Presentation is loading. Please wait.

Presentation is loading. Please wait.

Irish IPv6 Task Force - Irish IPv6 Task Force IPv6 and Security.

Similar presentations

Presentation on theme: "Irish IPv6 Task Force - Irish IPv6 Task Force IPv6 and Security."— Presentation transcript:

1 Irish IPv6 Task Force - Irish IPv6 Task Force IPv6 and Security

2 Irish IPv6 Task Force - Irish IPv6 Task Force IPv6 Training Slide-sets 1.The Bigger Picture: Why is IPv6 so Important? 2.IPv6 Deployment & Strategy (technical) 3.Introduction to IPv6 Fundamentals (technical) 4.The Business Case for IPv6 5.Mobile IPv6 (technical) 6.IPv6 Quality of Service (technical) 7.IPv6 Security (technical) <- This slide set is seventh in a series

3 Irish IPv6 Task Force - Presentation Structure Introduction to Security Problems What's new with IPv6& IPv6 Overview Problem solved? IPv6 and the “Anatomy of a Hack” Final thoughts

4 Irish IPv6 Task Force - Introduction to Security Problems

5 Irish IPv6 Task Force - Introduction to Security Problems Security - isn’t it all solved? Conventional threats Wireless systems now A vision of the future Protection now Protection in the future

6 Irish IPv6 Task Force - Whats the problem? We have firewalls and Intrusion Detection Systems –so we’re safe from outside attack −They never give false positives and are trivial to configure VPNs, RADIUS, SSH, etc. allow secure remote access −These are all user friendly and easy to use PKI can be used to determine identity −And DNSsec is in operation world-wide S/MIME or PGP protects mail −We all use secure email SSL/TLS protects web access −Phishing attacks don’t work Virus scanning is effective −So virii are a thing of the past Security patches can be applied centrally –SMS −The patches never break anything IPv6 has complete built-in security −Which is widely deployed And Pigs can fly!

7 Irish IPv6 Task Force - Why is there a problem? Hostile environment (motivations for attack vary) −Industrial Espionage −Ddos threats/extortion Lack of security consciousness Lots of potential points of attack Policies are often seen as unacceptable No regulatory framework Legal aspects unclear

8 Irish IPv6 Task Force - Pearls of wisdom If you believe that encryption (or firewalls or Intrusion Detection Systems) are the answer to all your security problems, then you probably asked the wrong question. Security is about securing a system. Security is a process NOT a product. Over-concentration on technology is deeply naïve. However if you do major changes, like IPv4 to IPv6,you must ensure you have not introduced new problems.

9 Irish IPv6 Task Force - Network Threats Passive tap Active tap Denial of service Faking/replay Traffic analysis

10 Irish IPv6 Task Force - Other Threats Physical attack Trojan Horses, viruses, worms, logic bombs Passwords Loopholes Collusion Accidental access Tempest Social Engineering

11 Irish IPv6 Task Force - Cost Effective Security Absolute security? −It is fictional in network connected system. Security = delay = cost to an attacker. Security costs to implement. So it is a compromise −Evaluate risks −Evaluate cost of losses −Don’t spend more than this −This is difficult because don’t know motivation of attacker don’t know value of information or goodwill

12 Irish IPv6 Task Force - New Problems Infrastructure doesn’t protect data Applications can’t be trusted to secure data New forms of virii? Security in mobile devices not standardised (many OS) Devices easy to lose (or steal) or break Radio is a broadcast medium Most mobile devices come with security disabled Data loss is painful; the more so the more one relies on it

13 Irish IPv6 Task Force - What is new with IPv6 & IPv6 Overview

14 Irish IPv6 Task Force - What is new with IPv6? Security was considered from the beginning in IPv6 −One can rely on certain features existing When new services were considered, their security was part of IPv6 thinking Some of the areas where the thinking is obvious are: −Threats to Mobile access and Mobile IP −Cryptographically generated addresses −Protocols for Authentication and Network Access −IPsec Making intrusion harder

15 Irish IPv6 Task Force - IPv6 Overview Expands addresses to 128 bits Formalised address boundaries IPSec (backported to IPv4 some time ago) Quality of Service (QoS) typing Stateless and stateful address autoconfiguration Dynamic address renumbering Transition tunnels and translators Robust resistance to brute force scanning No broadcast addresses It is NOT just IPv4 with bigger addresses!

16 Irish IPv6 Task Force - IPv6 Overview IPv6 has been around for many years IPv6 is still under development IPv6 will have new bugs that don't exist in IPv4 Few bugs derive exclusively from the IP layer Few vulnerabilities derive exclusively from the IP layer A lot of IPv6 is very similar to IPv4 Lessons learned in IPv4 should give IPv6 a better start

17 Irish IPv6 Task Force - IPv6 and IPsec General IP Security mechanisms provides −Authentication −Confidentiality −key management -requires a PKI infrastructure (IKEv2) applicable to use over LANs, across public & private WANs, & for the Internet IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication. IPSec is mandated in IPv6 –you can rely on for end-to-end security

18 Irish IPv6 Task Force - What is IPsec? Work done by the IETF IPsec Working Group Applies to both IPv4 and IPv6 and its implementation is: −Mandatory for IPv6 −Optional for IPv4 IPsec Architecture: RFC 2401 IPsec services −Authentication −Integrity −Confidentiality −Replay protection IPsec modes: Transport Mode & Tunnel Mode IPsec protocols: AH (RFC 2402) & ESP (RFC 2406)

19 Irish IPv6 Task Force - IPsec Architecture (RFC2401) Security Policies: Which traffic is treated? Security Associations: How is traffic processed? Security Protocols: Which protocols (extension headers) are used? Key Management: Internet Key Exchange (IKEv2) Algorithms: Authentication and Encryption

20 Irish IPv6 Task Force - IPsec Modes Transport −Above the IP level −Below the Transport Level −Only the IP datagram payload is protected −Usage Host to Host Service Tunnel Mode −IP within IP −Below the Transport Level −All the tunneled IP datagrams are protected −Usage Host to Host Service Gateway to Gateway Host to Gateway

21 Irish IPv6 Task Force - IPsec Protocols Authentication Header (AH) −RFC 2402 −Provides Connectionless Integrity Data origin authentication Replay protection Encapsulating Security Payload Header (ESP) −RFC 2406 −Provides Connectionless Integrity Data origin authentication Replay protection Confidentiality

22 Irish IPv6 Task Force - IPsec Protocols, modes and combinations Transport ModeTunnel Mode AH Authenticates IP payload and selected portions of IP header Authenticates entire inner IP datagram (header & payload) and selected portions of the outer IP header ESP Encrypts IP payloadEncrypts inner IP datagram ESP with Authentication Encrypts IP payload and authenticates IP payload but not IP header Encrypts and authenticates inner IP datagram

23 Irish IPv6 Task Force - IPsec Key Management Manual −Keys configured statically on each system Automatic: IKEv2 (RFC 4306 - Internet Key Exchange (IKEv2) Protocol) −IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish Security Associations for Enciphering and or Authenticating purposes −Also automatically establishes a common set of cryptographic algorithms to be used.

24 Irish IPv6 Task Force - Problem solved?

25 Irish IPv6 Task Force - Problem Solved? IPsec doesn’t solve all our problems Other Issues to consider −Transition Mechanisms All the ways you didn’t know of getting in and out of your network −Scanning and Addresses −Broadcasts

26 Irish IPv6 Task Force - Transition Mechanisms Intended to promote IPv6 adoption and interoperability Compatibility addresses aid IPv4 – IPv6 communications SIT (Six in Tunnel) / 6in4 6to4 Automatic SIT tunnels IPv6 over UDP in various encapsulations 6over4 Proxy Services, Services, and Protocol Bouncers DSTM and 4in6 provides reverse transition support Translators (NAT-PT, TRT)

27 Irish IPv6 Task Force - 6to4/SIT Simple Internet Transition / Six In Tunnel Protocol 41 (iPv6) in IPv4 Basis for several IPv6 tunnel schemes −Static SIT tunnels use preconfigured endpoints −Tunneling at the heart of ISATAP routed addresses Can pass “many” IPv4 NAT devices (proto 41 forwarding) −Not reliable and not preferred over NAT Most tunnel brokers provide IPv6 through SIT tunnels −Some (OCCAID, Hurricane Electric) only provide 6in4 tunnels 6to4 provides autoconfigured 6in4 tunnels −2002::/16 prefix −Assigns a /48 IPv6 network to every IPv4 address! −No tunnel brokers or static configuration required

28 Irish IPv6 Task Force - IPv6 over UDP IPv6 over UDP (default - port 3544/udp) Intended to provide IPv6 tunnels over IPv4 NAT devices Both endpoints may be NATed and/or firewalled! Can bypass most firewalls (uses outbound UDP sockets) Uses a robust NAT traversal similar to STUN (RFC 3489) Provides peer-to-peer IPv6 connectivity for clients over NAT devices Clients requires a Teredo server and relay on public IPv4 Teredo servers carry no production traffic Teredo relays are currently advertized in BGP Miredo project provides Teredo support on Linux and FreeBSD IANA assigned address prefix 2001:0::/32 IETF Standard RFC 4380

29 Irish IPv6 Task Force - More IPv6 over UDP UDP based transports work well over IPv4 NAT −Also bypasses most firewalls – including stateful firewalls −Some may be “STUN” enabled TSP - Tunnel Setup Protocol (3653/udp) −Promoted by FreeNet6 / Hexago −Also used with 4in6 for DSTM −Still an IETF draft AICCU - Automatic IPv6 Connectivity Client Utility (8374/udp) −SixXS in Europe (HEAnet host the SixXS pop in Ireland) OpenVPN (1194/udp v2 – 5100/udp v1) −Used by the German “Join” project as an IPv6 tunnel broker −Uses ESPinUDP (IPSec NAT-T) encapsulation −Directly tunnels IPv6 in IPv4 without additional tunneling layers

30 Irish IPv6 Task Force - Other methods IPv6 can be transported over anything that transports IPv4. PPP – Native or tunneled IPv4 using 6in4 IPSec / IPSec NAT-T −Encrypted tunnel −Encapsulation and transport of IPv6 over IPv4 using 6in4 −NAT-T provides a further UDP transport, but provides no STUN support (yet) 6over4 - Uses IPv4 multicast ISATAP - Complex setup using 6in4 - Large enterprises Generic Routing Encapsulation (GRE) −IPv6/4 over IPv4 −IPv4/6 over IPv6

31 Irish IPv6 Task Force - Less known methods Used to avoid detection. Ping Tunnel −Tunneling over ICMP Echo / Echo Reply Htunnel (tunnel over http, including proxies) TCPtunnel −Covert Channel in TCP header bits Covert Channel Tunneling Tool (CCTT) −Brings several covert tunneling encapsulations under one roof −Tunneling over ICMP −Tunneling over HTTP −Tunneling over DNS −Tunneling over NTP

32 Irish IPv6 Task Force - The IPv6 Underground Already active on IPv6 IPv6 only IRC channels IPv6 only FTP sites IPv6 only Web sites Many IRC bots have IPv6 patches IPv6 has been used for communications tunnels IPv6 can be used to hide backdoors IPv6 can be used to bypass firewalls IPv6 can enable end to end peer to peer connectivity −Even when all clients are behind NAT −Using 3 rd party STUN or Teredo servers −Public servers carry no “malicious traffic”

33 Irish IPv6 Task Force - Scanning and addresses Several orders of magnitude harder to scan 1 IPv6 subnet than all of IPv4 “Efficient” (dense) allocations == Feature Rich Targets Sparse allocations make brute force scanning impractical −Scanning for backdoors impractical By attackers By defenders −Scanning for proxies impractical −Scan-based worms can not propagate No more slammer No more blaster Cripples brute force scanning for open relays for Spam Reduces hacker “hijack wars” and “shelling matches” Use of trivial EUI-64 derived addresses can degrade this −EUI-64 derived from interface MAC addresses −Remains constant across subnets −Potential privacy issues

34 Irish IPv6 Task Force - IPv6 and Broadcasts Mostly good news No broadcast addresses −No local broadcast −No directed broadcast −No global broadcast Broadcast functions handled by various multicast addresses −Multicast addresses may never be source addresses −Some mutlicast addresses and functions can still have a large scope No more broadcast scanning for nodes No more directed broadcast “food fights” No help with local broadcast DDoS Zombies

35 Irish IPv6 Task Force - IPv6 and the “Anatomy of a Hack”

36 Irish IPv6 Task Force - IPv6 and the Anatomy of a Hack Basic layers in the Anatomy of a Hack −Identify targets −Initial Compromise (Gain access) −Acquire shell −Elevate privilege −Clean up traces −Secure communications and future access IPv6 impacts some, but not all, layers of this model

37 Irish IPv6 Task Force - Identify Targets Brute force scanning is impractical −Targets have to be individually chosen Port probes are possible once system is identified Security access may be on alternate addresses Services may be dispersed across multiple addresses −Security services, ssh, on unpublished addresses −Public services, web, smtp, ftp, on published addresses −No substitute for firewalls Result, Advantage defender

38 Irish IPv6 Task Force - Initial Compromise Access to other systems may be acquired from compromised systems secured by IPv6 tunnels Multiple systems may be accessed and routed out through single hosts anchoring IPv6 tunnels Additional global routing may contribute to accessing systems behind firewalls or on private IPv4 address space IPv6 traffic may be detected (if you know what to look for) Result, a Draw

39 Irish IPv6 Task Force - Securing Access IPv6 aids in hiding backdoors Many IDS systems do not detect IPv6 traffic Many IDS systems do not detect communications tunnels Properly configured IDS systems can detect IPv6 traffic Security scanners may not scan for IPv6 backdoors IPv6 is easy to set up without interfering with IPv4 operations Bots and malware may connect back to multiple addresses Result, Advantage Attacker

40 Irish IPv6 Task Force - Final thoughts

41 Irish IPv6 Task Force - Firewalls Not all firewalls configured to block protocol 41 by default −(Most now are) IPv4 firewalls can not see TCP or UDP in tunnels (Toredo, SIT) IPv6 firewalls can not see protocol 41 (or UDP) on IPv4 Teredo, TSP, AYIYA, and OpenVPN (UDP) can bypass firewalls All tunnels should terminate at the firewall or security perimeter Unroll all encapsulations and pass IPv6 traffic natively Tunnels should be prohibited from within corporate networks 6to4 auto tunnels should be limited to external sites / clients Provide an external gateway for supported tunneling protocols

42 Irish IPv6 Task Force - Providing IPv6 To provide IPv6 to a network, you must support it Tunnels should be terminated security perimeters (firewalls) 6to4 / 6in4 should be prohibited within a corporate network Native IPv6 should be provided within the corporate network Router advertisements should be monitored for anomalies Prefixes should be monitored for unexpected changes Unusual router advertisements should be investigated IDS systems should detect rogue routers and prefixes EUI policy should be defined and enforced

43 Irish IPv6 Task Force - Avoiding IPv6 To avoid having IPv6 on a network, you must support it Tunneling protocols and transports should be blocked −At all security perimeters −At routers and subnet boundaries −All tunneling protocols must be recognized IDS / IPS systems should monitor for IPv6 link protocols −Neighbor discovery −Router advertisements NIDS systems should detect IPv6 – native and tunneled −Unroll all encapsulated traffic to get at core protocols −Watch for encrypted encapsulations Host systems should be monitored for IPv6

44 Irish IPv6 Task Force - Ignoring IPv6 If you don't provide or prevent IPv6, you will have IPv6 −You won't control it −You won't recognize it −You won't be managing it −It will still be globally addressable −It will still be fully routable (independent of IPv4 routing) −Others will be providing IPv6 routes and routers, not you Others providing IPv6 will not have your best interest at heart

45 Irish IPv6 Task Force - Summary IPv6 carries a number of advantages −Improved addressing −Improved security −Improved routing IPv6 advantages can be used against networks −Backdoors hidden −Communications channels hidden −Security mechanisms bypassed IPv6 is easier and cheaper to provide than prevent Time for ignoring IPv6 is past Time for understanding and using IPv6 is now

46 Irish IPv6 Task Force - Acknowledgements This presentation includes some material from these other sources: The 6DISS project “Security Implications of IPv6”, Micheal H. Warfield, Internet Security Systems

47 Irish IPv6 Task Force - Contact Mícheál Ó Foghlú Research Director Telecommunications Software & Systems Group Waterford Institute of Technology Cork Road Waterford Ireland +353 51 302963 (w) (Personal Blog)

48 Irish IPv6 Task Force - Further Information Web Sites: National Irish IPv6 Centre http://www.ipv6-ireland.org Irish IPv6 Task Force http://www.ipv6.ie IPv6 ePrints Server (Public Documents) IPv6 Dissemination (Public Training) Individual Documents/Presentations: (Iljitsch van Beijnum, 7th March 2007) (Geoff Huston APNIC, 2006) 6.pdf (IPv6 Forum Roadmap & Vision, 2006) 6.pdf 06_Advancing_Information_Sharing_And_Data_Architecture/IPV6/NIST%20ipv6-doc-eai- v4%2012062005.ppt (Doug Montgomery NIST, 2005) 06_Advancing_Information_Sharing_And_Data_Architecture/IPV6/NIST%20ipv6-doc-eai- v4%2012062005.ppt

49 Irish IPv6 Task Force - Thank you! Thank you! This presentation has been shared under the Creative Commons Attribution 2.0 UK: England & Wales Licence ( by the Irish IPv6 Task Force ( Please acknowledge this source if you use it for free or for profit

Download ppt "Irish IPv6 Task Force - Irish IPv6 Task Force IPv6 and Security."

Similar presentations

Ads by Google