IPv6 and New Security Paradigm

Transcription

1 Doc. No. 79 IPv6 and New Security Paradigm 2 nd December 2003 NTT Communications IPv6 project Yasuki SAITO

2 2 Agenda 1. Introduction to IPv6 2. Security Myth 3. IPv6 s s security merit and demerit 4. New security paradigm 5. New mechanisms (P2P VPN and PIA)

3 3 Agenda 1. Introduction to IPv6 2. Security Myth 3. IPv6 s s security merit and demerit 4. New security paradigm 5. New mechanisms (P2P VPN and PIA)

4 4 Characteristics of IPv6 protocol Expansion of address space ( >2 128 ). Equipped with Security functions (IPsec). QoS (Quality of Service) functions. Plug and Play. Systematic address structure (routing becomes easy).

5 5 Characteristics of IPv6 Internet Free from NAT (Network Address Translation) Problem. Realization of true Peer to Peer model. Networking Non-PCs (Home appliances, cars, any products, environmental sensors and information itself!). Security and QoS. Broadband?

6 6 New Internet Model Global IP address Mobile equipment NAT IPv4 Data exchange Real-time data distribution Remote Control Mobile NW Secure End-to-End Communication LAN Remote Maintenance IPv6 Private address Home Network Home appliance OA equipment IPv4 : one-way communication due to NAT the business model is client & server. IPv6: two-way communication two-way communications between appliance and mobile new internet business models will be created

7 7 Agenda 1. Introduction to IPv6 2. Security Myth 3. IPv6 s s security merit and demerit 4. New security paradigm 5. New mechanisms (P2P VPN and PIA)

8 8 Internet is insecure myth 1. Internet is full of malicious crackers. 2. Open system is dangerous, closed system is safe. 3. Open source software is dangerous. 4. If you use cryptography, you can get safety. 5. It is always safe or dangerous (all or nothing argument). 6. You cannot avoid intrusion of viruses. 7. There is no escape from SPAM mails. 8. You cannot avoid port attack (such as DoS attack).

9 9 Myth 2: Open system is dangerous, closed system is safe. It is true that you do not get attacked from outside if your network is closed. But people inside often cause trouble. American statistics says 80% of information leak is from inside. Security awareness will be paralyzed if you think you are safe because your network is closed.

10 10 Agenda 1. Introduction to IPv6 2. Security Myth 3. IPv6 s s security merit and demerit 4. New security paradigm 5. New mechanisms (P2P VPN and PIA)

11 11 End-to-End secure communication (merit) Easy Easy to to setup setup IP-VPN between End-to-End terminals with with IPv6 IPv6 IPv4 Site to Site secure communications Private address segments Branch A IPsec Node NAT Global address segments Secure Transmission IPv4 Internet IPsec R R Node Private address segments NAT Branch B Low security in the LAN segments Low interoperability between deferent vendors Global address segments Secure Transmission IPv6 End to End secure communications Branch A R IPv6 Internet Secure Transmission R R Branch B End to End secure communications Easy to set up new connection Partner company

12 12 IPv6 s security threat (demerit) Crackers does not distinguish IPv4 and IPv6, so certain type of Internet threats continue even in IPv6 Internet World. Everything becomes reachable from anywhere.

13 13 Agenda 1. Introduction to IPv6 2. Security Myth 3. IPv6 s s security merit and demerit 4. New security paradigm 5. New mechanisms (P2P VPN and PIA)

14 14 Closed is safe to Open yet safe IPv6 s benefit is only appreciated when IPv6 network is open. If you stick to closeness, you may be safe, but you cannot enjoy many new features of IPv6 Internet. But open network is not completely safe without certain precautions and security assuring mechanisms.

15 15 Agenda 1. Introduction to IPv6 and NTT Communications IPv6 activities 2. Security Myth 3. IPv6 s s security merit and demerit 4. New security paradigm 5. New mechanisms (P2P VPN and PIA)

16 16 IPv6 P2P VPN (MyNet Manager) IPsec IPsecpolicy server server to to provide provide IPsec IPsecpolicy file file to to each each peer peer on on demand demand - - Effortless Effortless setup: setup: No No or or low low skill skill requirements requirements Just Just register register your your communication communication partner partner on on the the web web - - Adaptable Adaptable to to all all communication communication mode mode : : Client-Server, Client-Server, Peer-to-Peer, Peer-to-Peer, Mobile Mobile - - Secure Secure instant instant communication communication : : Connect Connect instantly, instantly, while while achieving achieving end-to-end end-to-end security security Branch Office :A VERIO VERIO Data Data Center Center CA IPsec Policy Server Headquarters IPsec Policy Strategic Team IPsec NTT/VERIO IPv6 Global Backbone Branch office :B IPsec IPsec Server IPsec?? HOTSPOT Digital Certificate Jointly developed by cracker

17 17 Case study : Remote control for Data Center Data Center Data Center IPv6 Internet IPsec Operation center center Data Data Center Camera Thermometer Monitor and control the Data Center Fan

18 18 Case study : Building Monitoring Solution Monitoring Monitoring solution solution provider provider controls controls devices devices over over secure secure channel channel IPv6 Internet IPsec Operation Operation center center Office Office Building Building Camera, Camera, door door key, key, safe safe are are controlled controlled by by IPv6 IPv6 IPsec. IPsec. Also, Also, air air conditioning, conditioning, lighting lighting can can be be controlled controlled remotely remotely to to save save energy energy consumption. consumption.

19 19 Case Study: Personal Remote Access IPv4 (conventional model) Access from MANY Home Home / SOHO SOHO LAN Access from IN-side to OUT-side IPv4 Internet Web server Mail server Company s Intranet IPv6 (improved model) outside Home Home / SOHO SOHO Access from OUT-side to IN-side LAN IPv6 Internet Mobile Network Access from ONLY Myself

20 PIA (Plug-and-Play IPsec Architecture) 1. Configuration-less Plain IP communications, at first Configuration-less 2. Protected by IPsec after a while (Authentication-less, and vulnerable to man-in-the-middle at this phase) 3 (optional). Each device has unique ID and shares symmetry key Trusted Server with the trusted server 20 -Proved to be man-in-the-middle free -Authenticated -Authorized -Logged

21 21 IPsec Discovery 1/2 IPsec Discovery does not affect communications with legacy systems IPsec Discovery supported host Legacy host #1 TCP SYN IP header IPsec Discovery bit (inside IP header, can be in TOS for v4 and flow label for v6 for example) #2 IP header TCP SYN ACK #3 TCP ACK IP header The peer replies to #1 in the ordinary way if IPsec Discovery is not supported

22 IPsec Discovery 2/2 Key Exchange triggered by IPsec Discovery IPsec Discovery supported HOST-A IPsec Discovery supported HOST-B #1 #2 TCP SYN IP header IP header TCP SYN ACK Receiving a packet with IPsec Discovery bit set, HOST-B kicks off Background Key Exchange #3 TCP ACK IP header IP header UDP SPIi, g^i mod p #4 #5 #6 Data Data TCP TCP ESP IP header IP header IP header TCP SPIi, SPIr, g^r mod p, Nr Data UDP IP header IP header UDP SPIi, SPIr, Nr 22 #7 Encrypted with IPsec IP header TCP Data Encrypted with IPsec IPsec SAs and Security Policy is installed according to Background Key Exchange

23 23 Conclusions IPv6 movement is a shift from current Internet practice to completely new way of thinking about security. IPv6 Internet is inherently open network, and you must consider security in this open context. Even within open network, if you use various mechanisms, you can guarantee security. So, let s stop thinking closed is safe, and seek for a new paradigm open yet safe!

24 24 Thank you very much for your attention! URL : Mail : ipv6@ntt.com

25 25 About NTT Group and NTT Communications Group Total Operating Revenues 2002 : $86 Billion Stock Holding Company 100% 100% 67% 54% NTT Data Local Telecoms in Japan 100% Mobile Systems Development 100% Long Distance, International And Internet Services Other Subsidiaries International Data Service, IP Service Data Center & Web Hosting in the U.S. and Europe

26 26 NTT/VERIO s Evolution in IPv6 activities p2p application trial MyNetManager Join European Project 6net Application layer Join Chinese Project 6TNet Join Japanese National Project Research Phase Trial Phase Commercial Service Phase - NTT Labs started global IPv6 research network - Verio joined 6bone in the U.S. - NTT Com obtained stla address - NTT/VERIO started the world s first commercial IPv6 service in Japan Network layer OCN Tunneling Trial (200 users) Services in Japan - NTT MCL started commercial IPv6-IX service in the U.S. NTT Europe IPv6 Trial (400 users) Service in Europe Service in Hong Kong Services in Malaysia / Australia Services in Korea, Taiwan, and The U.S.

27 NTT/VERIO Global IPv6 Backbone and services NTT/VERIO IPv6 Backbone NSPIXP6 JPNAP6 PAIX S-IX EQUI6IX UK6X LINX AMS-IX Korea Korea Hong Kong Hong Kong Taiwan Taiwan Japan Japan The U.S. The U.S. Malaysia Malaysia Australia Australia Europe Europe 27 OCN in Japan IPv6&IPv4 DUAL ADSL IPv6 over IPv4 TUNNEL IPv6 NATIVE transit Our Strength Global IPv6 networks covering Asia, US, Europe Providing commercial IPv6 transit services in Japan (Apr 01-), in Europe (Feb 03-) in U.S. (June 03-) and many Asia-Pacific countries (June 03-) More than 3 year s experience in running 24x7 monitoring and operations by NTT/VERIO dual NOC in Japan and U.S. Main IPv6-IX Connection Optimal IPv6 routes

28 28 Other activities: