Presentation is loading. Please wait.

Presentation is loading. Please wait.

Draft-ietf-v6ops-scanning-implications-00 IPv6 Implications for Network Scanning Tim Chown University of Southampton (UK) IETF 66,

Published byDiana Dixon Modified over 8 years ago

Similar presentations

Presentation on theme: "Draft-ietf-v6ops-scanning-implications-00 IPv6 Implications for Network Scanning Tim Chown University of Southampton (UK) IETF 66,"— Presentation transcript:

1 draft-ietf-v6ops-scanning-implications-00 IPv6 Implications for Network Scanning Tim Chown University of Southampton (UK) tjc@ecs.soton.ac.uk IETF 66, July 12th 2006 Montreal

2 draft-ietf-v6ops-scanning-implications-00 Purpose of document Document different properties of IPv6 networks for network scanning Suggest possible new attack vectors for discovery of host addresses to target By the usual scanning method Recommend measures that network administrators may take to mitigate these

3 draft-ietf-v6ops-scanning-implications-00 Recent changes In a past life this document used to be draft-chown-port-scanning-implications-02 Adopted by WG Received a number of comments Improvements: Addressed comments Changed to a new structure based on comments

4 draft-ietf-v6ops-scanning-implications-00 Comments addressed Avoided any suggestion that IPv6 subnet size makes networks resilient to network scanning Because other methods to harvest addresses exist Attackers will scan addresses that they can learn Restructured to 3 sections: IPv6 subnet size ‘problem statement’ Alternative address harvesting methods Recommendations/suggestions for admins

5 draft-ietf-v6ops-scanning-implications-00 Subnet size implications Problem space for IPv6 scanning Huge subnet size (64 bits) But can be reduced by heuristics Systems numbered ::1, ::2, etc Autoconfiguration uses fixed ‘fffe’ stuffing Well-known vendor NIC prefixes Sequential NIC IDs in batches of systems Dual-stack systems still ‘vulnerable’ via IPv4 May wish to perform defensive scanning

6 draft-ietf-v6ops-scanning-implications-00 Alternatives for attackers ‘New’ ways to harvest IPs On-link methods Multicast (including site scope) Logged or recorded Ips DNS advertised hosts DNS zone transfers Application participation Transition methods

7 draft-ietf-v6ops-scanning-implications-00 Measures for admins? Consider using Privacy Addresses (RFC3041) Reduces ‘useful lifetime’ of address to attacker who has harvested the address by some means Adds complexity for network management Consider DHCPv6 address pools Don’t allocate from ::1 upwards Avoid using sequential addresses Consider rolling server IP addresses e.g. change advertised MX addresses over time

8 draft-ietf-v6ops-scanning-implications-00 Next Steps Comments? Any anecdotal evidence of (mis)behaviour seen at site firewalls? Author sees port scanning on advertised IPs Cited by three(?) other current IDs WGLC?

Download ppt "Draft-ietf-v6ops-scanning-implications-00 IPv6 Implications for Network Scanning Tim Chown University of Southampton (UK) IETF 66,"

Similar presentations

1IETF57 DNSOP WG IPv6 Router Advertisement based DNS Autoconfiguration Jaehoon Paul Jeong ETRI 14 th.

1IETF57 DNSOP WG IPv6 Router Advertisement based DNS Autoconfiguration Jaehoon Paul Jeong ETRI 14 th.
Implementing IPv6 Module B 8: Implementing IPv6

Implementing IPv6 Module B 8: Implementing IPv6
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Transitioning to IPv6.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Transitioning to IPv6.
Draft-ietf-dhc-stateless-dhcpv6- renumbering-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.

Draft-ietf-dhc-stateless-dhcpv6- renumbering-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.
By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.

By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.
1IETF59 DNSOP WG IPv6 DNS Discovery Issues Jaehoon Paul Jeong ETRI 1st March 2004 59th IETF – Seoul,

1IETF59 DNSOP WG IPv6 DNS Discovery Issues Jaehoon Paul Jeong ETRI 1st March th IETF – Seoul,
1 DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network Jaehoon Jeong, ETRI ICACT.

1 DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network Jaehoon Jeong, ETRI ICACT.
Multicast DNS Draft-aboba-dnsext-mdns-00.txt. Outline Goals and objectives Scope of the multicast DNS DNS server discovery Non-zeroconf behavior Zeroconf.

Multicast DNS Draft-aboba-dnsext-mdns-00.txt. Outline Goals and objectives Scope of the multicast DNS DNS server discovery Non-zeroconf behavior Zeroconf.
IAB/IESG Recommendations on IPv6 Address Allocation Bob Hinden at RIPE Sept. 2000 Brian Carpenter at ARIN Oct. 2000 Alain Durand at APNIC Oct. 2000.

IAB/IESG Recommendations on IPv6 Address Allocation Bob Hinden at RIPE Sept Brian Carpenter at ARIN Oct Alain Durand at APNIC Oct
1 DNSOPS / Vienna IETF / July 2003 / Bob Hinden IPv6 DNS Discovery, and why it is important Bob Hinden.

1 DNSOPS / Vienna IETF / July 2003 / Bob Hinden IPv6 DNS Discovery, and why it is important Bob Hinden.
1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.

1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.
DHCPv6 and other IPv6 docs Ralph Droms IETF 55, Atlanta.

DHCPv6 and other IPv6 docs Ralph Droms IETF 55, Atlanta.
IAB/IESG Recommendations on IPv6 Address Allocation Bob Hinden at RIPE Sept. 2000 Brian Carpenter at ARIN Oct. 2000 Alain Durand at APNIC Oct. 2000.

IAB/IESG Recommendations on IPv6 Address Allocation Bob Hinden at RIPE Sept Brian Carpenter at ARIN Oct Alain Durand at APNIC Oct
IPv6 Site Renumbering Gap Analysis draft-liu-6renum-gap-analysis-01 draft-liu-6renum-gap-analysis-01 Bing Liu Sheng Jiang IETF July 2011 1.

IPv6 Site Renumbering Gap Analysis draft-liu-6renum-gap-analysis-01 draft-liu-6renum-gap-analysis-01 Bing Liu Sheng Jiang IETF July
DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.

DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.
IPv6 RADIUS attributes for IPv6 access networks draft-lourdelet-radext-ipv6-access-01 Glen Zorn, Benoit Lourdelet Wojciech Dec, Behcet Sarikaya Radext/dhc.

IPv6 RADIUS attributes for IPv6 access networks draft-lourdelet-radext-ipv6-access-01 Glen Zorn, Benoit Lourdelet Wojciech Dec, Behcet Sarikaya Radext/dhc.
IPv6 Address autoconfiguration stateless & stateful.

IPv6 Address autoconfiguration stateless & stateful.
IPv6 Autoconfiguration Stateless and Stateful. Copy... Rights This slide set is the ownership of the 6DISS project via its partners The Powerpoint version.

IPv6 Autoconfiguration Stateless and Stateful. Copy... Rights This slide set is the ownership of the 6DISS project via its partners The Powerpoint version.
7 IPv6: transition and security challenges Selected Topics in Information Security – Bazara Barry.

7 IPv6: transition and security challenges Selected Topics in Information Security – Bazara Barry.
IPv6 Home Networking Architecture - update IETF homenet WG Interim meeting Philadelphia, 6 th Oct 2011 draft-chown-homenet-arch-00.

IPv6 Home Networking Architecture - update IETF homenet WG Interim meeting Philadelphia, 6 th Oct 2011 draft-chown-homenet-arch-00.

Similar presentations

Ads by Google