In my go6lab, I often work with vendors to test the implementation of various IPv6 features and let them know how things work in a real IPv6 network environment. Recently we got a quite powerful firewall device from a vendor we have been working with for years to test out in the lab. In version 6 of their operating system (PanOS) they started implementing some neat IPv6 security checks that we usually don't see from other vendors. Of course, we don't have every firewall vendor's devices here (we are open for anyone to send in a device and we'll put it in our setup), but from what we see, IPv6 security checks of this kind are quite rare in firewalls, which is why we took some time to look at them more closely.
We had the privilege and honor to host the IPv6 Toolkit development VPS for Fernando Gont, so we have all the latest tools and attacks at hand for testing, and I would like to thank Fernando for some additional ideas about which tests to run. We used the IPv6 Toolkit for all our testing, and the commands below can be reproduced if you have the toolkit installed.
So, what did we test? We set up a target device on the far side of the new firewall, sent all sorts of malformed or malicious packets through it with different firewall settings, and watched on the other side to see whether any of those packets reached the target.
This is how the firewall's Zone Protection profile settings look by default:
There are many very useful options, but unfortunately none of them are enabled by default. From the vendor's documentation we learn that the IPv6 sub-tab has options to drop IPv6 packets based on the IPv6 header and the extension header chain: a type 0 routing header, an anycast source address, a hop-by-hop extension header, a routing extension header, needless fragmentation, and so on.
So, let's test some of the most interesting ones. We changed the configuration to enable every option on the list to see whether any of the attacks would still get through. For demonstration purposes we use the documentation prefix: 2001:db8::2 is the target, and packets are sent from the host 2001:db8:1::2.
First we tried atomic fragments: frag6 -d 2001:db8::2 --frag-type atomic
Next we probed the target's fragment reassembly policy: frag6 -d 2001:db8::2 --frag-reass-policy -v
And of course the PMTUD trick: a Packet Too Big message advertising an MTU below 1280 (the IPv6 minimum link MTU), which makes the target insert a Fragment header in all subsequent packets to that peer: icmp6 --icmp6-packet-too-big -d 2001:db8::2 --peer-addr 2001:db8:1::2 --mtu 1000 -o 80 -v -l -z 1
The firewall did not block all of these malicious or malformed packets with the default Zone Protection profile settings, but with all options turned on the device correctly identified the attacks and blocked the traffic to the destination machine. Well done!
Then we moved on to RFC 7112 compliance tests:
tcp6 -d 2001:db8::2 -X S -a 4444 -v --probe-mode script
This command sends a TCP SYN to port 4444, and the tool prints whether it received a response or timed out. It passes the firewall, as this is a perfectly legitimate packet.
Then we tried something nastier: tcp6 -d 2001:db8::2 -X S -a 4444 -v --probe-mode script -u 8
This command does the same thing, but now the IPv6 packet carrying the SYN segment also carries an 8-byte Destination Options extension header (-u 8), and these packets were immediately filtered and blocked by the firewall.
After this we sent the same packet, but with a 1000-byte Destination Options header: tcp6 -d 2001:db8::2 -X S -a 4444 -v --probe-mode script -u 1000
…and finally we tried this: tcp6 -d 2001:db8::2 -X S -a 4444 -v --probe-mode script -u 1000 -y 600
This command produces one of the packets RFC 7112 forbids: it uses a 1000-byte Destination Options extension header but asks the tool to fragment the packet into 600-byte pieces (-y 600), so the extension header chain itself is split across fragments and the first fragment no longer contains the whole header chain up to the TCP header. Of course, all of those packets were recognized and blocked by the firewall.
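As an added example (written for this page; it is neither from the original post nor the firewall vendor's code), here is a small Python checker that walks an IPv6 header chain and flags the packet classes exercised above: atomic fragments (RFC 6946), a type 0 Routing Header (RFC 5095) and, for the RFC 7112 case, a first fragment whose extension header chain does not reach the TCP header. The sample packets are constructed inline by hand with the post's documentation addresses; the TCP source port, the fragment identification values and the RH0 intermediate address are arbitrary choices. It needs no toolkit or network, so it is a way to sanity-check what a sensor on the far side of the firewall should be flagging.

```python
"""
Walk an IPv6 extension-header chain and flag the packet classes the tests
above exercise: atomic fragments (RFC 6946), Routing Header type 0 (RFC 5095)
and a first fragment that does not carry the whole header chain (RFC 7112).
All sample packets are constructed here by hand (no toolkit or network needed).
"""
import ipaddress
import struct

# Next Header values (RFC 8200 sec. 4 and IANA protocol numbers)
HOPBYHOP, ROUTING, FRAGMENT, AH, DESTOPTS = 0, 43, 44, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOPBYHOP, ROUTING, FRAGMENT, AH, DESTOPTS}
MIN_UPPER_LEN = {TCP: 20, UDP: 8, ICMPV6: 8}   # smallest complete upper-layer header
CHAIN_MSG = "first fragment does not contain the whole header chain (RFC 7112)"

SRC = ipaddress.IPv6Address("2001:db8:1::2").packed   # sending host from the post
DST = ipaddress.IPv6Address("2001:db8::2").packed     # target from the post


def classify_ipv6(pkt: bytes) -> list:
    """Return the list of findings for one raw IPv6 packet ([] = nothing flagged)."""
    findings = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    if len(pkt) != 40 + struct.unpack("!H", pkt[4:6])[0]:
        return ["payload length field does not match packet size"]
    nh, off, first_fragment = pkt[6], 40, False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):          # every extension header is at least 8 bytes
            findings.append(CHAIN_MSG if first_fragment else "truncated extension header")
            return findings
        next_nh = pkt[off]
        if nh == FRAGMENT:
            hdr_len = 8
            frag_field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            frag_off, more = frag_field >> 3, frag_field & 1
            if frag_off != 0:           # non-first fragment: no upper-layer header expected
                findings.append("non-first fragment (offset %d)" % frag_off)
                return findings
            first_fragment = True
            if not more:                # offset 0 and M=0: the whole packet in one fragment
                findings.append("atomic fragment (RFC 6946)")
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4     # AH length: 4-byte units, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8     # HBH/Routing/DestOpts: 8-byte units, minus 1
            if nh == ROUTING and pkt[off + 2] == 0:
                findings.append("routing header type 0 (RFC 5095)")
        if off + hdr_len > len(pkt):    # header announces more bytes than this packet holds
            findings.append(CHAIN_MSG if first_fragment else "truncated extension header")
            return findings
        nh, off = next_nh, off + hdr_len
    if len(pkt) - off < MIN_UPPER_LEN.get(nh, 0):
        findings.append(CHAIN_MSG if first_fragment else "truncated upper-layer header")
    return findings


# --- builders for constructed sample packets ------------------------------
def ipv6(nh: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header (hop limit 64) followed by payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + SRC + DST + payload


def dest_opts(nh: int, total_len: int) -> bytes:
    """Destination Options header of total_len bytes (multiple of 8), filled with Pad1."""
    assert total_len % 8 == 0 and total_len >= 8
    return bytes([nh, total_len // 8 - 1]) + b"\x00" * (total_len - 2)


def fragment_hdr(nh: int, offset: int, more: int, ident: int) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset << 3) | more, ident)


def routing_hdr_type0(nh: int, via: bytes) -> bytes:
    """Deprecated RH0 with one 16-byte intermediate address (hdrextlen 2, segments left 1)."""
    return struct.pack("!BBBBI", nh, 2, 0, 1, 0) + via


def tcp_syn(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN; checksum left zero, enough for header-chain checks."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


SYN = tcp_syn(49152, 4444)              # source port is an arbitrary choice


def plain_syn() -> bytes:               # tcp6 -X S -a 4444
    return ipv6(TCP, SYN)


def syn_with_destopts(size: int) -> bytes:     # tcp6 ... -u <size>
    return ipv6(DESTOPTS, dest_opts(TCP, size) + SYN)


def atomic_fragment() -> bytes:         # frag6 --frag-type atomic
    return ipv6(FRAGMENT, fragment_hdr(TCP, 0, 0, 0x1) + SYN)


def rh0_packet() -> bytes:              # RH0 bouncing via the sender's own address
    return ipv6(ROUTING, routing_hdr_type0(TCP, SRC) + SYN)


def first_fragment_of(eh_len: int, frag_size: int, data: bytes = b"") -> bytes:
    """First fragment when tcp6 -u <eh_len> -y <frag_size> splits DestOpts + TCP + data.
    The fragment carries frag_size - 8 bytes (8 bytes go to the Fragment header)."""
    fragmentable = dest_opts(TCP, eh_len) + SYN + data
    return ipv6(FRAGMENT, fragment_hdr(DESTOPTS, 0, 1, 0x1234) + fragmentable[:frag_size - 8])


if __name__ == "__main__":
    samples = {"plain SYN": plain_syn(), "SYN + 8-byte DestOpts": syn_with_destopts(8),
               "atomic fragment": atomic_fragment(), "RH0": rh0_packet(),
               "1000-byte DestOpts fragmented at 600": first_fragment_of(1000, 600)}
    for name, pkt in samples.items():
        print("%-40s %s" % (name, classify_ipv6(pkt) or "ok"))
```

The 1000-byte/600-byte case reproduces the last tcp6 command: the first fragment holds only 592 bytes of a Destination Options header that announces 1000, so the chain cannot reach the TCP header and the checker reports the RFC 7112 violation. The 8-byte Destination Options packet, on the other hand, is RFC-compliant and gets no finding; dropping it anyway, as the firewall above did, is a policy decision that the checker deliberately leaves to the operator.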
We also ran many other tests, and this vendor's device recognized every malformed IPv6 packet and blocked the attacks. We are very happy to see that IPv6 implementations are progressing and that there are vendors paving the way in IPv6 security.
Go6lab recently received a second PA-4050 device from this firewall vendor and we are testing the PanOS 7 beta for even more advanced IPv6 features, but we can't talk about those yet: this version has not been released to the public and the new features are still under NDA. We'll keep you posted.