Unit 3 - Associated IPv6 Protocol Security Flashcards

(100 cards)

1
Q

What are the four basic ICMPv6 messages used specifically for errors?

A
  • Destination Unreachable
  • Packet Too Big
  • Time Exceeded
  • Parameter Problem
2
Q

What is the General ICMPv6 packet format?

A
  • Type - 8 bits - Identifies the ICMPv6 message type which determines the format of the remaining data.
  • Code - 8 bits - Gives more specific information within each type
  • Checksum - 16 bits - Allows for detection of data corruption
  • Message Body - Content depends on Type.
3
Q

What field is specific to the Packet Too Big ICMPv6 message packet?

A
  • MTU - Contains the size of the link in bytes that was not big enough for the IPv6 packet.
4
Q

What does the body of the Packet Too Big and Parameter Problem ICMPv6 message contain?

A
  • As much of the packet that caused the ICMPv6 message as possible, without causing the ICMPv6 message to exceed the minimum IPv6 MTU (1280 bytes).
5
Q

What field is specific to the Parameter Problem ICMPv6 message packet?

A
  • Pointer - Indicates the byte offset, within the IPv6 packet that caused the message, at which the error was detected.
6
Q

What extra fields does the Extended Format ICMPv6 header contain?

A
  • Extension Structure - Contains more information added to the end of the ICMPv6 message after the Original Datagram bytes.
  • Length - Information about the length of the Original Datagram that caused the error.
7
Q

What are the error codes for the ICMPv6 Destination Unreachable error message?

A

0 - No route to destination
1 - Communication with destination administratively prohibited
2 - Beyond scope of source address
3 - Address unreachable
4 - Port unreachable
5 - Source address failed ingress/egress policy
6 - Reject route to destination
7 - Error in source routing header

8
Q

What are the error codes for the ICMPv6 Packet Too Big error message?

A

0 - Packet too big

9
Q

What are the error codes for the Time Exceeded error message?

A

0 - Hop limit exceeded in transit
1 - Fragment reassembly time exceeded

10
Q

What are the error codes for the ICMPv6 Parameter Problem error message?

A

0 - Erroneous header field encountered
1 - Unrecognized next header type
2 - Unrecognized IPv6 option
3 - IPv6 first fragment has incomplete header chain

11
Q

Are MLD and NDP examples of ICMPv6 error messages or informational messages?

A

Informational

12
Q

What is MLD?

A
  • Multicast Listener Discovery
  • Allows IPv6 routers to list multicast addresses subscribed to by IPv6 multicast listeners (nodes wishing to receive specific multicast communications) on directly attached links. Also allows discovery of the nodes themselves.
  • Helps to ensure that multicast traffic is not being sent to nodes that don’t want it.
  • Required by NDP.
  • Each time a node joins a multicast group, it sends MLD Report messages on the link specifically for Solicited Node Multicast Addresses.
13
Q

True or False. ICMPv6 error messages are allowed in response to Multicast traffic.

A

False.

Allowing ICMPv6 error messages may allow for Host Discovery and Amplification Attacks.

14
Q

True or False. You shouldn’t send Echo Replies to Echo Requests when the requests come from Multicast addresses.

A

True.

This can be an indicator of smurf attacks.

15
Q

What happens if an ICMPv6 informational message of unknown type is received?

A

It is discarded. This stops ICMPv6 from being used to discover hosts.

16
Q

When should an ICMPv6 error message not be sent as a response, specifically for security?

Also under what circumstances can these be overruled?

A
  • When the initial IPv6 packet that caused the error is destined for an IPv6 multicast address.
  • When the initial IPv6 packet was sent as a link-layer multicast or link-layer broadcast
  • When the initial packet’s source address does not uniquely identify a single node. For example, if the source address is an IPv6 Unspecified Address, IPv6 multicast address, or an address known to be an IPv6 anycast address.

These can be overruled when:
- The response error is a Packet Too Big error to allow path MTU discovery for multicast.
- The response error is a Parameter Problem error reporting an unrecognised IPv6 option that has the Option Type highest-order two bits set to 10.

17
Q

True or False. IPv6 nodes that originate error messages should rate limit the error messages.

A

True.

18
Q

What are the uses for NDP?

A
  • Discovery of routers, prefixes, and network parameters (e.g. MTU and default hop limit) on a link
  • DAD
  • MAC address resolution
  • Address autoconfiguration
  • NUD (Neighbor Unreachability Detection) which proactively checks if an already known neighbor is still reachable.
19
Q

What is a Neighbor Cache?

A
  • A table used in IPv6 that contains information about neighbors to which the node has recently sent traffic.
  • It contains the neighbor’s on-link IPv6 unicast address, the MAC address, an indication of if the neighbor is a router or not, the expiration time of the information, and other information.
  • Similar to IPv4 ARP table with more info.
20
Q

What is an NDP NS message?

A
  • Neighbor Solicitation
  • Resolves a neighbor’s MAC address as part of Address Resolution and DAD.
  • Destination is unicast
21
Q

What is an NDP NA message?

A
  • Neighbor Advertisement
  • Answers an NS message, except in the case of an unsolicited NA, which is sent when new information needs to be propagated quickly.
22
Q

What is an NDP RS message?

A
  • Router Solicitation
  • Used to discover if there is a router on the link.
  • Destination is ff02::2, the multicast address defined for all routers on a link.
23
Q

What is an NDP RA message?

A
  • Router Advertisement
  • Can be sent unsolicited to inform the hosts in the network periodically about network information and parameters
24
Q

What is an NDP Redirect message?

A
  • Change routing entries on hosts to send all or part of the traffic to another gateway.
25
Q

List NDP security considerations

A
- NDP messages should have a Hop Limit of 255. If the value is different, the message should be discarded.
- All NDP-based attacks need local access to the network by the attacker.
- The NDP specification mentions IPsec as a possible security solution, but in practice it is not used. This is because of its complexity and the need for a PKI (Public Key Infrastructure), which is not widely used.
- SEND (Secure Neighbor Discovery) was implemented in order to provide a solution to NDP security vulnerabilities. It has been standardised but is not widely used.
26
Q

What is NA/NS spoofing?

A
- A form of attack in which the attacker sends either:
  - An NS with a changed/wrong source link-layer option (the option that contains the sender's MAC address).
  - A changed/wrong target link-layer option (the option that contains the target's MAC address).
- Can be used for redirection and DoS attacks.
- Limited duration: once the neighbor cache entry expires, the bad information is discarded, so the attacker needs to continuously reply with the bad information.
- Requires local network access.
- If the attacker sends a MAC address not present on the network, all traffic sent to that MAC will be blackholed, causing a DoS.
27
Q

What is NUD failure?

A
- Neighbor Unreachability Detection failure.
- An attacker waits for an NS sent for NUD purposes and responds with an NA containing its own MAC address or an incorrect MAC address.
- Like NA/NS spoofing, this requires local network access, and NAs need to be continuously sent to keep the bad record in the legitimate user's neighbor cache.
28
Q

What is a DAD DoS attack?

A
- An attacker listens for NSs sent for DAD purposes and responds that the address is already in use, even when it legitimately isn't. If the attacker does this for every address the legitimate user attempts to configure, it causes a DoS since the legitimate user won't be able to configure any address.
29
Q

List examples of FHS (First Hop Security)

A
- RA-Guard
- DHCPv6 Guard/DHCPv6 Shield
- IPv6 Snooping (ND inspection and DHCPv6 Snooping)
- IPv6 Source/Prefix Guard
- IPv6 Destination Guard (or ND resolution rate limiting)
- MLD Snooping
30
Q

What is IPv6 Snooping?

A
- Analyses control and data traffic going through the switch.
- Inspects NDP, DHCPv6, and other IPv6 messages.
- Uses IP and MAC addresses seen on each interface to create a binding table that contains a record of MAC and IP addresses per switch port. Any NA/NS messages that don't match an already trusted binding are dropped.
- Can be used to defend against IP spoofing such as spoofed NA messages.
31
Q

What is IPv6 Source/Prefix Guard?

A
- Uses the binding table created by IPv6 Snooping to validate the source address of IPv6 traffic sourced from a particular link.
- Can be used to defend against IP spoofing.
32
Q

List NDP RS/RA threats

A
- Malicious Last Hop Router
- Bogus On-Link Prefix
- Bogus Address Configuration Prefix
- Parameter Spoofing

These are all examples of Rogue Router Advertisement vulnerabilities.
33
Q

What is a Malicious Last Hop Router attack?

A
- Uses rogue RA messages to achieve redirection or DoS.
- An attacker on the link masquerades as a router and attempts to become the default gateway of the network.
- If accepted, the attacker can send Redirect messages and make it appear to hosts as if the traffic is still flowing.
- This attack can be improved upon by spoofing the RA messages that a legitimate router may be sending and giving them a lifetime of 0. This indicates that the router is disconnecting from the link and hosts should no longer use it.
- The attacker must send RAs periodically and respond to all RS messages.
34
Q

What is a Bogus On-Link Prefix attack?

A
- Uses rogue RA messages to achieve DoS.
- Every IPv6-enabled device has, for each interface, a list of prefixes used on the link it is connected to. This list is used to determine the next hop when sending a packet: if the destination is part of any of the listed prefixes, the device determines it does not need a router to send the traffic, as the destination is on the same link.
- An attacker can cause a DoS by using an RA to advertise that a prefix is on-link when it isn't actually on the link.
35
Q

What is a Bogus Address Configuration Prefix attack?

A
- Uses rogue RA messages to achieve DoS.
- An on-link attacker sends an RA including a prefix that does not exist on the link, for address autoconfiguration, with all the necessary flags.
- A host can use SLAAC to configure an address with this prefix, and as the address is not advertised as part of that link, return packets could never reach the host.
36
Q

What is a Parameter Spoofing attack?

A
- Uses rogue RA messages to achieve DoS.
- An attacker sends RAs that are duplicates of a legitimate router's RAs except with different parameters meant to disrupt traffic.
- An example of this is a false low default hop limit, which can stop a device from sending traffic to its destination because its packets cannot travel far enough.
- Another example would be setting the M and O flags to 1. This would trigger the host to use DHCPv6 to obtain its IP configuration, which can be used in conjunction with a bogus DHCP server/relay.
37
Q

List solutions to rogue RA attacks

A
- Link Monitoring
- SEND (Secure Neighbor Discovery)
- Manual Configuration
- Host-Based Packet Filters
- Router Preference Option
- ACLs on Managed Switches
- RA Snooping on Switches
38
Q

How is Link Monitoring used to protect against rogue RAs?

A
- A link monitoring tool can know what a legitimate router's link-local/MAC addresses are and verify that RAs coming from those addresses are legitimate.
- Some link monitoring tools will only notify when rogue RAs are detected, but some tools can actively stop these attacks, for example by resending the rogue RA to affected devices with a lifetime of 0.
39
Q

Examples of Link Monitoring tools used to avoid rogue RAs

A
- 6MoNPlus
- NDPmon
- 6GUARD
- RAMOND
40
Q

What is SEND?

A
- Secure Neighbor Discovery
- Designed to be used on the local link to secure NS/NA/RS/RA messages.
- Generally not used due to lack of availability, and it requires a more complex setup.
41
Q

How does Default Router Preference solve the issue of Rogue RAs?

A
- A router sending RAs with a higher preference will be preferred by hosts.
- Malicious RAs would have to be using a lower preference for this to work.
42
Q

What is RA-Guard?

A
- Used as a solution to rogue RAs.
- Specifies ports that rogue RAs should be received on.
- Stateless RA-Guard means that decisions are based on examination of received RAs or on switch configuration.
- Stateful RA-Guard means that the switch dynamically learns what port(s) the legitimate router(s) are connected to and allows RAs to be received from these authorised sources.
43
Q

True or False. RA-Guard can be circumvented.

A

True. Extension Headers (particularly Fragment Headers) can be used if a particular implementation of RA-Guard does not check the entire header chain to identify the RA message and instead only checks the 'Next Header' field.
44
Q

What is a Spoofed Redirect Message attack?

A
- Requires access to the link.
- The goal is to introduce a malicious route into a host's routing table.
- Could be used for a DoS attack or a redirect attack.
- The attacker needs to consistently respond to the NUD checks from the legitimate host.
- The attacker sends ICMPv6 Redirect packets to the host advising that traffic to an already known destination (e.g. the host's default gateway) should actually be sent to the attacker. The attacker could then perform a redirect attack (inspect and forward the traffic to the correct destination) or a DoS attack.
- Can be avoided by not allowing ICMPv6 Redirects on your network.
45
Q

True or False. It is ok to accept ICMPv6 Redirect messages.

A

True. However, it is recommended to not accept them.
46
Q

What is a Neighbor Discovery DoS Attack?

A
- Can be made from outside the local network.
- The goal is to block legitimate traffic on the target network by filling up the target router's Neighbor Cache in order to perform a DoS.
- Can be avoided with IPv6 Destination Guard or by limiting the number of neighbors that can be cached for each interface.
47
Q

What is IPv6 Destination Guard?

A
- Also known as ND Resolution Rate Limiter.
- Validates the destination address of IPv6 traffic reaching the link. If the destination address belongs to a directly connected link but doesn't exist in the neighbor cache, then address resolutions are rate limited.
48
Q

What is MLD Snooping?

A
- A First Hop Security technology.
- Allows Multicast traffic only on certain interfaces.
49
Q

MLDv1 vs MLDv2

A
- MLDv2 is mandatory, MLDv1 is not. However, if a device on a link is using MLDv1, all other devices on that link must use MLDv1.
- MLDv2 has 2 messages whereas MLDv1 has 3.
- MLDv2 allows source-specific multicast addresses. MLDv1 does not.
- MLDv2 allows multicast address filtering. MLDv1 does not.
50
Q

What is MLDv1?

A
- Not mandatory.
- Has 3 message types and some subtypes:
  - Multicast Listener Query (ICMPv6 Type 130)
    - General Query - Used by a router to learn which multicast addresses have listeners on an attached link. Sent to FF02::1.
    - Multicast Address Specific Query - Used by a router to learn if a specific multicast address has any listeners attached on a link. Sent to the specific multicast address.
  - Report Message (ICMPv6 Type 131) - Sent to a specific multicast address two or more times to be sure of delivery by all IPv6 nodes when joining a multicast address group, specifically for Solicited Node Multicast addresses. Listeners report themselves either as an answer to a Query or as a result of joining a Multicast address group.
  - Done Message (ICMPv6 Type 132) - Sent by listeners to FF02::2 when they want to leave a multicast address group.
51
Q

What is MLDv2?

A
- Mandatory for all IPv6 nodes, as opposed to MLDv1. However, MLDv1 and MLDv2 can coexist because the presence of an MLDv1 node on a link causes all other devices to operate in MLDv1 mode.
- Extends MLDv1 by allowing Source-Specific Multicast, which allows listeners to report interest in specific sources of multicast traffic.
- Has two types of filters:
  - Include Filter - A node indicates a multicast group and a list of senders for the group from which it wishes to receive traffic.
  - Exclude Filter - A node indicates a multicast group and a list of senders from which it wishes to exclude multicast traffic. This filter is used rarely, and there is a version of MLDv2 called 'Lightweight MLDv2' that omits this filter completely.
- Has 2 types of messages and some subtypes:
  - Multicast Listener Query (ICMPv6 Type 130)
    - General Query - The router periodically queries all multicast addresses that have listeners on a link. Sent to FF02::1.
    - Multicast Address Specific Query - Used by a router to learn if a specific multicast address has any listeners attached on a link. Sent to the specific multicast address. Sent in response to State Change Reports and not Current State Reports.
    - Multicast Address and Source Specific Query - Sent to find out whether any of the sources from the specified list for a particular multicast address has any listeners on the link. Sent in response to State Change Reports and not Current State Reports.
  - V2 Multicast Listener Report (ICMPv6 Type 143) - Sent to FF02::16 (link-scope all MLDv2-capable routers) two or more times to be sure of delivery by all MLDv2 IPv6 nodes when joining a multicast address group, specifically for the Solicited Node Multicast addresses (State Change Report), or as an answer to a Query message (Current State Report). Another MLDv2 Report is also sent by all IPv6 nodes when they cease to listen to a multicast address on an interface.
52
Q

What makes MLD useful to an attacker?

A
- All queries received on any unicast or multicast address must be responded to.
- To use MLDv2, all nodes must use MLDv2. A single MLDv1 node on the link causes all nodes to use MLDv1.
- Some Operating Systems join specific multicast addresses that can be used as identifiers. For example, Windows uses FF02::1:3 for LLMNR (Link-Local Multicast Name Resolution), so attackers can use this to identify a Windows device.
53
Q

List threats associated with MLD

A
- Flooding of MLD messages
- Traffic amplification
- Network scanning
54
Q

What is the threat of flooding MLD messages?

A
- RAM and CPU overconsumption causing a DoS
55
Q

How can you mitigate the effects of attacks caused by flooding MLD messages?

A
- Limit the amount of memory available to process MLD messages in the router. Also known as limiting the number of MLD states.
- Limit the rate of processed MLD messages in hardware.
- You can also disable MLD altogether, but this is not advised. Even the limits above can cause issues since they can limit the number of multicast joins.
56
Q

What is the threat of MLD Traffic Amplification?

A
- An attacker can send General Query messages, with the router's address spoofed as the source address, to all hosts in the network. Report messages will then be sent back to the legitimate router for each multicast address the hosts have configured.
57
Q

How can you mitigate the effects of attacks caused by flooding MLD messages?

A
- Rate limiting MLD messages on the router.
- Disable MLD query functionality so the router does not need to process the Report messages. This functionality is only required if Multicast routing is being used.
58
Q

What is the threat of MLD Network Scanning?

A
- Passive network scanning means sniffing MLD messages on the link and trying to identify hosts, routers, and specific operating systems, for example.
- Active network scanning means sending Query messages and listening to the Report messages.
59
Q

List built-in MLD security features

A
- All messages should be sent with a hop limit of 1, so MLD messages cannot leave the link.
- Link-local addresses should be used as source addresses, protecting against MLD messages sent from outside the link.
- MLD messages should include a 'Router Alert' option in a Hop-by-Hop extension header. This is necessary for routers to examine MLD messages sent to multicast addresses in which the routers themselves have no interest.
- Messages that don't comply with the above should be discarded.
60
Q

What is MLD Snooping?

A
- A mechanism implemented on switches that restricts multicast traffic to the switch ports that have listeners. These are hosts that have sent a Report stating that they want to receive multicast traffic for a specific multicast address.
- Technically breaks the conceptual OSI model, since layer 2 devices inspect layers 3 and 4 for information.
- Does not protect against threats; it just optimises the amount of multicast traffic seen on the network.
61
Q

How can you make MLD secure at the switch?

A
- Configure the switch using ACLs to only accept MLD Query messages on a port connected to a router.
62
Q

How can you make MLD secure at the router?

A
- Rate limiting the number of Report messages accepted from hosts. Protects against resource exhaustion.
- Disabling MLD on a router that is not used for multicast routing.
63
Q

True or False. IPv4 and IPv6 DNS have the same vulnerabilities and security solutions.

A

True.
64
Q

List methods of attack using DNS in IPv6

A
- Becoming the victim's DNS server
65
Q

How can an attacker become the victim's DNS server?

A
- NDP Threats - If the legitimate DNS server is on the link, the attacker can poison the victim's neighbor cache to make it appear as if the attacker is the legitimate DNS server. If the legitimate DNS server is outside the link, DNS queries will be sent to the default gateway first; the attacker could perform a MITM attack on traffic to or from the gateway.
- Autoconfiguration - Using SLAAC, the attacker can send RA messages with the RDNSS (Recursive DNS Server) option containing the IPv6 address of the attacker's DNS server. Using DHCPv6, the attacker can send DHCPv6 messages listing the attacker's DNS server as the DNS server.
66
Q

What issues can an attacker cause by becoming the host's DNS server?

A
- DoS
- Answering DNS queries falsely and sending the customer to the wrong, potentially malicious, destination
- Forwarding DNS queries to the legitimate DNS server to perform a MITM attack
67
Q

What is a Service Hijack?

A
- An attacker initially answers DNS queries with fake answers after making themselves the host's DNS server. Based on the destinations the host attempts to reach, the attacker can then respond to other services. E.g. it can respond to HTTP and HTTPS requests based on the website the host is attempting to reach.
68
Q

What is a Service DoS Attack?

A
- An attacker becomes a host's DNS server and answers DNS queries with addresses that will not answer the host's requests for services.
69
Q

List name resolution protocols other than DNS

A
- DNS-SD - DNS Service Discovery
- mDNS - Multicast DNS
- LLMNR - Link Local Multicast Name Resolution
70
Q

What is DNS-SD?

A
- DNS Service Discovery
- A mechanism that hosts can use to automatically discover instances of services available on a network. Attackers can use it to impersonate real services, for traffic amplification, and to find devices and services.
71
Q

What is mDNS?

A
- Multicast DNS
- Using multicast allows DNS-like name resolution on the local link. It's based on DNS with some differences. The attacker can wait for queries and try to answer them with its own IP address (MITM) or a wrong one (DoS).
72
Q

What is LLMNR?

A
- Link Local Multicast Name Resolution
- A protocol used to resolve domain names, in the scope of a link, when no DNS resolution is available. Based on DNS, it uses multicast addresses. An attacker can answer queries with wrong information to produce a DoS or MITM attack.
- Microsoft's proprietary equivalent of mDNS.
73
Q

Similarities between DHCPv4 and DHCPv6

A
- Use a client-server model
- Use UDP
- Can use a relay between a client and a server if there is no DHCP server in the same broadcast domain as the host.
74
Q

Differences between DHCPv6 and DHCPv4

A
- DHCPv6 doesn't provide a default gateway.
- DHCPv6 uses port 546 for clients and 547 for servers/relays. DHCPv4 uses port 68 for clients and 67 for servers.
- DHCPv6 uses a DUID (DHCP Unique ID) instead of the MAC address to identify servers and clients.
- DHCPv4 message names are different compared to DHCPv6.
- DHCPv6 can delegate IPv6 prefixes (DHCPv6-PD).
75
Q

What are the DHCPv6 messages and what are their DHCPv4 equivalents?

A
- Discovery (v4) - Solicit (v6) - A client attempts to locate DHCP servers.
- Offer (v4) - Advertise (v6) - A server indicates that it is providing DHCP services in response to a Solicit.
- Request (v4) - Request (v6) - A client requests configuration parameters.
- Acknowledge (v4) - Reply (v6) - Sent by a server in response to a Solicit, Request, Renew, Information, or Rebind message with configuration parameters; or in response to a Confirm message, either confirming or denying that the address(es) assigned to the client are appropriate for the link the client is on; or to acknowledge receipt of a Release or Decline message.
76
Q

List all DHCPv6 message names

A
- Confirm
- Renew
- Rebind
- Release
- Decline
- Reconfigure
- Relay-Forward
- Relay-Reply
77
Q

List DHCPv6 multicast addresses

A
- FF02::1:2 - All DHCP Relay Agents and Servers - Servers and relays listen on this link-local scope multicast address. It is used by the client to reach a server or relay.
- FF05::1:3 - All DHCP Servers - Servers listen on this site-local scope multicast address. It is used by relays to reach servers within the site, but a relay will use the server's unicast address if it doesn't use this multicast address.
78
Q

How can an attacker trigger hosts to use DHCPv6 on a network?

A
- The first option is to send an RA with the M flag set to 1 (which overrides the value of the O flag). This indicates to hosts that they can get DHCPv6 information and other parameters such as DNS from the attacker. The attacker will then respond to these queries.
- The second option is to send an RA with the O flag set to 1 so that the host attempts to use the attacker to autoconfigure its DNS server and/or other parameters. The attacker will respond as a stateless DHCPv6 server.
79
Q

What do the IPv6 M and O flags indicate?

A
- If the M flag is 1 then the O flag is redundant and can be ignored.
- M = 0 and O = 0 - No information is available via DHCPv6.
- M = 0 and O = 1 - Information other than addressing is available via DHCPv6, for example DNS.
- M = 1 and O = 1 - Addressing information is available via DHCPv6.
80
Q

How does DHCPv6 work when a relay is involved?

A
- The relay will commonly use unicast source and destination addresses for communication with the server.
- The relay will send an R-F (Relay-Forward) message to the server with the client's original request encapsulated in an option inside.
- The server will respond to the relay with an R-R (Relay-Reply) message with its response encapsulated in an option inside. The relay extracts this and sends it to the client.
81
Q

True or False. It is just as safe to use multicast for Solicit and Request messages as it is to use Unicast.

A

False. Using Multicast destination addresses makes the Solicit and Request messages visible to all hosts on a link.
82
Q

What messages are required for stateless DHCPv6?

A
- Information-Request - Sent by the client
- Reply - Sent by the relay/server
83
Q

Explain DHCPv6 address allocation strategies

A
- Iterative Allocation - Addresses are allocated sequentially one by one. This is faster and easier but makes addresses easier to guess, since once you know one address you can easily guess the other ones.
- Identifier-Based Allocation - Addresses are allocated based on a fixed identifier for each client, usually resulting in the same client getting the same address any time it uses the same server. This makes it easier to track the activity of that client.
- Hash Allocation - An extension of Identifier-Based Allocation, but instead of using the identifier directly it is hashed first. If implemented correctly this stops the identifier being disclosed, which reduces the impact of address scanning and OS/Vendor discovery. Not fully bulletproof.
- Random Allocation - The server picks an address pseudorandomly out of a pool. Also stops returning clients from getting the same address or prefix again. This is useful from a privacy perspective since addresses and prefixes generated this way are not susceptible to correlation attacks, OS/Vendor discovery, or identity discovery.
84
Q

What is a Rogue DHCPv6 Server?

A
- An attacker listens for DHCP requests on a link and answers as if it were a legitimate server. The attacker succeeds if its replies reach the host before the legitimate server's.
- Can be used for DNS Spoofing, giving the host a fake IPv6 address that will likely cause a DoS, or any other potential attack using DHCPv6 options, such as an incorrect NTP server address.
85
Q

True or False. Rogue DHCPv6 can be used to send a false default gateway.

A

False. DHCPv6 is not used to configure the default gateway.
86
Q

What is a DHCPv6 Exhaustion attack?

A
- Can be used to make it more likely that a Rogue DHCPv6 server attack succeeds, by ensuring the legitimate DHCPv6 server has no addresses to give.
- The attacker will send lots of requests to a legitimate DHCPv6 server for different IP addresses.
- This attack makes more sense in IPv4, since in IPv6 there are significantly more addresses to exhaust.
87
Q

What methods can an attacker use to become a Rogue DHCPv6 server?

A
- Simple Attack - The basic attack, in which the attacker sends Advertise messages and answers Solicit requests from clients. The first Advertise message to arrive at a client determines what DHCPv6 server the client will use.
- DHCP Reply Injection - The rogue DHCPv6 server listens for DHCPv6 message exchanges and, before the legitimate server can send a Reply, the attacker sends one with its own parameters.
88
Q

True or False. It is recommended to enable IPSec ESP in Transport Mode for relay-to-relay and relay-to-server communication for DHCPv6.

A

True. This means the messages can be authenticated and encrypted, protecting from hijacking, tampering, or eavesdropping. This won't protect from attacks on the link.
89
Q

What is Secure DHCPv6?

A
- A mechanism that uses public key cryptography to protect end-to-end communication between DHCPv6 clients and servers.
- Provides encryption in all cases and can be used for authentication provided certificates are shared between authenticating devices.
- Authenticates between client and server to defend against active attacks such as spoofing.
- Encrypts between client and server in order to protect DHCP communication from monitoring.
90
Q

What is DHCPv6-Shield?

A
- Protects hosts connected to a switch against rogue DHCPv6 servers.
- Equivalent to DHCP Snooping in IPv4; based on packet filtering at the switch.
- Does not protect servers, only clients.
- Before being deployed, the port(s) on which DHCPv6 server messages are allowed in are specified. Only ports connected to relays/servers should be specified. Messages will not be allowed in on any other port(s).
- DHCPv6-Shield can be considered a vendor-specific implementation from some vendors.
91
Q

Methods of securing IPv6 routing protocols

A
- Authenticating neighbors/peers
- Securing routing updates
- Using route filtering
- Router hardening
92
Q

List IPv6 routing protocols

A
- RIPng
- OSPFv3
- IS-IS
- MBGP
93
Q

True or False. RIPng supports authentication by default.

A

False. RIPv2 supports MD5, but this is not available in RIPng. Further to this, IPSec is recommended but not mandated, so the protocol is not secure by default.
94
Q

What methods can you use to authenticate neighbors in RIPng?

A
- There is no authentication method. The only security measure that would even remotely help is IPSec.
95
Q

What methods can you use to authenticate neighbors in OSPFv3?

A
- IPSec - ESP or AH with manual keys
- Authentication Trailer - Hash of OSPFv3 values. Authenticated between neighbors using a shared key.
96
Q

What is Authentication Trailer in OSPFv3?

A
- A method of authentication for the routing protocol.
- Allows a router to confirm that a received packet has been issued by a router knowing the shared authentication key.
- Avoids needing to configure IPSec and protects against replay attacks.
- It is a hash of OSPFv3 values.
97
Q

What is required in order to implement IPSec for OSPFv3 security?

A
- ESP must be supported and AH may be supported.
- Manual keying is required with current implementations.
98
Q

What methods can you use to authenticate neighbors in IS-IS?

A
- HMAC - Can be used with MD5 (not recommended) or SHA.
99
Q

What methods can you use to authenticate neighbors in MBGP?

A
- TCP MD5 Signature Option - The first security measure available for securing BGP sessions. Obsolete due to using MD5.
- TCP Authentication Option - Preferred over MD5.
100
Q

True or False. OSPFv3 is the only routing protocol that offers a method of securing routing updates.

A

True. IPSec can be used, although this isn't universally supported, so it is not always feasible. OSPFv3 also being one-to-many can make key management difficult, since keys need to be generated and shared manually.