instead of defining new Extension Headers, it is recommended to use the Destination Options header to carry optional information that must be examined only by a packet’s destination node(s) because they provide better handling and backward compatibility.

Some examples of new Extension Headers are:
- Mobility Header
- Host Identity Protocol
- SHIM6 Protocol

21
Q

What is an SPD?

A
  • Security Policy Database
  • Holds an ordered list of entries whose selectors are matched against fields of the packet's IP header (source/destination address) and next-layer header (protocol, ports).
  • Tells the IPsec device whether to Discard the packet, Bypass IPsec (send it unprotected), or Protect it (apply AH/ESP with the parameters of the matching entry). A packet that matches no entry is discarded.
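Worked example of the SPD decision described above, added here and not part of the original deck. Each entry's selectors are compared against the packet's IP header (addresses) and next-layer header (protocol, destination port); the first matching entry decides Discard, Bypass or Protect, and a packet matching no entry is discarded as RFC 4301 requires. The prefixes, gateway address and policy entries are constructed for a hypothetical site A peering with site B; the tunnel-mode and transport-mode entries mirror the deployments in the two cards that follow.

```python
"""Added example: a minimal IPsec Security Policy Database lookup.
Standard library only; entries and packets are constructed for illustration."""
import ipaddress

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"
ANY = None


class SPDEntry:
    def __init__(self, action, src, dst, proto=ANY, dport=ANY, **sa_params):
        self.action = action
        self.src, self.dst = ipaddress.IPv6Network(src), ipaddress.IPv6Network(dst)
        self.proto, self.dport = proto, dport
        self.sa_params = sa_params      # how to protect: mode, protocol, peer gateway

    def matches(self, pkt):
        """Selectors: source/destination prefix, next-layer protocol, destination port."""
        return (ipaddress.IPv6Address(pkt["src"]) in self.src
                and ipaddress.IPv6Address(pkt["dst"]) in self.dst
                and self.proto in (ANY, pkt["proto"])
                and self.dport in (ANY, pkt.get("dport")))


def spd_lookup(spd, pkt):
    """Ordered first-match search; no match means DISCARD (RFC 4301 section 4.4.1)."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action, entry.sa_params
    return DISCARD, {}


# Constructed policy for a gateway at site A (2001:db8:a::/48) peering with site B.
SPD = [
    SPDEntry(BYPASS, "::/0", "::/0", proto=58),                 # ICMPv6 (NDP, PMTUD) in the clear
    SPDEntry(BYPASS, "fe80::/10", "fe80::/10"),                 # link-local never leaves the link
    SPDEntry(PROTECT, "2001:db8:a::/48", "2001:db8:b::/48",     # site-to-site: tunnel mode
             mode="tunnel", protocol="ESP", peer="2001:db8:b::1"),
    SPDEntry(PROTECT, "2001:db8:a::/64", "2001:db8:a::/64",     # internal telnet: host-to-host
             proto=6, dport=23, mode="transport", protocol="ESP"),
    SPDEntry(BYPASS, "2001:db8:a::/48", "2001:db8:a::/48"),     # other internal traffic
]

if __name__ == "__main__":
    for pkt in [{"src": "2001:db8:a::5", "dst": "2001:db8:b::9", "proto": 6, "dport": 443},
                {"src": "2001:db8:a::5", "dst": "2001:db8:a::7", "proto": 6, "dport": 23},
                {"src": "2001:db8:a::5", "dst": "2001:db8:a::7", "proto": 6, "dport": 80},
                {"src": "2001:db8:a::5", "dst": "2001:db8:c::1", "proto": 17, "dport": 53}]:
        print(pkt["dst"], pkt.get("dport"), "->", spd_lookup(SPD, pkt))
```

Entry order matters: the ICMPv6 bypass sits first so that Neighbor Discovery and Path MTU Discovery keep working before any SA is established, and the catch-all default is Discard rather than Bypass so that a selector typo fails closed.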
22
Q

What is IPSec Tunnel Mode?

A
  • In the usual gateway deployment, traffic is unprotected between a host and its router and protected only between the two routers. Normally used to protect data between networks that must traverse an untrusted network.
  • The original IPv6 packet, header included, is encapsulated inside a new IPv6 header. Everything in the original packet is protected, whereas Transport mode protects only the payload.
  • Hides the inner addresses from traffic analysis: an outside observer sees only the two gateways' addresses, not the hosts behind them.
  • Easier to traverse NAT than Transport mode, since the outer header is the one NAT rewrites.
  • Greater overhead than Transport mode (an extra 40-byte IPv6 header).
  • Used on routers acting as a proxy for the rest of the network: they encrypt all traffic between the associated networks that matches the policy.
23
Q

What is IPSec Transport mode?

A
  • Traffic is protected from end to end (host to host).
  • The original IP header is maintained and unprotected, only the upper layer headers are protected. Tunnel protects everything including the IP header.
  • Harder to traverse NAT since the host’s original IP header is maintained. Not a problem if the host has a public IP and doesn’t need to be NAT’d.
  • Lower overhead than Tunnel.
  • Could be used for a Telnet session internal to a network to protect it.
24
Q

Which headers used for IPSec are supported by IPv6 by default?

A
  • AH (Authentication Header, Next Header 51) - Provides integrity and origin authentication for the payload and the immutable fields of the IPv6 header, but no confidentiality. Optional to implement. Sometimes chosen where encryption is not needed or the device lacks the compute for it.
  • ESP (Encapsulating Security Payload, Next Header 50) - Provides confidentiality and, optionally, integrity and origin authentication of the payload (not of the outer IPv6 header). Mandatory to implement.
25
Q

What is an ICV?

A

Integrity Check Value - the output of a keyed integrity algorithm (typically an HMAC such as HMAC-SHA-256) that the sender places in the AH or ESP header and the receiver recomputes to verify that the covered bytes were not modified in transit. AH's ICV covers the payload plus the immutable IPv6 header fields; ESP's covers only the ESP header, payload and trailer.
26
Q

Which Extension Headers should go before the ESP header (when used for confidentiality)?

A

Any that intermediate hops must be able to read, i.e. Hop-by-Hop, Routing and Fragment (and the first Destination Options header, which is for the nodes listed in the Routing header). Extension Headers that only the final destination needs (the second Destination Options header) can go after the ESP header so they are encrypted.
27
Q

True or False. AH and ESP are mandatory for IPSec.

A

False. Only one of them is used on a given Security Association. RFC 4301 makes ESP mandatory to implement and AH optional; ESP is the one to use if confidentiality is required as well as integrity (and ESP with a NULL cipher can provide integrity alone).
28
Q

What is the Fragment Header?

A
  • Used to send a packet bigger than the path MTU. The sending host (never an intermediate router, unlike IPv4) divides the packet into smaller pieces, each carrying a Fragment Header.
  • All fragments of the same original packet carry the same Identification value.
  • Each fragment also carries a Fragment Offset so the receiver can place it correctly during reassembly, and an M flag that marks whether more fragments follow.
29
Q

List the different parts of a Fragment Header and what they do

A
  • Next Header (8 bits) - Identifies the header that followed the per-fragment headers in the original, unfragmented packet. The value is a standard protocol number.
  • Reserved (8 bits) - Initialised to 0 for transmission and ignored on reception.
  • Fragment Offset (13 bits) - Offset of this fragment's data within the original packet, in 8-octet units. Lets the receiver place fragments correctly regardless of arrival order.
  • Res (2 bits) - Initialised to 0 for transmission and ignored on reception.
  • M (1 bit) - "More fragments". 1 means more fragments follow; 0 marks the last fragment.
  • Identification (32 bits) - Identifies the original packet a fragment belongs to. All fragments of one packet carry the same value.
30
Q

What are Per-Fragment Headers?

A

The part of the original packet repeated in every fragment: the basic IPv6 header plus any Extension Headers that must be processed by nodes on the path (everything up to and including a Routing header, or just Hop-by-Hop if there is no Routing header). Everything after them is what gets split into fragments.
31
Q

How is fragmentation done differently in IPv6 compared to IPv4?

A
  • Only the source host fragments. A router that cannot forward a packet drops it and sends ICMPv6 Packet Too Big, so the source must do Path MTU Discovery (or stay at the 1280-byte minimum MTU).
  • Fragmentation information lives in a Fragment Extension Header instead of the basic header.
  • Overlapping fragments must be silently discarded (RFC 5722), which reduces the scope for overlapping-fragment and tiny-fragment attacks.
  • Considerations for out-of-order fragments are the same as in IPv4, but reassembly is only ever done by the end host.
  • There must be a timeout for reassembling all fragments.
  • Firewalls should not blanket-filter fragments (legitimate traffic relies on them), but should inspect or reassemble them rather than pass them blindly.
32
Q

What are overlapping fragments?

A
  • Normally seen as a security threat.
  • Two fragments have offsets and lengths that place them over the same bytes of the original packet. There is no single correct reassembly, and implementations that try (or that pick one fragment over the other) have historically slowed down or crashed.
  • Used for DoS, and to evade an IDS that reassembles differently from the end host.
  • RFC 5722 requires that any datagram with overlapping fragments be silently discarded in its entirety.
33
Q

What is another name for an IP Fragmentation attack?

A

Teardrop Attack (the classic overlapping-fragment DoS).
34
Q

What are tiny fragments?

A
  • Normally seen as a security threat.
  • The first fragment is so small that the upper-layer header (or even the rest of the IPv6 header chain) does not fit in it and is carried in a later fragment. Devices that filter on the transport header cannot see it, and reassembling such fragments has caused slowdowns and crashes (DoS).
  • RFC 7112 requires the whole IPv6 header chain to be in the first fragment, so a first fragment that does not contain it should be dropped.
35
Q

List the different parts of a routing header and what they do.

A
  • Next Header (8 bits) - Identifies the type of header immediately following the Routing Header. The value is a standard protocol number.
  • Length (Hdr Ext Len, 8 bits) - Length of the Routing Header in 8-octet units, not including the first 8 octets.
  • Routing Type (8 bits) - Identifies the routing header variant.
  • Segments Left (8 bits) - Number of route segments remaining, i.e. the number of explicitly listed intermediate nodes still to be visited.
36
Q

List types of routing header

A
  • RH0 (type 0) - Source routing (deprecated by RFC 5095)
  • RH1 (type 1) - Used by Nimrod (New Internet Routing and Address Architecture) (deprecated)
  • RH2 (type 2) - Mobile IPv6. Carries a single home address; no security concerns so far
  • RH3 (type 3) - RPL Source Route Header, used by the Routing Protocol for Low-power and Lossy Networks (RPL), i.e. 6LoWPAN/IoT deployments
  • RH4 (type 4) - Segment Routing Header (SRH)
37
Q

Which Routing Header type was found to be dangerous for the internet?

A

RH0 (Type 0)
38
Q

List parts of Routing Header RH0 specifically

A
  • Routing Type - 8 bits, set to 0.
  • Segments Left - 8-bit unsigned integer. Number of route segments remaining, i.e. number of explicitly listed intermediate nodes still to be visited before reaching the final destination.
  • Reserved - 32-bit field. Initialised to zero for transmission; ignored on reception.
  • Address[1...n] - Vector of 128-bit addresses, numbered 1 to n (n = Hdr Ext Len / 2). Multicast addresses must not appear in the vector or in the IPv6 Destination Address field of a packet carrying a Type 0 Routing Header.
39
Q

Why was Routing Header type RH0 deprecated?

A
  • It was considered dangerous for the Internet because it can be used to amplify traffic and flood a remote path or link. An attacker lists the same two addresses alternately in the Address vector, so the packet bounces back and forth over the link between those two nodes until Segments Left reaches 0. The vector can hold dozens of addresses, so one packet crosses the same link many times and congestion is easy to cause.
  • Source routing also lets an attacker reach hosts through a node that address-based filters trust.
  • The mitigation is not to allow RH0: RFC 5095 deprecated it, and a node receiving a Type 0 Routing Header with Segments Left greater than 0 must discard the packet (returning ICMPv6 Parameter Problem); with Segments Left 0 the header is simply ignored.
40
Q

How can Extension Headers be used as an attack vector?

A
  • Some RA Guard (Router Advertisement Guard) implementations do not walk the whole IPv6 header chain, only the Next Header field of the basic header. If an attacker sets Next Header to an Extension Header (e.g. Destination Options) and places the ICMPv6 Router Advertisement behind it, RA Guard/RA filtering inspects the Extension Header and never reaches the RA it needed to block. RFC 7113 describes this evasion and requires RA Guard to parse the entire chain.
  • Fragment Headers work the same way: if the RA (or the rest of the chain) is in a later fragment, a per-packet filter cannot see it. Mitigations are to drop fragmented NDP packets (RFC 6980) and to require the whole header chain in the first fragment (RFC 7112).
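The header-chain walk that cards 14, 18 and 19 call for and the RA Guard comparison this card describes, as one added example (not code from the original deck). It walks the chain using the length rules of each Extension Header type, applies the RFC 8200 occurrence rules, flags a Type 0 Routing Header with Segments Left greater than 0, and then compares a naive RA Guard that reads only the basic header against one that inspects the whole chain. All packets are constructed inline; addresses, the PadN option and the zeroed RA body are illustrative.

```python
"""Added example: walk an IPv6 header chain the way a filtering device must,
apply the RFC 8200 occurrence rules, flag deprecated RH0, and compare a naive
RA Guard with a chain-aware one. Standard library only."""
import struct
import ipaddress

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH = 0, 43, 44, 50, 51
NO_NEXT_HEADER, DEST_OPTS = 59, 60
ICMPV6, ICMPV6_ROUTER_ADVERT = 58, 134
NAMES = {0: "HopByHop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
         60: "DestOpts", 135: "Mobility", 139: "HIP", 140: "Shim6"}


def walk_header_chain(pkt):
    """Return (chain, upper_proto, upper_offset, problems).

    chain: list of (ext_header_type, offset, length). upper_proto is None if the
    chain ends in ESP (opaque), No Next Header, or a non-first fragment."""
    chain, problems, counts = [], [], {}
    next_hdr, off = pkt[6], 40
    while True:
        if next_hdr == NO_NEXT_HEADER:
            return chain, None, off, problems
        if next_hdr not in NAMES:                # an upper-layer protocol (TCP, ICMPv6, ...)
            return chain, next_hdr, off, problems
        if next_hdr == ESP:                      # nothing past ESP is readable without the SA
            chain.append((ESP, off, len(pkt) - off))
            return chain, None, off, problems
        if off + 8 > len(pkt):
            problems.append("truncated %s header at offset %d" % (NAMES[next_hdr], off))
            return chain, None, off, problems
        counts[next_hdr] = counts.get(next_hdr, 0) + 1
        limit = 2 if next_hdr == DEST_OPTS else 1   # RFC 8200 section 4.1
        if counts[next_hdr] > limit:
            problems.append("%s appears %d times (max %d)" % (NAMES[next_hdr], counts[next_hdr], limit))
        if next_hdr == HOP_BY_HOP and off != 40:
            problems.append("Hop-by-Hop header not immediately after the basic header")
        if next_hdr == FRAGMENT:
            length = 8
        elif next_hdr == AH:
            length = (pkt[off + 1] + 2) * 4          # Payload Len is in 4-octet units minus 2
        else:
            length = (pkt[off + 1] + 1) * 8          # Hdr Ext Len excludes the first 8 octets
        if next_hdr == ROUTING and pkt[off + 2] == 0 and pkt[off + 3] > 0:
            problems.append("Type 0 Routing Header with Segments Left > 0 (deprecated, RFC 5095)")
        chain.append((next_hdr, off, length))
        if next_hdr == FRAGMENT and struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
            return chain, None, off + 8, problems   # non-first fragment: no upper-layer header here
        next_hdr, off = pkt[off], off + length


def naive_ra_guard(pkt):
    """The weak implementation: trusts the basic header's Next Header only."""
    if pkt[6] == ICMPV6 and pkt[40] == ICMPV6_ROUTER_ADVERT:
        return "drop", "router advertisement"
    return "permit", ""


def chain_aware_ra_guard(pkt):
    """RFC 7113 behaviour for a host-facing port: parse the full chain first."""
    chain, upper, off, problems = walk_header_chain(pkt)
    if problems:
        return "drop", "; ".join(problems)
    if upper == ICMPV6:
        if any(t == FRAGMENT for t, _, _ in chain):
            return "drop", "fragmented NDP/ICMPv6 (RFC 6980)"
        if off < len(pkt) and pkt[off] == ICMPV6_ROUTER_ADVERT:
            return "drop", "router advertisement behind %d extension header(s)" % len(chain)
    return "permit", ""


def build_ipv6(next_hdr, payload, src="fe80::1", dst="ff02::1", hop_limit=255):
    """Basic header with Version 6, Traffic Class and Flow Label 0, followed by payload."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


# Constructed samples. RA: type 134, code 0, zeroed checksum and body.
RA = bytes([ICMPV6_ROUTER_ADVERT, 0]) + b"\x00" * 14
DESTOPTS_PADN = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])             # 8-byte DestOpts holding one PadN
FRAG_FIRST = struct.pack("!BBHI", ICMPV6, 0, 0x0001, 0xDEADBEEF)  # offset 0, M=1
ADDR_A = ipaddress.IPv6Address("2001:db8::a").packed
ADDR_B = ipaddress.IPv6Address("2001:db8::b").packed
RH0 = bytes([6, 4, 0, 2]) + b"\x00" * 4 + ADDR_A + ADDR_B   # next=TCP, len=4 (40 bytes), type 0, 2 left

PLAIN_RA = build_ipv6(ICMPV6, RA)
HIDDEN_RA = build_ipv6(DEST_OPTS, DESTOPTS_PADN + RA)
FRAGMENTED_RA = build_ipv6(FRAGMENT, FRAG_FIRST + RA)
RH0_PING_PONG = build_ipv6(ROUTING, RH0 + b"\x00" * 20, src="2001:db8::1", dst="2001:db8::a")

if __name__ == "__main__":
    for name, pkt in [("plain RA", PLAIN_RA), ("RA behind DestOpts", HIDDEN_RA),
                      ("fragmented RA", FRAGMENTED_RA), ("RH0 ping-pong", RH0_PING_PONG)]:
        print("%-20s naive=%-6s chain-aware=%s" % (name, naive_ra_guard(pkt)[0], chain_aware_ra_guard(pkt)))
```

The naive guard drops the plain RA but permits the one behind a Destination Options header; the chain-aware guard drops both, drops the fragmented one on the RFC 6980 rule without needing to see the RA, and drops the RH0 packet because the walk itself reports the deprecated header.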
41
Q

True or False. From a security perspective it is preferred to disallow fragmented NDP packets.

A

True. This stops malicious ICMPv6 RA packets from bypassing RA Guard/RA Filtering (RFC 6980).
42
Q

What type of security issues can occur from the last fragment of a datagram not being sent?

A
  • The destination host waits for the final fragment while holding the other fragments in memory, consuming buffer space.
  • Enough such incomplete datagrams cause resource exhaustion (a DoS).
  • IPv6 mandates a reassembly timeout of 60 seconds from the arrival of the first fragment (RFC 8200 section 4.5): if the datagram is still incomplete, all its fragments are discarded and, if the first fragment was received, an ICMPv6 Time Exceeded (fragment reassembly time exceeded) is sent to the source.
43
Q

List different types of security threats that can be caused by packet fragmentation.

A
  • Overlapping Fragments
  • Last fragment not received
  • Atomic Fragments
44
Q

What security threats are caused by Atomic Fragments?

A
  • An atomic fragment is a packet carrying a Fragment Header with Fragment Offset 0 and M = 0, i.e. a packet "fragmented" into a single fragment (hosts used to generate them on receiving a Packet Too Big reporting an MTU below 1280).
  • It carries a Fragment Header that is not needed, giving an attacker an extra vector: someone who can learn or predict the Identification value can send overlapping fragments with the same ID so that the legitimate atomic fragment is discarded along with them.
  • RFC 6946 requires that atomic fragments be processed in isolation from any other fragments with the same Identification, and RFC 8021 deprecated generating them at all.
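A reassembler that applies the rules from cards 28 to 34 and cards 42 to 44, added here as an example that is not part of the original deck: overlapping fragments discard the whole datagram (RFC 5722), atomic fragments are handed up on their own (RFC 6946), a first fragment too small to hold a transport header is rejected, and incomplete datagrams expire 60 seconds after the first fragment (RFC 8200). The 8-byte minimum for a first fragment is a local policy assumption, and the clock is injected so the timeout can be driven in a test instead of waiting a minute.

```python
"""Added example: an IPv6 fragment reassembler with the RFC 5722 / 6946 / 8200
rules enforced. Standard library only; fragments are constructed inline."""
import struct

REASSEMBLY_TIMEOUT = 60.0      # seconds, RFC 8200 section 4.5
MIN_FIRST_FRAGMENT = 8         # local policy (assumption): enough to see transport ports


def parse_fragment_header(buf):
    """Next Header(8) | Reserved(8) | Fragment Offset(13) Res(2) M(1) | Identification(32)."""
    next_hdr, _reserved, off_m, ident = struct.unpack("!BBHI", buf[:8])
    return {"next_header": next_hdr, "offset": (off_m >> 3) * 8,  # field is in 8-octet units
            "more": off_m & 1, "id": ident}


def build_fragment(ident, offset,more, data, next_hdr=6):
    """Fragment Header followed by this fragment's slice of the original payload."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    return struct.pack("!BBHI", next_hdr, 0, ((offset // 8) << 3) | more, ident) + data


class Reassembler:
    def __init__(self, clock):
        self.clock = clock         # injected so the timeout can be driven in a test
        self.pending = {}          # (src, dst, id) -> {"first": t, "pieces": [(off, data)], "total": n}
        self.log = []              # (id, reason) for every discard or special case

    def _discard(self, key, reason):
        self.pending.pop(key, None)
        self.log.append((key[2], reason))

    def expire(self):
        """Drop every datagram whose last fragment has not arrived within the timeout."""
        for key, st in list(self.pending.items()):
            if self.clock() - st["first"] >= REASSEMBLY_TIMEOUT:
                self._discard(key, "timeout: last fragment never arrived")

    def feed(self, src, dst, frag):
        """Accept one fragment; return the reassembled payload once complete, else None."""
        self.expire()
        fh, data = parse_fragment_header(frag), frag[8:]
        key = (src, dst, fh["id"])
        if fh["offset"] == 0 and fh["more"] == 0:
            # RFC 6946: an atomic fragment is a complete datagram. Never merge it with
            # queued pieces that happen to share its Identification.
            self.log.append((fh["id"], "atomic fragment processed in isolation"))
            return data
        if fh["offset"] == 0 and len(data) < MIN_FIRST_FRAGMENT:
            self._discard(key, "tiny first fragment (%d bytes)" % len(data))
            return None
        st = self.pending.setdefault(key, {"first": self.clock(), "pieces": [], "total": None})
        lo, hi = fh["offset"], fh["offset"] + len(data)
        for p_lo, p_data in st["pieces"]:
            if lo < p_lo + len(p_data) and p_lo < hi:
                # RFC 5722: any overlap at all means the whole datagram is dropped.
                self._discard(key, "overlapping fragment at offset %d" % lo)
                return None
        if st["total"] is not None and hi > st["total"]:
            self._discard(key, "fragment extends past the final fragment")
            return None
        st["pieces"].append((lo, data))
        if fh["more"] == 0:
            st["total"] = hi
        if st["total"] is None:
            return None
        st["pieces"].sort()
        covered = 0
        for p_lo, p_data in st["pieces"]:
            if p_lo != covered:
                return None                        # a hole remains; keep waiting
            covered += len(p_data)
        if covered != st["total"]:
            return None
        del self.pending[key]
        return b"".join(d for _, d in st["pieces"])


class ManualClock:
    """Constructed stand-in for time.monotonic so the 60 s timeout can be exercised."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock, r = ManualClock(), Reassembler(clock)
    S, D = "2001:db8::1", "2001:db8::2"
    print(r.feed(S, D, build_fragment(1, 0, 1, b"A" * 16)))      # None: still waiting
    print(r.feed(S, D, build_fragment(1, 16, 0, b"B" * 5)))      # complete datagram
    r.feed(S, D, build_fragment(2, 0, 1, b"A" * 16))
    r.feed(S, D, build_fragment(2, 8, 0, b"X" * 8))              # overlaps -> whole datagram dropped
    r.feed(S, D, build_fragment(3, 0, 1, b"A" * 16))
    clock.now = 61.0
    r.expire()                                                   # id 3 times out
    print(r.log)
```

Note that the overlap test rejects even a fragment that merely duplicates bytes already received; RFC 5722 made that the required behaviour precisely because "same bytes, so harmless" is what IDS-evasion tools exploit, and an end host should not be more permissive than its firewall.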
45
Q

What are the methods of generating the IID part of an IPv6 address via SLAAC?

A
  • Modified EUI-64 - Generates a static IID from the interface's MAC address (flip the universal/local bit, insert fffe in the middle). Because it never changes, it enables location tracking, correlation of a host's activity across networks, and easy address guessing.
  • Privacy Extensions (RFC 4941) - Precursor to the current Temporary Addresses. Generated in addition to the stable SLAAC address, so the stable address can still be tracked; they only make it harder to link outgoing browsing activity to the host.
  • Semantically Opaque IID (RFC 7217, the default for SLAAC) - A random-looking IID derived from a secret key and the network prefix, so it is stable while on a given network but different on every network: the stability of EUI-64 with far better privacy than a tracked static address.
  • Temporary Address Extensions - Short-lived addresses that change over time, typically used for outgoing connections.
46
Q

How can an attacker guess your IID?

A
  • EUI-64 IIDs have the first 24 bits set to the manufacturer's OUI (with the U/L bit flipped) and the next 16 bits to fffe, so only 24 bits are unknown, and those are often sequential within a purchase batch.
  • Manually configured ("low-byte") addresses have most IID bits set to 0 apart from the last byte or two.
  • Some IPv6 addresses embed an IPv4 address in the IID.
  • Some embed the port number of the service the host runs (e.g. ::80, ::443).
  • Some spell out words using the hexadecimal letters a-f (e.g. ::dead:beef).
  • If addresses are assigned sequentially (e.g. by DHCPv6), knowing one lets you guess the rest.
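Worked example for the IID generation methods in card 45 and the guessable patterns in this card, added here and not part of the original deck. It derives a Modified EUI-64 IID from a MAC, recovers the MAC from such an address, classifies an address's IID into the patterns listed above, and generates an RFC 7217 semantically opaque IID. The MAC, prefixes, interface name, network identifier, secret key and the list of "commonly embedded" ports are constructed assumptions; the HMAC-SHA-256 construction is one valid instance of the RFC 7217 function F(), not the only one.

```python
"""Added example: Modified EUI-64 derivation, IID pattern classification and an
RFC 7217 stable-opaque IID. Standard library only; inputs are constructed."""
import hashlib
import hmac
import ipaddress
import struct

COMMON_PORTS = {"22", "25", "53", "80", "443", "8080"}   # assumption: ports people embed


def modified_eui64_iid(mac):
    """MAC-48 -> 64-bit IID: flip the universal/local bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix, iid):
    """Join a /64 prefix with an 8-byte IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def stable_opaque_iid(prefix, net_iface, network_id, secret_key, dad_counter=0):
    """One instance of RFC 7217's F(): HMAC-SHA-256 over prefix, interface, network
    identifier and DAD counter, keyed with a per-host secret, truncated to 64 bits.
    Same inputs give the same IID (stable on one network); a new prefix gives a new one."""
    net = ipaddress.IPv6Network(prefix)
    msg = (net.network_address.packed[:8] + net_iface.encode() + network_id.encode()
           + struct.pack("!I", dad_counter))
    return hmac.new(secret_key, msg, hashlib.sha256).digest()[:8]


def classify_iid(addr):
    """Return (pattern, detail) for the IID of addr; 'random' means no known pattern."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    groups = [iid[i:i + 2].hex() for i in range(0, 8, 2)]
    if iid[3:5] == b"\xff\xfe":                          # EUI-64: recover the MAC
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        return "eui64", ":".join("%02x" % b for b in mac)
    words = [g for g in groups if g != "0000"]
    if words and all(set(g) <= set("abcdef") for g in words):
        return "wordy", ":".join(words)
    if iid[:4] == b"\x00" * 4 and iid[4] != 0:
        return "ipv4-embedded", str(ipaddress.IPv4Address(iid[4:]))
    if iid[:6] == b"\x00" * 6 and groups[3].lstrip("0") in COMMON_PORTS:
        return "service-port", groups[3].lstrip("0")
    if int.from_bytes(iid, "big") < 0x10000:
        return "low-byte", groups[3].lstrip("0")
    return "random", ""


if __name__ == "__main__":
    prefix = "2001:db8:1::/64"
    print("EUI-64:", slaac_address(prefix, modified_eui64_iid("00:1b:21:3c:4d:5e")))
    print("opaque:", slaac_address(prefix, stable_opaque_iid(prefix, "eth0", "office-wifi",
                                                               b"constructed-secret")))
    for a in ["2001:db8:1:0:21b:21ff:fe3c:4d5e", "2001:db8::1", "2001:db8::443",
              "2001:db8::c0a8:102", "2001:db8::dead:beef", "2001:db8::5c2f:1a88:9e3b:7d41"]:
        print(a, classify_iid(a))
```

The classifier is a scanning heuristic, not a proof: "wordy" and "ipv4-embedded" can collide (dead:beef is also a valid IPv4 address in hex), so the checks are ordered by how often each pattern is deliberately chosen rather than by certainty.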
47
Q

What is the point of IPv6 embedded IPv4 addresses?

A
  • To let IPv6 nodes interwork with IPv4 nodes during the IPv4-to-IPv6 transition (e.g. IPv4-mapped addresses, the NAT64 well-known prefix 64:ff9b::/96).
  • Used by 6to4 (2002::/16) and similar tunnels, where the IPv4 endpoint address embedded in the IPv6 address tells the tunnel router where to send the IPv6 packet encapsulated in IPv4.
48
Q

What are some methods you can use to determine a network prefix?

A
  • Common patterns used when assigning /64 blocks from a larger prefix. The organisation's larger allocation can usually be found online (whois/RIR databases, BGP route collectors).
  • Direct DNS resolution - Resolving a single AAAA record reveals one address and therefore its /64.
  • Reverse DNS - Walking the ip6.arpa tree for a larger prefix shows which addresses have PTR records; only the prefixes that resolve to something need further scanning, the rest are probably unused.
  • traceroute6 - The router addresses along a path reveal the prefixes in use at each hop.
49
Q

Tips for making it difficult for attackers to know your IPv6 address and/or network prefix.

A
  • Use random or otherwise hard-to-guess IIDs. Static IIDs can be generated as Semantically Opaque IIDs (the SLAAC default); dynamic ones with Temporary Address Extensions.
  • Use a DHCPv6 server that assigns randomly from a large pool rather than sequentially.
  • Use a mechanism (e.g. IDS/IPS) to detect scanning patterns.
  • Packet filtering at the network edge.
  • Ensure routing information (e.g. internal prefixes in traceroute output or DNS zone transfers) is not leaked.