Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide title minimum 48 pt Slide subtitle minimum 30 pt Tunnel Security Concerns draft-ietf-v6ops-tunnel-security-concerns-02 James Hoagland Suresh Krishnan.

Published byMyles Kennedy Modified over 8 years ago

Similar presentations

Presentation on theme: "Slide title minimum 48 pt Slide subtitle minimum 30 pt Tunnel Security Concerns draft-ietf-v6ops-tunnel-security-concerns-02 James Hoagland Suresh Krishnan."— Presentation transcript:

1 Slide title minimum 48 pt Slide subtitle minimum 30 pt Tunnel Security Concerns draft-ietf-v6ops-tunnel-security-concerns-02 James Hoagland Suresh Krishnan Dave Thaler

2 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 2 History ›Originally targeted at documenting security concerns regarding Teredo ›Adopted as v6ops wg document in July 2007 ›Realized that the security concerns were applicable not only to Teredo but to tunnels in general ›Moved to intarea

3 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 3 Security Devices/Software ›Security devices/software often do packet inspection ›This draft takes no position on whether that is good or bad ›The fact is, they exist –and people use them and expect certain security properties ›If tunnels bypass them in some way, the tunnels are seen by such admins as a security/policy violation

4 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 4 Dealing With Security Devices ›Don’t automatically tunnel to the Internet from a “managed” network –But may be hard to tell if network is “managed” –Implementations should require explicit user consent to enable tunneling, at least for the first time ›Hosts should prefer native connectivity over tunnels –If tunnel address space is well-known, add to Prefix Policy Table [RFC3484] ›One incentive for a managed network to provide native IPv6 is to reduce demand for IPv6 transition tunnels ›If tunneling isn’t an acceptable risk, admins may block tunneling

5 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 5 Identifying tunneled data packets ›How can a tunneled data packet be identified? –By protocol number (MIP, 6to4, ISATAP, etc.) –By port number (L2TP, some Teredo, etc.) –By tunnel server address –Pretend you’re the destination for parsing purposes and see if it parses according to that protocol ›But this may incorrectly identify other packets too

6 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 6 Tunnels May Bypass In/Egress Filtering ›Ingress/egress filters in routers being tunneled over won’t see the inside IP addresses ›Could update routers to recognize tunnels (ugly) ›Tunnel servers can do filtering ›Can do checks in tunnel clients –If v4 addr embedded in v6 addr and supports peer-to-peer tunneling (e.g., 6to4, ISATAP, 6over4, etc), check if addrs correspond –If supports server-client tunneling, check if packet came from known server ›Implies some secure server discovery mechanism (manual config, secure DNS resolution, whatever)

7 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 7 Increased Attack Surface Area ›If tunnel allows inbound access from public Internet, this may bypass a network “firewall” –Host-based “firewall” may still drop eventually ›If tunnel allows inbound access from a private network (e.g., a VPN), this still increases the amount of attackable code, but not as much ›Additional Recommendations: –Activate tunnels only when needed

8 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 8 Exposure of a NAT Hole ›NAT mappings kept stable means more discoverable ›External address/port may be easy to learn from client’s inner address –Client’s inner address may be discoverable in DNS, p2p systems, etc –Tunnel packets are seen by more parties than native packets (e.g., due to longer paths) –Learning the external address/port provides access to the entire inner address –Not just the application port that’s communicating with the outside

9 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 9 Public Tunnels Widen Holes in Stateful Address Filters ›Some devices only allow inbound packets from destinations that have been sent packets ›Public tunnels bypass this and may eliminate need for attacker to spoof –Host-based “firewall” may still drop –Recommendations: –Activate tunnels only when needed –Consider whether tunnel server should do stateful filtering (TURN allows this for instance)

10 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 10 Guessing Addresses ›Some tunneling protocols make guessing addresses easier than an address scan especially for IPv6 (for IPv4 not so much) –Well-known or popular address prefix? –Embed popular server address? –Some address bits are constant?

11 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 11 Profiling Targets ›If a tunnel protocol is available on only a subset of host platforms, this helps attacker know what/how to attack ›Similarly if a specific tunnel server is used primarily by a subset of platforms ›Similarly for the client port (range) ›Information about the NAT type (e.g, cone NAT) can be used to target attacks ›If looking at an address reveals any of this information, this profiling can be done passively –Aside: This applies to MAC-based address generation too, not just tunnels

12 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 12 Securing the use of tunnels ›This document describes several security issues with tunnels. –This does not mean that tunnels need to be avoided at any cost. ›On the contrary, tunnels can be very useful if deployed, operated and used properly. ›Several measures can be taken in order to secure the operation of IPv6 tunnels. –Operating on-premise tunnel servers/relays so that the tunneled traffic does not cross border routers. –Setting up internal routing to steer traffic to these servers/relays –Setting up of firewalls to allow known and controllable tunneling mechanisms and disallow unknown tunnels.

13 Slide title minimum 32 pt (32 pt makes 2 rows Text and bullet level 1 minimum 24 pt Bullets level 2-5 minimum 20 pt !"#$%&'()*+,-./0123456789:; ?@ABCDEFGHIJKLMNOPQRSTU VWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~¡¢£¤¥¦§¨ ©ª«¬®¯°±²³´¶·¸¹º»¼½ÀÁÂÃÄÅÆÇÈËÌÍÎÏÐÑÒÓÔÕÖ× ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀā ĂăąĆćĊċČĎďĐđĒĖėĘęĚěĞğĠġĢģĪīĮįİıĶķĹĺĻļĽľŁłŃńŅ ņŇňŌŐőŒœŔŕŖŗŘřŚśŞşŠšŢţŤťŪūŮůŰűŲųŴŵŶŷŸŹ źŻżŽžƒˆˇ˘˙˚˛˜˝ẀẁẃẄẅỲỳ–—‘’‚“”„†‡…‰‹›⁄€™−≤≥fifl ĀĀĂĂĄĄĆĆĊĊČČĎĎĐĐĒĒĖĖĘĘĚĚĞĞĠĠĢĢĪĪĮĮİĶ ĶĹĹĻĻĽĽŃŃŅŅŇŇŌŌŐŐŔŔŖŖŘŘŚŚŞŞŢŢŤŤŪŪŮŮ ŰŰŲŲŴŴŶŶŹŹŻŻ ΆΈΉΊΌΎΏΐΑΒΓΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΪΫΆΈΉΊ ΰαβγδεζηθικλνξορςΣΤΥΦΧΨΩΪΫΌΎΏ ЁЂЃЄЅІЇЈЉЊЋЌЎЏАБВГДЕЖЗИЙКЛМНОПРСТУФ ХЦЧШЩЪЫЬЭЮЯАБВГДЕЖЗИЙКЛМНОПРСТУФХ ЦЧШЩЪЫЬЭЮЯЁЂЃЄЅІЇЈЉЊЋЌЎЏ ѢѢѲѲѴѴ ҐҐәǽ ẀẁẂẃẄẅỲỳ№ Do not add objects or text in the footer area Tunnel Security Concerns | Suresh Krishnan | IETF 77 | 2010-03-22 | Page 13 Way forward ›All comments received from v6ops mailing list and SECDIR review have been addressed ›Text has been added to describe secure use of tunnels ›Please take a look and send us comments ›Does this need to be WGLC-ed here?

Download ppt "Slide title minimum 48 pt Slide subtitle minimum 30 pt Tunnel Security Concerns draft-ietf-v6ops-tunnel-security-concerns-02 James Hoagland Suresh Krishnan."

Similar presentations

Slide title minimum 48 pt Slide subtitle minimum 30 pt Wordpress Help and support documentation Last updated: 2011-06-07.

Slide title minimum 48 pt Slide subtitle minimum 30 pt Wordpress Help and support documentation Last updated:
Slide title minimum 48 pt Slide subtitle minimum 30 pt PSAP Callback IETF#81, Quebec City, Canada draft-holmberg-ecrit-callback-00

Slide title minimum 48 pt Slide subtitle minimum 30 pt PSAP Callback IETF#81, Quebec City, Canada draft-holmberg-ecrit-callback-00
Slide title minimum 48 pt Slide subtitle minimum 30 pt AVTEXT WG Meeting IETF 80 Prague Keith Drage Magnus Westerlund.

Slide title minimum 48 pt Slide subtitle minimum 30 pt AVTEXT WG Meeting IETF 80 Prague Keith Drage Magnus Westerlund.
Slide title minimum 48 pt Slide subtitle minimum 30 pt MODEL BASED TEST DESIGN FOR PERFORMANCE TESTING AND OTHER NON-FUNCTIONAL REQUIREMENTS MATTIAS ARMHOLT.

Slide title minimum 48 pt Slide subtitle minimum 30 pt MODEL BASED TEST DESIGN FOR PERFORMANCE TESTING AND OTHER NON-FUNCTIONAL REQUIREMENTS MATTIAS ARMHOLT.
Slide title minimum 48 pt Slide subtitle minimum 30 pt FPGA design practices and optimization Gyula Istvan Nagy.

Slide title minimum 48 pt Slide subtitle minimum 30 pt FPGA design practices and optimization Gyula Istvan Nagy.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.

Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.
IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.

IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.
Slide title minimum 48 pt Slide subtitle minimum 30 pt Communication and security – towards LTE Mats Nilsson.

Slide title minimum 48 pt Slide subtitle minimum 30 pt Communication and security – towards LTE Mats Nilsson.
Draft-vandevelde-v6ops-harmful-tunnels-01.txt 1 Are they the future of the Internet? Non-Managed Tunnels Considered Harmful Gunter Van de Velde, Ole Troan,

Draft-vandevelde-v6ops-harmful-tunnels-01.txt 1 Are they the future of the Internet? Non-Managed Tunnels Considered Harmful Gunter Van de Velde, Ole Troan,
Slide title minimum 48 pt Slide subtitle minimum 30 pt Conex IPv6 Destination Option Suresh Krishnan Mirja Kuehlewind Carlos Ralli Ucendo.

Slide title minimum 48 pt Slide subtitle minimum 30 pt Conex IPv6 Destination Option Suresh Krishnan Mirja Kuehlewind Carlos Ralli Ucendo.
Slide title minimum 48 pt Slide subtitle minimum 30 pt Conex IPv6 format Suresh Krishnan Mirja Kuehlewind Carlos Ralli Ucendo.

Slide title minimum 48 pt Slide subtitle minimum 30 pt Conex IPv6 format Suresh Krishnan Mirja Kuehlewind Carlos Ralli Ucendo.
Slide title minimum 48 pt Slide subtitle minimum 30 pt Experiences from Introduction and Deployment of MBT at Ericsson Håkan Fredriksson Ericsson AB

Slide title minimum 48 pt Slide subtitle minimum 30 pt Experiences from Introduction and Deployment of MBT at Ericsson Håkan Fredriksson Ericsson AB
Slide title minimum 48 pt Slide subtitle minimum 30 pt LICENSING AND TECH TRANSFER MAKING THE MOST OUT OF YOUR PATENT Gustav Brismark Vice President, Patent.

Slide title minimum 48 pt Slide subtitle minimum 30 pt LICENSING AND TECH TRANSFER MAKING THE MOST OUT OF YOUR PATENT Gustav Brismark Vice President, Patent.

Similar presentations

Ads by Google