1 / 14

Securing an IPv6 Network

Securing an IPv6 Network. Spring 2005 Internet2 Members Meeting Arlington, VA. Ron Broersma DREN Chief Engineer High Performance Computing Modernization Program ron@spawar.navy.mil. Context. Historical 2001 – DREN IPv6 testbed Wide area Dedicated hardware – 10 “core” nodes.

ross
Download Presentation

Securing an IPv6 Network

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing an IPv6 Network Spring 2005 Internet2 Members Meeting Arlington, VA Ron Broersma DREN Chief Engineer High Performance Computing Modernization Program ron@spawar.navy.mil IPv6 Security

  2. Context • Historical • 2001 – DREN IPv6 testbed • Wide area • Dedicated hardware – 10 “core” nodes. • Native IPv6 over partial ATM mesh • 2003 – DoD and IPv6 • DoD CIO issues memorandum to transition by 2008 • DREN chosen as the DoD “pilot implementation” • 2003/2004 – DoD “pilot” on DREN production network • dual stack, native, running on production DREN network • 2004/2005 – additional efforts • site deployment, multicast, DHCP/DNS, mobility • Within DoD… • Each of the services (Army, Navy, Air Force) developing their own transition plans for the “operational networks”. • Most will not begin implementation for a year or more • Most will not be complete until after 2008 • DREN is DoD’s “research network”, and is transitioning now. • Chartered to support the DoD HPC community, and other R&D organizations. IPv6 Security

  3. DREN Today • 10 “core nodes” on OC-192 backbone (CONUS), with OC-12 extensions to Hawaii and Alaska. • About 100 sites (“Service Delivery Points”), connected at DS-3 to OC-48 rates. • IPv4 unicast and multicast, IPv6 unicast, and ATM services now. • Dual IPv6 networks (“testbed”, and “production”) • “jumbo-clean” (i.e. 9K MTU everywhere) • Multiple security levels. • Both unclassified and classified networks IPv6 Security

  4. DREN “production” network IPv6 Security

  5. DRENv6 “testbed”Logical Topology Cisco AIX-v6 C&W Global Crossing 6TAP Abilene FIX-West Hurricane Electric Abilene LAVAnet TIC WPAFB Dayton NTTCom Verio ARL JITC HP Aberdeen Tunnel broker WCISD San Diego SD-NAP SDSC AOL SSC San Diego Wash D.C. SPRINT HICv6 (Hawaii) NRL Vicksburg Albuquerque SSC Charleston SSAPAC ERDC AFRL Kirtland AFB Stennis vBNS+ ATM PVC (OC-3) NAVO IXP Core Router tunnel IPv6 Security ISP or BGP Neighbor “site”

  6. DREN IPv6 philosophy • Push the “I believe” button, and turn on IPv6 everywhere to see what works (and what doesn’t) • Do it in a production environment • can get away with this in an R&D environment, but not on operational networks. • Go native. (no tunnels) • Even if the world doesn’t convert for years, R&D environments need it now. • Figure out how to deploy IPv6 to the rest of DoD in the future. IPv6 Security

  7. Unique Security Challenges • DoD networks are a big target • DoD has mandatory security requirements • Certification and Accreditation (DITSCAP) • DoD ports&protocols • Navy UTN Protect Policy • etc. • Defense in Depth model Goal: Try to achieve equivalent security to IPv4, so we can deploy IPv6 within DoD policy. IPv6 Security

  8. DoD Security Model • “Defense in Depth” • Protections at multiple levels • Problem: How to securely deploy IPv6 in DoD without these components. S Scanners LAN Firewall IDS ACL WAN ACL IDS Internet IPv6 Security

  9. Lack of Security Features (Examples) • Router Access Control Lists (ACLs) • Juniper doesn’t support “tcp established” • Vulnerability Assessment (Scanners) • ISS doesn’t support IPv6 and has no published plans to do so. • NESSUS doesn’t support IPv6 (yet) • Intrusion Detection Systems • If we want IPv6 support, we have to add it ourselves. • Juniper port mirroring doesn’t support IPv6 • IPSEC • Missing in most IPv6 implementations • Juniper ASPIC doesn’t support IPv6 (until much later) • Firewalls • Until recently, no production quality IPv6 support • Netscreen (Juniper): • no OSPFv3, only RIP • IPv6 support only available in certain products • “transparent mode” doesn’t work for IPv6 It is crucial that IPv6 products have equivalent functionality to the IPv4 world IPv6 Security

  10. Overcoming the security issue (workaround) • Use DRENv6 testbed for transit to Internet • use to peer with rest of IPv6 enable Internet and other testbeds • continue to operate as an “untrusted” IPv6 network • Enable IPv6 on new DREN2 (MCI) production network. • Dual stack everywhere. • Establish trusted gateways between v6 enabled DREN2 and the DRENv6 testbed • Upgrade HPC Network Intrusion Detection Systems (NIDS) to be v6-compliant, monitored by the HPC Computer Emergency Response Team (CERT), and install at the trusted gateways. • Install v6 version of standard DREN v4 Access Control Lists (ACLs) to protect pilot network to same level as IPv4 production network. • DREN customers receive “safe” native IPv6 service via existing service delivery point (SDP), in parallel with IPv4 service. IPv6 Security

  11. DREN IPv6 transition architecture – FY04 To 6bone, Abilene, and other IPv6 enabled ISPs IPv6 demonstrations (Moonv6) links run native IPv6 where possible, otherwise tunnelled in IPv4 DRENv6 (Testbed) Native IPv6 backbone ARL-APG SSCSD ERDC Testbed at DREN site Testbed at DREN site NIDSv6 NIDSv6 v6 ACL v6 ACL NIDSv6 v6 ACL sdp.erdc DREN2 (Production / Pilot) sdp.sandiego sdp.arlapg Dual stack IPv4 and IPv6 wide area infrastructure sdp sdp sdp Goal: As secure as the IPv4 backbone Type “A” (IP) production service to DREN sites IPv4 and IPv6 provided over the same interface IPv6 Security

  12. Site Security Solution(Example – SPAWAR) • SPAWAR Intrusion Detection System (IDS) modified to support IPv6 • Netscreen Firewall with IPv6 support in parallel with production firewall. DREN2 (Pilot) WAN IPv4 unicast and multicast services + IPv6 unicast SPAWAR Border router (Juniper M20) IDS IPv6 IPv4 Netscreen 2000 Firewall Netscreen 208 Firewall IPv6 Firewall Production Firewall switch to LAN IPv6 Security

  13. Other Security Issues • IPv6 tunnels crossing security domains • TCP and UDP port numbers aren’t in a fixed location, so how do you filter on them? • Privacy concerns of non-changing interface identifier (IID) • What issues haven’t we discovered yet? IPv6 Security

  14. Summary • With some work, it is possible to secure an IPv6 network. • There are still some missing pieces, but it is getting better. • IPv6 capability in products is good, but we cannot be satisfied unless all the security functions and features work just as well in IPv6 as they do in IPv4. IPv6 Security

More Related