Presentation is loading. Please wait.

Presentation is loading. Please wait.

Is Cyber Security IPv6-Ready? HEPiXX – Vancouver, BC Bob Cowles October, 2011.

Published byBarnaby Rogers Modified over 8 years ago

Similar presentations

Presentation on theme: "Is Cyber Security IPv6-Ready? HEPiXX – Vancouver, BC Bob Cowles October, 2011."— Presentation transcript:

1 Is Cyber Security IPv6-Ready? HEPiXX – Vancouver, BC Bob Cowles October, 2011

2 2 Quiz: What Happened to IPv5 Lost in space? Born out of TCP? Replaced by the iPod? Protocols are even numbers?

3 3 What happened to IPv4?

4 4 IPv6 Concepts Quiz (six-foo) Minimum MTU? You can get a logo if you are IPv6 ______? NIST guidelines for secure config 800-___ Number of address bits router examines? 2001:0db8:76ff:0000:dab4:0000:0000:da8c What are ::1/128? fe80::/10? fd00::/8? 2000::/3? ff02::1, ff02::2, ff02::fb ? Maximum jumbo packet size? # of IPv6 addresses for a host on the internet?

5 5 Are there Security Issues? Architecture Design Implementation Configuration Operation Co-Existence with IPv4 Tools

6 6 Architecture Multicast, IPsec, ICMPv6 required IP addresses impossible to remember –dead:beef –bebe Address mapping is now many to1 to many Fragmentation left to hosts

7 7 Design Routing Headers bring back source routing Too many things are suggestions and not strictly enforced –TCP can adjust MSS to prevent fragmentation –Order of Extension Headers Unused fields can be covert channels Mobility IP

8 8 Implementation Implementations are still partial –E.g. centos firewall accepts IPv6 – does nothing IPv4 errors will be repeated Error conditions will be undetected or handled in different ways Inconsistencies in specs are still being discovered SEcure Neighbor Discovery (SEND) not widely implemented – required for adequate security –Protects RA/RS and ND –RFC3971

9 9 Configuration Many additional or different issues to consider Explosion of IP addresses per host Considerations in subnet and IP address assignment –Non-obvious vs. easy to guess? –Based on MAC vs. privacy Use routing headers? IP mobility? DHCP?

10 10 Operation Everything has to be tested in detail –Devices IPv6-Ready but associated firmware is not available (e. g. printers) Host option controls –Autoconfig vs DHCPv6 –Mobile IP –IP address changing –Use of routing headers –Response to mDNS –Response to Neighbor Solicitations/Advertisements

11 11 Co-Existence with IPv4 Dual stacks add complexity Ability to send packets over two different protocols (evade packet inspection) Tunnels – 6-to-4, Teredo (shipworm) Interactions not fully understood but wiill be exploited Windows – can turn off IPv6 but not restore via registry entry

12 12 Tools Some new tools, some old tools with new options –traceroute6 (unix), tracert -6 (windows) –tcpdump extended with new options and functionality (e. g. “protochain to parse extension headers) –wireshark, nmap is OK, snort is not ready Passive asset discovery easier than active

13 13 Security? Attention to configuration guidelines –http://www.nsa.gov/ia/_files/routers/I33-002R-06.pdfhttp://www.nsa.gov/ia/_files/routers/I33-002R-06.pdf –http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdfhttp://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf Plan transition carefully – use experiences already published as guidelines –Join mailing lists, working groups Test, test –Everything works that is supposed to work –Nothing works that isn’t supposed to work

14 14 Get Prepared! Courtesy of xkdc.com Ethernet?

15 15 Liftoff!

Download ppt "Is Cyber Security IPv6-Ready? HEPiXX – Vancouver, BC Bob Cowles October, 2011."

Similar presentations

IPv6 at NCAR 8/28/2002. Overview What is IPv6? What’s wrong with IPv4? Features of IPv6 IPv6 will soon be available at NCAR How to use IPv6.

IPv6 at NCAR 8/28/2002. Overview What is IPv6? What’s wrong with IPv4? Features of IPv6 IPv6 will soon be available at NCAR How to use IPv6.
Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.

Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.
IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.

IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.
TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.

TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
1 May, 2007: American Registry for Internet Numbers (ARIN) “advises the Internet community that migration to IPv6 numbering resources is necessary for.

1 May, 2007: American Registry for Internet Numbers (ARIN) “advises the Internet community that migration to IPv6 numbering resources is necessary for.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
IPv6 Victor T. Norman.

IPv6 Victor T. Norman.
IPv6. Key Aspects Increased address space SLAAC Security Simplified router processing.

IPv6. Key Aspects Increased address space SLAAC Security Simplified router processing.
© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.
IPv6-The Next Generation Protocol RAMYA MEKALA UIN:01008672.

IPv6-The Next Generation Protocol RAMYA MEKALA UIN:
Implementing IPv6 Module B 8: Implementing IPv6

Implementing IPv6 Module B 8: Implementing IPv6
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Chapter 22 IPv6 (Based on material from Markus Hidell, KTH)

Chapter 22 IPv6 (Based on material from Markus Hidell, KTH)
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.

IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.
IPv6 Network Security.

IPv6 Network Security.
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College

2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College

Similar presentations

Ads by Google