IPv6 Security Issues and Challenges

Similar documents
IPv6 Security. Pedro Lorga - WALC 2006 (Quito, Ecuador July 06)

IPv6 Security János Mohácsi IPv6 workshop, Skopje June 2011

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

Insights on IPv6 Security

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

IPv6 Security 111 Short Module on Security

Insights on IPv6 Security

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

IPv6 Security Considerations: Future Challenges

Network Interconnection

Planning for Information Network

IPv6 Security Fundamentals

CSCE 715: Network Systems Security

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

IPv6 migration challenges and Security

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Virtual Private Networks (VPN)

Unit 5 - IPv4/ IPv6 Transition Mechanism(8hr) BCT IV/ II Elective - Networking with IPv6

IPv6 Next generation IP

IPSec. Overview. Overview. Levente Buttyán

Network Security. Thierry Sans

CSE 565 Computer Security Fall 2018

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

CTS2134 Introduction to Networking. Module 08: Network Security

ETSF05/ETSF10 Internet Protocols Network Layer Protocols

IPv6: An Introduction

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Foreword xxiii Preface xxvii IPv6 Rationale and Features

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

IPv6 is Internet protocol version 6. Following are its distinctive features as compared to IPv4. Header format simplification Expanded routing and

ECE 435 Network Engineering Lecture 23

IPv6 Rapid Deployment: Provide IPv6 Access to Customers over an IPv4-Only Network

IPv6 Security Safe, Secure, and Supported.

Operational Security Capabilities for IP Network Infrastructure

SECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK

CSC 4900 Computer Networks: Network Layer

Recent Advances in IPv6 Security. Fernando Gont

An analytical study for Security in IPv6

CompTIA Network+ Study Guide Table of Contents

IPV6 SIMPLE SECURITY CAPABILITIES.

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

The IPsec protocols. Overview

Security in an IPv6 World Myth & Reality

Introduction to IPv6 - II

SEN366 (SEN374) (Introduction to) Computer Networks

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

TCP/IP Protocol Suite

IPv6 Security Course Preview RIPE 76

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Tik Network Application Frameworks. IPv6. Pekka Nikander Professor (acting) / Chief Scientist HUT/TML / Ericsson Research NomadicLab

ET4254 Communications and Networking 1

IPv6 Technical Challenges

A Border Gateway Protocol 3 (BGP-3) DNS Extensions to Support IP version 6. Path MTU Discovery for IP version 6

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Computer Networks. Course Reference Model. Topic. Error Handling with ICMP. ICMP Errors. Internet Control Message Protocol 12/2/2014.

Securing the Transition Mechanisms

Avaya Networking IPv6 Using Fabric Connect to ease IPv6 Deployment. Ed Koehler Director DSE Ron Senna SE Avaya Networking Solutions Architecture

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August

Integrated Security 22

ECE 435 Network Engineering Lecture 23

CSC 4900 Computer Networks: Security Protocols (2)

Why Firewalls? Firewall Characteristics

Internet of Things (IOT) Things that you do not know about IOT

CyberP3i Course Module Series

Mapping of Address and Port (MAP) an ISPs Perspective. E. Jordan Gottlieb Principal Engineer Charter Communications

CCNA Exploration Network Fundamentals. Chapter 06 Addressing the Network IPv4

A Sampling of Internetwork Security Issues Involving IPv6

IPv Implementation - The Naked Truth. Dr. Omar Amer Abouabdalla IPv6 Global Sdn. Bhd.

Use of IPSec in Mobile IP

Transition Strategies from IPv4 to IPv6: The case of GRNET

20-CS Cyber Defense Overview Fall, Network Basics

DPX8000 Series Deep Service Switching Gateway User Configuration Guide Firewall Service Board Module v1.0

IP: Addressing, ARP, Routing

Outline. CS5984 Mobile Computing. Host Mobility Problem 1/2. Host Mobility Problem 2/2. Host Mobility Problem Solutions. Network Layer Solutions Model

Internet Protocol, Version 6

Networking: Network layer

Virtual Private Networks

Fixed Internetworking Protocols and Networks. IP mobility. Rune Hylsberg Jacobsen Aarhus School of Engineering

RMIT University. Data Communication and Net-Centric Computing COSC 1111/2061. Lecture 2. Internetworking IPv4, IPv6

Cisco Network Address Translation (NAT)

IPv6 Security: Threats and Mitigation

Outline. CS6504 Mobile Computing. Host Mobility Problem 1/2. Host Mobility Problem 2/2. Dr. Ayman Abdel-Hamid. Mobile IPv4.

Remember Extension Headers?


CS 356: Computer Network Architectures. Lecture 15: DHCP, NAT, and IPv6. [PD] chapter 3.2.7, 3.2.9, 4.1.3, 4.3.3

IPv6 Feature Facts

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

Internet Protocol and Transmission Control Protocol

The Internet. The Internet is an interconnected collection of netw orks.

Lecture Computer Networks

IPv6 Transition Technologies (TechRef)

Transcription:

IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology Consultant IPv6 Global Sdn Bhd 7 November 2012

IPv6 TO MIGRATE OR NOT TO MIGRATE? It s not an option. Either we migrate or we will be left behind. Malaysian government has mandated they will be IPv6 native by end of 2015. Malaysian major trading partners including the U.S., China and India has already started aggressively migrating to IPv6. If we want to continue to be relevant, communicate and do business with these countries, we will have to migrate.

What's the problem? People First, We have firewalls and Intrusion Detection Systems so we re safe from outside attack. VPNs, SSH, etc. allow secure remote access. SSL/TLS protects t web access so phishing attacks don t work. Virus scanning is effective - so viruses are a thing of the past. Security patches applied The patches never break anything. IPv6 has complete built-in security. And cows can fly!

IPv4 to IPv6 Challenging Move The exhaustion of the finite pool of IPv4 addresses. IPv6 deployment is critical to safeguarding the future expansion of the internet. IPv6 deployment comes with its own set of challenges, and security issues. Networks need to be dual-stack during the transition phase. In most cases, settings will not be automatically copied between IPv4 and IPv6. Whenever you make a change for one protocol you have to do it for the other, which doubles the chances of making a mistake.

Some interesting aspects about IPv6 security We have much less experience with IPv6 than with IPv4. IPv6 implementations are much less mature than their IPv4 counterparts. Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4. The complexity of the resulting network will greatly increase during the transition/coexistence period: Two internetworkin protocols (IPv4 and IPv6) Increased use of NATs Increased use of tunnels Lack of trained human resources.

Bi Brief comparison between IPv6 and IPv4 IPv6 and IPv4 are very similar in terms of functionality (but not in terms of mechanisms) IPv4 Addressing 32 bits 128 bits Address Resolution ARP IPv6 ICMPv6 NS/NA Auto- DHCP & ICMP RS/RA ICMPv6 RS/RA & DHCPv6 configuration (recommended) Fault Isolation ICMP ICMPv6 IPsec support Optional Recommended (not mandatory) Fragmentation Both in hosts and routers Only in hosts

Bi Brief comparison between IPv6 and IPv4 Header formats:

Flow Label The three-tuple tuple {Source Address, Destination Address, Flow Label} was meant to identify a communication flow. Currently unused by many stacks others use it improperly Speficication of this header field, together with possible uses, is work in progress at the IETF. Potential vulnerabilities depend on the ongoing work at the IETF: Might be leveraged to perform dumb (stealth) address scans. Might be leveraged to perform Denial of Service attacks.

Hop Limitit Analogous to IPv4 s Time to Live (TTL). Identifies the number of network links the packet may traverse. Packets are discarded when the Hop Limit is decremented to 0. Could be leveraged for: Detecting the Operating System of a remote node. Fingerprinting a remote physical device. Locating a node in the network topology.

Hop Limit: it Fingerprinting i Devices or OSes Different Oses use different defaults for the Hop Limit (typically a power of two: 64, 128, etc.) If packets originating from the same IPv6 addresses contain very different Hop Limits, they might be originated by different devices. E.g.: Packets from FTP server 2001:db8::1 arrive with a Hop Limit of 60 Packets from web server 2001:db8::2 arrive with a Hop Limit of 124 We infer: FTP server sets the Hop Limit to 64, and is 4 routers away. Web server sets the Hop Limit to 128, and is 4 routers away. Detecting the Operating System of a remote node.

Hop Limit: Locating a Node H Li it L ti N d Basic idea: if we are receiving packets from a node and assume that it is using the default Hop Limit, we can infer the orginal Hop Limit If we have multple sensors, we can triangulate the position of the node Source Hop Limit A 61 B 61 C 61 D 62 F is the only node that is: 4 routers from A 4 routers from B 4 routers from C 3 routers from D

Threats to be Countered in IPV6 Scanning Gateways and Hosts for weakness Scanning for Multicast Addresses Unauthorised Access Control Protocol Weaknesses Distributed Denial of Service (DDos) Transition Mechanisms Worms/Viruses There are already worms that use IPv6 e.g. Rbot.DUD

Scanning Gateways and Hosts IPv6 Subnet Size is much larger More than 500 000 years to scan a /64 subnet@1m addresses/sec. Scanning for backdoors impractical. Scanning for proxies impractical. Scan-based worms can not propagate.

Scanning Gateways and Hosts IPv6 Scanning methods are changing Public servers will still need to be DNS reachable giving attacker some hosts to attack. Administrators may adopt easy to remember addresses (::1,::2,::53, or simply IPv4 last octet). Use of trivial EUI-64 derived addresses. EUI-64 derived from interface MAC addresses. By compromising routers at key transit points in a network, an attacker can learn new addresses to scan. Avoid using easy to guess addresses.

Scanning Multicast Addresses S i M lti tadd New Multicast Addresses - IPv6 supports new multicast t addresses enabling attacker to identify key resources on a network and attack them. E.g. Site-local all DHCP servers (FF05::1:3), mdnsv6 (FF05::FB), and All Routers (FF05::2) Addresses must be filtered at the border in order to make them unreachable from the outside. To prevent smurf type of attacks: IPv6 specs forbids the generation of ICMPv6 packets in response to messages to global multicast addresses that contain requests.

Security of IPv6 Addresses Cryptographically Generated Addresses (CGA) IPv6 addresses [RFC3972]. Host ID - part of address is an encoded d hash. h Binds IPv6 address to public key Used for SEcuring Neighbor Discovery [RFC3971]. Is being extended for other uses [RFC4581]. Privacy addresses as defined [RFC 4941]. Prevents device/user tracking Makes accountability harder

Unauthorised Access Control Policy implementation in IPv6 with Layer 3 and Layer 4 is still done in firewalls. Some design considerations: Filter site-scoped multicast addresses at site boundaries. Filter IPv4 mapped IPv6 addresses on the wire. Action Src Sst Src port Dst port permit a:b:c:d::e X:y:z:w::v any ssh deny any any

Amplification (DDoS) Attacks A lifi ti (DD S) Att k There are no broadcast addresses in IPv6 This would stop any type of amplification attacks that send ICMP packets to the broadcast address Global multicast addresses for special groups of devices, e.g. link-local addresses, etc. IPv6 specifications forbid the generation of ICMPv6 packets in response to messages to global multicast addresses Many popular operating systems follow the specification. Still uncertain on the danger of ICMP packets with global multicast source addresses.

Mitigation of IPv6 amplification Be sure that t your host implementations ti follow the ICMPv6 specification [RFC 4443]. Implement Ingress Filtering. Defeating Denial of Service Attacks which employ IP Source Address Spoofing [RFC 2827]. Implement ingress filtering of IPv6 packets p g g p with IPv6 multicast source address.

Mixed IPv4/IPv6 Environments Some security issues with transition mechanisms. Tunnels often interconnect networks over areas supporting the wrong version of protocol. Tunnel traffic often not anticipated by the security policies. It may pass through firewall systems due to their inability to check two protocols in the same time. Do not operate completely automated tunnels. Avoid translation mechanisms between IPv4 and IPv6, use dual stack instead. Only authorised systems should be allowed as tunnel end-points.

L3 L4 Spoofing in IPv4 with 6to4 Via 6to4 tunneling, spoofed traffic can be injected from IPv4 into IPv6. IPv4 Src: IPv4 Address. IPv4 Dst: 6to4 Relay IPv6 Src: 2002:: Spoofed Source IPv6 Dst: Valid Destination Attacker 6to4 GW 6to4 relay IPv6 network Public IPv4 network IPv6 network

IPv6 and IPsec General IP Security mechanisms that provides: Authentication Confidentiality key management -requires a PKI infrastructure (IKEv2) Applicable to use over LANs, across public & private WANs, & for the Internet IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication. IPS i d t d i IP 6 l f d t d IPSec is mandated in IPv6 you can rely on for end-to-end security.

What is IPsec? Work done by the IETF IPsec Working Group Applies to both IPv4 and IPv6 and its implementation is: Mandatory for IPv6 Optional for IPv4 IPsec Architecture: RFC 2401 IPsec services Authentication Integrity Confidentiality IPsec modes: Transport Mode & Tunnel Mode IPsec protocols: AH (RFC 2402) & ESP (RFC 2406)

IPsec Protocols, modes and combinations Transport Mode Tunnel Mode AH Authenticates IP payload and selected portions of IP header Authenticates entire inner IP datagram (header & payload) and selected portions of the outer IP header ESP Encrypts IP payload Encrypts inner IP datagram ESP with Authentication ti ti Encrypts IP payload and authenticates IP payload but not IP header Encrypts and authenticates inner IP datagram

Some thoughts... While IPv6 provides similar features as IPv4, it uses different mechanisms. and the evil lies in the small details. The security implications of IPv6 should be considered before it is deployed (not after!). Most systems have IPv6 support enabled by default, and this has implications on IPv4-only networks! Even if you are not planning to deploy IPv6 in the short term, most likely you will eventually do it. It is time to learn about and experiment with IPv6!

Summary IPv6 carries a number of advantages Improved addressing Improved security Improved routing IPv6 advantages can be used against networks Backdoors hidden Communications channels hidden Security mechanisms bypassed IPv6 is easier and cheaper to provide than prevent Time for ignoring IPv6 is past Time for understanding and using IPv6 is now

Acknowledgements This presentation includes some material from these other sources: National Advanced IPv6 Centre (NAv6) 6Deploy

Who is IPv6 Global Sdn Bhd IPv6 Global Sdn Bhd is an affiliate to Universiti Sains Malaysia s s National Advanced IPv6 Center (NAV6). NAV6 is a world leader in IPv6 R&D and sit in IPv6 Council of several countries including China, India and Singapore. In 2005, the Ministry of Information, Culture and Communication appointed NAV6 to spearhead the country's transition to be IPv6. We aim to provide a complete one-stop centre for all IPv6 requirements and needs. Contact information Zulkifli Shahari zul.shahari@ipv6global.my 0133305588 info@ipv6global.my or go to our website, www.ipv6global.my

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback