Recent IPv6 Security Standardization Efforts. Fernando Gont

Similar documents
Recent Advances in IPv6 Security. Fernando Gont

Recent IPv6 Standardization Efforts. Fernando Gont

Recent Advances in IPv6 Security. Fernando Gont

Security Implications of IPv6 Addressing. Fernando Gont

Recent Advances in IPv6 Security. Fernando Gont

Recent IPv6 Security Standardization Efforts. Fernando Gont

Recent Advances in IPv6 Security. Fernando Gont

Recent Advances in IPv6 Security. Fernando Gont

IPv6 Specifications to Internet Standard

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

IETF Update about IPv6

Host Scanning in IPv6 Networks

IPv6 Security Fundamentals

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

IPv6 maintenance Working Group (6man) Updates: 3971, 4861 (if approved) January 12, 2012 Intended status: Standards Track Expires: July 15, 2012

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

Six Years of Six: Perspectives since the IPv6 Launch 2012

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

IPv6 Specifications to Internet Standard Open Issues. Ole Trøan,

IPv6 Technical Challenges

The Layer-2 Security Issues and the Mitigation

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

Guide to TCP/IP Fourth Edition. Chapter 6: Neighbor Discovery in IPv6

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

IPv6. Internet Technologies and Applications

IPv6 Security: Threats and Mitigation

IPv6 Implementation Best Practices For Service Providers

Operational Security Capabilities for IP Network Infrastructure

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

The Layer-2 Insecurities of IPv6 and the Mitigation Techniques

A Border Gateway Protocol 3 (BGP-3) DNS Extensions to Support IP version 6. Path MTU Discovery for IP version 6

Stateless automatic IPv4 over IPv6 Tunneling (SA46T)

Practical IPv6 for Windows Administrators

IPv6 Next generation IP

Internet Engineering Task Force (IETF) Updates: 3971, 4861 August 2013 Category: Standards Track ISSN:

jumbo6 v1.2 manual pages

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

Configuring IPv6 First-Hop Security

IPv6 Security Course Preview RIPE 76

TCP/IP Protocol Suite

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

Internet Protocol v6.

Remember Extension Headers?

Radware ADC. IPV6 RFCs and Compliance

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6

Security in an IPv6 World Myth & Reality

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

tcp6 v1.2 manual pages

Tomáš Podermański, Matěj Grégr,

An Industry view of IPv6 Advantages

A Sampling of Internetwork Security Issues Involving IPv6

TD#RNG#2# B.Stévant#

Foreword xxiii Preface xxvii IPv6 Rationale and Features

IPv4/v6 Considerations Ralph Droms Cisco Systems

Learning/Playing with IPv6 at home. Keith Garner, Gradebook Team Lead

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

The Netwok Layer IPv4 and IPv6 Part 2

DHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016

IPv6 Neighbor Discovery

OSI Data Link & Network Layer

Index Terms- IPv4, IPv6

Multi-requirement Extensions for DHCPv6 (draft-ren-dhc-mredhcpv6-00)

1. Introduction. Carpenter, Jung Expires June 1999 [Page 2] ^L. Internet Draft Transmission of IPv6 Packets over IPv4 Dec 1998

Dual-Stack lite. Alain Durand. May 28th, 2009

Configuring IPv6 basics

IPv6 Security 111 Short Module on Security

Configuring IPv6 for Gigabit Ethernet Interfaces

ECE 435 Network Engineering Lecture 14

IPv6 Protocol Architecture

SECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK

Internet Protocol Version 6: advanced features. The innovative aspects of IPv6

IPv6 Deployment at the University of Pennsylvania

Post IPv4 completion. Making IPv6 deployable incrementally by making it. Alain Durand

Introduction to IPv6 - II

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Tik Network Application Frameworks. IPv6. Pekka Nikander Professor (acting) / Chief Scientist HUT/TML / Ericsson Research NomadicLab

OSI Data Link & Network Layer

New IP Header. Why change IP. Address Notation. Changes. Information Sources. IP Version 6 ITL

Information Sources Hans Kruse & Shawn Ostermann, Ohio University

Internet Control Message Protocol

IPv6 Bootcamp Course (5 Days)

IETF Activities Update

Cisco IOS IPv6. Cisco IOS IPv6 IPv6 IPv6 service provider IPv6. IPv6. data link IPv6 Cisco IOS IPv6. IPv6

Advanced Computer Networking (ACN)

Request for Comments: 1972 Category: Standards Track August A Method for the Transmission of IPv6 Packets over Ethernet Networks

IPv6 Security Training Course

Information Sources Hans Kruse & Shawn Ostermann, Ohio University

Internet Protocol, Version 6

IPv6 Changes in Mobile IPv6 from Connectathon

Eric Vyncke, Distinguished Engineer, 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Workshop on Scientific Applications for the Internet of Things (IoT) March

IPv6 migration challenges and Security

Configuring IPv6. Information About IPv6. Send document comments to CHAPTER

Considerations and Actions of Content Providers in Adopting IPv6

Results of a security assessment of the TCP and IP protocols and common implementation strategies

Internet Engineering Task Force (IETF) Alcatel-Lucent August DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers

IPv6 address configuration and local operation

Transitioning to IPv6

Transcription:

Recent IPv6 Security Standardization Efforts Fernando Gont

Part I: Protocol Issues 2

IPv6 Addressing 3

Security & Privacy Analysis RFC 7721: Security and Privacy Considerations for IPv6 Address Generation Mechanisms RFC 7707: Network Reconnaissance in IPv6 Networks

Mitigation of Security & Privacy Issues RFC 7217: A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC) RFC 8064: Recommendation on Stable IPv6 Interface Identifiers

RFC7217: stable-privacy addresses Generate Interface IDs as: Where: F(Prefix, Net_Iface, Network_ID, DAD_Count, Secret_Key) F(): PRF (e.g., a hash function) Prefix: SLAAC or link-local prefix Net_Iface: some interface identifier Network_ID: e.g. the SSID of a wireless network DAD_Count: initialized to 0, and incremented by 1 upon collisions Secret_Key: unknown to the attacker (and randomly generated by default)

RFC7217: stable-privacy addresses (II) As a host moves: Prefix and Network_ID change from one network to another But they remain constant within each network F() varies across networks, but remains constant within each network This results in addresses that: Are stable within the same subnet Have different Interface-IDs when moving across networks For the most part, they have the best of both worlds

RFC7217: implementation status Known implementations: Linux kernel v4.0 NetworkManager v1.2.0-0.3.20151112gitec4d653.fc24 dhcpcd 6.4.0 OSes known to already ship with RFC7217: Mac OS Sierra Fedora

RFC7217 in Fedora (I) Node connects to Network #1

RFC7217 in Fedora (II) Node connects to Network #2

RFC7217 in Fedora (III) Node connects (back again) to Network #1

IPv6 Extension Headers 12

IPv6 Fragmentation Conceptually, same as in IPv4 Implemented with an IPv6 Fragmentation Header

IPv6 Fragmentation Overview IPv6 fragmentation performed only by hosts (never by routers) Fragmentation support implemented in Fragmentation Header Where: 8 bits 8 bits 13 bits 2b 1b Next Header Reserved Fragment Offset Res M Identification Fragment Offset: Position of this fragment with respect to the start of the fragmentable part M: More Fragments, as in IPv4 Identification : Identifies the packet (with Src IP and Dst IP)

Atomic fragments Atomic fragments: a complete packet that includes a fragment header (FO: 0, MF: 0) (Used to be) generated upon receipt of MTU<1280

Mitigating miscellaneous issues RFC 6980: Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery RFC 7739: Security Implications of Predictable Fragment Identification Values RFC 7112: Implications of Oversized IPv6 Header Chains draft-ietf-6man-rfc2460bis: Internet Protocol, Version 6 (IPv6) Specification

Mitigating issues with atomic fragments RFC 8021: Generation of IPv6 Atomic Fragments Considered Harmful RFC 6946: Processing of IPv6 "Atomic" Fragments RFC 7915: IP/ICMP Translation Algorithm draft-ietf-6man-rfc2460bis: Internet Protocol, Version 6 (IPv6) Specification

IPv6 Standardizaton Efforts Part II: Operational Issues 19

Operational Security Considerations draft-ietf-opsec-v6: Operational Security Considerations for IPv6 Networks

First-Hop Security RFC 7113: Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard) RFC 7610: DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers RFC 6959: Source Address Validation Improvement (SAVI) Threat Scope

IPv6/IPv4 Interaction RFC 7123: Security Implications of IPv6 on IPv4 Networks RFC 7359: Layer 3 Virtual Private Network (VPN) Tunnel Traffic Leakages in Dual-Stack Hosts/Networks

Some conclusions 23

Some conclusions Increased interest and operational experience with IPv6 led to many improvements A lot has been done in the last 5 years or so!

Questions? 25

Thank you's Veronika McKillop Tim Chown Andy Butcher UK IPv6 Council Axians

Thanks! Fernando Gont fgont@si6networks.com IPv6 Hackers mailing-list https://www.si6networks.com/community/ www.si6networks.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback