IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.


New Security Issues in IPv6
Many of the new protocol's characteristics can be used to attack systems and networks.
IPv6 deployment calls for a deep understanding of the protocol, its requirements and its security issues.
Careful planning is necessary to lessen the possibility of malicious exploitation.

IPv6 Security Characteristics
Based upon IPv4 experience, the new protocol incorporates a number of elements that address known security problems.
Support for some IPsec features:
  – Authentication headers
  – Encryption headers
  – These can be used to implement specific security policies. Separate implementation allows for a degree of flexibility when implementing a particular policy.

Network Reconnaissance
The large number of possible IPs complicates the discovery of operating systems and services by host and port scanning
  – Default network size is 2^64 IPs, which is very difficult to cover with packet probes
Weaknesses:
  – Main systems usually get assigned "easy to remember" addresses
  – DNS servers keep system data
  – IPv6 neighbor-discovery data
  – Special multicast addresses for various types of network resources (routers, DHCP servers etc.)

Access Control
One interface may simultaneously have several addresses
  – Link local, site local, global unicast
  – The administrator may enable global unicast addresses only for devices that must access the Internet.
Extension Headers in IPv6 may be used to bypass the security policy
  – E.g. routing headers have to be accepted at specific devices (IPv6 endpoints)
In IPv6 some ICMP and (link-local) multicast messages are required for the correct operation of the protocol
  – Firewalls should be configured to allow only the right messages of these types
  – The IPv4 ICMP security policy must be appropriately adapted for ICMPv6 messages
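
The selective ICMPv6 policy this slide calls for, sketched as an added example (not part of the original presentation). The type numbers are the standard ICMPv6 ones; the function name, its parameters and the choice of which classes to accept are assumptions made for illustration.

```python
from ipaddress import IPv6Address

# ICMPv6 type numbers (RFC 4443, RFC 2710, RFC 4861).
ERRORS = {1, 2, 3, 4}        # unreachable, packet too big, time exceeded, parameter problem
ECHO = {128, 129}            # echo request / reply
MLD = {130, 131, 132}        # multicast listener query / report / done
ND = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, redirect
ROUTER_ONLY = {134, 137}     # RA and redirect must come from a link-local source

def icmpv6_verdict(msg_type, src, hop_limit, forwarded, allow_echo=True):
    """Decide on one ICMPv6 message (hypothetical policy function).

    forwarded=True means the firewall is routing the packet between networks;
    False means it was received on the local link.
    """
    if msg_type in ERRORS:
        # Needed end to end: IPv6 routers do not fragment, so path MTU
        # discovery depends on Packet Too Big reaching the sender.
        return "accept"
    if msg_type in ECHO:
        return "accept" if allow_echo else "drop"
    if msg_type in ND:
        # Neighbor discovery is link-scoped: never route it, and require
        # hop limit 255, which proves no router forwarded the packet.
        if forwarded or hop_limit != 255:
            return "drop"
        if msg_type in ROUTER_ONLY and not IPv6Address(src).is_link_local:
            return "drop"
        return "accept"
    if msg_type in MLD:
        # MLD is also link-scoped and is sent with hop limit 1.
        return "accept" if not forwarded and hop_limit == 1 else "drop"
    return "drop"    # default deny for every other type
```

Unlike a typical IPv4 policy that blocks ICMP wholesale, the error and neighbor-discovery classes here stay open, which is the adaptation the slide refers to.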

Packet Spoofing
Possible for levels 3 and (particularly) 4
The address allocation method offers a new characteristic for the control of packets with a spoofed source address
  – The globally aggregated nature of address allocation means that addresses are assigned from bigger to smaller groups. At different stages of the routing procedure, filters can be set up to check and block wrong source addresses.
  – The large number of available IPv6 addresses allows an attacker to use addresses that are spoofed yet come from valid source ranges

ARP and DHCP attacks
Devices are misled into taking wrong IPs or being configured with malicious settings
IPv6 does not provide any extra security on this issue
  – The stateless autoconfiguration procedure (based on ICMPv6) automatically assigns addresses. However, DHCP servers could possibly be used in the future to provide extra service information
  – DHCPv6 is not yet considered "mature"
  – The same process (stateless autoconfiguration) can be hijacked
  – ICMPv6 neighbor discovery replaces ARP, but suffers from the same problems

Amplification (DDoS) Attacks
There are no broadcast addresses in IPv6
  – This would stop any type of amplification/"Smurf" attack that sends ICMP packets to the broadcast address
  – Global multicast addresses for special groups of devices, e.g. link-local addresses, site-local addresses, all site-local routers, etc.
IPv6 specifications forbid the generation of ICMPv6 packets in response to messages to global multicast addresses.
  – Many popular operating systems follow the specification
  – The danger of ICMP packets with global multicast source addresses is still uncertain

Mixed environments v4/v6
There are security issues with the transition mechanisms
  – Tunnels are extensively used to interconnect networks over areas supporting the "wrong" version of the protocol
  – Tunnel traffic has often not been anticipated by the security policies. It may pass through firewall systems because of their inability to check two protocols at the same time
  – Such checks also place high demands on processing power and computing resources
  – The problem is made worse by the fact that many tunneling mechanisms operate automatically

Mixed environments v4/v6 – 6to4
6to4 provides the main mechanism for communication of IPv6 systems or networks over IPv4
  – Automatic and dynamic connectivity between dual stack IPv6 systems within IPv4 networks (6to4 hosts) and native IPv6 areas
  – 6to4 gateways acquire an IPv6 address with the prefix 2002: based on their IPv4 address

Mixed environments v4/v6 – 6to4 (2)
An IPv6 network may send attack traffic to an IPv4 system by constructing packets with the appropriate IPv6/6to4 destination address. The corresponding tunnels are set up dynamically.
The same type of attack may be initiated from an IPv4 system, concealing the source. The path is: IPv4 system – 6to4 router and removal of the IPv4 address – target IPv4 system (its address described in IPv6/6to4)
  – The possibility of a DDoS attack is rather low due to resource limitations at the 6to4 router
  – It's possible to use different 6to4 nodes for each direction
  – The mechanism may also be used for reflection attacks
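
How the 2002: prefix is derived from an IPv4 address, and the decapsulation checks a 6to4 router can apply so that the embedded address cannot be used to conceal the source or to reach non-routable IPv4 targets. This is an added example, not part of the original presentation; the function names and the blocked-range list are assumptions, and the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges stand in for public addresses.

```python
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

# IPv4 ranges that must never appear inside a 6to4 address (assumed policy):
# "this" network, RFC 1918 private space, loopback, link-local,
# multicast, and reserved space including the limited broadcast address.
NON_ROUTABLE_V4 = [IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def to_6to4_prefix(v4):
    """Build the 2002:V4ADDR::/48 prefix a gateway derives from its IPv4 address."""
    return IPv6Network(((0x2002 << 112) | (int(IPv4Address(v4)) << 80), 48))

def embedded_v4(v6):
    """Return the IPv4 address inside a 6to4 address, or None for non-6to4."""
    return IPv6Address(v6).sixtofour

def tunnel_verdict(outer_v4_src, inner_src, inner_dst):
    """Check one decapsulated packet: outer IPv4 source, inner IPv6 addresses."""
    src_v4, dst_v4 = embedded_v4(inner_src), embedded_v4(inner_dst)
    # A 6to4 source must agree with the IPv4 address that actually sent the
    # tunnel packet; a mismatch means the origin is being concealed.
    if src_v4 is not None and src_v4 != IPv4Address(outer_v4_src):
        return "drop: 6to4 source does not match outer IPv4 source"
    for label, v4 in (("source", src_v4), ("destination", dst_v4)):
        if v4 is not None and any(v4 in net for net in NON_ROUTABLE_V4):
            return f"drop: 6to4 {label} embeds non-routable {v4}"
    return "accept"
```

Traffic arriving from a relay carries a native IPv6 source, so the source-match check does not apply to it; that path needs the relay itself to be an authorized tunnel endpoint.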

Viruses, Worms and automated attack tools
The effect of the new protocol on worms' ability to propagate is not known
DDoS attack tools operating in an IPv6 environment are already available, e.g. 6To4DDos.
Some attack programs incorporate code that allows them to operate in IPv6 too
  – Such a worm has already been detected by the Honeynet project

Common IPv4 - IPv6 attacks
Packet sniffing
Application Layer Attacks
Rogue devices
"Man-in-the-middle" attacks
DDoS traffic attacks

Security recommendations
Automatic configuration security mechanisms that mask the MAC address may also be used to conceal an attacker.
Assign global addresses only to systems that require Internet connectivity
Non-trivial addresses for critical systems
Filter unnecessary services at the firewall
Selective ICMPv6 filtering
Keep the security level of systems and applications current by deploying patches
Careful selection of the cases when Extension Headers should be allowed

Security recommendations (2)
The firewall should have the ability to check fragmented packets
Filter packets with wrong source addresses
Traceback procedures at levels 2 and 3 should be available to show concealed attackers
  – The large number of available addresses may be used to hide the attackers.
Disallow packets with multicast source addresses
It's better to avoid "translation" mechanisms between IPv4 and IPv6 and use dual stack instead
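
Source-address filtering at successive aggregation levels, as described on the Packet Spoofing slide and recommended here, together with the multicast-source check. This is an added example, not part of the original presentation; the three-level hierarchy is constructed from the 2001:db8::/32 documentation prefix and the function names are hypothetical.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed allocation hierarchy: each stage expects routed traffic coming
# from below it to carry a source inside the prefix delegated to that level.
STAGES = [
    ("access port", IPv6Network("2001:db8:a:1::/64")),
    ("site edge", IPv6Network("2001:db8:a::/48")),
    ("provider border", IPv6Network("2001:db8::/32")),
]

def source_verdict(src, expected):
    """Verdict of a single filter for a routed packet's source address."""
    addr = IPv6Address(src)
    if addr.is_multicast:
        # A multicast address is never a legitimate source.
        return "drop: multicast source"
    if addr not in expected:
        return f"drop: source outside {expected}"
    return "accept"

def stages_dropping(src):
    """Names of the stages whose filter would drop this source address.

    Shows how coarse each level is: the wider the prefix, the more
    spoofed addresses still pass it.
    """
    return [name for name, prefix in STAGES
            if source_verdict(src, prefix) != "accept"]

# Constructed samples, all claimed by a host attached to the /64 above.
SAMPLES = {
    "legitimate host": "2001:db8:a:1::10",
    "spoofed, same /64": "2001:db8:a:1:dead:beef:0:1",
    "spoofed, other subnet": "2001:db8:a:2::10",
    "spoofed, other site": "2001:db8:b::10",
    "spoofed, foreign prefix": "2001:db9::10",
    "multicast source": "ff02::1",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:26} {src:28} {stages_dropping(src) or 'passes all'}")
```

The "spoofed, same /64" sample passes every stage, which is the limitation the slides point out: prefix filters cannot tell apart addresses inside a valid range, so traceback at levels 2 and 3 is still needed.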

Security recommendations (3)
Preferably, static tunnel configuration
Only authorized systems should be allowed as tunnel endpoints

Questions...