Draft-ietf-v6ops-scanning-implications-00 IPv6 Implications for Network Scanning Tim Chown University of Southampton (UK) IETF 66,

Presentation transcript:

draft-ietf-v6ops-scanning-implications-00
IPv6 Implications for Network Scanning
Tim Chown, University of Southampton (UK)
IETF 66, July 12th 2006, Montreal

Purpose of document
- Document different properties of IPv6 networks for network scanning
- Suggest possible new attack vectors for discovery of host addresses to target
  - By the usual scanning method
- Recommend measures that network administrators may take to mitigate these

Recent changes
- In a past life this document used to be draft-chown-port-scanning-implications-02
- Adopted by WG
- Received a number of comments
- Improvements:
  - Addressed comments
  - Changed to a new structure based on comments

Comments addressed
- Avoided any suggestion that IPv6 subnet size makes networks resilient to network scanning
  - Because other methods to harvest addresses exist
  - Attackers will scan addresses that they can learn
- Restructured to 3 sections:
  - IPv6 subnet size ‘problem statement’
  - Alternative address harvesting methods
  - Recommendations/suggestions for admins

Subnet size implications
- Problem space for IPv6 scanning
  - Huge subnet size (64 bits)
  - But can be reduced by heuristics
    - Systems numbered ::1, ::2, etc
    - Autoconfiguration uses fixed ‘fffe’ stuffing
    - Well-known vendor NIC prefixes
    - Sequential NIC IDs in batches of systems
- Dual-stack systems still ‘vulnerable’ via IPv4
- May wish to perform defensive scanning

Alternatives for attackers
- ‘New’ ways to harvest IPs
  - On-link methods
  - Multicast (including site scope)
  - Logged or recorded IPs
  - DNS advertised hosts
  - DNS zone transfers
  - Application participation
  - Transition methods

Measures for admins?
- Consider using Privacy Addresses (RFC3041)
  - Reduces ‘useful lifetime’ of address to attacker who has harvested the address by some means
  - Adds complexity for network management
- Consider DHCPv6 address pools
  - Don’t allocate from ::1 upwards
  - Avoid using sequential addresses
- Consider rolling server IP addresses
  - e.g. change advertised MX addresses over time
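
An added example, not part of the slides or the draft: a defensive audit that runs over a site's own address inventory and reports which interface identifiers match the predictable patterns listed under "Subnet size implications", which is what the measures above are meant to remove. The function names, the 2^16 threshold for "low-numbered" and the sample addresses are assumptions made for this illustration.

```python
import ipaddress

MASK64 = (1 << 64) - 1

# Constructed sample inventory in the 2001:db8::/32 documentation prefix.
SAMPLE_INVENTORY = [
    "2001:db8:0:1::1",                   # manually numbered from ::1 upwards
    "2001:db8:0:1::2",
    "2001:db8:0:1:211:22ff:fe33:4455",   # autoconfigured, 'fffe' stuffing
    "2001:db8:0:1:211:22ff:fe33:4456",   # next NIC from the same batch
    "2001:db8:0:1:3c2a:91f7:5be0:d4a8",  # randomised interface identifier
]

def classify_iid(addr):
    """Label the interface identifier (low 64 bits) of one IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & MASK64
    if iid < 0x10000:                    # assumption: "low" means < 2^16
        return "low-numbered"
    if (iid >> 24) & 0xFFFF == 0xFFFE:   # bytes 3-4 of a MAC-derived IID
        return "eui64"
    return "other"

def audit(addresses):
    """Group addresses by pattern and flag vendor prefixes with adjacent NIC IDs."""
    report = {"low-numbered": [], "eui64": [], "other": []}
    nic_ids = {}                         # vendor prefix (OUI) -> NIC-specific values
    for addr in addresses:
        kind = classify_iid(addr)
        report[kind].append(addr)
        if kind == "eui64":
            iid = int(ipaddress.IPv6Address(addr)) & MASK64
            oui = (iid >> 40) ^ 0x020000 # undo the universal/local bit flip
            nic_ids.setdefault(oui, []).append(iid & 0xFFFFFF)
    sequential = {}
    for oui, values in nic_ids.items():
        values.sort()
        adjacent = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
        if adjacent:
            sequential[f"{oui:06x}"] = adjacent
    report["sequential_oui"] = sequential
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE_INVENTORY).items():
        print(key, value)
```

Addresses reported as "low-numbered" or "eui64" are the candidates for DHCPv6 pools with non-sequential allocation or for privacy addresses.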

Next Steps
- Comments?
- Any anecdotal evidence of (mis)behaviour seen at site firewalls?
  - Author sees port scanning on advertised IPs
- Cited by three(?) other current IDs
- WGLC?