The Truth about IPv6 Security



Similar documents
Security Implications of the Internet Protocol version 6 (IPv6)

Security Assessment of Neighbor Discovery for IPv6

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Security of IPv6 and DNSSEC for penetration testers

Recent Advances in IPv6 Security. Fernando Gont

IPv6 Network Reconnaissance:

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

IP(v6) security. Matěj Grégr. Brno University of Technology, Faculty of Information Technology. Slides adapted from Ing.

Vulnerabili3es and A7acks

IPv6 Network Reconnaissance:

CPNI VIEWPOINT. SECURITY IMPLICATIONS OF IPv6. Disclaimer: MARCH 2011

Industry Automation White Paper Januar 2013 IPv6 in automation technology

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Dedication Preface 1. The Age of IPv6 1.1 INTRODUCTION 1.2 PROTOCOL STACK 1.3 CONCLUSIONS 2. Protocol Architecture 2.1 INTRODUCTION 2.

IPv6 Fundamentals: A Straightforward Approach

ITL BULLETIN FOR JANUARY 2011

About the Technical Reviewers

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Securing the Transition Mechanisms

Matt Ryanczak Network Operations Manager

Firewalls und IPv6 worauf Sie achten müssen!

Migrating to IPv6 Opportunity or threat for network security?

IPv6 First Hop Security Protecting Your IPv6 Access Network

Charter Text Network Design and Configuration

Recommended IP Telephony Architecture

ProCurve Networking IPv6 The Next Generation of Networking

Personal Firewall Default Rules and Components

Windows 7 Resource Kit

IPv6 Fundamentals, Design, and Deployment

IPv6 Security ::/0. Poland MUM Warsaw March, 2012 Eng. Wardner Maia Brazil

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

IPv6 Associated Protocols

8 Steps for Network Security Protection

8 Steps For Network Security Protection

IPv6 Security 111 Short Module on Security

Types of IPv4 addresses in Internet

Beginner s Guide to Securing IPv6

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Vicenza.linux.it\LinuxCafe 1

Joe Klein, CISSP IPv6 Security Researcher

IPv6 Hardening Guide for Windows Servers

A Sampling of Internetwork Security Issues Involving IPv6

Discovering IPv6 with Wireshark. presented by Rolf Leutert

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

Basic IPv6 WAN and LAN Configuration

C)PTC Certified Penetration Testing Consultant

IPv6 Network Security.

IPV6 DEPLOYMENT GUIDELINES FOR. ARRIS Group, Inc.

IETF IPv6 Request for Comments (RFCs) Updated

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

Monitoring of Tunneled IPv6 Traffic Using Packet Decapsulation and IPFIX

Tomás P. de Miguel DIT-UPM. dit UPM

Interconnecting Cisco Network Devices 1 Course, Class Outline

Security with IPv6 Explored. U.S. IPv6 Summit Renée e Esposito Booz Allen Hamilton Richard Graveman RFG Security

Deploying IPv6 in 3GPP Networks. Evolving Mobile Broadband from 2G to LTE and Beyond. NSN/Nokia Series

Getting started with IPv6 on Linux

IPv6 Security. Scott Hogg. Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610

Implementing Cisco IOS Network Security

IPv6 INFRASTRUCTURE SECURITY WORKSHOP SESSION 10 BUILDING IPv6 INFRASTRUCTURE NETWORK SECURITY

Eric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Practical Security Assessment of IPv6 Networks and Devices. Fernando Gont

HughesNet Broadband VPN End-to-End Security Enabled by the HN7700S-R

IPv6 Opportunity and challenge

Networking 4 Voice and Video over IP (VVoIP)

SSVVP SIP School VVoIP Professional Certification

FIREWALLS & CBAC. philip.heimer@hh.se

IPv6 Infrastructure Security

CloudEngine Series Switches. IPv6 Technical White Paper. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

R4: Configuring Windows Server 2008 Network Infrastructure

Protocol Specification & Design. The Internet and its Protocols. Course Outline (trivia) Introduction to the Subject Teaching Methods

: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

Some insights about the recent TCP DoS (Denial of Service) vulnerabilities

IPv6 Transport Support and Market Segmentations

Residential IPv6 IPv6 a t at S wisscom Swisscom a, n an overview overview Martin Gysi

How To Compare Ipv6 And Ipv4 To Ipv5 (V1.2.0)

Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna Marc Heuse

With a little bit of IPv6 magic: Windows 7 DirectAccess

Topics in Network Security

Broadband Network Architecture

Transcription:

The Truth about IPv6 Security Fernando Gont UTN/FRH FutureNet: MPLS, Ethernet and Beyond Boston, MA, USA, May 10-13, 2010

Agenda Brief comparision of IPv4 and IPv6 A few myths about IPv6 security Transition Technologies Ongoing work on IPv6 security at UK CPNI Key areas where further work is needed Conclusions

Brief comparision of IPv4 and IPv6 IPv4 and IPv6 are very similar in terms of functionality Addressing Auto-configuration Address resolution IPsec support Fragmentation IPv4 32 bits DHCP & RS/RA ARP Optional Both in hosts and routers IPv6 128 bits ICMPv6 RS/RA & DHCPv6 (opt) ICMPv6 Mandatory Only in hosts

Mandatory IPsec support Myth: IPv6 has improved security as a result of its mandatory IPsec support IPsec already existed for IPv4 The mandatory-ness of IPsec for IPv6 is just words on paper Also, there are problems with its deployment as a general end-to-end security mechanism Deployment of IPsec(v6) has similar problems as those of IPsec(4). As a result, IPsec(v6) is not deployed as a general end-to-end security mechanism, either

Larger address space Myth: It is unfeasible to brute-force scan an IPv6 network for alive nodes, as the IPv6 address space is so large. Such a scan would take ages! [Malone, 2008] (*) measured IPv6 address assignement patterns For hosts, 50% autoconf, 20% IPv4-based, 10% Teredo, 8% low-byte For infrastructure, 70% low-byte, 5% IPv4-based Anyway, most compromised systems are hosts. Once a host is compromised, brute-force scanning becomes trivial Size matters only if you use it properly! ;-) (*) Malone, D. 2008. Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), 29 30 April 2008.

Auto-configuration & address-resolution Based on Neighbor Discovery messages (ICMPv6) DHCPv6 is optional Stateless autoconfiguration more powerful than the IPv4 counterpart but also provides more potential vectors for attackers to exploit (e.g., THC s IPv6 attack suite) Less support in Layer-2 boxes for mitigation of ND attacks Secure Neighbor Discovery (SEND) was specified for mitigating ND security threats, employing: Cryptographically-Generated Addresses (CGAs) RSA signatures (RSA signature option) Certificates Not widely supported (e.g., no support in Windows XP/Vista/7 or KAME) Even then, SEND does not eliminate (nor should it) Layer-4+ attack vectors (e.g., DNS spoofing)

Transition technologies Original IPv6 transition plan was dual-stack (yes, it failed) Current strategy is a transition/co-existence plan based on a toolbox: Configured tunnels Automatic tunnels (ISATAP, 6to4, Teredo, etc.) NATs (NAT64, NAT46, ALGs, etc.) Automatic-tunneling mechanisms are enabled by default in Windows Vista and Windows 7 They may be (and have been) leveraged to bypass local network policies Some automatic tunnels use anycast IPv4 addresses: Where is your Teredo and 6to4 traffic going through? This might (or might not) be of concern to you

Ongoing work (or what we re doing on v6 security )

Ongoing work on IPv6 security at CPNI The UK CPNI (Centre for the Protection of National Infrastructure) is currently working on a security assessment of the IPv6 protocol suite Similar project to the one we carried out years ago on TCP and IPv4: Security assessment of the protocol specifications Security assessment of common implementation strategies Production of assessment/proof-of-concept tools Publication of best practices documents Currently cooperating with vendors and other parties

Further work (or what s missing? )

Key areas in which further work is needed IPv6 Resiliency Implementations have not really been the target of attackers, yet Only a handful of publicly available attack tools Lots of vulnerabilities and bugs still to be discovered. IPv6 support in security devices IPv6 transport is not broadly supported in security devices (firewalls, IDS/IPS, etc.) This is key to be able enforce security policies comparable with the IPv4 counterparts Education/Training Pushing people to Enable IPv6 point-and-click style is simply insane. Training is needed for engineers, technicians, security personnel, etc., before the IPv6 network is running.

Conclusions (or so what? )

Conclusions Most security vulnerabilities have to do with Layer4+ No layer-3 protocol will help an unsecured DNS, broken browser, or broken database application Even when it comes to previously-known Layer3 issues, IPv6 is not that different from IPv4 to make a difference After all, IPv6 is 96 more bits, no magic -- Gaurab Raj Upadhaya

Questions?

Acknowledgements UK CPNI, for their continued support Future-Net organizers, for the invitation to present in this conference Fernando Gont fernando@gont.com.ar http://www.gont.com.ar

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information