IPv Implementation - The Naked Truth By Dr. Omar Amer - - PowerPoint PPT Presentation

SLIDE 1

IPv6 Implementation - The Naked Truth

By Dr. Omar Amer Abouabdalla
IPv6 Global Sdn. Bhd.
omar@ipv6global.my
SLIDE 2

Things to Connect to Internet

SLIDE 3

Why IPv6???

No more room in IPv4.
Quite empty in IPv6.

SLIDE 4

IPv6 Implementation

Where to start???

Core to Edge
Edge to Core

SLIDE 5

Core to Edge / Edge to Core

Core to Edge:
  • Core devices are usually the safest place to add IPv6.
  • Addresses the more difficult issues, such as security and management, first.
  • Gain operational experience before going to the edge.
  • Considered the best approach when using a dual-stack strategy.

Edge to Core:
  • More difficult.
  • Relies more on tunneling.
  • Faster when endpoints need to connect to data centers and apps that are IPv6-enabled.
  • Used when older devices in the core cannot support IPv6.

SLIDE 6

Talking Behind My Back?

Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!

SLIDE 7

Unfamiliarity Causes Misconfigurations

SLIDE 8

Automatic Addressing May Pose Privacy Concerns

Stateless Address Autoconfiguration (SLAAC) can automatically create an EUI-64 address. However, this makes your MAC address public, which you may consider a privacy issue.

How the EUI-64 interface identifier is built:
1. MAC Address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1

There are options to rectify this issue:
  • Privacy Enhanced Addresses [RFC 3041]
  • Cryptographically Generated Addresses (CGA) [RFC 3972]
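As an added example (not part of the deck), the Python below reproduces the four EUI-64 steps above for the slide's MAC, and runs them in reverse as an audit check: given addresses observed on a segment, it reports which ones expose a MAC and which look like privacy addresses. The prefix 2001:db8:0:12::/64 is borrowed from the deck's ACL slide; the sample addresses are constructed.

```python
import ipaddress
import re


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier SLAAC derives from a MAC: split the
    MAC in half, insert FF:FE, and flip bit 7 of the first octet (the
    universal/local bit), exactly as the slide's four steps describe."""
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host would self-assign on a /64 using EUI-64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def exposed_mac(address: str):
    """MAC an EUI-64-derived address reveals, or None when the interface
    identifier is not in EUI-64 form (e.g. an RFC 3041 privacy address).
    FF:FE in those two octets can occur by chance, so treat a hit as a lead
    to confirm against the switch's MAC table, not as proof."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)


def hosts_leaking_mac(addresses):
    """Audit helper: map each address on a segment to the MAC it exposes."""
    return {a: m for a in addresses if (m := exposed_mac(a)) is not None}


# Constructed sample: the slide's MAC on the deck's example prefix, plus a
# privacy-extension style address that carries no MAC.
SAMPLE_ADDRESSES = [
    "2001:db8:0:12:923a:2bff:fe06:2cd1",
    "2001:db8:0:12:1d4c:9a07:3b2e:7f10",
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:0:12::/64", "90-3A-2B-06-2C-D1"))
    print(hosts_leaking_mac(SAMPLE_ADDRESSES))
```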

SLIDE 9

IPv6 Security Controls Lagging Hacking Arsenal/Tools

  • Attackers already have many IPv6-capable tools:

THC-IPv6 Attack Suite: Alive6, Parasite6, Redir6, Fake_Router6, Detect-New-IPv6, DoS-New-IPv6, Smurf6, rSmurf6, TooBig6, Fake_MIPv6, Fake_mld6, Fake_Advertiser6, SendPees6, DNSDict6, Trace6, Flood_Router6, Flood_Advertise6, Fuzz_IP6, etc.

Other IPv6-capable tools: THC-IPv6 Attack Suite, Nmap, Wireshark, Multi-Generator (MGEN), IPv6 Security Scanner (vscan6), Halfscan6, Strobe, Netcat6, Imps6-tools, Relay6, 6tunnel, NT6tunnel, VoodooNet, Scapy6, Metasploit (etc.), Web Browsers (XSS & SQLi), TCPDump, COLD, Spak6, Isic6, Hyenae, SendIP, Packit, 4to6ddos, 6tunneldos.

  • Unfortunately, IPv6 security controls and products seem to be a bit behind.

SLIDE 10

IPv6 Tunnels Concerns

  • Tunnels often interconnect networks over areas supporting the "wrong" version of the protocol.
  • Tunnel traffic is often not anticipated by the security policies.
  • It may pass through firewall systems due to their inability to check two protocols at the same time.

SLIDE 11

Dual-stack (RFC 4213)

  • Dual-stack nodes interoperate directly with both IPv4 and IPv6 nodes.
  • They must provide a DNS resolver library capable of dealing with IPv4 A records as well as IPv6 AAAA records.

SLIDE 12

Dual Stack

SLIDE 13

IPv6 Dual Stack Implementation

  • The primary concerns are in hardware and software.
  • Hardware in the network infrastructure must be evaluated to see if there is enough memory in the route tables and the switch forwarding tables to handle IPv6 routes and packets.
  • Software on the network infrastructure must support IPv6 configuration and routing protocols, while operating systems on the host side must also be IPv6 capable.

SLIDE 14

IPv6 Dual-Stack Implementation Requirements

  • Maintaining the same service level and security posture for the dual-stack environment (IPv4 and IPv6) as for IPv4 alone.
  • Keeping costs down.
  • Scheduling equipment and software upgrades.
  • Making sure that Internet service providers and software vendors (for monitoring, content distribution, and more) can work with IPv6.

SLIDE 15

IPv6 Dual-Stack Implementation

  • Do we have the skill and knowledge?
  • Do we need to build a non-production IPv6 network with dual-stack servers?

SLIDE 16

Risks of Dual-stack Configurations

  • The device simultaneously supports IPv4 and IPv6.
  • Network management tools designed for an IPv4 network may not work the same way in an IPv6 environment.
  • Many existing host and network security and administration tools may not provide full-fledged support for IPv6.
  • Firewall rule sets and other security controls that stop unwanted IPv4 traffic are unlikely to be effective at stopping any IPv6 traffic.
  • Parallel security rules are needed to address IPv6 traffic.
SLIDE 17

IPv6 ACLs are different

  • IPv6 supports only extended ACLs.
  • No wildcard masking in IPv6 ACLs.
  • To prevent subnet A from reaching subnet B over IPv4:

deny 192.168.12.0 0.0.0.255

  • To prevent subnet A from reaching subnet B over IPv6:

deny ipv6 2001:db8:0:12::/64 any
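As an added example (not from the deck or any vendor), this Python turns the two deny forms shown on this slide into network objects and then checks the gap slide 16 warns about: dual-stack hosts whose IPv4 address an IPv4 deny covers while no IPv6 deny covers their IPv6 address. The rule parser is deliberately minimal, the host inventory is constructed, and the wildcard-to-prefix conversion relies on the standard library accepting IOS-style host masks.

```python
import ipaddress


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert IOS-style 'address wildcard' to a network (0.0.0.255 means /24).
    ipaddress accepts a host mask in the mask position; a non-contiguous
    wildcard has no prefix equivalent and raises NetmaskValueError."""
    return ipaddress.IPv4Network(f"{address}/{wildcard}", strict=False)


def parse_deny(line: str):
    """Parse only the two deny forms shown on the slide; reject anything else."""
    parts = line.split()
    if len(parts) >= 3 and parts[0] == "deny" and parts[1] == "ipv6":
        return ipaddress.IPv6Network(parts[2], strict=False)
    if len(parts) == 3 and parts[0] == "deny":
        return wildcard_to_network(parts[1], parts[2])
    raise ValueError(f"unsupported rule: {line!r}")


def ipv6_coverage_gaps(hosts, v4_rules, v6_rules):
    """Names of dual-stack hosts that an IPv4 deny covers but no IPv6 deny does.
    hosts: iterable of (name, ipv4, ipv6) tuples from the inventory."""
    denied4 = [parse_deny(r) for r in v4_rules]
    denied6 = [parse_deny(r) for r in v6_rules]
    gaps = []
    for name, v4, v6 in hosts:
        in4 = any(ipaddress.IPv4Address(v4) in n for n in denied4)
        in6 = any(ipaddress.IPv6Address(v6) in n for n in denied6)
        if in4 and not in6:
            gaps.append(name)
    return gaps


# Constructed sample: two dual-stack hosts, IPv4 denies for both subnets, but
# an IPv6 deny for only one of them (the slide's own rule).
HOSTS = [
    ("srv-12", "192.168.12.10", "2001:db8:0:12::10"),
    ("srv-13", "192.168.13.10", "2001:db8:0:13::10"),
]
V4_RULES = ["deny 192.168.12.0 0.0.0.255", "deny 192.168.13.0 0.0.0.255"]
V6_RULES = ["deny ipv6 2001:db8:0:12::/64 any"]

if __name__ == "__main__":
    print("IPv4-only coverage:", ipv6_coverage_gaps(HOSTS, V4_RULES, V6_RULES))
```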

SLIDE 18

Other Problems with Dual-stack

  • Manage and monitor two layer-3 stacks.
  • Every interface requires both an IPv4 address and an IPv6 address.
  • It does not make sense in environments where IPv6 is being implemented specifically because IPv4 addresses cannot be acquired.
  • The router contains two independent routing tables: one for IPv4 addressing, the other for IPv6 addressing.

SLIDE 19

IPv6 Dual-Stack Implementation

  • Most effective transition mechanism.
  • Allows devices to be migrated on a more gradual basis, rather than all at once.

SLIDE 20

What is good about Dual-stack?

  • Implementation of IPv6 using dual stacks is the simplest approach.
  • The change is driven by DNS.
  • At the upper protocol layers, an application can use either IPv4 or IPv6 to communicate.
  • Both IPv4-only and IPv6-only devices can communicate with a dual-stacked node.
  • It is the simplest approach to adding IPv6 support to a group of interconnected routers.
  • Integrated routing protocols (IS-IS and BGP).
  • Version-specific routing protocols (OSPF).
SLIDE 21

What is good about Dual-stack? Cont..

  • The approach is transparent to the end users.
  • Fewer pieces of equipment need to be converted.
  • In this approach, only the backbone or core routers need to be converted first.
  • No tunneling mechanisms are required in the internal network, nor are the headaches that can occur when using them.

SLIDE 22

The Big IPv6 Security Question

SLIDE 23

4 Steps for Proper Migration

  1. Readiness Assessment
  2. Implementation Strategy & Framework
  3. Implementation
  4. Conformance Audit

IPv6 Deployment phases: Pre-deployment, Deployment, Post-deployment.
