RFC 3964 Security Considerations for 6to4
Speaker: Chungyi Wang
Adviser: Quincy Wu
Date: 2007.6.25

Presentation transcript:


Outline
- Abstract
- Introduction
- 6to4 Router & Relay Router
  - 6to4 Router
  - 6to4 Relay Router
- Threat Analysis
  - Attacks with Neighbor Discovery (ND) Messages
  - Spoofing traffic to 6to4 nodes
  - Reflecting traffic from 6to4 nodes
  - Local IPv4 broadcast attack
- Reference

Abstract
- The IPv6 interim mechanism 6to4 (RFC 3056) uses automatic IPv6-over-IPv4 tunneling to interconnect IPv6 networks.
- This characteristic enables a number of security threats, mainly Denial of Service.
- It also makes it easier for nodes to spoof IPv6 addresses.
- This document discusses these issues in more detail and suggests enhancements to alleviate the problems.

Introduction (1/3)

Introduction (2/3)
- All 6to4 routers must accept and decapsulate IPv4 packets from every other 6to4 router, and from 6to4 relays.
- 6to4 relay routers must accept traffic from any native IPv6 node.
- The IPv4 and IPv6 headers may be spoofed, which opens the door to Denial of Service attacks.

Introduction (3/3)
[figure: a packet with a spoofed source address arrives at 2001:db8::; the receiver cannot tell who sent it ("Who!?")]

6to4 Router & Relay Router (1/2)
- 6to4 Router: the 6to4 routers act as the border routers of a 6to4 domain.
- 6to4 Relay Router: the 6to4 relay router acts as a relay between all 6to4 domains and native IPv6 networks.

6to4 Router & Relay Router (2/2)
[figure: topology showing a 6to4 relay router and a 6to4 router]

6to4 Router (1/6)
- Provide IPv6 connectivity to local clients and routers.
- Forward packets sent to locally configured 6to4 addresses to the 6to4 network.
- Tunnel packets sent to foreign 6to4 addresses to the destination 6to4 router using IPv4.
- Tunnel packets sent to non-6to4 addresses to the configured / closest-by-anycast 6to4 relay router.
[figure labels: 6to4 addresses, 6to4 router, 6to4 relay router]

6to4 Router (2/6)
- Decapsulate directly received IPv4 packets from foreign 6to4 addresses.
- Decapsulate IPv4 packets received via the relay closest to the native IPv6 sources.
- Note that it is not easily distinguishable whether the packet was received from a 6to4 relay router or from a spoofing third party.
[figure labels: Foreign, Relay]

6to4 Router (3/6) Security Checks
Disallow traffic:
- from the private, broadcast, and reserved IPv4 addresses
- from 6to4 routers whose IPv4 tunnel source does not match the 6to4 prefix
- whose destination (IPv6) is not a global address
- from other 6to4 domains through a 6to4 relay router or via some third-party 6to4 router

6to4 Router (4/6) Security Checks: IPv4
- 0.0.0.0/8 (the system has no address assigned yet)
- 10.0.0.0/8 (private)
- 127.0.0.0/8 (loopback)
- 172.16.0.0/12 (private)
- 192.168.0.0/16 (private)
- 169.254.0.0/16 (IANA assigned DHCP link-local)
- 224.0.0.0/4 (multicast)
- 240.0.0.0/4 (reserved and broadcast)

6to4 Router (5/6) Security Checks: IPv6
- 0::/16 (compatible, mapped addresses, loopback, unspecified, ...)
- fe80::/10 (link-local)
- fec0::/10 (site-local)
- ff00::/8 (any multicast)

6to4 Router (6/6) Security Checks
Discard traffic received:
- from another 6to4 domain via a 6to4 relay router
- for prefixes other than one's own 6to4 prefix
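The decapsulation checks from slides 3/6 to 6/6, written out as an added example in Python's ipaddress module; this is not code from the slides or from RFC 3964. The router's own prefix, tunnel sources and inner addresses used in the docstring are constructed documentation-range values.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# IPv4 ranges that must never be a tunnel source (the slide 4/6 list)
BAD_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# IPv6 ranges that are not global and so must not appear in decapsulated traffic
BAD_V6 = [ipaddress.IPv6Network(n) for n in (
    "::/16", "fe80::/10", "fec0::/10", "ff00::/8")]


def embedded_v4(addr6):
    """IPv4 address carried in bits 16-47 of a 2002::/16 address, or None."""
    addr = ipaddress.IPv6Address(addr6)
    if addr not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def decapsulate_ok(outer_src4, inner_src6, inner_dst6, own_prefix):
    """Decide whether a 6to4 router accepts a decapsulated packet.

    outer_src4: IPv4 source of the tunnel packet; inner_*: IPv6 header of the
    payload; own_prefix: this router's 2002:V4ADDR::/48 prefix (constructed
    example: 2002:c633:6401::/48, i.e. 198.51.100.1).
    Returns "accept" or a "drop: <reason>" string.
    """
    v4 = ipaddress.IPv4Address(outer_src4)
    src6 = ipaddress.IPv6Address(inner_src6)
    dst6 = ipaddress.IPv6Address(inner_dst6)
    if any(v4 in n for n in BAD_V4):
        return "drop: private/reserved/multicast IPv4 tunnel source"
    if any(src6 in n or dst6 in n for n in BAD_V6):
        return "drop: non-global IPv6 source or destination"
    if dst6 not in ipaddress.IPv6Network(own_prefix):
        return "drop: destination is not in our own 6to4 prefix"
    emb = embedded_v4(src6)
    if emb is not None and emb != v4:
        # a 6to4 source arriving from a different IPv4 host: either spoofed or
        # routed to us via a relay / third-party 6to4 router, both disallowed
        return "drop: 6to4 source does not match IPv4 tunnel source"
    # a native (non-2002::/16) source cannot be checked further here: the
    # router cannot tell a genuine relay from a spoofing third party
    return "accept"
```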

6to4 Relay Router (1/2)
- Decapsulates and forwards packets received from 6to4 addresses through tunneling, by using normal IPv6 routing: (IPv6) <- [Relay Router] <- (6to4 address)
- Tunnels packets received through normal IPv6 routing from native addresses: (IPv6) -> [Relay Router] -> (6to4 address)

6to4 Relay Router (2/2) Security Checks
Disallow traffic:
- from the private, broadcast, and reserved IPv4 addresses
- from 6to4 routers whose IPv4 tunnel source does not match the 6to4 prefix
- whose destination (IPv6) is not a global address
Discard traffic received:
- from 6to4 routers with a 6to4 prefix as the destination
[figure labels: (IPv6), [Relay Router], [6to4 Router]]

Threat Analysis (1/2) Types of threats
- Denial-of-Service (DoS): a malicious node prevents communication between the node under attack and other nodes.
- Reflection DoS: a malicious node reflects the traffic off unsuspecting nodes to a particular node (the node under attack).
- Service theft: a malicious node/site/operator may make unauthorized use of service.

Threat Analysis (2/2) Types of attacks based on target
- Attacks on 6to4 networks
- Attacks on IPv6 networks
- Attacks on IPv4 networks
Attacks on the 6to4 nodes:
- Attacks with Neighbor Discovery (ND) Messages
- Spoofing traffic to 6to4 nodes
- Reflecting traffic from 6to4 nodes
- Local IPv4 broadcast attack

Attacks with Neighbor Discovery (ND) Messages (1/2)
[figure: an ND message with Dst_6 (fe80::1) and Src_6 (fe80::2) carried in an IPv4 packet with Dst_4 ( ) and Src_4 ( ); labels: forged address, 6to4 pseudo-interface]

Attacks with Neighbor Discovery (ND) Messages (2/2) MITIGATION METHODS
- The usage of ND messages could be prohibited. It would prohibit any sort of ND message and thus close the doors on development and use of other ND options.
- The 6to4 pseudo-interface could be insulated from the other interfaces using a separate neighbor cache.
- If ND messages are needed, either IPsec or an extension of SEND could be used to secure packet exchange using the link-local address.

Spoofing traffic to 6to4 nodes (1/3)
- The attacker, a malicious IPv4 or IPv6 node, can send packets that are difficult to trace to a 6to4 node.
[figure: a packet with a spoofed source address arrives at 2001:db8::; the receiver cannot tell who sent it ("Who!?")]

Spoofing traffic to 6to4 nodes (2/3) EXTENSIONS - Reflection DoS
[figure: a packet with the spoofed source address 2001:db8::1 is sent to 2001:db8::2, whose reply goes to 2001:db8::1]
- Reflected packets: TCP SYN ACK, TCP RST, ICMPv6 Echo Reply, input sent to UDP echo service, ICMPv6 Destination Unreachable, ...

Spoofing traffic to 6to4 nodes (3/3) MITIGATION METHODS
- Ingress filtering in the native IPv6 networks to prevent packets with spoofed IPv6 sources from being transmitted. Unfortunately, it would depend on significant (or even complete) ingress filtering everywhere in other networks.
- Security checks in the 6to4 relay. This has very little cost.

Reflecting Traffic to 6to4 nodes (1/3) Reflection DoS
- The source address is spoofed.
- The traffic is reflected off the target node.
- The relay router appears to be the attacker.

Reflecting Traffic to 6to4 nodes (2/3) EXTENSIONS - distributed Reflection DoS
- A large number of nodes are involved in sending spoofed traffic with the same src_v6.

Reflecting Traffic to 6to4 nodes (3/3) MITIGATION METHODS
- Implementation of ingress filtering by the IPv4 service providers
  - Distributed Reflection DoS: a legitimate user appears to be an illegitimate user
  - Many IPv4 service providers don't implement it
- Implementation of ingress filtering by all IPv6 networks
  - Expecting this to happen may not be practical
- Security checks
  - They would eliminate an attack launched from an IPv4 node, except when the IPv4 source address was also spoofed
- Rate limiting traffic at the 6to4 relays

Local IPv4 broadcast attack (1/5) First kind of attack
[figure: a packet is sent to 2002:0900:00ff::bbbb; if the embedded IPv4 address (9.0.0.255, decoded from 0900:00ff) is the router's broadcast address, the decapsulated packet is broadcast on the local network]

Local IPv4 broadcast attack (2/5) First kind of attack
[figure: the router broadcasts the packet ("Broadcast!") and the local hosts answer ("Response!")]

Local IPv4 broadcast attack (3/5) Second kind of attack
[figure: the 6to4 router is made to send a packet towards 2002:0900:00ff::bbbb]

Local IPv4 broadcast attack (4/5) Second kind of attack
[figure: the encapsulated packet goes to the embedded broadcast address ("Broadcast!")]

Local IPv4 broadcast attack (5/5) Second kind of attack
- The attack is based on the premise that the 6to4 router has to send a packet that embeds an invalid IPv4 address to an IPv6 address.
- Such an attack is easily thwarted by ensuring that the 6to4 router does not transmit packets to invalid IPv4 addresses. Specifically, traffic should not be sent to broadcast or multicast IPv4 addresses.
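The egress check the last slide calls for, as an added example in Python (not code from the slides or RFC 3964): before tunnelling to a 6to4 destination, decode the embedded IPv4 address and refuse multicast, reserved and other invalid addresses, including the router's own subnet broadcast address. The local subnet 9.0.0.0/24 is an assumption chosen so that the slides' 2002:0900:00ff::bbbb decodes to its broadcast address 9.0.0.255.

```python
import ipaddress


def embedded_v4(dst6):
    """IPv4 address carried in bits 16-47 of a 2002::/16 (6to4) address, or None."""
    addr = ipaddress.IPv6Address(dst6)
    if addr not in ipaddress.IPv6Network("2002::/16"):
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def tunnel_endpoint(dst6, local_subnet):
    """IPv4 address a 6to4 router may encapsulate to for dst6, or None to drop.

    local_subnet is the router's own IPv4 subnet (assumed: 9.0.0.0/24, whose
    directed broadcast 9.0.0.255 is what 2002:0900:00ff::bbbb embeds).
    """
    v4 = embedded_v4(dst6)
    if v4 is None:
        return None  # not a 6to4 destination; it would go to a relay instead
    # never encapsulate towards multicast, reserved / limited-broadcast,
    # loopback, unspecified or link-local IPv4 addresses
    if (v4.is_multicast or v4.is_reserved or v4.is_loopback
            or v4.is_unspecified or v4.is_link_local):
        return None
    net = ipaddress.IPv4Network(local_subnet)
    # the directed broadcast (or network) address of our own subnet would make
    # every local host receive and answer the decapsulated packet
    if v4 in (net.network_address, net.broadcast_address):
        return None
    return v4
```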

Reference
- RFC 3056
- Denial of Service (DoS)
- Distributed Reflection Denial of Service (DRDoS)