ipv6 protocol ipv6 protocol
play

IPv6 Protocol IPv6 Protocol Does it solve all the security - PowerPoint PPT Presentation

Feb 28, 2024 •31 likes •241 views

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

  1. IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security

  2. Agenda • IPv6 Primer • IPv6 Protocol Security • Dual stack approach • Q&A 2 fmajstor@cisco.com, IPv6 Security

  3. IPv4 & IPv6 Header Comparison IPv4 Header IPv6 Header Header IPv4 Header Version IHL Type of Service Total Length Version Traffic Class Flow Label Fragment Identification Flags Offset Next Payload Length Hop Limit Header Time to Live Protocol Header Checksum Source Address Source Address Destination Address Options Padding Legend - field’s name kept from IPv4 to IPv6 - fields not kept in IPv6 Destination Address - Name & position changed in IPv6 - New field in IPv6 3 fmajstor@cisco.com, IPv6 Security

  4. IPv6 Header Options (RFC 2460) IPv6 Header TCP Header Next Header + Data = TCP IPv6 Header Routing Header TCP Header Next Header Next Header = + Data = Routing TCP IPv6 Header Routing Header Fragment of Fragment Header Next Header Next Header = TCP Header Next Header = TCP = Routing Fragment + Data • Processed only by node identified in IPv6 Destination Address field => much lower overhead than IPv4 options exception: Hop-by-Hop Options header • Eliminated IPv4’s 40-octet limit on options in IPv6, limit is total packet size, or Path MTU in some cases 4 fmajstor@cisco.com, IPv6 Security

  5. IPv6 Security Options • All implementations required to support authentication and encryption headers (AH and ESP of IPsec) • Authentication separate from encryption for use in situations where encryption is prohibited or prohibitively expensive • Key distribution protocols are under development (independent of IP v4/v6) • Support for manual key configuration required 5 fmajstor@cisco.com, IPv6 Security

  6. Authentication Header (AH) Next Header Hdr Ext Len Reserved Security Parameters Index (SPI) Sequence Number Authentication Data • Destination Address + SPI identifies security association state (key, lifetime, algorithm, etc.) • Provides origin authentication origin authentication , data integrity data integrity and anti anti- - replay protection for all fields of IPv6 packet that do not replay protection change en-route • Default algorithms are MD5/SHA-1 6 fmajstor@cisco.com, IPv6 Security

  7. Encapsulating Security Payload (ESP) Security Parameters Index (SPI) Sequence Number Payload Padding Padding Length Next Header Authentication Data • Provides origin authentication origin authentication , data integrity data integrity , anti anti- - replay protection and confidentiality confidentiality of the IPv6 packet replay protection payload • Default algorithms are DES/3DES, MD-5,SHA-1 7 fmajstor@cisco.com, IPv6 Security

  8. What else does IPv6 for Security? • Security – Nothing IP4 doesn’t do - IPsec runs on both and IPv6 mandates mandates IPsec implementation. – Does a lot dynamically on L3 (via ICMP), hence remove part of L2 problems, right? – Supports “privacy” addressing scheme – Migration via dual stacks! 8 fmajstor@cisco.com, IPv6 Security

  9. IPv6 Security Exposures… • Autoconfiguration – stateless configuration and discovery, contradicting requirements with security • ICMPv6 protected by IPsec – security bootstrap problem • DAD – duplicate address detection mechanism 9 fmajstor@cisco.com, IPv6 Security

  10. Stateless autoconfiguration ICMP w/o IPsec AH � gives exactly same level of security 1. RS 2. RA 2. RA as ARP for IPv4 (none) 1. RS: 2. RA: Bootstrap security ICMP Type = 133 problem! ICMP Type = 134 Src = :: Potential solution: Src = Router Link-local Address 802.1x or CGA Dst = All-Routers multicast Address Dst = All-nodes multicast address query= please send RA Data= options, prefix, lifetime, autoconfig flag Router solicitation are sent by booting nodes to request Router solicitation are sent by booting nodes to request RAs for configuring the interfaces. RAs for configuring the interfaces. 10 10 10 fmajstor@cisco.com, IPv6 Security

  11. Neighbor Discovery - Neighbor Solicitation Security mechanisms A B built into discovery protocol � None. ICMP type = 135 Src = Bootstrap security A Dst = problem! Solicited-node multicast of B Data = Potential solution: link-layer address of A 802.1x or CGA Query = what is your link address? ICMP type = 136 Src = B Dst = A Data = link-layer address of B A and B can now exchange packets on this link 11 11 11 fmajstor@cisco.com, IPv6 Security

  12. DAD (Duplicate Address Detection) From RFC 2462: A B « If a duplicate @ is discovered … the address cannot be ICMP type = 135 Src = assigned to the 0 (::) Dst = interface…» Solicited-node multicast of A Data = � What if: Use link-layer address of A MAC@ of the node Query = what is your link address? you want to DoS and fabricate its IPv6 @ • Duplicate Address Detection (DAD) uses neighbor solicitation to verify the existence of an address to be configured. 12 12 12 fmajstor@cisco.com, IPv6 Security

  13. Neighbor Discovery - Redirect In IPv4: « no ip icmp redirect » A B R2 In IPv6: « no ipv6 redirect » Src = A Dst IP = 3FFE:B00:C18:2::1 Dst R1 Ethernet = R2 (default router) Redirect: Src = R2 Dst = A 3FFE:B00:C18:2::/64 Data = good router = R1 • Redirect is used by a router to signal the reroute of a packet to a better router. 13 13 13 fmajstor@cisco.com, IPv6 Security

  14. IPv4 Spoofing using Source Routing B is a friend allow access Rb B In IPv4: - router configurable command B - > « no ip source-route » solves A v i a C the problem, A , R Ra A c - R > B a v i a …what about IPv6? R a , R c , C B->A via C,Rc,Ra Rc C A->B via Ra, Rc,C B->A via C, Rc,Ra A->B via Ra, Rc,C Back traffic uses the same source route 14 14 14 fmajstor@cisco.com, IPv6 Security

  15. Mobile IP - security still work in progress Home Agent Destination Node Mobility and security elements of Not Possible in IPv4 mobile IPv6 still work in progress… Mobile Node ( MIPv6 draft authentication) . 2001:2:a010::5 2001:2:a010::5 • Mobility means: Mobile devices are fully supported while moving Built-in on IPv6 Any node can use it Efficient routing means performance for end-users 15 15 15 fmajstor@cisco.com, IPv6 Security

  16. IPv6/IPv4 Dual Stack Approach IPv6-enabled Application Application TCP UDP TCP UDP IPv4 IPv6 IPv4 IPv6 Frame 0x0800 0x86dd 0x0800 0x86dd Protocol ID Data Link (Ethernet) Data Link (Ethernet) • Dual stack node means: Both IPv4 and IPv6 stacks enabled Applications can talk to both Choice of the IPv4 or IPv6 is based on name lookup and app. preference 16 16 16 fmajstor@cisco.com, IPv6 Security

  17. Dual Stack Approach & VPN If the VPN policy 3ffe:b00::1 allows no split 192.168.x.z IPv4 tunneling, does the dual stack 192.168.x.y approach supports it? IPv6 3ffe:b00::1 • In a dual stack case & VPN tunnel with non-split tunneling policy: - All IPv4 traffic is non-split tunneled through VPN tunnel - All IPv6 traffic is going out (and in) in the clear as a policy violation(?) 17 17 17 fmajstor@cisco.com, IPv6 Security

  18. IPv6 vs. IPv4 Security Summary Service IPv4 Solution IPv6 Solution Service IPv4 Solution IPv6 Solution Router or end node can Router or end node can Only end nodes can Only end nodes can Fragmentation Fragmentation fragment fragment fragment fragment Routing Hdr required Routing Hdr required Could be disabled Could be disabled Source routing Source routing for Mobile IPv6 for Mobile IPv6 no ip icmp redirect no ipv6 redirect ICMP Redirection no ip icmp redirect no ipv6 redirect ICMP Redirection No protection No protection No protection Duplicate addressing No protection Duplicate addressing Layer 3 Layer 2-3 Layer 3 Layer 2-3 Privacy Privacy IPSec IPSec Mandated IPSec IPSec Mandated Integ/Auth/Confid. Integ/Auth/Confid. 18 18 18 fmajstor@cisco.com, IPv6 Security

  19. 19 19 19 Questions? fmajstor@cisco.com, IPv6 Security

  20. References Forums and test beds: www.6net.org www.6bone.net www.ipv6forum.com Vendor links: www.cisco.com/ipv6 www.microsoft.com/ipv6 Other useful links: www.kame.net www.bieringer.de/linux/IPv6 www.hs247.com www.ietf.org/internet-drafts/draft-ietf-send-psreq-03.txt www.ietf.org/internet-drafts/ draft-ietf-send-cga-01.txt 20 20 20 fmajstor@cisco.com, IPv6 Security

  21. Thank you! Thank you! IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? fmajstor@cisco.com 21 21 21 fmajstor@cisco.com, IPv6 Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Internet Protocol Version 6 (IPv6): North American IPv6 Summit April 10, 2012 Steven Pirzchalski

Internet Protocol Version 6 (IPv6): North American IPv6 Summit April 10, 2012 Steven Pirzchalski

Department of Veterans Affairs Internet Protocol Version 6 (IPv6): North American IPv6 Summit April 10, 2012 Steven Pirzchalski Director, Enterprise Transport Services VA IPv6 Transition Manager Outreach Chair, Federal IPv6 Task Force Major

382 views • 13 slides
The Internet Protocol (IP) Part 2: IPv6 JeanYves Le Boudec Fall 2009 1 1 Contents 1. IPv6

The Internet Protocol (IP) Part 2: IPv6 JeanYves Le Boudec Fall 2009 1 1 Contents 1. IPv6

COLE POLYTECHNIQUE FDRALE DE LAUSANNE The Internet Protocol (IP) Part 2: IPv6 JeanYves Le Boudec Fall 2009 1 1 Contents 1. IPv6 2. NATs 3. Interworking IPv4 / IPv6 4. Routing Implications 5. Recap Some slides come from:

911 views • 73 slides
Outline The IP protocol 15-441/641: Computer Networks IPv4 The Internet Protocol IPv6

Outline The IP protocol 15-441/641: Computer Networks IPv4 The Internet Protocol IPv6

9/16/2019 Outline The IP protocol 15-441/641: Computer Networks IPv4 The Internet Protocol IPv6 Fall 2019 Profs Peter Steenkiste & Justine Sherry IP in practice Network address translation Tunnels ARP

90 views • 6 slides
Outline 15-441/641: Computer Networks The IP protocol IPv4 The Internet Protocol IPv6

Outline 15-441/641: Computer Networks The IP protocol IPv4 The Internet Protocol IPv6

9/6/2019 Outline 15-441/641: Computer Networks The IP protocol IPv4 The Internet Protocol IPv6 Fall 2019 Profs Peter Steenkiste & Justine Sherry IP in practice NATs Tunnels https://computer-networks.github.io/fa19/

431 views • 11 slides
Internet Protocol v6 October 25, 2016 v6@nkn.in Table of Content Why IPv6? Why IPv6?

Internet Protocol v6 October 25, 2016 v6@nkn.in Table of Content Why IPv6? Why IPv6?

Internet Protocol v6 October 25, 2016 v6@nkn.in Table of Content Why IPv6? Why IPv6? IPv6 Address Space IPv6 Address Space Customer LAN Migration Customer LAN Migration Why IPv6? Why IPv6? IPv6 Address Space IPv6

770 views • 58 slides
IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan,

IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan,

IPv6 (Internet Protocol version 6) APNIC meeting, 3 September 2002 Internet Initiative Japan, Inc. / KAME Project Keiichi SHIMA <keiichi@iij.ad.jp> Contents Why do we use IPv6? IPv6 Addresses Link-layer address resolution

1.55k views • 116 slides
IPv6 Deployment in the DNS Joo Damas ISC ICANN meeting, Lisboa March 2007 Outline Protocol

IPv6 Deployment in the DNS Joo Damas ISC ICANN meeting, Lisboa March 2007 Outline Protocol

IPv6 Deployment in the DNS Joo Damas ISC ICANN meeting, Lisboa March 2007 Outline Protocol Implementations Usage Protocol Finalised several years ago Final option selected is a simple extension of the IPv4 model Forward

327 views • 10 slides
IPv6 Tarik Cicic University of Oslo December 2001 Overview New generation IP protocol

IPv6 Tarik Cicic University of Oslo December 2001 Overview New generation IP protocol

IPv6 Tarik Cicic University of Oslo December 2001 Overview New generation IP protocol (IPv6): why do we need it support for new Internet services discussion 2 Internet technology Users Idea: exchange of information

422 views • 6 slides
1 Problems with IPv4: Header Limitations Problems with IPv4: Header Limitations Problems with

1 Problems with IPv4: Header Limitations Problems with IPv4: Header Limitations Problems with

Outline Outline IPv6: An Introduction IPv6: An Introduction Problems with IPv4 Problems with IPv4 Basic IPv6 Protocol Basic IPv6 Protocol IPv6 features IPv6 features Dheeraj Sanghi Dheeraj Sanghi Auto

512 views • 7 slides
IPv6 is an Innovation Opportunity Jordi Palet (jordi.palet@consulintel.es) European IPv6 Task

IPv6 is an Innovation Opportunity Jordi Palet (jordi.palet@consulintel.es) European IPv6 Task

IPv6 is an Innovation Opportunity Jordi Palet (jordi.palet@consulintel.es) European IPv6 Task Force & Steering Committee IPv6 Forum, Education & Promotion WG Co-chair Consulintel, CTO/CEO - 1 Why a New Internet Protocol? Only

613 views • 22 slides
Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4

Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4

Labcourse Routerlab Internet Protocol Version 6 (IPv6) IPv4 Shortcomings IPv4 addresses have 32 bits only not enough for 1 IP address per person dynamic IPs, NAT, Manual configuration time consuming (in larger

655 views • 16 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

501 views • 34 slides
Resurection of the Internet: IPv6 support in FreeBSD Bkr EMRE emre@enderunix.org EnderUNIX

Resurection of the Internet: IPv6 support in FreeBSD Bkr EMRE emre@enderunix.org EnderUNIX

Resurection of the Internet: IPv6 support in FreeBSD Bkr EMRE emre@enderunix.org EnderUNIX Core Team Member www.enderunix.org/emre Introduction to IPv6 IPv6: New version of Internet Protocol Expanded Addressing Capabilities

419 views • 41 slides
SNMP Transition Tool Management of IPv6 Networks with IPv4/IPv6 SNMP Gateway Wiktor Procyk

SNMP Transition Tool Management of IPv6 Networks with IPv4/IPv6 SNMP Gateway Wiktor Procyk

SNMP Transition Tool Management of IPv6 Networks with IPv4/IPv6 SNMP Gateway Wiktor Procyk wiku@man.poznan.pl Zagreb, TERENA, May 2003 Wiktor Procyk <wiku@man.poznan.pl> 1 Introduction IPv6 is the next generation protocol designed

287 views • 18 slides
Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6

Internet Evolution and IPv6 Paul Wilson APNIC 1 Where are IPv6 addresses today? 2 IPv6 Global allocations by RIR APNIC 337 21% RIPENCC 737 45% ARIN 438 LACNIC AFRINIC 27% 87 37 5% 2% Unit: IPv6 pref i x 3 IPv6

603 views • 24 slides
Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner Takeaways Current conventional wisdom on cloud computing is missing the point You cannot

793 views • 37 slides
SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36,

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36,

SIIT-DC: IPv4 Service Contjnuity for IPv6 Data Centres Tore Anderson Redpill Linpro AS UKNOF36, London, January 2017 Incremental IPv6 deployment in DC IPv4-only IPv4-only + IPv6 via NAT/proxy/etc Dual-stacked public frontend, IPv4 BE Full

550 views • 15 slides
Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software

Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software

Challenges in Mining Whole Software Universe Katsuro Inoue Osaka University Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Analyzing Evolution of

450 views • 19 slides
TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos

TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos

TMS Bobcats want to say... Ron Melton Anna Palumbos Grandpa Jeanie Melton Anna Palumbos Grandma Chad Solomon Anthony Solomons Family Ronald Palumbo Anna Palumbos Grandpa Adam Labotka Allison Labotkas Father Bradley Baker Family

537 views • 17 slides
The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond

The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond

The adventures of a Suricate in eBPF land . Leblond Stamus Networks Oct. 6, 2016 . Leblond (Stamus Networks) The adventures of a Suricate in eBPF land Oct. 6, 2016 1 / 41 Introduction to Suricata 1 Whats this ? A few words on

848 views • 56 slides
Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual Research Community Marc van Dijk , Andrea Giachetti, Marco Verlato, Antonio Rosato, Alexandre Bonvin EGI Technical Forum 2012 zondag 16 september 12

413 views • 13 slides
Embracing Diversity: OS Support for Integra9ng High- Performance

Embracing Diversity: OS Support for Integra9ng High- Performance

Embracing Diversity: OS Support for Integra9ng High- Performance Compu9ng and Data Analy9cs Ron Brightwell Scalable System SoEware Department Workshop

411 views • 16 slides
regarding network meta-analysis A day with GRADing methods group: Whats new Romina

regarding network meta-analysis A day with GRADing methods group: Whats new Romina

Latest GRADE guidance regarding network meta-analysis A day with GRADing methods group: Whats new Romina Brignardello-Petersen November 19, 2020 Conflicts of interest None financial Member of GRADE working group and lead of GRADE

544 views • 25 slides

More recommend