Security features in IPv6
description
Transcript of Security features in IPv6
![Page 1: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/1.jpg)
By Mau, Morgan
Arora, PankajDesai, Kiran
![Page 2: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/2.jpg)
Large address space Briefing on IPsec IPsec implementation IPsec operational modes Authentication Header in IPv6 ESP in IPv6 Security Issues in IPv6
![Page 3: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/3.jpg)
A (Poor) Representation of Relative IPv4 and IPv6 Address Space Sizes[1]
![Page 4: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/4.jpg)
With IPv4 a typical Class C network has 8 bits for host addressing.◦ If we scan at the rate of 1 host/sec ◦ 2exp8 hosts X 1sec/host X1 minute/60secs =
4.2 mins◦ Takes us ~4 minutes to completely scan the C
network With IPv6 the subnets use 64 bits for host
addressing.◦ If we scan at the rate of 1 host/sec ◦ 2exp64 hosts X 1sec/host X 1yr/31536000secs
= 584 billion yrs◦ Takes us ~584billion yrs to completely scan
the network
![Page 5: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/5.jpg)
Advantages◦ Port scanning attacks become an arduous task◦ Well organized IP address assignment, helps track
down issues Disadvantages
◦ Increased overhead, since every datagram header or other place where IP addresses are referenced must use 16bytes for each address instead of 4bytes
![Page 6: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/6.jpg)
IPsec is a set of cryptographic protocols that secure data communication and provide for secure exchange of keys during initial negotiation
Although IPsec has been there for quite some time now, it was optional in IPv4.
IPv6 mandates the use of IPsec
![Page 7: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/7.jpg)
IPsec overview [1]
![Page 8: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/8.jpg)
Integrated architecture◦ Integrated in IP layer itself◦ Example: IPv6◦ Most elegant but would not be possible with IPv4
as the IP implementation in each device needs to be changed
![Page 9: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/9.jpg)
BITS architecture or Bump In The Stack
BITS architecture [1]
![Page 10: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/10.jpg)
BITW architecture or Bump In The Wire
BITW architecture [1]
![Page 11: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/11.jpg)
As its name suggests, in transport mode, the protocol protects the message passed down to IP from the transport layer.
![Page 12: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/12.jpg)
In this mode, IPSec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it.
![Page 13: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/13.jpg)
Thus to generalize, the order of headers are as belowo Transport Mode: IP header, IPSec headers (AH and/or ESP), IP payload
(including transport header). o Tunnel Mode: New IP header, IPSec headers (AH and/or ESP), old IP
header, IP payload.
For IPv6, there are 2 variables and 4 combinations. Thus 2 protocols(AH& ESP) and 2 modes(Transport and Tunnel) could be combined in different ways.
![Page 14: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/14.jpg)
AH is one among the two core security protocols in IPsec
AH is intended to guarantee connectionless integrity and data origin authentication
IPsec AH packet [2]
![Page 15: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/15.jpg)
The calculation of the authentication header is similar for both IPv4 and IPv6.
Difference is in placing the header into the datagram and for linking the headers together
The AH is inserted into the IP datagram as an extension header following normal rules of IPv6 extension header linking.
Each header field is linked to by the previous field by the Next header link.
Thus the headers could be chained one after the other.
The numbers indicated are a standard specified by IETF for each protocol.
![Page 16: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/16.jpg)
Authentication Header Placement and Linking
![Page 17: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/17.jpg)
AH is not enough if we do not want the intermediate devices to change our datagrams.
ESP provides the privacy we seek by encrypting them.
ESP also supports its own authentication scheme.
ESP headers without and with authentication [2]
![Page 18: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/18.jpg)
Unlike AH, which provides a small header before the payload, ESP surrounds the payload it's protecting
The next hdr field gives the type (IP, TCP, UDP, etc.) of the payload in the usual way, though it can be thought of as pointing "backwards" into the packet rather than forward as we've seen in AH
Header Calculation and Placement◦ The ESP header placement works similar to AH.◦ It is inserted into the IP datagram as an extension header.
Trailer Calculation and Placement◦ The ESP Trailer is appended to the data to be encrypted.◦ The Next Header field in ESP appears in the trailer and not the
header. ESP Authentication Field Calculation and
Placement◦ The authentication field is computed over the entire ESP
datagram.
![Page 19: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/19.jpg)
ESP in Transport and Tunnel Mode [1]
![Page 20: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/20.jpg)
IPv6-IPv4 stack issues◦ Dual stacks during migration always bring in
security vulnerabilities Extension Header issues
◦ Large size of extension headers will overwhelm certain nodes.
Multicast flooding◦ New features like multicast address would
increase the smurf attacks
![Page 21: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/21.jpg)
![Page 22: Security features in IPv6](https://reader035.fdocuments.net/reader035/viewer/2022062322/56815196550346895dbfce39/html5/thumbnails/22.jpg)
[1]“TCPIP Guide”, http://www.tcpipguide.com, Web resource retrieved on Oct 13th 2008
[2]“An illustrated guide to IPsec”, http://unixwiz.net/techtips/iguide-ipsec.html, Web resource retrieved on Oct 13th 2008