Security Implications of IPv6. Tim Helming, Director of Product Management; Corey Nachreiner, CISSP, Sr. Network Security Strategist.
Welcome to WatchGuard’s IPv6 Webinar Series!
• Security Implications of IPv6
• v6 in a v4 world
• v6 security advantages/disadvantages
Part 1: Security Implications of IPv6 in a (mostly) IPv4 World
Talking Behind My Back? Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!
Remember... …Which means...
The Big IPv6 Security Question Does IPv6 help or hinder network security? The Answer is not that simple!
Built-In IPSec Offers Better Security… Right? First, a quick but relevant digression: IPSec is a mandatory part of the IPv6 Protocol.
What’s IPSec Again?
Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications.
• Among other things, IPSec consists of:
  • Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks)
  • Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality
What are IPv6 Extension Headers?
Remember IPv6 header simplification? Dropped options need to go somewhere…
IPv4 Header (20 bytes): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 Header (40 bytes): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
• Ext. headers may include:
  • Hop-by-hop options
  • Destination Options
  • Routing
  • Fragmentation
  • AH Header
  • ESP Header
  • Etc…
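How a filtering device has to follow the extension header chain before it can see the upper-layer protocol, as an added example that is not part of the original slides. The function names and the sample packet (documentation addresses, zero-filled TCP placeholder) are constructed for illustration.

```python
import struct

# Next Header values (IANA protocol numbers) for the headers named on the slide.
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
               50: "ESP", 51: "AH", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}

def walk_header_chain(packet: bytes, max_headers: int = 8) -> list:
    """Follow the Next Header fields and return the header names in order."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while next_header in EXT_HEADERS:
        if len(chain) >= max_headers:
            raise ValueError("extension header chain too long")
        chain.append(EXT_HEADERS[next_header])
        if next_header == 50:
            return chain                      # ESP: the rest is encrypted
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length_field = packet[offset], packet[offset + 1]
        if next_header == 44:
            size = 8                          # Fragment header is fixed size
        elif next_header == 51:
            size = (length_field + 2) * 4     # AH counts 4-byte words, minus 2
        else:
            size = (length_field + 1) * 8     # 8-byte units after the first 8
        next_header, offset = following, offset + size
    chain.append(UPPER_LAYER.get(next_header, f"protocol {next_header}"))
    return chain

def build_sample_packet(first_header: int = 0) -> bytes:
    """Constructed packet (documentation addresses): Hop-by-Hop, Fragment, TCP."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    hop_by_hop = bytes([44, 0, 1, 4, 0, 0, 0, 0])    # next=Fragment, PadN option
    fragment = struct.pack("!BBHI", 6, 0, 0, 1)       # next=TCP, offset 0, id 1
    payload = hop_by_hop + fragment + bytes(20)       # 20 zero bytes stand in for TCP
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_header, 64)
    return fixed + src + dst + payload
```

Calling `build_sample_packet(50)` marks the first header as ESP, and the walk stops there because nothing after an ESP header is readable in transit.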
Built-In IPSec Offers Better Security… Right?
Where were we? IPSec is a mandatory part of the IPv6 Protocol.
• What does this really mean?
  • Part of IPv6 protocol stack, not an optional add-on
  • Implemented with AH and ESP Extension Headers
  • Follows one standard (less interop issues)
  • Every IPv6 device can do IPSec
• However, IPSec usage is still OPTIONAL!
Wait! Doesn’t IPv4 Offer IPSec too? So is this really a security benefit?
• Short term – probably no measurable advantage over IPv4 IPSec
• Long term – More applications will leverage it now that it’s mandatory!
• Some truths about IPv6’s additional IPSec Security:
  • IPv4 has it too (though, not “natively”)
  • You don’t have to use it, and most don’t
  • Still complex
  • May require PKI Infrastructure
Vast Address Space Naturally Thwarts Certain Attacks. IPv6 address space is unimaginably huge (340 undecillion). Too big for automated reconnaissance and attack:
Immature Protocols = Increased Vulnerability & Risk
• During the creation life-cycle of new standards and protocols:
  • Security is often an after-thought
  • Unexpected problems happen due to complex interactions
  • Many issues don’t surface until the tech receives wider usage
• These concepts have proven themselves with many new network protocols in the past.
Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.
[Figure: Complexity vs. Security]
Unfamiliarity Causes Misconfigurations
Many network administrators and IT practitioners are still relatively unfamiliar with all of IPv6’s “ins and outs”.
• Common issues:
  • Not realizing IPv6 is already in their network
  • Ignorance of Tunneling Mechanisms
  • Lack of ACL policy for IPv6 multi-homing
  • Unawareness of potential privacy issues
  • Over-permissiveness, just to get it to work
Automatic Addressing May Pose Privacy Concerns
• MAC Address: 90-3A-2B-06-2C-D1
• Split in half: 90-3A-2B 06-2C-D1
• Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
• Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
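The derivation above in code, together with the reverse check a defender can run over an address inventory to find hosts that expose their hardware address. This is an added example, not from the original slides; the prefix is a documentation prefix and the function names are illustrative. RFC 4291 defines the last step as inverting the universal/local bit, which for the slide's MAC sets it to 1.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier, following the slide's steps."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    # Split in half, insert FF FE, then invert the universal/local bit (0x02).
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the MAC-derived interface identifier."""
    network = ipaddress.IPv6Network(prefix)
    if network.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration expects a /64 prefix")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return network.network_address + iid

def embedded_mac(address: str):
    """Return the MAC an address exposes, or None if it is not EUI-64 derived.

    The FF FE marker is a heuristic: a random identifier matches it with
    probability 1 in 65536.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)

def audit(addresses):
    """Map each address that leaks a hardware address to that MAC."""
    return {a: m for a in addresses if (m := embedded_mac(a))}
```

Because the interface identifier stays the same under every prefix, the recovered MAC follows a device from network to network, which is the privacy concern the slide raises.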
A Look Back at IPv4 ARP Poisoning
• Remember ARP? “Who has 192.168.20.34?” “I do. Here’s my MAC.”
• Problem: No authentication or security
• ARP Poisoning: “Hey everyone. I have 192.168.20.34. I also have 192.168.20.1, and 192.168.20.2, and …”
Neighbor Discovery Suffers from Similar Issues
• Again: ND Address Resolution. Neighbor Solicitation: “Who has 2001::3/64?” Neighbor Advertisement: “I do. Here’s my Layer 2 address.”
• No authentication or security
• ND Spoofing: “Who has 2001::3/64?” “I do. Send traffic to me.”
Many Other Neighbor and Router Discovery Issues
• Other ND related attacks:
  • Duplicate Address Detection (DAD) DoS attack
  • ND spoofing attack for router (allows for MitM)
  • Neighbor Unreachability Detection (NUD) DoS attack
  • Last Hop Router spoofing (malicious router advertisements)
  • And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
• Solution: SEcure Neighbor Discovery (SEND) – RFC 3971
  • Essentially adds IPSec to ND communications
  • Requires PKI Infrastructure
  • Not available in all OSs yet.
• 802.1X also an option
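Where SEND is not deployed, ND spoofing can still be detected by watching for changes in address-to-link-layer bindings, much as ARP monitors do for IPv4. The following is an added example, not from the original slides; the observations are constructed (documentation addresses and MACs) and the function names are illustrative.

```python
import ipaddress
from collections import defaultdict

# Constructed Neighbor Advertisement observations, not captured traffic:
# (seconds since start, target address, advertised link-layer address).
SAMPLE_ADVERTISEMENTS = [
    (0,  "2001:db8::1",  "00:00:5e:00:53:01"),  # router
    (2,  "2001:db8::3",  "00:00:5e:00:53:03"),  # first owner seen for ::3
    (40, "2001:0DB8::3", "00-00-5E-00-53-66"),  # another station claims ::3
    (41, "2001:db8::1",  "00:00:5e:00:53:66"),  # ...and then the router address
    (90, "2001:db8::7",  "00:00:5e:00:53:07"),
]

def normalise(address, lladdr):
    """Canonical text forms so that spelling differences do not hide a conflict."""
    return str(ipaddress.IPv6Address(address)), lladdr.lower().replace("-", ":")

def find_nd_conflicts(advertisements):
    """Report link-layer addresses that claim an IPv6 address already bound elsewhere."""
    first_seen = {}                   # address -> link-layer address learned first
    takeovers = defaultdict(list)     # link-layer address -> addresses it took over
    for _when, address, lladdr in sorted(advertisements):
        address, lladdr = normalise(address, lladdr)
        known = first_seen.setdefault(address, lladdr)
        if known != lladdr and address not in takeovers[lladdr]:
            takeovers[lladdr].append(address)
    alerts = []
    for lladdr, addresses in takeovers.items():
        # One change can be a replaced NIC or a failover; several from the same
        # station match the "I also have ..." pattern of a spoofing host.
        severity = "high" if len(addresses) > 1 else "review"
        alerts.append({"lladdr": lladdr, "addresses": addresses,
                       "severity": severity})
    return alerts
```

The first binding seen is treated as the baseline, so the monitor needs to start from a known-good state or from a static list of router and server bindings.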
New Multicast Protocol Helps with Reconnaissance In the first webinar, we introduced IPv6 multicast addresses: IPv6 multicast includes a ton of reserved addresses. Here’s a few: Attackers can use these multicast addresses to enumerate your network. Note: RFC 2375
IPv6 Security Controls Lagging Hacking Arsenal/Tools
Unfortunately, IPv6 security controls and products seem to be a bit behind.
• Attackers already have many IPv6-capable tools:
  • THC-IPv6 Attack Suite
Neutral IPv6 Differences of Concern Some of IPv6’s differences have security connotations that you should know about. However, they aren’t necessarily inherently good or bad
Typical IPv6 Devices Have Multiple Addresses. You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization.
Extra Security Can Cause Insecurity. IPv6 IPSec is end-to-end. In-line content filters can’t filter.
EXTRA: The Same There are some security issues that IPv6 has little effect on:
Coming Up Next… (1 month from now)
• What To Expect from IPv6
• ISP activities
• Connecting the Islands