IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi - - PowerPoint PPT Presentation



SLIDE 1

IPv6 Security Considerations: Future Challenges

  • Prof. Sukumar Nandi

Dept of Computer Sc. & Engg. Indian Institute of Technology Guwahati

SLIDE 2

Agenda Outline

  • Motivation for IPv6
  • Brief comparison between IPv6 and IPv4
  • IPv6 Addressing Architecture
  • IPv6 Header Fields
  • IPv6 Extension Headers
  • IPv6 Options
  • Internet Control Message Protocol version 6 (ICMPv6)

  • Neighbor Discovery for IPv6
  • Address Resolution
  • Stateless Address Auto-configuration (SLAAC)
SLIDE 3

If you use IPv4?

I’m Running IPv4…Does This Affect Me?

SLIDE 4

What about all These?

SLIDE 5

IPv4 vs IPv6

  • Addressing: IPv4 – 32 bits; IPv6 – 128 bits
  • Address resolution: IPv4 – ARP; IPv6 – ICMPv6 NS/NA (+ MLD)
  • Auto-configuration: IPv4 – DHCP & ICMP RS/RA; IPv6 – ICMPv6 RS/RA & DHCPv6 (optional) (+MLD)
  • Fault Isolation: IPv4 – ICMPv4; IPv6 – ICMPv6
  • IPsec support: IPv4 – Optional; IPv6 – Mandatory (to "optional")
  • Fragmentation: IPv4 – Both in hosts and routers; IPv6 – Only in hosts

SLIDE 6

Protocol Format

SLIDE 7

Brief comparison of IPv4 and IPv6 (II)

Header formats:

SLIDE 8

IPv6 header

Fixed-length (40-bytes) header

SLIDE 9

The Big IPv6 Security Question

Built-In IPSec Offers Better Security… Right?

IPSec is a mandatory part of the IPv6 Protocol

SLIDE 10

First and foremost issue!

Unfamiliarity Causes Misconfigurations

SLIDE 11

What is IPSec?

Among other things, IPSec consists of:

  • Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks)
  • Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality

Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications.

SLIDE 12

What are IPv6 Extension Headers?

Remember IPv6 header simplification?

IPv4 Header (20 bytes): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding

IPv6 Header (40 bytes): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

Figure legend: Dropped

Dropped options need to go somewhere…

  • IPv6 Header | Payload
  • IPv6 Header | Extension Header | Payload
  • IPv6 Header | Extension Header | Extension Header | Payload

  • Ext. headers may include:
  • Hop-by-hop options
  • Destination Options
  • Routing
  • Fragmentation
  • AH Header
  • ESP Header
  • Etc…
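
The chain on this slide is followed by reading each header's Next Header field, which a filter has to do before it can see the TCP, UDP or ICMPv6 payload. The parser below is an added example, not part of the original slides; the protocol numbers are the IANA-assigned values, and the packets, the 2001:db8::1 address and the function names are constructed for illustration.

```python
import struct

# IANA protocol numbers for the extension headers listed on the slide.
EXT = {0: "Hop-by-Hop", 60: "Destination Options", 43: "Routing",
       44: "Fragment", 51: "AH", 50: "ESP"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}

def walk_chain(pkt: bytes, max_ext: int = 8):
    """Follow Next Header values; return (chain, upper_layer, warnings)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, warn = pkt[6], 40, [], []
    while nxt in EXT:
        name = EXT[nxt]
        if len(chain) == max_ext:
            warn.append("extension header chain too long")
            return chain, "unknown", warn
        if name == "Hop-by-Hop" and chain:
            warn.append("Hop-by-Hop not first in chain")
        chain.append(name)
        if name == "ESP":                      # everything after ESP is encrypted
            return chain, "encrypted", warn
        if off + 8 > len(pkt):
            warn.append("truncated " + name + " header")
            return chain, "unknown", warn
        if name == "Fragment":
            size = 8                           # fixed-size header
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                warn.append("non-first fragment: upper layer not present")
                return chain, "unknown", warn
        elif name == "AH":
            size = (pkt[off + 1] + 2) * 4      # AH length counts 32-bit words
        else:
            size = (pkt[off + 1] + 1) * 8      # others count 8-octet units
        nxt, off = pkt[off], off + size
    return chain, UPPER.get(nxt, "protocol %d" % nxt), warn

# --- constructed sample packets (not captured traffic) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    addr = bytes.fromhex("20010db8" + "00" * 11 + "01")       # 2001:db8::1
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + addr + addr + payload

def opts(next_header: int) -> bytes:
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])          # 8 octets, one PadN option

NORMAL = ipv6(0, opts(60) + opts(6) + bytes(20))   # Hop-by-Hop, Dest Options, TCP
ODD = ipv6(60, opts(0) + opts(17) + bytes(8))      # Hop-by-Hop misplaced, then UDP
```

A filter that matches only on the base header's Next Header field would see neither TCP nor UDP in these two packets.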
SLIDE 13

Built-In IPSec Offers Better Security… Right?

IPSec is a mandatory part of the IPv6 Protocol

What does this really mean?

  • Part of IPv6 protocol stack, not an optional add-on
  • Implemented with AH and ESP Extension Headers
  • Follows one standard (less interop issues)
  • Every IPv6 device can do IPSec
  • However, IPSec usage is still OPTIONAL!
  • Manual configuration of Security Associations (SAs) can be a tedious or impractical task considering the volume.
  • Even if SAs were established, it is not possible to verify the ownership of dynamically generated IP addresses.
  • SAs can be created only through using the Internet Key Exchange (IKE). But IKE requires a functional IP stack in order to function, and this results in a bootstrapping problem.

SLIDE 14

Wait! Doesn’t IPv4 Offer IPSec too?

Some truths about IPv6’s additional IPSec Security:

  • IPv4 has it too (though, not “natively”)
  • You don’t have to use it, and most don’t
  • Still complex
  • May require PKI Infrastructure

So is this really a security benefit?

  • Short term – probably no measurable advantage over IPv4 IPSec
  • Long term – More applications will leverage it now that it’s mandatory!

SLIDE 15

A Look Back at IPv4 ARP Poisoning

  • “Who has 192.168.20.34?”
  • “I Do. Here’s my MAC”
  • “Hey Everyone. I have 192.168.20.34 And 192.168.20.2, And …..”
  • “I also have 192.168.20.1”

No authentication or security

SLIDE 16

Neighbor Discovery Suffers from Similar Issues

  • Neighbor Solicitation: “Who has 2001::3/64?”
  • Neighbor Advertisement: “I Do. Here’s my Layer 2 address”
  • ND Spoofing: “Who has 2001::3/64?” answered with “I Do. Send traffic to me”

No authentication or security

SLIDE 17

Many Other Neighbor and Router Discovery Issues

Solution: SEcure Neighbor Discovery (SEND) – RFC 3971

  • Essentially adds IPSec to ND communications
  • Requires PKI Infrastructure
  • Not available in all OSs yet.
  • 802.1X also an option

Other ND related attacks:

  • Duplicate Address Detection (DAD) DoS attack
  • ND spoofing attack for router (allows for MitM)
  • Neighbor Unreachability Detection (NUD) DoS attack
  • Last Hop Router spoofing (malicious router advertisements)
  • And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
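
One passive check for the ND spoofing case on the previous slide: record which link-layer address each Neighbor Advertisement binds to a target address and flag any later advertisement that rebinds it. This is an added example, not part of the original slides; the function names, addresses and MAC values are constructed, and a legitimate change (a replaced NIC, a failover pair) raises the same flag.

```python
import ipaddress
import struct

def parse_na(icmp: bytes):
    """Parse an ICMPv6 Neighbor Advertisement (type 136) -> (target, mac, flags)."""
    if len(icmp) < 24 or icmp[0] != 136:
        return None
    flags = icmp[4] >> 5                        # Router, Solicited, Override bits
    target = ipaddress.IPv6Address(icmp[8:24])
    mac, off = None, 24
    while off + 2 <= len(icmp):                 # options: type, length in 8-octet units
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            return None                         # malformed option: discard the message
        if otype == 2 and olen == 8:            # Target Link-Layer Address (Ethernet)
            mac = icmp[off + 2:off + 8].hex(":")
        off += olen
    return target, mac, flags

def find_conflicts(messages):
    """Return (target, first_mac, new_mac, override) for every rebinding seen."""
    seen, alerts = {}, []
    for icmp in messages:
        parsed = parse_na(icmp)
        if not parsed or parsed[1] is None:
            continue
        target, mac, flags = parsed
        first = seen.setdefault(target, mac)    # keep the first binding as baseline
        if first != mac:
            alerts.append((str(target), first, mac, bool(flags & 1)))
    return alerts

# --- constructed sample messages (checksum left at zero, not captured traffic) ---
def na(target: str, mac: str, flags: int = 0b011) -> bytes:
    head = struct.pack("!BBHI", 136, 0, 0, flags << 29)
    body = head + ipaddress.IPv6Address(target).packed
    return body + bytes([2, 1]) + bytes.fromhex(mac.replace(":", ""))

SAMPLE = [
    na("2001:db8::3", "02:00:00:00:00:0a"),     # first answer seen for ::3
    na("2001:db8::7", "02:00:00:00:00:0b"),
    na("2001:db8::3", "02:00:00:00:00:ee"),     # second host claims ::3 with Override set
]
```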
SLIDE 18

New Multicast Protocol Helps with Reconnaissance

IPv6 multicast addresses: IPv6 multicast includes a ton of reserved addresses. Here are a few:

Multicast Address – Reservation

  • FF02::1 – All Host Address
  • FF02::2 – All Router Address (LL)
  • FF02::9 – RIP Routers
  • FF02::A – EIGRP Routers
  • FF02::B – Mobile-Agents
  • FF02::1:2 – All DHCP Agents
  • FF05::2 – All Router Address (SL)
  • FF05::1:3 – All DHCP Servers
  • FF05::1:4 – ALL DHCP Relays
  • FF0X::101 – NTP
  • FF0X::106 – Name Service Server

Attackers can use these multicast addresses to enumerate your network.

SLIDE 19

IPv6 Security Controls Lagging Hacking Arsenal/Tools

Attackers already have many IPv6 capable tools:

THC-IPv6 Attack Suite, Nmap, Wireshark, Multi-Generator (MGEN), IPv6 Security Scanner (vscan6), Halfscan6, Strobe, Netcat6, Imps6-tools, Relay6, 6tunnel, NT6tunnel, VoodooNet, Scapy6, Metasploit (etc.), Web Browsers (XSS & SQLi), TCPDump, COLD, Spak6, Isic6, Hyenae, SendIP, Packit, 4to6ddos, 6tunneldos

THC-IPv6 Attack Suite:

Alive6, Parasite6, Redir6, Fake_Router6, Detect-New-IPv6, DoS-New-IPv6, Smurf6, rSmurf6, TooBig6, Fake_MIPv6, Fake_mld6, Fake_Advertiser6, SendPees6, DNSDict6, Trace6, Flood_Router6, Flood_Advertise6, Fuzz_IP6, etc…

Unfortunately, IPv6 security controls and products seem to be a bit behind.

SLIDE 20

Typical IPv6 Devices Have Multiple Addresses

  • At least a Link-Local Address (FE80::/10)
  • Likely a Unique Global Address (2000::/3)
  • Possibly a Site-Local Address (FC00::/7)

You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization
SLIDE 21

Extra Security Can Cause Insecurity

SLIDE 22

Firewalls (and Admins) Must Learn New Tricks

  • How to filter ICMPv6?
  • Handling new extension headers
  • Filtering Multicast and Anycast
  • Hosts w/multiple addresses

SLIDE 23

EXTRA: The Same

There are some security issues that IPv6 has little effect on:

  • Application-layer attacks
  • Sniffing
  • Rogue Devices
  • Man-in-the-Middle Attacks
  • Flooding/DoS Attacks

SLIDE 24

THANK YOU
