
Security features in IPv6

Security features in IPv6. By Mau, Morgan; Arora, Pankaj; Desai, Kiran. Agenda: Large address space; Briefing on IPsec; IPsec implementation; IPsec operational modes; Authentication Header in IPv6; ESP in IPv6; Security Issues in IPv6.


Presentation Transcript


  1. Security features in IPv6. By Mau, Morgan; Arora, Pankaj; Desai, Kiran

  2. Agenda • Large address space • Briefing on IPsec • IPsec implementation • IPsec operational modes • Authentication Header in IPv6 • ESP in IPv6 • Security Issues in IPv6

  3. Large Address Space A (Poor) Representation of Relative IPv4 and IPv6 Address Space Sizes[1]

  4. Large Address Space • With IPv4 a typical Class C network has 8 bits for host addressing. • If we scan at the rate of 1 host/sec • 2^8 hosts × 1 sec/host × 1 minute/60 secs = 4.2 mins • Takes us ~4 minutes to completely scan the Class C network • With IPv6 the subnets use 64 bits for host addressing. • If we scan at the rate of 1 host/sec • 2^64 hosts × 1 sec/host × 1 yr/31536000 secs = 584 billion yrs • Takes us ~584 billion yrs to completely scan the network

  5. Large Address Space..contd • Advantages • Port scanning attacks become an arduous task • Well-organized IP address assignment helps track down issues • Disadvantages • Increased overhead, since every datagram header or other place where IP addresses are referenced must use 16 bytes for each address instead of 4 bytes

  6. IPsec • IPsec is a set of cryptographic protocols that secure data communication and provide for secure exchange of keys during initial negotiation • Although IPsec has been around for quite some time now, it was optional in IPv4. • IPv6 mandates the use of IPsec

  7. IPsec…contd IPsec overview [1]

  8. IPsec Implementation • Integrated architecture • Integrated in IP layer itself • Example: IPv6 • Most elegant but would not be possible with IPv4 as the IP implementation in each device needs to be changed

  9. IPsec Implementation…contd BITS architecture or Bump In The Stack BITS architecture [1]

  10. IPsec Implementation…contd BITW architecture or Bump In The Wire BITW architecture [1]

  11. IPsec Operational modes: Transport Mode. As its name suggests, in transport mode, the protocol protects the message passed down to IP from the transport layer.

  12. IPsec Operational modes..contd: Tunnel Mode. In this mode, IPsec is used to protect a complete encapsulated IP datagram after the IP header has already been applied to it.

  13. IPsec Operational modes..contd • Thus, to generalize, the order of headers is as below • Transport Mode: IP header, IPsec headers (AH and/or ESP), IP payload (including transport header). • Tunnel Mode: New IP header, IPsec headers (AH and/or ESP), old IP header, IP payload. • For IPv6, there are 2 variables and 4 combinations. Thus 2 protocols (AH & ESP) and 2 modes (Transport and Tunnel) could be combined in different ways.

  14. Authentication Header • AH is one of the two core security protocols in IPsec • AH is intended to guarantee connectionless integrity and data origin authentication • Figure: IPsec AH packet [2]

  15. Authentication Header..contd • The calculation of the authentication header is similar for both IPv4 and IPv6. • The difference is in how the header is placed into the datagram and how the headers are linked together. • The AH is inserted into the IP datagram as an extension header, following the normal rules of IPv6 extension header linking. • Each header is linked to by the previous header through its Next Header field. • Thus the headers can be chained one after the other. • The numbers indicated are a standard specified by the IETF for each protocol.

  16. Authentication Header..contd Authentication Header Placement and Linking

  17. Encapsulating Security Payload • AH is not enough if we do not want the intermediate devices to change our datagrams. • ESP provides the privacy we seek by encrypting them. • ESP also supports its own authentication scheme. ESP headers without and with authentication [2]

  18. Encapsulating Security Payload..contd • Unlike AH, which provides a small header before the payload, ESP surrounds the payload it's protecting • The Next Header field gives the type (IP, TCP, UDP, etc.) of the payload in the usual way, though it can be thought of as pointing "backwards" into the packet rather than forward as we've seen in AH • Header Calculation and Placement • The ESP header placement works similarly to AH. • It is inserted into the IP datagram as an extension header. • Trailer Calculation and Placement • The ESP Trailer is appended to the data to be encrypted. • The Next Header field in ESP appears in the trailer and not the header. • ESP Authentication Field Calculation and Placement • The authentication field is computed over the entire ESP datagram.

  19. Encapsulating Security Payload..contd ESP in Transport and Tunnel Mode [1]
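
An added example, not part of the original presentation, of the Next Header linking described in slides 13, 15 and 18: it walks an IPv6 extension-header chain, stops at ESP (whose Next Header field sits in the encrypted trailer), and labels AH traffic as transport or tunnel mode. The function name `walk_chain`, the mode labels and the sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv6Address

# IANA protocol numbers carried in the Next Header field
HOP, IPV4, TCP, IPV6, ROUTING, FRAGMENT, ESP, AH, DSTOPT = 0, 4, 6, 41, 43, 44, 50, 51, 60
NAMES = {HOP: "Hop-by-Hop", IPV4: "IPv4", TCP: "TCP", IPV6: "IPv6", ROUTING: "Routing",
         FRAGMENT: "Fragment", ESP: "ESP", AH: "AH", DSTOPT: "DestOpts"}

def walk_chain(pkt: bytes):
    """Follow Next Header links; return (header names in order, IPsec mode label)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain, nxt, off, saw_ah = ["IPv6"], pkt[6], 40, False
    while True:
        chain.append(NAMES.get(nxt, f"proto-{nxt}"))
        if nxt == ESP:
            # Everything after the ESP header is encrypted, and ESP keeps its
            # Next Header field in the trailer, so the walk has to stop here.
            return chain, "esp-opaque"
        if nxt not in (HOP, ROUTING, DSTOPT, FRAGMENT, AH):
            break  # upper-layer protocol or an encapsulated IP datagram
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == AH:
            length, saw_ah = (pkt[off + 1] + 2) * 4, True  # length in 32-bit words, minus 2
        elif nxt == FRAGMENT:
            length = 8                                     # fixed-size header
        else:
            length = (pkt[off + 1] + 1) * 8                # length in 8-octet units, minus 1
        if off + length > len(pkt):
            raise ValueError("extension header overruns packet")
        nxt, off = pkt[off], off + length
    if not saw_ah:
        return chain, "none"
    # AH followed directly by another IP header means a whole datagram is encapsulated
    return chain, "ah-tunnel" if nxt in (IPV6, IPV4) else "ah-transport"

# --- constructed sample packets (documentation addresses, zeroed ICV and payloads) ---
def ipv6(nxt, payload):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64)
    return hdr + IPv6Address("2001:db8::1").packed + IPv6Address("2001:db8::2").packed + payload

def ah(nxt):  # 12 fixed bytes + 12-byte ICV = 24 bytes, so Payload Len = 24/4 - 2 = 4
    return struct.pack("!BBHII", nxt, 4, 0, 0x1000, 1) + bytes(12)

TRANSPORT = ipv6(AH, ah(TCP) + bytes(20))
TUNNEL = ipv6(AH, ah(IPV6) + ipv6(TCP, bytes(20)))
HBH_ESP = ipv6(HOP, bytes([ESP, 0, 1, 4, 0, 0, 0, 0]) + bytes(16))  # Hop-by-Hop with PadN, then ESP

if __name__ == "__main__":
    for name, pkt in (("transport", TRANSPORT), ("tunnel", TUNNEL), ("hbh+esp", HBH_ESP)):
        print(name, *walk_chain(pkt))
```

The two length checks reject packets whose extension headers are cut short or claim to extend past the end of the datagram, which is the kind of input a filtering device has to handle when it inspects the chain.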

  20. Security Issues in IPv6 • IPv6-IPv4 stack issues • Dual stacks during migration always bring in security vulnerabilities • Extension Header issues • Large extension headers will overwhelm certain nodes. • Multicast flooding • New features like multicast addresses would increase smurf attacks

  21. Q&A

  22. References [1] "TCPIP Guide", http://www.tcpipguide.com, Web resource retrieved on Oct 13th 2008 [2] "An illustrated guide to IPsec", http://unixwiz.net/techtips/iguide-ipsec.html, Web resource retrieved on Oct 13th 2008
