Security Implications of IPv6
Tim Helming, Director of Product Management
Corey Nachreiner, CISSP, Sr. Network Security Strategist
Welcome to WatchGuard’s IPv6 Webinar Series!
Security Implications of IPv6
• v6 in a v4 world
• v6 security advantages/disadvantages
You’re here because v6 matters to you
Part 1: Security Implications of IPv6 in a (mostly) IPv4 World
I’m Running IPv4…Does This Affect Me?
Remember This?
Tunnels In My v4? Holy Teredo!
Talking Behind My Back?
Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!
Remember...
…Which means...
Spotting and Controlling Rogue IPv6
Part 2: Security Implications of IPv6
The Big IPv6 Security Question
•IPv6 Offers:
IPv6 Security: The Good
Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 Protocol
What’s IPSec Again?
Among other things, IPSec consists of:
• Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks)
• Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality
Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications.
What are IPv6 Extension Headers?
Remember IPv6 header simplification?
IPv4 Header (20 bytes):
Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding
IPv6 Header (40 bytes):
Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address
Dropped options need to go somewhere…
Ext. headers may include:
• Hop-by-hop options
• Destination Options
• Routing
• Fragmentation
• AH Header
• ESP Header
• Etc…
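To see what "the dropped options need to go somewhere" means for a filtering device, the following added example (not part of the original slides) walks the Next Header chain of an IPv6 packet to find the upper-layer protocol. The packet is constructed sample data using the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import struct

# Next Header values (IANA protocol numbers) for the extension headers listed above.
EXT = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
       50: "ESP", 51: "AH", 60: "Destination Options"}
NO_NEXT_HEADER = 59

def walk_chain(packet: bytes):
    """Return (extension header names in order, upper-layer protocol or None)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, offset, seen = packet[6], 40, []      # byte 6 of the fixed header = Next Header
    while nxt in EXT:
        seen.append(EXT[nxt])
        if nxt == 50:                          # ESP: the rest of the chain is encrypted
            return seen, None
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if nxt == 44:                          # Fragment header is always 8 bytes
            size = 8
        elif nxt == 51:                        # AH counts 4-byte units, minus 2
            size = (length_field + 2) * 4
        else:                                  # 8-byte units, not counting the first 8
            size = (length_field + 1) * 8
        if offset + size > len(packet):
            raise ValueError("truncated extension header")
        nxt, offset = following, offset + size
    return seen, (None if nxt == NO_NEXT_HEADER else nxt)

def sample_packet() -> bytes:
    """Constructed packet: Hop-by-Hop -> Destination Options -> Fragment -> TCP (6)."""
    ext = bytes([60, 0]) + bytes(6)            # Hop-by-Hop, next = Destination Options
    ext += bytes([44, 0]) + bytes(6)           # Destination Options, next = Fragment
    ext += bytes([6, 0]) + bytes(6)            # Fragment, next = TCP
    payload = ext + bytes(20)                  # 20 zero bytes standing in for a TCP header
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 0, 64)  # Next Header 0 = Hop-by-Hop
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"       # 2001:db8::1
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"       # 2001:db8::2
    return fixed + src + dst + payload

if __name__ == "__main__":
    print(walk_chain(sample_packet()))
```

A filter that reads only the fixed header's Next Header field sees 0 (Hop-by-Hop) here, not TCP, which is why policy enforcement has to follow the whole chain.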
Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 Protocol
What does this really mean?
• Part of IPv6 protocol stack, not an optional add-on
• Implemented with AH and ESP Extension Headers
• Follows one standard (fewer interop issues)
• Every IPv6 device can do IPSec
• However, IPSec usage is still OPTIONAL!
Wait! Doesn’t IPv4 Offer IPSec too?
Some truths about IPv6’s additional IPSec Security:
• IPv4 has it too (though, not “natively”)
• You don’t have to use it, and most don’t
• Still complex
• May require PKI Infrastructure
So is this really a security benefit?
• Short term – probably no measurable advantage over IPv4 IPSec
• Long term – More applications will leverage it now that it’s mandatory!
So Long NAT! Hello, End-2-End Addressing
Vast Address Space Naturally Thwarts Certain Attacks
(340 unidecillion)
Too big for automated reconnaissance and attack:
IPv6 Security: The Bad
Immature Protocols = Increased Vulnerability & Risk
During the creation life-cycle of new standards and protocols:
• Security is often an afterthought
• Unexpected problems happen due to complex interactions
• Many issues don’t surface until the tech receives wider usage
These concepts have proven themselves with many new network protocols in the past. Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.
Unfamiliarity Causes Misconfigurations
Many network administrators and IT practitioners are still relatively unfamiliar with all of IPv6’s “ins and outs”
Common issues:
• Not realizing IPv6 is already in their network
• Ignorance of Tunneling Mechanisms
• Lack of ACL policy for IPv6 multi-homing
• Unawareness of potential privacy issues
• Over-permissiveness, just to get it to work
Automatic Addressing May Pose Privacy Concerns
1. MAC Address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
A Look Back at IPv4 ARP Poisoning
Who has 192.168.20.34?
I Do. Here’s my MAC
Hey Everyone. I have 192.168.20.34
And 192.168.20.2,
And …..
I also have 192.168.20.1
I Do. Send traffic to me
No authentication or security
Neighbor Discovery Suffers from Similar Issues
Who has 2001::3/64?
I Do. Here’s my Layer 2 address
Neighbor Solicitation
Neighbor Advertisement
ND Spoofing
No authentication or security
Many Other Neighbor and Router Discovery Issues
Solution: SEcure Neighbor Discovery (SEND) – RFC 3971
• Essentially adds IPSec to ND communications
• Requires PKI Infrastructure
• Not available in all OSs yet.
• 802.1X also an option
Other ND related attacks:
• Duplicate Address Detection (DAD) DoS attack
• ND spoofing attack for router (allows for MitM)
• Neighbor Unreachability Detection (NUD) DoS attack
• Last Hop Router spoofing (malicious router advertisements)
• And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
New Multicast Protocol Helps with Reconnaissance
In the first webinar, we introduced IPv6 multicast addresses.
IPv6 multicast includes a ton of reserved addresses. Here’s a few:
Multicast Address | Reservation
FF02::1 | All Host Address
FF02::2 | All Router Address (LL)
FF02::9 | RIP Routers
FF02::A | EIGRP Routers
FF02::B | Mobile-Agents
FF02::1:2 | All DHCP Agents
FF05::2 | All Router Address (SL)
FF05::1:3 | All DHCP Servers
FF05::1:4 | All DHCP Relays
FF0X::101 | NTP
FF0X::106 | Name Service Server
Attackers can use these multicast addresses to enumerate your network.
Note: RFC 2375
IPv6 Security Controls Lagging Hacking Arsenal/Tools
Attackers already have many IPv6-capable tools:
THC-IPv6 Attack Suite
Unfortunately, IPv6 security controls and products seem to be a bit behind.
IPv6 Security: The Different
Neutral IPv6 Differences of Concern
Some of IPv6’s differences have security connotations that you should know about. However, they aren’t necessarily inherently good or bad.
Typical IPv6 Devices Have Multiple Addresses
You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization
Extra Security Can Cause Insecurity
Firewalls (and Admins) Must Learn New Tricks
EXTRA: The Same
There are some security issues that IPv6 has little effect on:
IPv6 Security: Conclusion
So… Does/Will IPv6 Provide More Security?
Wrapping It Up
Coming Up Next… (1 month from now)
What To Expect from IPv6
• ISP activities
• Connecting the Islands
Thank You!