IPv6 Security: Challenges and Countermeasures, Thesis of International Relations

An overview of IPv6 security issues and countermeasures. Topics include first-hop protocol vulnerabilities, denial-of-service attacks, user authentication and authorization, and routing security. The document also covers new considerations for IPv6 security, such as dual-stack-related exposures and tunneling-related exposures.

Typology: Thesis

2016/2017

Uploaded on 06/05/2017

manju-devaraj-1

IPv6 Security
Ivan Pepelnjak (@ioshints, [email protected])
NIL Data Communications
Eric Vyncke (@evyncke, evy[email protected])
Cisco Systems
This material is copyrighted and licensed for the sole use by Manju Devaraj ([email protected] [202.156.243.240]). More information at http://www.ipSpace.net/Webinars


2 © ipSpace.net / NIL Data Communications 2012 IPv6 Security

Revision history

  • 2012-07-07 Early first draft
  • 2012-10-02 Minor fixes; Server RA exposure
  • 2012-10-12 Included Eric Vyncke's detailed explanations and Cisco-related material


Who is Eric Vyncke... In 30 seconds

Research Assistant at Univ Liège, Belgium
Head of R&D at NRB, system integrator
  • First multi-protocol network in Belgium
SW project manager at Siemens
  • Firewall, military X.
Since 1997, Distinguished Engineer at Cisco
Co-chair of www.ipv6council.be
Main focus
  • Security and security and security ;-) (VoIP, IPsec, layer-2, ...)
  • IPv6 (see also www.vyncke.org/ipv6status)


The Bigger Picture: IPv6 Webinars

Availability
  • Live sessions
  • Recordings of individual webinars
  • Yearly subscription

Other options
  • Customized webinars
  • ExpertExpress
  • On-site workshops

More information @ http://www.ioshints.info/Webinars

[Figure: map of the ipSpace.net IPv6 webinars: IPv6 Security, Market Trends in SP Networks, Building IPv6 Service Provider Networks, Enterprise IPv6 – First Steps, Upcoming Internet Challenges, Service Provider IPv6 Introduction, NAT64 and DNS, Planned in 2012]

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

  • Application layer attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent
  • Rogue devices: rogue devices will be as easy to insert into an IPv6 network as in IPv4
  • Man-in-the-Middle Attacks (MITM): without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
  • Flooding: flooding attacks are identical between IPv4 and IPv6
  • Sniffing: IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

Good news: IPv4 IPS signatures can be re-used


  • Viruses and email, IM worms: IPv6 brings no change
  • Other worms:
    • IPv4: reliance on network scanning
    • IPv6: not so easy (see reconnaissance) => will use alternative techniques

Worm developers will adapt to IPv6. IPv4 best practices around worm detection and mitigation remain valid.


  • Public servers will still need to be DNS reachable: more information collected by Google...
  • Increased deployment/reliance on dynamic DNS: more information will be in DNS
  • Using peer-to-peer clients gives IPv6 addresses of peers
  • Administrators may adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0, :ABBA:BABE or simply the IPv4 last octet for dual stack)
  • By compromising hosts in a network, an attacker can learn new addresses to scan
  • Transition techniques (see further) derive the IPv6 address from the IPv4 address => can scan again


First Hop Vulnerabilities



  • Prevent node-to-node layer-2 communication by using:
    • Private VLANs (PVLAN), where nodes (isolated ports) can only contact the official router (promiscuous port)
    • WLAN in 'AP Isolation Mode'
    • 1 VLAN per host (SP access network with Broadband Network Gateway)
  • Link-local multicast (RA, DHCP request, etc.) is sent only to the local official router: no harm

[Figure: PVLAN with hosts on isolated ports and the router on the promiscuous port; RAs sent from an isolated port reach only the promiscuous port]


  • Port ACL blocks all ICMPv6 RA from hosts:

    interface FastEthernet0/
     ipv6 traffic-filter ACCESS_PORT in
     access-group mode prefer port

  • RA-guard lite (12.2(33)SXI4 & 12.2(54)SG): also dropping all RA received on this port:

    interface FastEthernet0/
     ipv6 nd raguard
     access-group mode prefer port

  • RA-guard (12.2(50)SY): per-port device roles, with the HOST policy attached to the VLAN and the ROUTER policy overriding it on the port facing the legitimate router:

    ipv6 nd raguard policy HOST
     device-role host
    ipv6 nd raguard policy ROUTER
     device-role router
    !
    vlan configuration 100
     ipv6 nd raguard attach-policy HOST
    !
    interface FastEthernet0/
     ipv6 nd raguard attach-policy ROUTER

[Figure: RAs arriving on host ports are dropped by RA-guard]


Fake DHCPv6 Replies

Intruder responds to DHCPv6 requests

  • DNS IPv6 address injection (DNS interception)
  • Denial-of-service attack (bogus IPv6 address allocation)

[Figure: the host sends a DHCPv6 Information Request; both the router and the intruder answer with a DHCPv6 Reply]

Countermeasure: DHCPv6 guard
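To make the device-role logic behind RA-guard (previous slide) and DHCPv6 guard concrete, here is an added Python example, not code from the webinar or from Cisco, that applies the same policy in software to constructed IPv6 packets: Router Advertisements and DHCPv6 server messages arriving on a host-role port are dropped, everything else is forwarded. Port names, the role table and the packet contents are constructed for illustration.

```python
import struct

# Port device roles, mirroring the 'device-role host/router' policies (constructed table).
PORT_ROLE = {"Fa0/1": "router", "Fa0/2": "host", "Fa0/3": "host"}

ICMPV6_RA, ICMPV6_NS = 134, 135
DHCPV6_SERVER_PORT = 547
DHCPV6_SERVER_MSGS = {2, 7, 9}   # Advertise, Reply, Reconfigure: only a server sends these

def build_ipv6(src, dst, next_hdr, payload):
    """Minimal IPv6 packet: 40-byte header (version 6, hop limit 255) plus payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 255)
    return hdr + src + dst + payload

def first_hop_verdict(port, pkt):
    """Drop RA and DHCPv6 server messages seen on a host-role port; forward everything else.
    Unknown ports are treated as hosts (fail closed)."""
    if PORT_ROLE.get(port, "host") != "router":
        next_hdr, payload = pkt[6], pkt[40:]
        if next_hdr == 58 and payload and payload[0] == ICMPV6_RA:
            return "drop"           # RA-guard: hosts never send Router Advertisements
        if next_hdr == 17 and len(payload) >= 9:
            sport = struct.unpack("!H", payload[:2])[0]
            if sport == DHCPV6_SERVER_PORT and payload[8] in DHCPV6_SERVER_MSGS:
                return "drop"       # DHCPv6 guard: hosts never answer as a DHCPv6 server
    return "forward"

# Constructed sample packets (not captures): link-local source, all-nodes destination.
SRC = bytes.fromhex("fe800000000000000000000000000001")
ALL_NODES = bytes.fromhex("ff020000000000000000000000000001")
RA_PKT = build_ipv6(SRC, ALL_NODES, 58, struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0))
NS_PKT = build_ipv6(SRC, ALL_NODES, 58, struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + SRC)
# DHCPv6 Reply: UDP 547 -> 546, message type 7, transaction id 0x000001
DHCP_REPLY_PKT = build_ipv6(SRC, ALL_NODES, 17, struct.pack("!HHHH", 547, 546, 12, 0) + bytes([7, 0, 0, 1]))
# DHCPv6 Solicit from a client: UDP 546 -> 547, message type 1
DHCP_SOLICIT_PKT = build_ipv6(SRC, ALL_NODES, 17, struct.pack("!HHHH", 546, 547, 12, 0) + bytes([1, 0, 0, 1]))

if __name__ == "__main__":
    for name, pkt in [("RA", RA_PKT), ("NS", NS_PKT), ("DHCPv6 Reply", DHCP_REPLY_PKT)]:
        print(f"{name} on host port Fa0/2: {first_hop_verdict('Fa0/2', pkt)}")
```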


Fake Neighbor Advertisement Messages

Intruder responds to ICMPv6 Neighbor Solicitation requests

  • Traffic interception
  • Denial-of-service attack

[Figure: the host sends an ND Neighbor Solicitation; both the router and the intruder answer with an ND Neighbor Advertisement]

Countermeasures: DHCPv6 snooping, ND inspection, SEND


  • Certification paths: anchored on trusted parties, expected to certify the authority of the routers on some prefixes
  • Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated
  • RSA signature option: protects all messages relating to neighbor and router discovery
  • Timestamp and nonce options: prevent replay attacks
  • Requires IOS 12.4(24)T


  • Each device has an RSA key pair (no need for a certificate)
  • Ultra-light check for validity
  • Prevents spoofing a valid CGA address

[Figure: CGA generation: the modifier, subnet prefix and RSA public key form the CGA Parameters, which are hashed with SHA-1 to produce the interface identifier; subnet prefix + interface identifier = the cryptographically generated address; the RSA private key signs the SeND messages]
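As an added worked example (not code from the webinar), the CGA generation and the "ultra light" verification check sketched on this slide, implemented in Python after RFC 3972; it also covers the Hash2 search for Sec values above 0, which the slide does not show. The subnet prefix and the public-key bytes are constructed placeholders (a real CGA hashes the DER-encoded RSA public key).

```python
import hashlib
import os

# Constructed inputs (not from the page): a 64-bit prefix and a placeholder standing in
# for the DER-encoded RSA public key that a real CGA hashes.
SUBNET_PREFIX = bytes.fromhex("20010db800010000")
PUBLIC_KEY = b"CONSTRUCTED-RSA-PUBLIC-KEY-PLACEHOLDER"

def cga_hash1(modifier, prefix, collision_count, public_key):
    """Hash1 (RFC 3972): SHA-1 over the CGA Parameters, leftmost 64 bits."""
    params = modifier + prefix + bytes([collision_count]) + public_key
    return hashlib.sha1(params).digest()[:8]

def cga_hash2_ok(modifier, public_key, sec):
    """Hash2 (RFC 3972): the leftmost 16*Sec bits of SHA-1(modifier | 9 zero bytes | key) must be 0."""
    if sec == 0:
        return True
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14], "big")
    return h2 >> (112 - 16 * sec) == 0

def interface_id(h1, sec):
    """Put Sec in the three leftmost bits and clear the u and g bits of the interface ID."""
    iid = bytearray(h1)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)

def generate_cga(prefix, public_key, sec=0):
    """Address generation: find a modifier satisfying Hash2, then derive the ID from Hash1."""
    modifier = os.urandom(16)
    while not cga_hash2_ok(modifier, public_key, sec):
        modifier = os.urandom(16)
    params = {"modifier": modifier, "prefix": prefix, "collision_count": 0, "public_key": public_key}
    return prefix + interface_id(cga_hash1(modifier, prefix, 0, public_key), sec), params

def verify_cga(address, params):
    """The 'ultra light' check: recompute Hash1 from the CGA Parameters and compare.
    A node cannot claim someone else's CGA unless its own key hashes to the same ID."""
    prefix, iid = address[:8], address[8:]
    if params["collision_count"] > 2 or params["prefix"] != prefix:
        return False
    sec = iid[0] >> 5
    if not cga_hash2_ok(params["modifier"], params["public_key"], sec):
        return False
    h1 = cga_hash1(params["modifier"], prefix, params["collision_count"], params["public_key"])
    return interface_id(h1, sec) == iid
```

Verification alone does not prove ownership: in SEND the RSA signature option over the message, checked against the public key inside the CGA Parameters, is what ties the sender to the address.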