Presentation on theme: "Security Implications of IPv6 Tim Helming Director of Product Management Corey, Nachreiner, CISSP, Sr. Network Security Strategist,"— Presentation transcript:
Security Implications of IPv6 Tim Helming Director of Product Management Corey, Nachreiner, CISSP, Sr. Network Security Strategist,
Welcome to WatchGuards IPv6 Webinar Series! 1 3 4 2 Security Implications of IPv6 v6 in a v4 world v6 security advantages/disadvantages
Youre here because v6 matters to you Were here to help!Things well answer: What are the security implications of IPv6 in my IPv4 network (Transition)? What are the inherent security advantages and disadvantages of IPv6?
Part 1: Security Implications of IPv6 in a (mostly) IPv4 World
Im Running IPv4…Does This Affect Me? Your network may be IPv4… …but your devices may be another story!
Built-In IPSec Offers Better Security… Right? IPSec is a mandatory part of the IPv6 Protocol
Whats IPSec Again? Among other things, IPSec consists of: Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks) Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, antireply, and encryption (confidentiality) to IP packets, thus providing secure and private communications.
What are IPv6 Extension Headers? Remember IPv6 header simplification? VersionIHL Type of Service Total Length Identification Flags Fragment Offset Time to Live ProtocolHeader Checksum Source Address Destination Address OptionsPadding IPv4 Header (20 bytes) Version Traffic Class Flow Label Payload Length Next Header Hop Limit Source Address Destination Address IPv6 Header (40 bytes) Dropped Dropped options need to go somewhere… IPv6 Header Payload IPv6 Header Extension Header Payload IPv6 Header Extension Header Payload Ext. headers may include: Hop-by-hop options Destination Options Routing Fragmentation AH Header ESP Header Etc…
Built-In IPSec Offers Better Security… Right? IPSec is a mandatory part of the IPv6 Protocol What does this really mean? Part of IPv6 protocol stack, not an optional add-on Implemented with AH and ESP Extension Headers Follows one standard (less interop issues) Every IPv6 device can do IPSec However, IPSec usage is still OPTIONAL!
Wait! Doesnt IPv4 Offer IPSec too? Some truths about IPv6s additional IPSec Security: IPv4 has it too (though, not natively) You dont have to use it, and most dont Still complex May require PKI Infrastructure So is this really a security benefit? Short term – probably no measureable advantage over IPv4 IPSec Long term – More applications will leverage it now that its mandatory!
So Long NAT! Hello, End-2-End Addressing NAT does NOT provide security! End-2-End (public) addressing increases accountability
Vast Address Space Naturally Thwarts Certain Attacks (340 unidecillion) Too big for automated reconnaissance and attack: Average network port scans would take decadesAutomated worm propagation would slow to a crawl
Immature Protocols = Increased Vulnerability & Risk During the creation life-cycle of new standards and protocols: Security is often an after-thought Unexpected problems happen due to complex interactions Many issues dont surface until the tech receives wider usage These concepts have proven themselves with many new network protocols in the past. Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.
Unfamiliarity Causes Misconfigurations Many network administrators and IT practitioners are still relatively unfamiliar with all IPV6s ins and outs Common issues: Not realizing IPv6 is already in their network Ignorance of Tunneling Mechanisms Lack of ACL policy for IPv6 multi-homing Unawareness of potential privacy issues Over permissiveness, just to get it to work
Automatic Addressing May Pose Privacy Concerns In the first webinar, we showed one way SLAAC could automatically created a EUI-64 address. However, this makes your MAC public, which you may consider a privacy issue. Privacy Enhanced Addresses [RFC 3041] Cryptographically Generated Addresses (CGA) [RFC 3972] There are options to rectify this issue: 1.MAC Address: 90-3A-2B-06-2C-D1 2.Split in half: 90-3A-2B 06-2C-D1 3.Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1 4.Change 7 th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
I also have 192.168.20.1 A Look Back at IPv4 ARP Poisoning Who has 192.168.20.34? Who has 192.168.20.34? I Do. Heres my MAC Hey Everyone. I have 192.168.20.34 And 192.168.20.2, And ….. And 192.168.20.2, And ….. No authentication or security
I Do. Send traffic to me I Do. Send traffic to me Neighborhood Discovery Suffers from Similar Issues Who has 2001::3/64? Who has 2001::3/64? I Do. Heres my Layer 2 address Who has 2001::3/64? Who has 2001::3/64? Neighbor Solicitation Neighbor Advertisement ND Spoofing No authentication or security
Many Other Neighbor and Router Discovery Issues Solution: SEcure Neighbor Discovery (SEND) – RFC 3971 Essentially adds IPSec to ND communications Requires PKI Infrastructure Not available in all OSs yet. 802.1X also an option Other ND related attacks: Duplicate Address Detection (DAD) DoS attack ND spoofing attack for router (allows for MitM) Neighbor Unreachability Detection (NAD) DoS attack Last Hop Router spoofing (malicious router advertisements) And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
New Multicast Protocol Helps with Reconnaissance In the first webinar, we introduced IPv6 multicast addresses:IPv6 multicast includes a ton of reserved addresses. Heres a few: Multicast AddressReservation FF02::1All Host Address FF02::2All Router Address (LL) FF02::9RIP Routers FF02::AEIGRP Routers FF02::BMobile-Agents FF02::1:2All DHCP Agents FF05::2All Router Address (SL) FF05::1:3All DHCP Servers FF05::1:4ALL DHCP Relays FF0X::101NTP FF0X::106Name Service Server Attackers can use these multicast addresses to enumerate your network. Note: RFC 2375
IPv6 Security Controls Lagging Hacking Arsenal/Tools Attackeralready have many IPv6 capable tools: THC-IPv6 Attack SuiteUnfortunately, IPv6 security controls and products seems to be a bit behind.
Neutral IPv6 Differences of Concern Some of IPv6s differences have security connotations that you should know about. However, they arent necessarily inherently good or bad
Typical IPv6 Devices Have Multiple Addresses At least a Link-Local Address (FE80::/10) Likely a Unique Global Address (2000::/3) Possibly a Site-Local Address (FC00::/7) You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization
So… Does/Will IPv6 Provide More Security? Probably Not. Few will adopt/use the IPv6 related security additions early on. Furthermore, the protocols newness and administrators unfamiliarity may result in more vulnerabilities at first. That said, IPv6 security is NOT worse than IPv4. Short Term Yes. If leveraged, some IPv6 additions can increase our overall network security. As we become more familiar with it, and more network services begin to leverage advanced options, IPv6 should prove slightly more security than IPv4. Long Term
Coming Up Next…(1 month from now) 1 2 4 3 What To Expect from IPv6 ISP activities Connecting the Islands
Major References IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf IPv6 Security Challenges https://www.cs.siue.edu/~wwhite/CS447/TopicalPaper/Originals/Bridges_IPv6SecurityChallenges.pdf https://www.cs.siue.edu/~wwhite/CS447/TopicalPaper/Originals/Bridges_IPv6SecurityChallenges.pdf IPv6 Security Challenges by Samuel Sotillo http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf IPv6 Security Best Practices http://www.cisco.com/web/SG/learning/ipv6_seminar/files/02Eric_Vyncke_Security_Best_Practices.pdf http://www.cisco.com/web/SG/learning/ipv6_seminar/files/02Eric_Vyncke_Security_Best_Practices.pdf IPv6 Security Considerations and Recommendations http://technet.microsoft.com/en-us/library/bb726956.aspx NIST: Guidelines for the Secure Deployment of IPv6 http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf IPv6 Transition/Coexistence Security Considerations (RFC 4942) http://www.ietf.org/rfc/rfc4942.txt And many more….