Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Analysis of IPv6 Security CmpE-209: Team Research Paper Presentation CmpE-209 / Spring 20081 Presented by: Dedicated Instructor: Hiteshkumar Thakker.

Published byDortha Stone Modified over 8 years ago

Similar presentations

Presentation on theme: "An Analysis of IPv6 Security CmpE-209: Team Research Paper Presentation CmpE-209 / Spring 20081 Presented by: Dedicated Instructor: Hiteshkumar Thakker."— Presentation transcript:

1 An Analysis of IPv6 Security CmpE-209: Team Research Paper Presentation CmpE-209 / Spring 20081 Presented by: Dedicated Instructor: Hiteshkumar Thakker Prof. Richard Sinn Jimish Shah Network security Krunal Soni Department of CmpE Engg Kuldipsinh Rana Nghia Nguyen Sajjad Tabib 04/08/2008

2 Agenda Introduction to IPv6 ◦ IPv6 vs IPv4 IPsec Protocol IPv6 Deployment IPv6 Security Issues ◦ Recconnaissance ◦ Redirect Attacks ◦ Spoofing Attacks in Tunneling ◦ Dual-Stack Attacks ◦ Teredo Attacks Summary CmpE-209 / Spring 20082

3 Introduction to IPv6 What is IPv6 ??? ◦ Network layer protocol used for Internet which is replacing IPv4 Why IPv6 ??? Exhaustion of IPv4 Address Pool Larger Address Space (3.4 x 10 38 addresses) for global reachability and scalability Simplified header for Routing efficiency and performance Server-less auto-configuration, easier renumbering, multi- homing, and improved plug and play support Security with mandatory IP Security (IPSec) support CmpE-209 / Spring 20083

4 Simplified IPv6 Header CmpE-209 / Spring 20084

5 IPsec IPsec is a suite of protocols that provide network layer security. What it means to provide network layer security? ◦ Network Layer Confidentiality ◦ Source Authentication Main security goals ◦ Confidentiality ◦ Integrity ◦ Authentication CmpE-209 / Spring 20085

6 IPsec protocols Two protocols in IPsec that provide security. ◦ AH: Authentication Header protocol  Source authentication  Data Integrity  No confidentiality ◦ ESP: Encapsulation Security Payload  Authentication  Data Integrity  Confidentiality

7 Authentication Header Protocol Procedure 1. Host establishes Security Association (SA) with Destination. ◦ SA is a handshake which creates a logical connection between two machines and establishes a common secret key to be used for 2. Host send secure datagrams to desintation 3. Destination determines the SA from SPI field of the datagram. 4. Destination authenticates datagram based on SA and Authentication data field. 1.AH usews HMAC for authentication and integrity on Authentication data.

8 AH Protocol Diagram

9 ESP: Encapsulation Security Payload Authentication mechanism similar to AH – Establish SA, etc. Provides confidentiality by encrypting the TCP/UDP segment using DES-CBC.

10 ESP – Diagram

11 IPv6 Deployment Flag Day - x Dual-Stack: to allow IPv4 and IPv6 to co- exist in the same networks Tunneling: IPv6 node on sending side of tunnel puts its IPv6 datagram in data field of IPv4 datagram. Now more than 15 methods available for transition. CmpE-209 / Spring 200811

12 IPv6 Security Issues Reconnaissance in IPv6 Neighbor Discovery attacks Anycast and Addressing Security L3-L4 spoofing attacks in tunneling Attacks through teredo Routing header type-0 attack Attacks through header manipulation and fragmentation Dual-Stack Attack CmpE-209 / Spring 200812

13 Recconnaissance in IPv6 2 64 subnet addresses are in IPv6 So, harder to scan every address though scan million packets per second- It will take years to find the one host on the network. It is possible in IPv4 through NMAP, but IPv6 does not support NMAP. Pros and cons CmpE-209 / Spring 200813

14 Other Security Issues Addressing Security Effects of self-generated addresses ◦ Addresses can be “stolen” by others [DoS] ◦ Addresses cannot have pre-established IPsec ◦ IPsec hard to set up in advance as It requires SA and destination address No authorization mechanism exists for anycast destination addresses ◦ Spoofing is possible Attacks through Header manipulation and Fragmentation ◦ Routing Header Type - 0 mechanism issue ◦ Fragmentation ◦ Flow label CmpE-209 / Spring 200814

15 Neighbor Discovery Attacks Redirect Attacks: A malicious node redirects packets away from a legitimate receiver to another node on the link Denial of Service Attacks(DoS): A malicious node prevents communication between the node under attack and other nodes Flooding Attacks: A malicious node redirects other hosts’ traffic to a victim node creating a flood of bogus traffic at the victim host MIPv6 Challenges CmpE-209 / Spring 200815

16 Redirect Attacks CmpE-209 / Spring 200816

17 Spoofing Attacks in Tunneling CmpE-209 / Spring 200817

18 Solution on the way… CmpE-209 / Spring 200818

19 IPv6 Dual-stack Attack CmpE-209 / Spring 200819

20 Prevention using Multiple addresses CmpE-209 / Spring 200820

21 Attack by Teredo(UDP Port-3544) CmpE-209 / Spring 200821

22 Precautions to stop attacks Block protocol 41 Handle Teredo as a “dangerous UDP port” at IPv4 firewalls Look for Router Advertisements and Neighbor Discovery Packets (SEND) CmpE-209 / Spring 200822

23 Security Threats similar to IPv4 Sniffing: without IPsec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4 Application Layer Attack: Even with IPsec, the majority of vulnerabilities on the internet today are at the application layer, something that IPsec will do nothing to prevent. Rogue Devices will be as easy to insert into an IPv6 network as in IPv4. Man-in-the-middle-attacks(MITM): without IPsec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4. Flooding attacks CmpE-209 / Spring 200823

24 Summary IPv6 makes some things better, other things worse, and most things are just different, but no more or less secure Better: Automated scanning and worm propagation is harder due to huge subnets Worse: Increased complexity in addressing and configuration Lack of familiarity with IPv6 among operators Vulnerabilities in transition techniques Dual-stack infrastructures require both IPv4 and IPv6 security rules CmpE-209 / Spring 200824

25 Conclusion Security in IPv6 is very much like in IPv4 IPsec is mandatory for the security of IPv6 IPv6(IP sec) are still emerging technologies IPv6 is a very complex protocol Its code is new and Untested, so while testing also there could be attack on existing network Research is going on to overcome threats by IETF Secure Transition is a major goal of IPv6 now. CmpE-209 / Spring 200825

26 References http://openloop.com/index.htm/education/classes/sjsu_engr/engr_networksecurity/spring2008/index. htm http://openloop.com/index.htm/education/classes/sjsu_engr/engr_networksecurity/spring2008/index. htm http://www.cs.rpi.edu/academics/courses/spring05/netprog/ipsec.pdf http://rfc.net/rfc2401.html http://www.6net.org/events/workshop-2003/marin.pdf http://technet.microsoft.com/en-us/library/bb726956.aspx http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf http://www.darkreading.com/document.asp?doc_id=123506 http://www.seanconvery.com/ipv6.html http://www.seanconvery.com/v6-v4-threats.pdf http://www.seanconvery.com/SEC-2003.pdf http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf http://www.nav6tf.org/documents/nav6tf.security_report.pdf http://www.nav6tf.org/documents/arin-nav6tf-apr05/6.IPv6_Security_Update_JS.pdf http://www.nanog.org/mtg-0405/pdf/miller.pdf http://www.stindustries.net/IPv6/whitepapers.html http://paintsquirrel.ucs.indiana.edu/pdf/IPv6_and_Security.pdf CmpE-209 / Spring 200826

27 Thank You !! CmpE-209 / Spring 200827

28 Questions ??? CmpE-209 / Spring 200828

Download ppt "An Analysis of IPv6 Security CmpE-209: Team Research Paper Presentation CmpE-209 / Spring 20081 Presented by: Dedicated Instructor: Hiteshkumar Thakker."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Secure Mobile IP Communication

Secure Mobile IP Communication
Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.

Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.
IPv6 The New Internet Protocol Integrated Network Services Almerindo Graziano.

IPv6 The New Internet Protocol Integrated Network Services Almerindo Graziano.
CS 265 – Project IPv6 Security Aspects Surekha Shinde.

CS 265 – Project IPv6 Security Aspects Surekha Shinde.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.

IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
IPv4 vs. IPv6 Anne-Marie Ethier Andrei Iotici This report was prepared for Professor L. Orozco- Barbosa in partial fulfillment of the requirements for.

IPv4 vs. IPv6 Anne-Marie Ethier Andrei Iotici "This report was prepared for Professor L. Orozco- Barbosa in partial fulfillment of the requirements for.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.

IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.
IPv6 Network Security.

IPv6 Network Security.
IP Version 6 (IPv6) Dr. Adil Yousif. Why IPv6?  Deficiency of IPv4  Address space exhaustion  New types of service  Integration  Multicast  Quality.

IP Version 6 (IPv6) Dr. Adil Yousif. Why IPv6?  Deficiency of IPv4  Address space exhaustion  New types of service  Integration  Multicast  Quality.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Similar presentations

Ads by Google