Role of IPv6 to Secure Wireless Sensor-Update IPv6 Workshop in Taiwan, 2006 Date: 10/26/06 kevin.cheng@wiborne.com

We boost airborne wireless: innovative, reliable, and secure.

Year 2004 – IPv6 Seminar Our Direction Security – Wired and WirelessWiFi CitywideIPv6 and RFIDQ & A

Agenda

Year 2004

We boost airborne wireless: innovative, reliable, and secure.

IPv6 IPSec Routers (Yr 2004)

• 6WIND• FreeBSD/KAME (www.kame.net)

Hiroshi Esaki, Fujitsu, Hitachi, NEC, Yamaha, Toshiba

• OpenBSD/ISAKMPD – WiBorne’s Wireless AWG-60

• IOS – Cisco IPv6 Router• JUNOS – Juniper Networks• Linux – FreeS/WAN (www.freeswan.org),

USAGI/Japan (www.linux-ipv6.org)

• etc.

• Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography

• IPv6 from release 2.6 to latest 3.9• Complete IPv6 since 2.7

• comfortable and constant operation over all WiBorne products

• extensive and identic feature set over all WiBorne products

• Webconfig – configuration via browser, SSH, console, terminal

• free, regular software updates• firmsafe – backup for remote

software updates

WiBorne OS for Appliance Products: OpenBSD- the Ultra Secure OS

• OpenBSD = Security• Stateful Packet Filter (pf)• IPSec/AES• OpenSSH• HostAP• IPv6 since 2.6 to 3.9

• FreeBSD = Stability• More drivers

• Linux = Embedded• SoHo Applications• Commercial

Only one remote hole in the default install, in more than 10 years!

/sbin/route add -inet6 default 3ffe:b00:c18:1fff:0:0:0:2d9

WiBorne Wireless Management Tools

• extensive, user friendly set for the administration of WiBone products and solutions

• simple configuration and controlling of the products

• usability in look-and-feel design

• simultaneous manangement of several hardware

• security relevant data on demand

• Accounting information (cost control) on demand

• free, regular software updates

Wireless IPv6 IPSec Router (AWG-60, 2004)

Wireless IPv6 IPSec Router (AWG-60, 2004)

The AWG-60 facilitates IPSec-based VPN-over-broadband with next generation Internet Protocol version 6 (IPv6) infrastructure solutions. It is capable of fulfilling future demands on address space, encryption, authentication, and mobility. This allows full, unconstrained IP connectivity for today's IP-based machines as well as upcoming mobile devices like PDAs and wireless phones – all will benefit from full IP access through GPRS and UMTS.

Key features include:• AES, DES, 3DES encryption• Dual Stack for both IPv4 and IPv6 IPSec tunnels, IKE/ISAKMP protocols.

Configurable site-to-site or site-to-clients VPN.• VLAN Technology• Dynamic routing performance• Security policies can be set on a per-host or per-network basis, not per

application/service. • BGP4, RIP, RIP2, RIPng, OSPF (v4/v6)• Single Sign-On with external authentication servers (Kerberos, LDAP, and RADIUS)• OS fingerprinting with packet frame captured to small footprint database • Comprehensive firewall for wired and wireless subnets• QoS (packet shaping functions)• SSH remote configuration, console mode.

The only potential client: Tinker AFB, OK (www.tinker.af.mil)

Wireless Sensors - Security Threads

Year 2004 Seminar• Digital signatures for authentication are impractical for sensor networks: improved by

SPINS and µTESLA (the micro version of the Timed, Efficient, Streaming, Loss-tolerant Authentication protocol)

• Assume individual sensors are untrusted, compromising the base station can render the entire sensor network to be useless.

• Insertion of malicious code – spread to all nodes• Interception of the messages containing the physical locations of sensor nodes allows an

attacker to locate the nodes and destroy them.• an adversary can observe the application specific content of messages including message

IDs, time stamps and other fields.• inject false messages that give incorrect information about the environment to the user.• Inter-router authentication prior to the exchange of network control information• Spoofed, altered, or replayed routing information• Selective forwarding• Sinkhole attacks• Sybil attacks• Wormholes• Denial of Service (DoS), such as HELLO

flood attacks• Acknowledgement spoofing

www.tinyos.net

Wireless Sensors - Secure It!

Year 2004 Seminar• Security mechanisms: depends on network applications and

environmental conditions.• Resources of sensor nodes (CPU, memory, battery) make it

impractical to use secure algorithms designed for powerful workstations.

• Standard security: availability, confidentiality, integrity, authentication, and non-repudiation

• Wireless sensors: message freshness, intrusion detection, intrusion tolerance, or containment exists.

• Security policies defined by admin of sensor nodes. Define the system architecture and the trust requirements.

• SPINS: Security protocols for sensor networks.• 802.15.4/ZigBee with 128-bit AES encryption.

Vuln. In RFID – Year 2006

• Vulnerabilities in First-Generation RFID - Enabled Credit Cards: New York Times / ABC News 10/23/2006 • Names in the clear• Payment fraud (skimming)• Johnny Carson attacks

• Fixes: stronger data protections and cryptography (IPv6?)

http://www.rfid-cusp.org/blog/blog-23-10-2006.html

Vuln. In RFID – Year 2006

• Texas Instruments (TI) DST passive tag - ExxonMobil SpeedPass system

• More than 700M cryptographically - enabled keychain tags accepted at 10,000 locations worldwide.

• 40-bit key encryption in the early 1990's by TI

• when given the same challenge and key as an actual tag, would compute the same response. The 16-way parallel cracker, field programmable gate array (FPGA), was able to recover all 5 keys in well under 2 hours

• Fixes: AES, or better HMAC-SHA1 (IPv6?)

http://www.rfid-analysis.org

Our Direction

We boost airborne wireless: innovative, reliable, and secure.

P O S I T I O N I N G

innovative & secure communication solutionsfor the special business requirements consideration of customer requirements

technological authority by our own R & Dcomfortable & uniform operation of all productssimple configuration & maintenance

protection of investmentperformance reliabilityservice & support

S O L U T I O N S A N D P R O D U C T S

Wireless Access Controllers:

for enterprise or hot zone: security,

network, and billing

Long Range Wireless SolutionsWISPers, Tenders /

Projects Deployment

W-RFID Solutions

Enterprises SMB WISP

Short Range Wireless Solutions

Wireless RFID, Real Time Location

System

Solutions and Products

Applications

Wireless Internet from WiBorne

WWAN (3G, 3.5G)

Low throughput, short range

WLAN (WiFi)

WPAN

WMAN (WiMAX)

RFID(802.11, ZigBee)

High throughput, short range

Low throughput, Long range

IPv6

Security – wired & wireless

We boost airborne wireless: innovative, reliable, and secure.

Hotspot Gateway Wireless Switch IPv6 Router

Model No: HSG-200/HSG-1000• Authentication (Kerberos, LDAP, MAC authentication with anti-spoofing of MAC)• Authorization with Firewall • Accounting/Billing for instant Hotspot• Seamless IP roaming • Remote configuration with associated Access Points (APs)• Multiple platforms • Large number of APs• Up to 250 simultaneous users • Clientless (Bypass VPN) option • Guest/Role accounts

Model No: AWG-1000• Secures 802.11 WLANs (a, b, g), VoIP• Intrusion Detection / Prevention Systems (IDS/IPS)• Clients supported: 1000 clients• IPSec and SSL/TLS for strong client- to-gateway VPN and VLAN Security. • Centralized management f or any brands of associated Access Points, secure admin remotely.• Quality of Service (QoS) functions.• Secure single sign-on integrated with local and domain authentications (Kerberos, RADIUS, and LDAP).• 802.1x port-based authentication includes EAP, PEAP, TLS, TTLS, and MD5• comprehensive stateful packet filter• WLAN DHCP, NAT, DNS

Model No: AWG-60• AES, DES, 3DES encryption. •Both IPv4 and IPv6 IPSec tunnels, IKE/ISAKMP protocols. Configurable site-to-site or site-to-clients VPN. •VLAN Technology. •Dynamic routing performance •Security policies can be set on a per- host or per-network basis, not per application/service. •BGP4 •RIP, RIP2, RIPng •OSPF (v4/v6) •OS fingerprinting with packet frame captured to small footprint database •Comprehensive firewall for wired and wireless subnets •QoS (packet shaping functions) •SSH remote configuration, console mode.

WiBorne Products – Wireless Access Controllers

The “Old Net” (1980+) The “New Net” (10 GHz) – Internet 2 IPv6

P2PHomeland Security Advisory System

U.S. Homeland Security – The “Old Net” vs. The “New Net”

Cyberspace and physical space are becoming one

Critical Infrastructure Challenges – Reason for IPv6•Agriculture and Food

• 1.9 million farms• 87,000 food processing plants

•Water• 1,800 federal reservoirs• 1,600 treatment plants

•Public Safety & Health• 5,800 registered hospitals• 6,500 Emergency Operation Centers (911)

•Chemical Industry• 66,000 chemical plants

•Telecomm• 2 billion miles of cable

•Energy• 2,800 power plants• 300,000 production sites

•Transportation• 120,000 miles of railroad• 590,000 highway bridges• 2 million miles of pipeline• 300 ports

•Banking and Finance• 26,600 FDIC institutions

•Postal and Shipping• 137M delivery sites

•Key Assets• 5,800 historic buildings• 104 nuclear power plants• 80K dams• 3,000 government facilities• 460 skyscrapers

What the Watchdogs Tell Us

• CERT – Computer Emergency Response Team http://www.cert.org, http://www.cert.org.tw

• US-CERT – The U.S. Government’s version of CERT http://www. us-cert.gov

• CIS – Center for Internet Security http://www.cisecurity.org

• SANS – Internet Storm Center http://isc.incidents.org

• TrendMicro – World Map of Virus Attacks http://www.trendmicro.com/map

• OSVDB – Open Source Vulnerability Database http://www.osvdb.org/

Cyber Electronic Warfare

www.attrition.orgAttack Plan:• use a system vulnerability detected• gain the authorization level required• achieve the objectives• remove all the cluesDefense:Physical securityLogical security• Encryption• Network / System / Application security• Security monitoring / auditingOrganizational security

The most wanted Hacker Kevin Mitnick

Firewalls - Layered Defense

Internet

DB Server Office Server

Web ServerFTP Server E-Mail Server

DMZ

Back Office

Simple IPv6 firewall rules (OpenBSD packet filter)

extif = "xl0"intif = "xl1"extip6 = "fec0:2029:f001:128::20"intip6 = "fec0:2029:f001:192::1"intnet6 = "fec0:2029:f001:192::/64"ispdns6 = "{ fec0:2029:f001:1::1, fec0:2029:f001:128::3 }"admin_machines6 = .{ fec0:2029:f001:192::10, fec0:2029:f001:192::11 }.antispoof for lo0antispoof for xl0 inetantispoof for xl1 inetblock in log allblock return-rst in log on $extif inet6 proto tcp from any to any port = 113pass out on $extif inet6 proto udp from { $extip6, ::1, $intnet6 } to $ispdns6 port = 53 keep statepass out on $extif inet6 proto tcp from { $extip6, ::1, $intnet6 } to any port = 25 keep statepass out on $extif inet6 proto ipv6-icmp all ipv6-icmp-type { 128, 136 } keep statepass in on $extif inet6 proto ipv6-icmp all ipv6-icmp-type { 134, 135, 136 }pass in log on $intif inet6 proto tcp from $intnet6 to $intip6 port = 22 keep statepass in on $intif inet6 proto tcp from $intnet6 to any port { 80, 443, 110, 143, 993, 25 }pass out on $extif inet6 proto tcp from $intnet6 to any port { 80, 443, 110, 143, 993, 25 } keep statepass in on $intif inet6 proto ipv6-icmp all ipv6-icmp-type { 128, 129, 135, 136 }pass in on $intif inet6 proto udp from $intnet6 to $ispdns6 port = 53pass in on $intif inet6 proto tcp from $admin_machines6 to $intip6 port = 22

IDS Sensor Placement

Internet

DB Server Office Server

Web ServerFTP Server E-Mail Server DMZ

Back Office

Sniffer Servermonitoring/analysis

Sniffer Servermonitoring/analysis

Sniffer Servermonitoring/analysis

• IPv6 IDS systems in their infancy• No official support in free Snort (yet)• Available from NFR, ISS

• Some new attack types in IPv6• Due to new header format and protocols• In dual-stack/transitioning networks too• IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation

WLAN – Features for IDS

• Intelligent Analytical Engine• Performance & Infrastructure Monitoring• Security Monitoring• Wireless LAN Administration• Site Survey• Troubleshooting Connections• Packet Capture & Decodes• Windows XP SP2 and Windows 2003 SP1: limited

(in very few features) IPv6 support for Windows Firewall.

• Bypassing ISA Server 2004 with IPv6: http://www.securityfocus.com/archive/1/431593/30/ 0/threaded

WLAN IDS Signatures

• Spoofed MAC Address Detected• Device Probing With NULL SSID• Dictionary Attack in EAP Methods• Abnormal Authentication Failures• Denial of Service Attacks• Association Flood• Authentication Flood• EAPOL logoff• EAPOL start• EAPOL ID Flood• EAPOL Spoofed Success• Deauthentication Broadcast• Deauthentication Flood• Dis-association Broadcast• RF Jamming

Detects 16 Threats

• Life of IPv6 worms is harder for address-space scanners – Code Red / Slammer.

• worm can determine the address of other existing nodes in the same LAN via v6’s Neighbor Discovery

http://www.cs.columbia.edu/~smb/papers/v6worms. pdf

WiFi Citywide

We boost airborne wireless: innovative, reliable, and secure.

WiBorne Products – Long Range Wireless Solutions

Ahmedabad WiFi Project (AWP) Potential IPv6 Town

2-D Navigation

3-D Navigation

Scope of Works:

• Suggesting and Providing Cost Effective Wireless Solution for Ahmedabad for an area of almost 500 sq. kms. Covering about 1 lac probable customers including the existing Network of AMC.• Networking Solution using latest WiFi technology and Hardware Requirement• Implementation proposal and Maintenance of this wireless Network for minimum three year.

• The company should have installed similar project elsewhere using the latest technology and expertise.• The company will be responsible for setting up the infrastructure and O&M of the same for three years. Day to day operations and trouble shooting will be responsibility of the company.

Proposal Solution for AWP Alpha Bee – a Micro Cell Design

Benefit:

• Logical design – depends on users density, simply increase or decrease the size of individual cell for optimal coverage

• Data Rate for backhaul is 24 to 54 Mbps, depends on terrain

• Dense micro cell coverage which eliminate the need and costs for site surveys and on- going RF management.

• Met the technical and budgetary requirements and fit the needs of cost-effective approach.

•Each color presents not only area, but also specific channel which can be repeated at optimal channel separation

•Center of each area is the point of origination, and others depict spreading of coverage in logical methodology

Automated Meter Reading (AMR) IPv6 Applications

Electronic sensors paired with AWP wireless networks can collect meter data and send it instantly to the utility data center:• 130 Million wireless tags for 20KM squared of range• Reduce costs associated with manual meter reading• Reduce human error in data entry and collection• Perform quicker analysis on utility consumption• Set threshold limits that cannot be exceeded, avoid revenue loss• A single IPv6 subnet maps the entire RFID space whole community• Each RFID tag becomes addressable in the IPv6 network

(sample photos)

IPv6 & RFID

We boost airborne wireless: innovative, reliable, and secure.

• An RFID tag is a transponder• It is a microchip that can receive and respond to RF

queries from an RFID transceiver• A smart bar code

• Components includes tags, readers, processing software (RTLS, Logistics, Middleware), and servers.

• Tags can be active, semi-passive, or passive• Passive: very small since there is no battery• Semi-passive: power for environment, RF from reader• Active: larger due to the internal battery

• Operate on multiple frequencies and provide different reading ranges

RFID Technology

WLANWireless Switch

WLAN (802.11), RFID frequencies Communication

WLAN / RFIDAccess Ports

Asset Tracking & Location Software

Wi-Fi, UHF Tracking

Tags

Middleware for Error

Reduction

The solution combines Wireless LAN technology with location information to enable location-based applications for both

outdoor and indoor facilitiesLOC-100 could directly communicate with tagged devices

from anywhere within the IPv6 network

Secure Internet / Intranet

High Power W-RFID Tag for Outdoor

Tracking

WiBorne Products – LOC-1000 802.11 Active RFID

WiBorne Products – LOC-1000 802.11 Active RFID (cont)

RF-Locate Intelligent Software• continuous persecutions in both outdoor and indoor areas• real long range of tracking area for Wi-Fi Citywide • limitation of damage tough control of objects and high grade goods• integrated with Google Earth to present users at their exact position • workload optimization • improvement of resource availabilities • visualization and establishment of animation profiles• high investment-security through cross-platform open interface to video- monitoring

CAP-2409R Long-Range Wi-Fi CPE and ReaderCombines an 802.11 b / g RFID reader with a long-range CPE – Occurring disruptions can be compensated by the new model and the high accuracy is assured.

RF-T24 Asset Tags• continuously the measured WLAN-signal values to RF-locate• different energy modes• panic button• range of RF-T series tags, hundreds meters ~ 2 – 3 kilometers.• extensibilities: external antenna, belt, additional sensors,

customized PC board…

Each RFID tag becomes addressable in the IPv6 network - The reachable scope is defined by the IPv6 prefix used

• Accuracy • Integrity- issue alarm

in case of large estimation errors

• Availability (Coverage)• Continuity of service

(Location Estimation response time)

Requirements of positioning for indoor navigation (RTLS):

W-RFID Location Tracking

TRACK PDAs

TRACK Laptops

TRACK Voip Phones

TRACK Barcode/RFIDscanners

TRACK hospital wireless equipment

TRACK WiFi TAGs

Tracking Software (RTLS)

Tracking Wireless Tags and WLAN Enabled Devices

RFID + Access Control From RFID, Physical, Logical, Identity, Financial Access to Network

ACC

BPID™ Security Device

Wireless Radio Frequency ID (W-RFID) Information on MedicalAssets and LocationFor Collection in Combined ACCs/WiFiAsset Manager AccessPoint/Internet Servers(AP/ISs)

• RFID and Bluetooth

• Fingerprint sensing without centralized biometric database for privacy

• devices support physical (biometric) and logical (network) access

• Replacement of driver license, password, government or military IDs and other credentials

RFID RTLS and Tags

Horse Tracking

AirportOld Ages, Health Care

Military

Harbor

Hi Rise Buildings City Wide Communication

Entertainment

Construction Transportation

Law EnforcementMining

WiBorne W-RFID: Other Applications

RFID Code Structure

Header: identifies the EPC version number – allows for different lengths or types of EPC: Type I, Type II, Type III, Type IV.

EPC Manager: the manufacturer of the product the EPC is attached to: e.g. Coca Cola

Object Class: exact type of product, most often the SKU (Stock Keeping Unit): e.g. Diet Coke US Version

Serial Number: unique id to the item tells exactly which Diet Coke

EPC Manager Serial NumberObject ClassHeader

28 36248Bits

Element

• IPv6• IPv6 addresses are 128 bits in length• The first 64 bits are the subnet portion • This is how routers determine location• The last 64 bits are the interface ID portion • This uniquely identifies a device on a subnet• 64-bits = ~18 quintillion unique devices

• RFID • Tags are 96 bits in length (Type 1)• Company-specific data (unique identity) is 60 bits• a 28 bit object class and a 32 bit serial number• only ~1.1 quintillion unique identities available

• Migration: powerline communication, WiFi, WiMAX, ZigBee, Unlicensed Mobile Access(UMA)

Integration for IPV6 and RFID Long-Term Solutions

The Integrated Address• The RFID Object Class and Serial Number become the

IPv6 Interface ID• The local router assigns one or (likely) more IPv6

prefixes for local, site, global, and multicast reachable • The address formats fit nicely together without conflicts

or loss of functionality• IP addresses can be a bad choice as an ID: like URLs

they are not stable, whereas, using a code (like an EPC) persistently identifies a given object.

• in complex RFID applications, different instances or states of an object would require multiple IP addresses.

H EPC Manager Object Class Serial Number

Network/Subnet Host/Device

Unique IDRFID Tag (EPC)

IPv6 Address

• A single IPv6 subnet maps the entire RFID space for a company. That subnet would be a wireless subnet that stretches wherever

• Each RFID tag becomes addressable in the IPv6 network. The reachable scope is defined by the IPv6 prefix used

• Location computation software could directly communicate with tagged devices from anywhere within the IPv6 network

• Disclaimer: Although active and passive RIFD tags will coexist in the future, many of the currently passive RFID tags will subsequently evolve towards active tags, which have networking capabilities. This will mean that a large number of tags will need network addresses for communications. IPv6 will play an important role here. But tags themselves do not necessarily have be equipped with IPv6 addresses until needed

Integration Mapping

Pros & Cons from IPv6 with RFID

Pros • More suitable for higher density, More efficient air interfaces and spectrum use,

much higher bit rates, ubiquitous coverage• No NAT necessary (adds extra cost to the cost prohibitive WSN)• Possibility of adding innovative techniques such as location aware addressing• Increases scalability - Connect a trillion of devices including machine-to-machine

(M2M) and sensor networks• All-IP coverage and beyond, can accept a range of IP addresses• Wireless devices that Eliminate the need for SSIDs (own unique IPs, No NAT)• Minimizes hackers/crackers ability to penetrate networksCons • Larger address width (Having efficient address compression schemes may alleviate

this con)• Complying to IPv6 node requirements (IPSec is mandated)• Cost of Change Over - Current infrastructure cannot be used unless it is already IPv6

compliant, New hardware required• Network Changes - Re-addressing of current IPv4 hardware/clients. Compatibility

with existing wireless infrastructure• www.6lowpan.org battery power. limited packet size – compress IPv6 headers

Conclusion

• An IP address on a RFID device makes it reachable - require implementation of an entire network stack

• Sensor networks and RFID may be the final impetus to push adoption of IPv6

• Roadmap for RFID/IPv6: Mid-2008 / 2009

Resource: IT Roadmap Toward 2010, Noruma Research Institute, Japan.

We boost airborne wireless: innovative, reliable, and secure.

Thank youKevin.cheng@wiborne.com