Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 265 – Project IPv6 Security Aspects Surekha Shinde.

Similar presentations

Presentation on theme: "CS 265 – Project IPv6 Security Aspects Surekha Shinde."— Presentation transcript:


2 CS 265 – Project IPv6 Security Aspects Surekha Shinde

3 IPv6 Security Aspects Agenda Introduction to IPv6 IPv4 and IPv6 Comparison Current issues in IPv4 IPv6 solutions for IPv4 issues New issues of new protocol Hacking Tools Conclusion

4 Introduction to IPv6 Why IPv6 IPv6 Important features : Wish-list Faster Packet Processing Enhanced QOS Improved Security Greater protocol Flexibility Dual-Stack approach

5 031 VersionClassFlow Label Payload LengthNext HeaderHop Limit 128 bit Source Address 128 bit Destination Address 4122416 The IPv6 Header 40 Octets, 8 fields

6 031 VerIHLTotal Length IdentifierFlags Fragment Offset 32 bit Source Address 32 bit Destination Address 482416 Service Type Options and Padding Time to Live Header Checksum Protocol Shaded fields are absent from IPv6 header The IPv4 Header 20 octets + options : 13 fields, including 3 flag bits

7 IPv6 Addressing IPv6 Addressing rules are covered by multiples RFC’s Architecture defined by RFC 2373 Address Types are : Unicast : One to One Anycast : One to Nearest Multicast : One to Many Reserved A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast) No Broadcast Address -> IPv6 Use Multicast

8 Notation & Abbreviation Notation 1111110111101100 1111111111111111 128 Bits = 16 bytes = 32 Hex digits : 76543210 :: ADBF : BBFF2922FFFF ::: FDEC BA98 FDEC : BA98 : 0074 : 3210 : 000F : BBFF : 0000 : FFFF FDEC : BA98 : 74 : 3210 : F : BBFF : 0 : FFFF Abbreviation Unabbreviated Abbreviated FDEC : 0 : 0 : 0 : 0 : BBFF : 0 : FFFF FDEC : 00 : BBFF : 0 : FFFF Abbreviated More Abbreviated

9 IPv6 Addressing for IPv4 IPv4-Compatible IPv6 Address format IPv4-Mapped IPv6 Address format 0 IPv4 Address 96 Bits 32 Bits 0:0:0:0:0:0 IPv4 Compatible Address = 0:0:0:0:0:0: = :: 0 IPv4 Address 80 Bits 32 Bits 0:0:0:0:0:0 FFFF 16 Bits IPv4-Mapped Address = 0:0:0:0:0:FFFF:

10 IPv6 over IPv4 Tunnels Tunneling is encapsulating the IPv6 packet in the IPv4 packet Tunneling can be used by routers and hosts IPv4 IPv6 Network Tunnel: IPv6 in IPv4 packet IPv6 HostA Dual-Stack RouterB Dual-Stack RouterA IPv6 HostB IPv6 Header IPv4 Header IPv6 Header Transport Header Data Transport Header

11 Dual Stack Approach & DNS In a dual stack case, an application that: Is IPv4 and IPv6-enabled Asks the DNS for all types of addresses Chooses one address and, for example, connects to the IPv6 address DNS Server IPv4 IPv6 = * ? 3ffe:b00::1

12 Security Advantages of IPv6 Over IPv4 IPv4 - NAT breaks end-to-end network security IPv6 - Huge address range – No need of NAT IPv4 – IPSEC is Optional IPv6 - Mandatory in v6 IPv4 - Security extension headers(AH,ESP) – Back ported IPv6 - Built-in Security extension headers IPv4 - External Firewalls introduce performance bottlenecks IPv6 - Confidentiality and data integrity without need for additional firewalls

13 Security Advantages of IPv6 Over IPv4 (2) IPv4 - Security issues related to ICMPV4. IPv6 - ICMPV6 uses IPSEC authentication and encryption. IPv4 - No mechanism for resistance to scanning IPv6 - RTS possible only in IPV6 IPV4 - Doesn’t support Auto configuration IPv6 - Built in Auto configuration support Ignorance of network administrator to IPV6 But, Thanks to the transitional efforts of IETF

14 IPV4 - Security option field and Optional IPSEC IPV6 - IPSEC part of protocol suite-mandatory IPSEC provides network-level security IPSEC uses:- AH ( Authentication Header) ESP( Encapsulating Security Payload) Header Important Security fields in IPv6

15 Authentication Header(AH) Data integrity Data authentication Anti-replay protection Next HeaderHdr Ext Len Security Parameters Index (SPI) Reserved Sequence Number Authentication Data Fig.- Authentication Header(AH) Packet Format

16 Authentication Header fields SPI:-Security parameter index Sequence number field :- Anti-replay protection Authentication data :- ICV-authentication and data integrity HMAC(Hash message authentication code)+MD5 & HMAC+SHA-1 AH supports several authentication algorithms Prevents IP spoofing attacks Prevents DOS attacks

17 Encapsulating Security Payload (ESP) Data confidentiality Data integrity Data authentication Anti-replay protection Authentication applied only to data being encrypted Optional services-select at least one

18 Payload Next Header Security Parameters Index (SPI) Sequence Number Authentication Data Padding Length Padding ESP Packet Header Format

19 ESP Packet Header ESP header with confidentiality service – prevents sniffing Ex.TCP dump & Windump ESP - symmetric key algorithms like DES, 3DES and AES ESP Header Fields: SPI:-Security parameter index Sequence number field :- Anti-replay protection

20 Security issues in IPV6: IPSEC Relies on PKI, Not yet fully Standardized Scanning possible – If poorly designed No protection against all denial of service attack (DoS attacks difficult to prevent in most cases) No many firewalls in market with V6 capable But ??????

21 By The Way… IPv6 Hacking Tools Sniffer/packet capture Analyzer Snort TCP dump Ethereal Windump WinPcap Scanners IPV6 security scanner Halfscan6 Nmap DOS Tools 6tunneldos 4to6DDOS Imps6-tools Packet forgers SendIP Packit Spak6 Worms Slapper RealSecure & Proventia Tools

22 Conclusion ‘Black Hats’ Vs ‘White Hats’ Time for ignoring IPV6…..PAST Time for understanding,recognizing and deploying it…… NOW

23 References Computer Networks By Larry Peterson and Bruce Davie

24 Questions ?


Download ppt "CS 265 – Project IPv6 Security Aspects Surekha Shinde."

Similar presentations

Ads by Google