ipv6 security awareness
play

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC - PowerPoint PPT Presentation

Sep 09, 2022 •449 likes •822 views

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1 04/12/2015' Presentation Objectives ! Create awareness of IPv6 Security implications. ! Highlight technical concepts on IPv6 weaknesses ! Describe

  1. IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1 04/12/2015'

  2. Presentation Objectives ! Create awareness of IPv6 Security implications. ! Highlight technical concepts on IPv6 weaknesses ! Describe strengthening technics. 2

  3. Threats'and'mi9ga9on.' Agenda' Intro.'to'IPv6'and'Security.'

  4. The 128 bits IP address IPv6'Addresses' Unicast' Mul9cast' Anycast' Assigned' Solicited'Node' FF02::1:FF00:0000/104' FF00::/8' Global Embedded Link-local Loopback Unspecified Unique Local Unicast IPv4 FE80::/64' ::/80' ::1/128' FEC0::/7' 2000::/3' ::/128' Sk Skills ills block locks s 4

  5. The 128 bits IP address |------------------------------128 bits-----------------------------| N'bits' 64.N'bits' 64'bits' Interface ID Global Routing prefix Subnet ID ! 2^128 ~ 304,282,366,920,938,463,463,374,607,431,768,211,456 trillion trillion trillion possible IP addresses. ! Simplified base header compared to IPv4 ! Plug n play with SLAAC ! Most of IPv4 functions (DHCP, DNS, routing …) Sk Skills ills block locks s 5

  6. Protocols Similarities APPLICATION(DNS,'HTTP,'IMAP,'SMTP,'POP,'NFS)' ' ' TRANSPORT(TCP,'UDP)' ' ' NETWORK(IPv4/IPv6) ' IPv4'(ICMP,'IGMP,'IPSec,'NAT,' IPv6(ICMPv6,'IPSec,'ND,'MLD,' OSPF,'ISVIS,'mob.'IP)' OSPFv3,'ISVIS,'mob.'IP)' ' ' DATA'LINK(Ethernet'&'co.,'NBMA,'ATM,'PPP,'WiMAX,'3GPP)' Sk Skills ills block locks s 6

  7. Any Similarity? Total'length' Version' IHL' Type'of'Service' Flags' Fragment'Offset' Iden9fica9on' Header'Checksum' Time'to'Live' Protocol' Source'Address' Des9na9on'Address' Op9ons' Padding' Fields Removed Fields removed from IPv6 base header Fields renamed in IPv6 Fields kept Sk Skills ills block locks s 7

  8. IPv6 is a network-layer replacement for IPv4 Sk Skills ills block locks s 8

  9. Attacking tools sophistication 120" 100" 80" Technical"knowledge"neede" 60" 40" Sophis:ca:on"of"tools" 20" 0" 1985" 1990" 1995" 2000" 2005" 2010" 2015" Sk Skills ills block locks s 9

  10. IPv6 attack tools? A0acks' Tools' Reconnaissance'' Alive6'and'Nmap' Amplifica9on'' Smurf6,'Rsmurf6'' Covert'Channel,'Tunnel'Injec9on,'RH0'' Scapy'' Router'Alert'' Scapy,'denial6'' Tiny'Fragments,'Large'Fragments'' Scapy,'thcping6'' RA'Spoofing'' fake_router26,'kill_router6,' flood_router26' NA'Spoofing'' parasite6,'fake_adver9se6,' flood_adver9se6' NS'Spoofing,'NS'Flooding'Remote'' flood_solicitate6,'ndpexhaust6'' DAD'Spoofing,'Redirect'Spoofing'' dosVnewVip6,'redir6'' DHCPv6'Spoofing'' flood_dhcpc6,'fake_dhcps6' Sk Skills ills block locks s 10

  11. Myth or reality? Is IPv6 is more secured than IPv4? ! IPSec is incorporated ! There is a large space not easy to scan Sk Skills ills block locks s 11

  12. Myth or reality? I don’t care IPv6 not on my network Really? All modern OS have IPv6 activated by default # ./flood_router6 iface Sk Skills ills block locks s 12

  13. Myth or reality? IPv6 is just a successor of IPv4, so similar Think twice!!! IPv6 is new and most of the functionalities Sk Skills ills block locks s 13

  14. Myth or reality? IPv6 is not secured, NAT is missing Who told you NAT is security? NAT was meant to save address space Any how check with your vendor: ! CISCO – NPTv6 ! Juniper – basic-nat66 ! Iptables – t nat66 ! Use of proxy Sk Skills ills block locks s 14

  15. Reconnaissance in IPv6 ! Starting point for network attacks. ! /64 subnets, 1M tests/sec => 1400 Mbps => 28 yrs to discover 1 st active IPv6 address. ! With IPv6, new technics: " Hints: DN, OIDs, logs, whois, flow, well known addresses, transition mechs… Sk Skills ills block locks s 15

  16. Reconnaissance in IPv6 " Site multicast: FF05::2, FF05::FB, FF05::1:3 " Link multicast : FF02::1, FF02::2, … " Deprecated site local fec0:0:0:ffff::1 " Van Hauser found 2000 active IPv6 addresses in 20 secondes. Sk Skills ills block locks s 16

  17. Use your border router ! Filter all site multicast at border router Ipv6 access-list NO-SITE-MCAST deny any FEC0::/10 (deprecated site local) permit any FF02::/16 (link multicast) permit any FF0E::/16 (global multicast) deny any FF00::/16 (all other multicast) Sk Skills ills block locks s 17

  18. A look at ICMPv6 ICMPv6 is crucial to IPv6 NDP(RS, RA, NS, NA, Redirect) Signalisation (Destination Unreachable, Time Exceeded, Packet too big, Redirections) Diagnostic (Ping, traceroute) Sk Skills ills block locks s 18

  19. Some LAN Attacks ! Neighbor cache spoofing (works like ARP spoof) ! DoS on DAD (Answer to all DAD requests) ! Neighbor cache overload (Fake NAs) ! Fake Router Advertisement ! Fake DHCPv6 server Sk Skills ills block locks s 19

  20. Solutions against spoofing ! CISCO – SeND (RFC 3971), encrypts ND. ! RA-Guard (RFC 6101), drop RAs on access port. ! SAVI(draft), complex solution to solve fake RA, DHCPv4, and DHCPv6. ! RAGuards bypass with fragmentation. Sk Skills ills block locks s 20

  21. VPN Exfiltration Insertion of IPv6 fake router and DNS64 to Network. IPv6 Internet 21

  22. Some Protocol problems ! SLAAC doesn’t give DNS by default, DHCP doesn’t give default router. ! Need to use both, so think security twice. ! TCP reassembly problem. Sk Skills ills block locks s 22

  23. Extensions Headers ! New mechanism in IPv6, used to encrypt optional inter-layer information. ! RH0 – deprecated by RFC 5095 ! Fragmentation VRF ! EH manipulation (long chain, reorder) ! Block any unknown EH, and make sure to update list. Sk Skills ills block locks s 23

  24. Implementations problems ! Bugs have been found in nearly all implementations, some examples follow: ! Windows vista Teredo filter bypass; ! CISCO IPv6 Source Routing Remote memory corruption; ! Linux kernel multiple packet filtering bypass Sk Skills ills block locks s 24

  25. Is IPv6 more secured? Sk Skills ills block locks s 25

  26. Creating an IPv6 Security Policy Sk Skills ills block locks s 26

  27. Network perimeter policy ! Issues with ICMPv6 messages at perimeter. ! Issues with Mobile IPv6 at the perimeter network. ! IPv6 bogon addresses at network perimeters. ! Only send packets sourced with your allocated IPv6 block or LLA in the case of NDP. ! Only receive packets to your allocated IPv6 or for NDP. Sk Skills ills block locks s 27

  28. Network perimeter policy ! Perform uRPF filtering at the network perimeter and throughout the interior of the network. ! Your firewalls should support IPv6 and ICMPv6 messages SPI and parsing the complete EHs. ! Use IPv6-capable host-based firewalls. ! Use IPS that can deeply inspect IPv6 packets. ! Filter multicast packets at your perimeter based on their scope. Sk Skills ills block locks s 28

  29. Extensions Headers policy " Only use operating systems with RH0 disabled. " Drop RH0 packets and unknown EHs at perimeter firewall and throughout interior of the network. Sk Skills ills block locks s 29

  30. LAN policy " No unauthorized access is permitted. All Network guests MUST follow a network access permission policy. " Explicitly prohibit the spoofing of any IPv6 packet on LAN(RS, RA, NA, NS, redirect) and on the WAN (multicast, spoofed Layer 3/4 info). " Use randomly determined node identifiers for all IPv6 nodes at the expense of increasing the OPEX. " Determine whether the use of privacy/temporary addresses is strictly prohibited in your organization. Sk Skills ills block locks s 30

  31. LAN Policy " DHCPv6 is preferred, and EUI-64, if DHCPv6 is not available. " Keep track of IPv6 addresses all hosts are using. " Use IPv6-capable NAC solutions, and SEND when available in the network equipment and host OS. " Disable node-information queries on all hosts. Sk Skills ills block locks s 31

  32. Host & device hardening ! Hosts and devices related policies: " Harden all IPv6 Nodes (routers, servers, …). " Strictly control the use of multicast. " Only use OS that do not send ICMPv6 error messages in response to a packet destined for a multicast address. " Use OS that use integrated HIPS and IPv6-capable firewalling. Sk Skills ills block locks s 32

  33. Host & device hardening ! Hosts and devices related policies: " Keep OS/software patched for any IPv6 known vulnerability or recommended by the vendor. " Proactively monitor the security posture of hosts and remediate them AQAP. " Secure any routing adjacency or peer to the fullest extent possible(packet/prefix filtering on interfaces, passwords, MD5, or IPsec) . Sk Skills ills block locks s 33

  34. Transition mechanisms policy ! Prefer DS, and secure each protocol equally. ! Use manual tunnels only ( using Ipsec preferred ) and perform filtering on the tunnel endpoints. ! Avoid 6to4 if not required. ! Prevent Teredo on Windows unless a special security policy waiver has been signed. ! No IPv6-in-IPv4 (IP protocol 41) tunnels through the perimeter unless required. 34 Sk Skills ills block locks s

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

501 views • 34 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Toll Free No : 1800 425 6235 Ministry of

291 views • 10 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Toll Free No : 1800 425 6235 Ministry of

460 views • 8 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Free No : 1 1800 0 425 6 6235 Toll F

264 views • 24 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Free No : 1 1800 0 425 6 6235 Toll F

357 views • 12 slides
eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY

eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY

eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY AWARENESS MODEL (ESAM) IS A SELF-ASSESSMENT TOOL GOAL OF THE EDOCUMENT SECURITY AWARENESS MODEL: Help governments with their secure document

579 views • 28 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Ministry of Electronics & Information

510 views • 11 slides
Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen Status -00 posted on 25 January 2013 Some comments on the list (see later) Problem Statement

378 views • 10 slides
Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire dInformatique de Paris 6 Summary IPv6 Mobile IPv6 Security and Mobile IPv6 Protections by

669 views • 50 slides
The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1 Housekeeping This presentation consists of slides and audio. If you are experiencing any problems/ issues,

1.12k views • 56 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations draft-savola-v6ops-security-overview-00.txt Pekka Savola, CSC/FUNET Overview Overview Look at different kinds of issues IPv6 protocol Transition mechanisms in general

853 views • 10 slides
IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda Introduction to Integralis IPv6 Security Concerns Questions Private & Confidential Continuous Secure Service Delivery Governance,

336 views • 21 slides
IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start

IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start

IoT, SDR, and Car Security Aaron Luo Who am I Aaron Luo Come from Taiwan Start security research since 15 th Community Experience CHROOT/HITCON (security group) - member III,CSIST (government organizations) - training course

1.36k views • 110 slides
NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010

NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010

NuFirewall Open-source authenticating firewall NuFirewall - RMLL 2010 NuFirewall - RMLL 2010 Who's that guy ? Eric Leblond CTO EdenWall Technologies NuFW project leader Netfilter developper Ulogd2 maintener Regit

1.06k views • 24 slides
Atlan?cWave-SDX: An Interna?onal SDX to Support Science Data Applica?ons Jeronimo A. Bezerra and

Atlan?cWave-SDX: An Interna?onal SDX to Support Science Data Applica?ons Jeronimo A. Bezerra and

Atlan?cWave-SDX: An Interna?onal SDX to Support Science Data Applica?ons Jeronimo A. Bezerra and Joaqun Chung <jbezerra@fiu.edu>, <joaquin.chung@gatech.edu> Outline Introducing LSST as an Use Case Presen?ng LSST

371 views • 18 slides
ARP Address Resolu,on Protocol Security Joo Paulo Barraca

ARP Address Resolu,on Protocol Security Joo Paulo Barraca

ARP Address Resolu,on Protocol Security Joo Paulo Barraca jpbarraca@ua.pt 1 Networking Basics Communica,on in packet networks rely on several

319 views • 20 slides
Shadow MACs: Scalable Label-switching for Commodity Ethernet Kanak Agarwal, Colin Dixon*, Eric

Shadow MACs: Scalable Label-switching for Commodity Ethernet Kanak Agarwal, Colin Dixon*, Eric

Shadow MACs: Scalable Label-switching for Commodity Ethernet Kanak Agarwal, Colin Dixon*, Eric Rozner, John Carter IBM Research, Austin, TX * now at Brocade 1 SDN: The Future! Rose-colored glasses: Fine-grained, dynamic control

719 views • 19 slides
Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's

Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's

Packet Sniffing and Spoofing 1 Shared Networks Every network packet reaches every computer's network Interface card, which then filters packets based on the MAC address. A network packet has multiple concatenated components. 2 How Packets

625 views • 39 slides
CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage, David Wagner, and Nick Weaver Threat Modeling for Network Attacks Basic security goals:

804 views • 31 slides
Case Studies - Case Studies - Eduroam in Slovenia Eduroam in Slovenia Rok Pape ARNES -

Case Studies - Case Studies - Eduroam in Slovenia Eduroam in Slovenia Rok Pape ARNES -

1 Akademska in raziskovalna mrea Slovenije Case Studies - Case Studies - Eduroam in Slovenia Eduroam in Slovenia Rok Pape ARNES - Academic and research network of Slovenia aaa-podpora@arnes.si Eurocamp, Ljubljana, April 2006 2 Start

1.25k views • 18 slides

More recommend