Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Implications of IPv6 Tim Helming Director of Product Management Corey, Nachreiner, CISSP, Sr. Network Security Strategist,

Published byElla Carlson Modified over 10 years ago

Similar presentations

Presentation on theme: "Security Implications of IPv6 Tim Helming Director of Product Management Corey, Nachreiner, CISSP, Sr. Network Security Strategist,"— Presentation transcript:

1 Security Implications of IPv6 Tim Helming Director of Product Management Corey, Nachreiner, CISSP, Sr. Network Security Strategist,

2 Welcome to WatchGuards IPv6 Webinar Series! 1 3 4 2 Security Implications of IPv6 v6 in a v4 world v6 security advantages/disadvantages

3 Youre here because v6 matters to you Were here to help!Things well answer: What are the security implications of IPv6 in my IPv4 network (Transition)? What are the inherent security advantages and disadvantages of IPv6?

4 Part 1: Security Implications of IPv6 in a (mostly) IPv4 World

5 Im Running IPv4…Does This Affect Me? Your network may be IPv4… …but your devices may be another story!

6 Remember This?

7 Tunnels In My v4? Holy Teredo! Teredo: IPv6 Tunneling Protocol ISATAP: Windows v6 Transition Tool 6in4 6over4 Freenet6 Others Abound…

8 Talking Behind My Back? Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!

9 Remember... Visibility is Security Invisibility is Insecurity! …Which means...

10 Spotting and Controlling Rogue IPv6 Spotting: ipconfig and ifconfig Firewall logs SEIM Controlling: Egress Filtering Application Control

11 Part 2: Security Implications of IPv6

12 The Big IPv6 Security Question

13 IPv6 Offers: Security Benefits (The Good) Security Drawbacks (The Bad) Differences of Concern (The Ugl... Uh, Different)

14 IPv6 Security: The Good

15 Built-In IPSec Offers Better Security… Right? IPSec is a mandatory part of the IPv6 Protocol

16 Whats IPSec Again? Among other things, IPSec consists of: Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks) Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, antireply, and encryption (confidentiality) to IP packets, thus providing secure and private communications.

17 What are IPv6 Extension Headers? Remember IPv6 header simplification? VersionIHL Type of Service Total Length Identification Flags Fragment Offset Time to Live ProtocolHeader Checksum Source Address Destination Address OptionsPadding IPv4 Header (20 bytes) Version Traffic Class Flow Label Payload Length Next Header Hop Limit Source Address Destination Address IPv6 Header (40 bytes) Dropped Dropped options need to go somewhere… IPv6 Header Payload IPv6 Header Extension Header Payload IPv6 Header Extension Header Payload Ext. headers may include: Hop-by-hop options Destination Options Routing Fragmentation AH Header ESP Header Etc…

18 Built-In IPSec Offers Better Security… Right? IPSec is a mandatory part of the IPv6 Protocol What does this really mean? Part of IPv6 protocol stack, not an optional add-on Implemented with AH and ESP Extension Headers Follows one standard (less interop issues) Every IPv6 device can do IPSec However, IPSec usage is still OPTIONAL!

19 Wait! Doesnt IPv4 Offer IPSec too? Some truths about IPv6s additional IPSec Security: IPv4 has it too (though, not natively) You dont have to use it, and most dont Still complex May require PKI Infrastructure So is this really a security benefit? Short term – probably no measureable advantage over IPv4 IPSec Long term – More applications will leverage it now that its mandatory!

20 So Long NAT! Hello, End-2-End Addressing NAT does NOT provide security! End-2-End (public) addressing increases accountability

21 Vast Address Space Naturally Thwarts Certain Attacks (340 unidecillion) Too big for automated reconnaissance and attack: Average network port scans would take decadesAutomated worm propagation would slow to a crawl

22 IPv6 Security: The Bad

23 Immature Protocols = Increased Vulnerability & Risk During the creation life-cycle of new standards and protocols: Security is often an after-thought Unexpected problems happen due to complex interactions Many issues dont surface until the tech receives wider usage These concepts have proven themselves with many new network protocols in the past. Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.

24 Unfamiliarity Causes Misconfigurations Many network administrators and IT practitioners are still relatively unfamiliar with all IPV6s ins and outs Common issues: Not realizing IPv6 is already in their network Ignorance of Tunneling Mechanisms Lack of ACL policy for IPv6 multi-homing Unawareness of potential privacy issues Over permissiveness, just to get it to work

25 Automatic Addressing May Pose Privacy Concerns In the first webinar, we showed one way SLAAC could automatically created a EUI-64 address. However, this makes your MAC public, which you may consider a privacy issue. Privacy Enhanced Addresses [RFC 3041] Cryptographically Generated Addresses (CGA) [RFC 3972] There are options to rectify this issue: 1.MAC Address: 90-3A-2B-06-2C-D1 2.Split in half: 90-3A-2B 06-2C-D1 3.Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1 4.Change 7 th bit to 1: 92:3A:2B:FF:FE:06:2C:D1

26 I also have 192.168.20.1 A Look Back at IPv4 ARP Poisoning Who has 192.168.20.34? Who has 192.168.20.34? I Do. Heres my MAC Hey Everyone. I have 192.168.20.34 And 192.168.20.2, And ….. And 192.168.20.2, And ….. No authentication or security

27 I Do. Send traffic to me I Do. Send traffic to me Neighborhood Discovery Suffers from Similar Issues Who has 2001::3/64? Who has 2001::3/64? I Do. Heres my Layer 2 address Who has 2001::3/64? Who has 2001::3/64? Neighbor Solicitation Neighbor Advertisement ND Spoofing No authentication or security

28 Many Other Neighbor and Router Discovery Issues Solution: SEcure Neighbor Discovery (SEND) – RFC 3971 Essentially adds IPSec to ND communications Requires PKI Infrastructure Not available in all OSs yet. 802.1X also an option Other ND related attacks: Duplicate Address Detection (DAD) DoS attack ND spoofing attack for router (allows for MitM) Neighbor Unreachability Detection (NAD) DoS attack Last Hop Router spoofing (malicious router advertisements) And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)

29 New Multicast Protocol Helps with Reconnaissance In the first webinar, we introduced IPv6 multicast addresses:IPv6 multicast includes a ton of reserved addresses. Heres a few: Multicast AddressReservation FF02::1All Host Address FF02::2All Router Address (LL) FF02::9RIP Routers FF02::AEIGRP Routers FF02::BMobile-Agents FF02::1:2All DHCP Agents FF05::2All Router Address (SL) FF05::1:3All DHCP Servers FF05::1:4ALL DHCP Relays FF0X::101NTP FF0X::106Name Service Server Attackers can use these multicast addresses to enumerate your network. Note: RFC 2375

30 IPv6 Security Controls Lagging Hacking Arsenal/Tools Attackeralready have many IPv6 capable tools: THC-IPv6 Attack SuiteUnfortunately, IPv6 security controls and products seems to be a bit behind.

31 IPv6 Security: The Different

32 Neutral IPv6 Differences of Concern Some of IPv6s differences have security connotations that you should know about. However, they arent necessarily inherently good or bad

33 Typical IPv6 Devices Have Multiple Addresses At least a Link-Local Address (FE80::/10) Likely a Unique Global Address (2000::/3) Possibly a Site-Local Address (FC00::/7) You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization

34 Extra Security Can Cause Insecurity Internet

35 DHCPv6

36 Firewalls (and Admins) Must Learn New Tricks How to filter ICMPv6? Handling new extension headers Filtering Multicast and Anycast Hosts w/multiple addresses

37 EXTRA: The Same There are some security issues that IPv6 has little effect on: Application-layer attacks Sniffing Rogue Devices Man-in-the-Middle Attacks Flooding/DoS Attacks

38 IPv6 Security: Conclusion

39 So… Does/Will IPv6 Provide More Security? Probably Not. Few will adopt/use the IPv6 related security additions early on. Furthermore, the protocols newness and administrators unfamiliarity may result in more vulnerabilities at first. That said, IPv6 security is NOT worse than IPv4. Short Term Yes. If leveraged, some IPv6 additions can increase our overall network security. As we become more familiar with it, and more network services begin to leverage advanced options, IPv6 should prove slightly more security than IPv4. Long Term

40 Wrapping It Up

41 Coming Up Next…(1 month from now) 1 2 4 3 What To Expect from IPv6 ISP activities Connecting the Islands

42 Major References IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf IPv6 Security Challenges https://www.cs.siue.edu/~wwhite/CS447/TopicalPaper/Originals/Bridges_IPv6SecurityChallenges.pdf https://www.cs.siue.edu/~wwhite/CS447/TopicalPaper/Originals/Bridges_IPv6SecurityChallenges.pdf IPv6 Security Challenges by Samuel Sotillo http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf IPv6 Security Best Practices http://www.cisco.com/web/SG/learning/ipv6_seminar/files/02Eric_Vyncke_Security_Best_Practices.pdf http://www.cisco.com/web/SG/learning/ipv6_seminar/files/02Eric_Vyncke_Security_Best_Practices.pdf IPv6 Security Considerations and Recommendations http://technet.microsoft.com/en-us/library/bb726956.aspx NIST: Guidelines for the Secure Deployment of IPv6 http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf IPv6 Transition/Coexistence Security Considerations (RFC 4942) http://www.ietf.org/rfc/rfc4942.txt And many more….

43 Thank You!

Download ppt "Security Implications of IPv6 Tim Helming Director of Product Management Corey, Nachreiner, CISSP, Sr. Network Security Strategist,"

Similar presentations

Security Assessment of Neighbor Discovery for IPv6

Security Assessment of Neighbor Discovery for IPv6
IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
IPv6 Transition Roque Gagliano What is transition? IPv4 only.IPv4 Only 1996 - 6Bone is borned IPv4 Only Experimental IPv6. Majority:

IPv6 Transition Roque Gagliano What is transition? IPv4 only.IPv4 Only Bone is borned IPv4 Only Experimental IPv6. Majority:
IPv6 Addressing Details LAC NIC VII October 26, 2004 Wilfried

IPv6 Addressing Details LAC NIC VII October 26, 2004 Wilfried
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
IP security over ATM CS 329 Hwajung Lee Computer and Communications Security The George Washington University.

IP security over ATM CS 329 Hwajung Lee Computer and Communications Security The George Washington University.
Christophe Jelger – CS221 Network and Security - Universität Basel - 20051 Christophe Jelger Post-doctoral researcher IP Multicasting.

Christophe Jelger – CS221 Network and Security - Universität Basel Christophe Jelger Post-doctoral researcher IP Multicasting.
Ch. 23, 25 Q and A (NAT and UDP) Victor Norman IS333 Spring 2014.

Ch. 23, 25 Q and A (NAT and UDP) Victor Norman IS333 Spring 2014.
ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.

ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.
Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.

Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.

Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.
IPv6 The New Internet Protocol Integrated Network Services Almerindo Graziano.

IPv6 The New Internet Protocol Integrated Network Services Almerindo Graziano.
CS 265 – Project IPv6 Security Aspects Surekha Shinde.

CS 265 – Project IPv6 Security Aspects Surekha Shinde.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv6: The Next Generation Internet Protocol CEOS WGISS 18: Beijing, China September 2004 Dave Hartzell Computer Sciences Corp, NASA Ames

IPv6: The Next Generation Internet Protocol CEOS WGISS 18: Beijing, China September 2004 Dave Hartzell Computer Sciences Corp, NASA Ames
December 5, 2007 CS-622 IPv6: The Next Generation 1 IPv6 The Next Generation Saroj Patil Nadine Sundquist Chuck Short CS622-F2007 University of Colorado,

December 5, 2007 CS-622 IPv6: The Next Generation 1 IPv6 The Next Generation Saroj Patil Nadine Sundquist Chuck Short CS622-F2007 University of Colorado,
IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.

IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.
EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -

EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -

Similar presentations

Ads by Google