ipv6 routing header security
play

IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD - PowerPoint PPT Presentation

Nov 02, 2023 •284 likes •896 views

IPv6 prerequisite All about Routing Header extension Security implications Solutions and workaround IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org / philippe.biondi(at)eads.net arno(at)natisbad.org /

  1. IPv6 prerequisite All about Routing Header extension Security implications Solutions and workaround IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org / philippe.biondi(at)eads.net arno(at)natisbad.org / arnaud.ebalard(at)eads.net EADS Innovation Works — IW/SE/CS IT Sec lab Suresnes, FRANCE CanSecWest 2007 P. Biondi / A. Ebalard IPv6 Routing Header Security. 1/57

  2. IPv6 prerequisite All about Routing Header extension Security implications Solutions and workaround Outline IPv6 prerequisite 1 IPv6 : the protocol Think different, Think IPv6 All about Routing Header extension 2 Definition RH odds RH handling by IPv6 stacks Security implications 3 Advanced Network Discovery Bypassing filtering devices DoS Defeating Anycast Solutions and workaround 4 Filtering RH : problems and needs Practical filtering P. Biondi / A. Ebalard IPv6 Routing Header Security. 2/57

  3. IPv6 prerequisite All about Routing Header extension IPv6 : the protocol Security implications Think different, Think IPv6 Solutions and workaround Outline IPv6 prerequisite 1 IPv6 : the protocol Think different, Think IPv6 All about Routing Header extension 2 Definition RH odds RH handling by IPv6 stacks Security implications 3 Advanced Network Discovery Bypassing filtering devices DoS Defeating Anycast Solutions and workaround 4 Filtering RH : problems and needs Practical filtering P. Biondi / A. Ebalard IPv6 Routing Header Security. 3/57

  4. IPv6 prerequisite All about Routing Header extension IPv6 : the protocol Security implications Think different, Think IPv6 Solutions and workaround Structural differences with IPv4 New header format From 14 to 8 fields 32 bits 4 8 20 Version Traffic Class Flow Label 16 8 8 Payload Length Next Header Hop Limit 128 Source IPv6 Address 40 octets 128 Destination IPv6 Address 8 Next Header Extension Header Information Taille variable Payload P. Biondi / A. Ebalard IPv6 Routing Header Security. 4/57

  5. IPv6 prerequisite All about Routing Header extension IPv6 : the protocol Security implications Think different, Think IPv6 Solutions and workaround Structural differences with IPv4 Chaining and extensions Goodbye IP options, welcome IPv6 extensions! 1 IPv6 ICMPv6 ICMPv6 Next header IPv6 TCP Data 2 TCP Next header 3 IPv6 ESP UDP Data ESP UDP Next header Next header Routing Fragment IPv6 ICMPv6 Header Header Routing Fragment ICMPv6 Header Header Next header Next header Next header P. Biondi / A. Ebalard IPv6 Routing Header Security. 5/57

  6. IPv6 prerequisite All about Routing Header extension IPv6 : the protocol Security implications Think different, Think IPv6 Solutions and workaround Functional differences with IPv4 Forget all you knew about IPv4 Autoconfiguration Mechanisms ARP is gone. Replaced and extended by Neighbor Discovery Broadcast replaced by link-local scope multicast End-to-End principle Extended address space provides global addressing Releasing core routers from intensive computation. Fragmentation is performed by end nodes, Checksum computation is performed by end nodes at L4, IPv6 header fixed size simplifies handling (or not). NAT not needed under IPv6 = ⇒ less stateful devices = ⇒ less Single Points of Failure P. Biondi / A. Ebalard IPv6 Routing Header Security. 6/57

  7. IPv6 prerequisite All about Routing Header extension IPv6 : the protocol Security implications Think different, Think IPv6 Solutions and workaround Outline IPv6 prerequisite 1 IPv6 : the protocol Think different, Think IPv6 All about Routing Header extension 2 Definition RH odds RH handling by IPv6 stacks Security implications 3 Advanced Network Discovery Bypassing filtering devices DoS Defeating Anycast Solutions and workaround 4 Filtering RH : problems and needs Practical filtering P. Biondi / A. Ebalard IPv6 Routing Header Security. 7/57

  8. IPv6 prerequisite All about Routing Header extension IPv6 : the protocol Security implications Think different, Think IPv6 Solutions and workaround End-to-End is back !!! What is different ? NAT removal : replaced by pure routing Global addressing capabilities (result of extended @ space) Direct connectivity not only client → server or client → relay ← client Everything is done between source and destination (E2E) Mandatory L4 Checksum Fragmentation Extension header handling = ⇒ To limit core routers load, default case is easier to handle. P. Biondi / A. Ebalard IPv6 Routing Header Security. 8/57

  9. IPv6 prerequisite All about Routing Header extension IPv6 : the protocol Security implications Think different, Think IPv6 Solutions and workaround Filtering on end points ? Rationale Network is flat again (no more NAT) Move from client → relay ← client towards direct connections Pushed by new requirements : VoIP, IM, P2P, . . . Direct connectivity implies new security requirements IPsec implementation is mandatory in IPv6 stacks. IPsec works natively on IPv6 networks. Concern Are IPv6 stacks, applications and systems robust enough to handle global connectivity requirements ? P. Biondi / A. Ebalard IPv6 Routing Header Security. 9/57

  10. IPv6 prerequisite All about Routing Header extension IPv6 : the protocol Security implications Think different, Think IPv6 Solutions and workaround Cryptographic Firewall Merging IPsec and Firewall functions End-to-End implies new threats for clients Leveraging current 5-tuple filtering logic (src @, dst @, protocol, src port, dst port) to add cryptographic identity. Allowing access to that apps from that guy with that credential (X.509 Certificate, Kerberos Token, . . . ) Limiting the attack surface to the authentication (IKE[v2]) and protection (IPsec) functions . . . = ⇒ People outside your trust domain can only target IKE/IPsec. = ⇒ Your vicinity is no more geographical but cryptographical. P. Biondi / A. Ebalard IPv6 Routing Header Security. 10/57

  11. IPv6 prerequisite Definition All about Routing Header extension RH odds Security implications RH handling by IPv6 stacks Solutions and workaround Outline IPv6 prerequisite 1 IPv6 : the protocol Think different, Think IPv6 All about Routing Header extension 2 Definition RH odds RH handling by IPv6 stacks Security implications 3 Advanced Network Discovery Bypassing filtering devices DoS Defeating Anycast Solutions and workaround 4 Filtering RH : problems and needs Practical filtering P. Biondi / A. Ebalard IPv6 Routing Header Security. 11/57

  12. IPv6 prerequisite Definition All about Routing Header extension RH odds Security implications RH handling by IPv6 stacks Solutions and workaround Routing Header format An address container IPv6 specification [RFC2460] defines Routing Header extension as a mean for a source to list one or more intermediate nodes to be ”visited” on the way to packet’s destination . 0 8 16 24 31 Next Header Hdr Ext Len Routing Type Segments Left type-specific data P. Biondi / A. Ebalard IPv6 Routing Header Security. 12/57

  13. IPv6 prerequisite Definition All about Routing Header extension RH odds Security implications RH handling by IPv6 stacks Solutions and workaround Different types of Routing Header Type 0 : the evil mechanism we describe in this presentation, that provides an extended version of IPv4 loose source routing option. Type 1 : defined by Nimrod, an old project funded by DARPA. This type is unused. Type 2 : used by MIPv6 and only understood by MIPv6-compliant stacks. Defined to allow specific filtering against Type 0 Routing Header. Inoffensive extension. P. Biondi / A. Ebalard IPv6 Routing Header Security. 13/57

  14. IPv6 prerequisite Definition All about Routing Header extension RH odds Security implications RH handling by IPv6 stacks Solutions and workaround Type 0 Routing Header Equivalent to IPv4 lose source routing option 32 bits 8 8 8 8 Next Header Hdr Ext Len = N Routing Type = 0 Segments Left 32 Reserved 128 Address[1] 8 x N bytes 128 Address[N/2] P. Biondi / A. Ebalard IPv6 Routing Header Security. 14/57

  15. IPv6 prerequisite Definition All about Routing Header extension RH odds Security implications RH handling by IPv6 stacks Solutions and workaround Type 0 Routing Header mechanism example How a packets is modified during its travel src: 2001:7a:78d::1 src: 2001:7a:78d::1 src: 2001:7a:78d::1 src: 2001:7a:78d::1 src: 2001:7a:78d::1 dst: 2001:7a:78d::11 dst: 2001:7a:78d::21 dst: 2001:7a:78d::31 dst: 2001:7a:78d::41 dst: 2001:7a:78d::51 nh 8 0 4 nh 8 0 3 nh 8 0 2 nh 8 0 1 nh 8 0 0 reserved reserved reserved reserved reserved addr[1] 2001:7a:78d::21 addr[1] 2001:7a:78d::11 addr[1] 2001:7a:78d::11 addr[1] 2001:7a:78d::11 addr[1] 2001:7a:78d::11 Routing Header addr[2] 2001:7a:78d::31 addr[2] 2001:7a:78d::31 addr[2] 2001:7a:78d::21 addr[2] 2001:7a:78d::21 addr[2] 2001:7a:78d::21 addr[3] 2001:7a:78d::41 addr[3] 2001:7a:78d::41 addr[3] 2001:7a:78d::41 addr[3] 2001:7a:78d::31 addr[3] 2001:7a:78d::31 addr[4] 2001:7a:78d::51 addr[4] 2001:7a:78d::51 addr[4] 2001:7a:78d::51 addr[4] 2001:7a:78d::51 addr[4] 2001:7a:78d::41 2001:7a:78d::1 2001:7a:78d::11 2001:7a:78d::21 2001:7a:78d::31 2001:7a:78d::41 2001:7a:78d::51 packet source specified router non-specified router packet final destination P. Biondi / A. Ebalard IPv6 Routing Header Security. 15/57

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

IPv6 IPv6, MPLS History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

506 views • 5 slides
Measurement of IPv6 Extension Header Support Geoff Huston APNIC Labs IPv6 Extension Header The

Measurement of IPv6 Extension Header Support Geoff Huston APNIC Labs IPv6 Extension Header The

Measurement of IPv6 Extension Header Support Geoff Huston APNIC Labs IPv6 Extension Header The extension header sits between the IPv6 packet header and the upper level protocol header for the leading fragged packet, and sits between the

830 views • 21 slides
Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local

Interplay between routing and forwarding routing algorithm Routing Algorithms and Routing local forwarding table header value output link in the Internet 0100 3 0101 2 0111 2 1001 1 value in arriving packets header 1 0111 2 3

403 views • 8 slides
IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

775 views • 46 slides
IoT related MAC layers, header compression and routing protocols Netdev 2.1 2017-04-08,

IoT related MAC layers, header compression and routing protocols Netdev 2.1 2017-04-08,

IoT related MAC layers, header compression and routing protocols Netdev 2.1 2017-04-08, Montreal Stefan Schmidt stefan@osg.samsung.com Samsung Open Source Group Agenda Intro IPv6 over Bluetooth (Luiz Von Dentz / Stefan Schmidt)

593 views • 35 slides
NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
1 Problems with IPv4: Header Limitations Problems with IPv4: Header Limitations Problems with

1 Problems with IPv4: Header Limitations Problems with IPv4: Header Limitations Problems with

Outline Outline IPv6: An Introduction IPv6: An Introduction Problems with IPv4 Problems with IPv4 Basic IPv6 Protocol Basic IPv6 Protocol IPv6 features IPv6 features Dheeraj Sanghi Dheeraj Sanghi Auto

512 views • 7 slides
IPv4 REVIEW AND IPv6 ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 07 NOVEMBER 2016

IPv4 REVIEW AND IPv6 ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 07 NOVEMBER 2016

IPv4 REVIEW AND IPv6 ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 07 NOVEMBER 2016 TELECOMMUNICATION SYLLABUS Principles of Telecom (IP Telephony and IP TV) - Key Issues to remember 1. IPv4 Header and how it is used for routing packets 2.

703 views • 23 slides
IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why?

IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why?

IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why? What is IPv6? Successor of currently used IP Version 4 Specified 1995 in RFC 2460 Why? Address space in IPv4 too small Routing tables too large

476 views • 19 slides
IPv6 (RFC 2460) Expanded addressing capabilities (128 bits). Header format simplification.

IPv6 (RFC 2460) Expanded addressing capabilities (128 bits). Header format simplification.

IPv6 (RFC 2460) Expanded addressing capabilities (128 bits). Header format simplification. Improved support for extensions and options. Flow labeling capability. Authenitication and privacy capabilities. 18 UTD, CS 6390 Ravi

506 views • 11 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

501 views • 34 slides
IPv6 - The Next Generation Internet Subnetting and Classless Inter-domain Routing (CIDR)

IPv6 - The Next Generation Internet Subnetting and Classless Inter-domain Routing (CIDR)

IPv6 - The Next Generation Internet Subnetting and Classless Inter-domain Routing (CIDR) improve utilization of IP address space and slow growth of routing information, but at some point, they will not be sufficient more than 32 bits

579 views • 18 slides
Chapter 8 Communication Networks and Services 1. IPv6 2. Internet Routing Protocols: OSPF,

Chapter 8 Communication Networks and Services 1. IPv6 2. Internet Routing Protocols: OSPF,

Chapter 8 Communication Networks and Services 1. IPv6 2. Internet Routing Protocols: OSPF, RIP, BGP 3. Other protocols: DHCP, NAT, and Mobile IP Chapter 8 Communication Networks and Services IPv6 Fall 2012 Prof. Chung-Horng Lung 2 IPv6

552 views • 52 slides
Introduction Introduction Nils Gruschka University Kiel (Diploma in Computer Science)

Introduction Introduction Nils Gruschka University Kiel (Diploma in Computer Science)

Network and Communications Security (IN3210/IN4210) Introduction Introduction Nils Gruschka University Kiel (Diploma in Computer Science) T-Systems, Hamburg University Kiel (PhD in Computer Science) Nils Gruschka NEC

767 views • 33 slides
Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

IN3210 Network Security Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure Computer Security Security of computers and networks Protection of digital assets Axioms of Computer Security:

240 views • 23 slides
traffic confirmation attacks despite noise Jamie Hayes University College London

traffic confirmation attacks despite noise Jamie Hayes University College London

traffic confirmation attacks despite noise Jamie Hayes University College London j.hayes@cs.ucl.ac.uk anonymous communication We kill people based on the metadata. - Michael Hayden (Former NSA Director) - Sometimes encryption isnt

720 views • 29 slides
Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University

Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University

Authorizing Network Control at Software Defined Exchange Points Arpit Gupta Princeton University http://sdx.cs.princeton.edu Nick Feamster, Laurent Vanbever Internet Exchange Points (IXPs) Route Server BGP Session IXP Switching Fabric AS

363 views • 20 slides
Steps Towards a DoS-resistant Internet Architecture Mark Handley Adam Greenhalgh University

Steps Towards a DoS-resistant Internet Architecture Mark Handley Adam Greenhalgh University

Steps Towards a DoS-resistant Internet Architecture Mark Handley Adam Greenhalgh University College London Denial-of-Service Attacker attempts to prevent the victim from doing any useful work. Flooding Attacks Exploiting Software

806 views • 27 slides
Highly Secure and Efficient Routing Arvind Krishnamurthy Ioannis Avramopoulos, Hisashi Kobayashi

Highly Secure and Efficient Routing Arvind Krishnamurthy Ioannis Avramopoulos, Hisashi Kobayashi

Highly Secure and Efficient Routing Arvind Krishnamurthy Ioannis Avramopoulos, Hisashi Kobayashi Randolph Wang Dept. of Computer Science Dept. of Electrical Engineering Dept. of Computer Science School of Engineering and Applied Science Yale

307 views • 12 slides
Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

ITS335 DoS Attacks DoS Attacks Classic DoS Flooding & DDoS Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013

409 views • 26 slides
CS-527 Software Security Web security Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Web security Asst. Prof. Mathias Payer Department of Computer Science

CS-527 Software Security Web security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Command injection Table of Contents Command

705 views • 23 slides

More recommend