IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region



Similar documents
VOICE OVER IP SECURITY

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

ITL BULLETIN FOR JANUARY 2011

Vulnerabili3es and A7acks

Recommended IP Telephony Architecture

IPv6 First Hop Security Protecting Your IPv6 Access Network

Securing IPv6. What Students Will Learn:

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

Security of IPv6 and DNSSEC for penetration testers

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Industry Automation White Paper Januar 2013 IPv6 in automation technology

Migrating to IPv6 Opportunity or threat for network security?

Firewalls, Tunnels, and Network Intrusion Detection

Introduction to IP v6

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.

IPv6 Fundamentals: A Straightforward Approach

CIRA s experience in deploying IPv6

ProCurve Networking IPv6 The Next Generation of Networking

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

INSTANT MESSAGING SECURITY

Security Technology: Firewalls and VPNs

Securing the Transition Mechanisms

Network Access Security. Lesson 10

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

IP(v6) security. Matěj Grégr. Brno University of Technology, Faculty of Information Technology. Slides adapted from Ing.

CMPT 471 Networking II

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

Security vulnerabilities in the Internet and possible solutions

Security with IPv6 Explored. U.S. IPv6 Summit Renée e Esposito Booz Allen Hamilton Richard Graveman RFG Security

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

SECURITY IN AN IPv6 WORLD MYTH & REALITY. SANOG XXIII Thimphu, Bhutan 14 January 2014 Chris Grundemann

This chapter covers the following topics:

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

ΕΠΛ 674: Εργαστήριο 5 Firewalls

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

21.4 Network Address Translation (NAT) NAT concept

Guidance Regarding Skype and Other P2P VoIP Solutions

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Securing Cisco Network Devices (SND)

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

3.5 IPv6 Forum Certified Security Course, Engineer, Trainer & Certification (GOLD)

IPv6 Fundamentals, Design, and Deployment

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

MUNICIPAL WIRELESS NETWORK

IPv6 Security: How is the Client Secured?

Network Security Fundamentals

Architecture Overview

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

COSC 472 Network Security

ICSA Labs Network Protection Devices Test Specification Version 1.3

The Truth about IPv6 Security

Firewall Security. Presented by: Daminda Perera

Firewall Architecture

Matt Ryanczak Network Operations Manager

Symantec Endpoint Protection 11.0 Network Threat Protection (Firewall) Overview and Best Practices White Paper

Security Technology White Paper

What is VLAN Routing?

Interconnecting Cisco Network Devices 1 Course, Class Outline

Proxy Server, Network Address Translator, Firewall. Proxy Server

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

How To Compare Ipv6 And Ipv4 To Ipv5 (V1.2.0)

Network Security Guidelines. e-governance

Protocol Security Where?

Securing IP Networks with Implementation of IPv6

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Firewalls and Intrusion Detection

Chapter 9 Firewalls and Intrusion Prevention Systems

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

13 Ways Through A Firewall

Mobility on IPv6 Networks

NETWORK SECURITY (W/LAB) Course Syllabus

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

HONEYPOT SECURITY. February The Government of the Hong Kong Special Administrative Region

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Firewalls. Chapter 3

How To Protect Your Network From Attack

INTERCONNECTING CISCO NETWORK DEVICES PART 1 V2.0 (ICND 1)

Network Security IPv4 + IPv6

Achieving PCI-Compliance through Cyberoam

Basics of Internet Security

Protecting and controlling Virtual LANs by Linux router-firewall

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Introduction of Intrusion Detection Systems

Implementing Cisco IOS Network Security

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

Tomás P. de Miguel DIT-UPM. dit UPM

Transcription:

IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express permission of the Government of the HKSAR. Disclaimer: Whilst the Government endeavours to ensure the accuracy of the information in this paper, no express or implied warranty is given by the Government as to the accuracy of the information. The Government of HKSAR accepts no liability for any error or omission arising from or related to the use of the information. IPv6 Security v1.1 1

TABLE OF CONTENTS Summary... 3 1 Introduction... 4 2 Security Considerations... 6 A. Security Improvements Over IPv4... 6 B. Concerns, Potential Threats and Measures... 8 C. Common Attacks In Both IPv4 and IPv6... 11 D. IPv6 Transition... 12 3 Best Practices... 14 IPv6 Security v1.1 2

SUMMARY The IPv6 protocol has solved some, but not all, of the security problems found in IPv4 networks. One example is the mandatory inclusion of IP Security (IPsec) in the IPv6 protocol, which makes it fundamentally more secure than the older IPv4 standard. However, given its flexibility, the IPv6 protocol introduces new problems. A mobile IP protocol is built into the IPv6 protocol, and security solutions for this protocol are still under development. In addition, the dynamic configuration flexibility of IPv6 (such as stateless address autoconfiguration) could also become a serious security problem, if not implemented correctly. The overall enhancements in IPv6 may provide better security in certain areas, but there are areas that attackers may be able to exploit. This article will focus on the security improvements over IPv4, possible threats, security considerations and some best practices on IPv6 deployment. IPv6 Security v1.1 3

1 INTRODUCTION The prevailing Internet Protocol standard is IPv4 (Internet Protocol version 4), which dates back to the 1970s. There are well-known limitations of IPv4, including the limited IP address space and lack of security. IPv4 specifies a 32-bit IP address field, and available address spaces are rapidly running out. The only security feature provided in IPv4 is a security option field that provides a way for hosts to send security and handling restrictions parameters 1. As a result, the Internet Engineering Task Force (IETF) has been working on the IPv6 (Internet Protocol version 6) specifications in order to address these limitations, along with a number of performance, ease-of-configuration, and network management issues. The core IPv6 specifications have been defined by various Request for Comments (RFCs) such as RFC 2460 2 (IPv6 Protocol), RFC 4861 3 (IPv6 Neighbour Discovery), RFC 4862 4 (IPv6 Stateless Address Auto-Configuration), RFC 4443 5 (Internet Control Message Protocol for IPv6 (ICMPv6)), RFC 4291 6 (IPv6 Addressing Architecture), and RFC 4301 7 (Security Architecture for IP or IPsec). IPv6 is also referred as the Next Generation 1 http://www.ietf.org/rfc/rfc0791.txt 2 http://tools.ietf.org/html/rfc2460 3 http://tools.ietf.org/html/rfc4861 4 http://tools.ietf.org/html/rfc4862 5 http://tools.ietf.org/html/rfc4443 6 http://tools.ietf.org/html/rfc4291 7 http://tools.ietf.org/html/rfc4301 IPv6 Security v1.1 4

Internet Protocol (IPng). The differences between IPv6 and IPv4 headers are outlined in the tables below: 1. IPv6 header format 2. IPv4 header format The new features introduced with the IPv6 protocol can be summarised as: 1. A new header format 2. A much larger address space (128-bit in IPv6, compared to the 32-bit address space in IPv4) 3. An efficient and hierarchical addressing and routing infrastructure 4. Both stateless and stateful address configuration IPv6 Security v1.1 5

5. IP Security 6. Better Quality of Service (QoS) support 7. A new protocol for neighbouring node interaction 8. Extensibility These enhancements in IPv6 provide better security in certain areas, but some of these areas are still open to exploitation by attackers. 2 SECURITY CONSIDERATIONS A. Security Improvements Over IPv4 1. Massive Size of the IP Address Space Makes Port Scanning Harder When they start, attackers usually employ port scanning as a reconnaissance technique to gather as much information as possible about a victim s network. It is estimated that the entire IPv4 based Internet can be scanned in about 10 hours with enough bandwidth 8, given that IPv4 addresses are only 32 bits wide. IPv6 dramatically increases this limit by expanding the number of bits in address fields to 128 bits. By itself, such a massive address space creates a significant barrier for attackers wanting to conduct comprehensive port scanning. 8 http://www.opte.org/history/ IPv6 Security v1.1 6

However, it should be noted that the port scanning reconnaissance technique used in IPv6 is basically the same as in IPv4, apart from the larger IP address space. Therefore, current best practices used with IPv4, such as filtering internal-use IPv6 addresses in border routers, and filtering un-used services at the firewall, should be continued in IPv6 networks. Cryptographically Generated Address (CGA) In IPv6, it is possible to bind a public signature key to an IPv6 address. The resulting IPv6 address is called a Cryptographically Generated Address (CGA) 9. This provides additional security protection for the IPv6 neighbourhood router discovery mechanism, and allows the user to provide a "proof of ownership" for a particular IPv6 address. This is a key differentiator from IPv4, as it is impossible to retrofit this functionality to IPv4 with the current 32-bit address space constraint. CGA offers three main advantages: 1. It makes spoofing attacks against, and stealing of, IPv6 addresses much harder. 2. It allows for messages signed with the owner's private key. 3. It does not require any upgrade or modification to overall network infrastructure. 2. IP Security (IPsec) 10 IP Security, or IPsec for short, provides interoperable, high quality and cryptographically based security services for traffic at the IP layer. It is optional in IPv4 but has been made mandatory in the IPv6 protocol. IPsec enhances the original IP protocol by providing authenticity, integrity, confidentiality and access control to each IP packet through the use of two protocols: AH (authentication header) and ESP (Encapsulating Security Payload). 9 Cryptographically Generated Addresses (CGA) is specified in RFC 3972 (http://www.ietf.org/rfc/rfc3972.txt). 10 RFC4301 (http://tools.ietf.org/html/rfc4301) IPv6 Security v1.1 7

3. Replacing ARP by Neighbour Discovery (ND) Protocol In the IPv4 protocol, a layer two (L2) address is not statically bound to a layer three (L3) IP address. Therefore, it can run on top of any L2 media without making significant change to the protocol. Connection between L2 and L3 addresses is established with a protocol named Address Resolution Protocol (ARP), which dynamically establishes mapping between L2 and L3 addresses on the local network segment. ARP has its own security vulnerabilities (such as ARP Spoofing). In the IPv6 protocol, there is no need for ARP because the interface identifier (ID) portion of an L3 IPv6 address is directly derived from a device-specific L2 address (MAC Address). The L3 IPv6 address, together with its locally derived interface ID portion, is then used at the global level across the whole IPv6 network. As a result, the security issues related to ARP no longer apply to IPv6. A new protocol called Neighbour Discovery (ND) Protocol for IPv6 is defined in RFC 4861 11 as a replacement to ARP. B. Concerns, Potential Threats and Measures 1. IP Addressing Structure The IP addressing structure defines the architecture of a network. A well-planned addressing structure will reduce potential risks associated with new features provided by IPv6. The following areas should be considered when designing an IPv6 network. Numbering plan and hierarchical addressing The numbering plan describes how the organisation segregates its IPv6 allocation, for example, if an organisation is granted with a 16 subnet bits (/48) address block, this will 11 http://tools.ietf.org/html/rfc4861 IPv6 Security v1.1 8

allow to support 65,000 subnets. A good numbering plan can simplify access control lists and firewall rules in security operations, and identify ownership of sites, links and interfaces easily. Organisations should carefully plan and create a site hierarchy by consider subnet methods as follows: Sequentially numbering subnets VLAN number IPv4 subnet number Physical location of network Functional unit of an organisation (Accounts, Operation, etc) Problems with trackable EUI-64 addresses The IEEE EUI-64 address 12 represents a new standard for network interface addressing in IPv6. Physical address of the network interface (MAC address) is an input to the algorithm that generates EUI-64 address for network interfaces. With the capability of auto-configuration, a global IPv6 address for the interface can be generated by combining the network identifier with the EUI-64 address. By using a EUI-64 address, an attacker could potentially reveal the make and model of a remote machine, and use the information to target attacks. To mitigate the risk, non-predictable addresses should be used by making use of cryptographic algorithm (e.g. Cryptographically Generated Address) or assigning addresses with DHCPv6. 2. Unauthorized IPv6 Clients IPv6 support is available for most modern operating systems or equipment, it can be easy and sometime unnoticeable to user where the IPv6 protocol is enabled. Due to the 12 EUI is an acronym for Extended Unique Identifier, e.g. 3BA7:94FF:FE07:CBD0 is an EUI-64 identifier in colon hexadecimal notation. IPv6 Security v1.1 9

extended capabilities of IPv6, as well as the possibility of an IPv6 host having a number of global IPv6 addresses, it potentially provides an environment that make network level access easier for attacker if the access controls are not properly deployed. To reduce the risk, the following measures could be considered: Locate and disable any IPv6 enabled equipment Detect and block IPv6 or IPv6 tunnel traffic at network perimeter Include IPv6 usage policies in the organization s security plan 3. Neighbour Discovery and Stateless Address Auto-configuration Neighbour discovery (ND) is a replacement for ARP, and stateless address autoconfiguration which allows an IPv6 host to be configured automatically when connected to an IPv6 network is a lightweight DHCP-like function provided in ICMPv6. They are both powerful and flexible options in the IPv6 protocol. However, ND may be still subject to attacks that could cause IP packets to flow to unexpected places. Denial of service may be one of the results. Also, such attacks could be used to allow nodes to intercept and optionally modify packets destined for other nodes. While this may be protected with an IPsec AH, RFC 3756 13 (IPv6 ND Trust Models and Threats) also defines the type of networks in which the secure IPv6 ND mechanisms are expected to work. The three different trust models can roughly corresponding to secured corporate intranets, public wireless access networks, and pure ad hoc networks. Moreover, the SEcure Neighbor Discovery (SEND) protocol is developed to provide an alternate mechanism for securing neighbor discovery with a cryptographic method. Neighbour discovery, as well as router solicitation in the IP network (v4 or v6) uses ICMP. While ICMPv4 is a separate protocol on the outside of IPv4, ICMPv6 is an 13 http://tools.ietf.org/html/rfc3756 IPv6 Security v1.1 10

integral protocol running directly on the top of the IPv6 protocol, which again could lead to security problems. Exchanging ICMPv6 messages on the top of the IPv6 protocol for vital "network health" messages and environment solicitations are crucial for IPv6 communication. However, this could be abused by sending fake, carefully crafted response messages for denial of service, traffic re-routing or other malicious purposes. For security reasons, the IPv6 protocol recommends that all ICMP messages use an IPsec AH, which is able to offer integrity, authentication and anti-relay functions. It may be better to specify critical systems as static neighbour entries to their default router, instead of using ND, this would avoid many typical neighbour-discovery attacks. However, certain administrative efforts would be required. 4. Dual Operations Organisations cannot change all their networks to IPv6 overnight, IPv6 will be gradually deployed while IPv4 will be supported for legacy clients and services. A dual protocol environment increases the complexity for operations and also security. Nevertheless, existing measures on IPv4 should be maintained while the same level of coverage should be applied to IPv6. Organisations need to implement a consistent security policy for both IPv4 and IPv6 (including firewalls and packet filters). During operations, administrators should be aware of relevant threats and vulnerabilities in both protocols and apply appropriate measures to mitigate the risks. C. Common Attacks In Both IPv4 and IPv6 IPv6 Security v1.1 11

IPv6 cannot solve all security problems. Basically it cannot prevent attacks on layers above the network layer in the network protocol stack. Possible attacks that IPv6 cannot address include: 1. Application layer attacks: Attacks performed at the application layer (OSI Layer 7) such as buffer overflow, viruses and malicious codes, web application attacks, and so on. 2. Brute-force attacks and password guessing attacks on authentication modules. 3. Rogue devices: Devices introduced into the network that are not authorised. A device may be a single PC, but it could be a switch, router, DNS server, DHCP server or even a wireless access point. 4. Denial of Service: The problem of denial of service attacks is still present with IPv6. 5. Attacks using social networking techniques such as email spamming, phishing, etc. D. IPv6 Transition Transitioning tools allow IPv4 applications to connect to IPv6 services, and IPv6 applications to connect to IPv4 services. However, attackers might exploit this if the security issues have not been fully addressed. There are a variety of IPv6 transition technologies, such as 6to4 (defined in RFC 3056 14 ), Simple Internet Transition 15 (SIT) tunnels, and IPv6 over UDP (such as Teredo 16 ). IPv6 14 http://tools.ietf.org/html/rfc3056 15 http://playground.sun.com/ipv6/ipng-transition.html IPv6 Security v1.1 12

traffic can enter networks via these methods while administrators are not aware that networks are vulnerable to IPv6 exploits. In addition, many firewalls permit UDP traffic, allowing IPv6 over UDP to get through firewalls without the knowledge of administrators. Attackers might also use 6to4 tunnels to evade intrusion detection or prevention systems. Some firewall products are only capable of filtering IPv4 traffic and not IPv6 traffic. Attackers can exploit this loophole and hence compromise the network by using IPv6 packets. SIT tunnels and tunnelling routers make it possible to deploy islands of IPv6, within sea of IPv4 networks, without IPv6 routers being directly connected to each other. This arrangement allows intruders to subvert simple workstations and use them as routers to direct traffic across entire sub-networks without having to compromise infrastructure routers or firewalls. To inspect encapsulated traffic within tunnels, deploy security devices that can understand tunnelled traffic. Moreover, security policies should be enforced at both the inbound and outbound of the tunnel. For host security on IPv4-IPv6 mixed networks, it should also be noted that applications are subject to attacks in both IPv6 and IPv4 networks. Therefore, if traffic blocking is required, it is necessary to block traffic for both IP versions on any host control systems (firewalls, VPN clients, intrusion detection or prevention systems, and so on). IPv6 network traffic should be monitored, router and neighbor solicitations should be audited to detect the insertion of any rogue router or unauthorised device to the network. 16 http://technet.microsoft.com/en-us/network/cc917486.aspx IPv6 Security v1.1 13

3 BEST PRACTICES Below are some best practices for reference in building and maintaining secure IPv6 networks: - Use standard, non-obvious static addresses for critical systems; - Ensure adequate filtering capabilities for IPv6; - Filter internal-use IPv6 addresses at border routers; - Block all IPv6 traffic on IPv4-only networks; - Filter unnecessary services at the firewall; - Develop a granular ICMPv6 filtering policy and filter all unnecessary ICMP message types; - Maintain host and application security with a consistent security policy for both IPv4 and IPv6; - Use IPsec to authenticate and provide confidentiality to assets; - Document the procedures for last-hop traceback; and - Pay close attention to the security aspects of transition mechanisms. Last Update/Review: May 2011 IPv6 Security v1.1 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information