ipv6 security issues and challenges
play

IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla - PowerPoint PPT Presentation

Oct 19, 2023 •317 likes •622 views

Ministry of Science, People First, Performance Now Technology and Innovation IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology Consultant Head Technology Consultant IPv6 Global Sdn Bhd 7

  1. Ministry of Science, People First, Performance Now Technology and Innovation IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology Consultant Head Technology Consultant IPv6 Global Sdn Bhd 7 November 2012

  2. Ministry of Science, People First, Performance Now Technology and Innovation IP 6 IPv6 TO MIGRATE OR NOT TO MIGRATE? TO MIGRATE OR NOT TO MIGRATE? •It’s not an option. •Either we migrate or we will be left behind. •Malaysian government has mandated they will be IPv6 native by end of 2015 native by end of 2015. •Malaysian major trading partners including the U.S., China and India has already started aggressively migrating to IPv6. If we want to continue to be relevant, communicate and do business with these countries, we will have to migrate. migrate.

  3. Ministry of Science, People First, Performance Now Technology and Innovation Wh t' What's the problem? th bl ? • We have firewalls and Intrusion Detection Systems – so we’re safe from outside attack. • VPNs, SSH, etc. allow secure remote access. • SSL/TLS protects web access – so phishing attacks SSL/TLS t t b hi hi tt k don’t work. • Virus scanning is effective - so viruses are a thing of the Virus scanning is effective so viruses are a thing of the past. • Security patches applied – The patches never break anything. thi • IPv6 has complete built-in security. • And cows can fly! • And cows can fly!

  4. Ministry of Science, People First, Performance Now Technology and Innovation IPv4 to IPv6 Challenging Move • The exhaustion of the finite pool of IPv4 addresses. The e ha stion of the finite pool of IP 4 addresses • IPv6 deployment is critical to safeguarding the future expansion of the internet. p • IPv6 deployment comes with its own set of challenges, and security issues. • Networks need to be dual-stack during the transition phase. • In most cases settings will not be automatically copied • In most cases, settings will not be automatically copied between IPv4 and IPv6. • Whenever you make a change for one protocol you have to do it for the other, which doubles the chances of making a mistake.

  5. Ministry of Science, People First, Some interesting aspects about IPv6 Some interesting aspects about IPv6 Performance Now Technology and Innovation security • We have much less experience with IPv6 than with IPv4 with IPv4. • IPv6 implementations are much less mature than their IPv4 counterparts. p • Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4. • The complexity of the resulting network will The complexity of the resulting network will greatly increase during the transition/co- existence period: � Two internetworkin protocols (IPv4 and IPv6) � Increased use of NATs � Increased use of tunnels � Increased use of tunnels • Lack of trained human resources.

  6. Ministry of Science, People First, Performance Now Technology and Innovation B i f Brief comparison between IPv6 and IPv4 i b t IP 6 d IP 4 • IPv6 and IPv4 are very similar in terms of functionality (but not in terms of mechanisms ) terms of mechanisms ) IPv4 IPv6 Addressing Addressing 32 bits 32 bits 128 bits 128 bits Address ARP ICMPv6 NS/NA Resolution Auto- A t DHCP & ICMP RS/RA DHCP & ICMP RS/RA ICMP 6 RS/RA & DHCP 6 ICMPv6 RS/RA & DHCPv6 configuration ( recommended ) Fault Isolation F lt I l ti ICMP ICMP ICMP 6 ICMPv6 IPsec support Optional Recommended ( not mandatory) Fragmentation Both in hosts and Only in hosts routers

  7. Ministry of Science, People First, Performance Now Technology and Innovation B i f Brief comparison between IPv6 and IPv4 i b t IP 6 d IP 4 • Header formats:

  8. Ministry of Science, People First, Performance Now Technology and Innovation Fl Flow Label L b l • The three tuple {Source Address Destination • The three-tuple {Source Address, Destination Address, Flow Label} was meant to identify a communication flow. • Currently unused by many stacks – others use it C tl d b t k th it improperly • Speficication of this header field, together with p , g possible uses, is “work in progress” at the IETF. • Potential vulnerabilities depend on the ongoing work at the IETF: work at the IETF: – Might be leveraged to perform “dumb” (stealth) address scans. – Might be leveraged to perform Denial of Service Might be leveraged to perform Denial of Service attacks.

  9. Ministry of Science, People First, Performance Now Technology and Innovation H Hop Limit Li it • Analogous to IPv4’s “Time to Live” (TTL) • Analogous to IPv4 s Time to Live (TTL). • Identifies the number of network links the packet may traverse packet may traverse. • Packets are discarded when the Hop Limit is decremented to 0 is decremented to 0. • Could be leveraged for: – Detecting the Operating System of a remote Detecting the Operating System of a remote node. – Fingerprinting a remote physical device. Fingerprinting a remote physical device. – Locating a node in the network topology.

  10. Ministry of Science, People First, Performance Now Technology and Innovation H Hop Limit: Fingerprinting Devices or OSes Li it Fi i ti D i OS • Different Oses use different defaults for the “Hop Limit” Different Oses use different defaults for the Hop Limit (typically a power of two: 64, 128, etc.) • If packets originating from the same IPv6 addresses contain very different “Hop Limits”, they might be originated by different devices. E.g.: – Packets from FTP server 2001:db8::1 arrive with a “Hop Limit” of 60 Packets from FTP server 2001:db8::1 arrive with a Hop Limit of 60 – Packets from web server 2001:db8::2 arrive with a “Hop Limit” of 124 – We infer: • FTP server sets the Hop Limit to 64 and is 4 “routers” away • FTP server sets the Hop Limit to 64, and is 4 routers away. • Web server sets the Hop Limit to 128, and is 4 “routers” away. • Detecting the Operating System of a remote node.

  11. Ministry of Science, People First, Performance Now Technology and Innovation H Hop Limit: Locating a Node Li it L ti N d • Basic idea: if we are receiving packets from a node and assume that it is using the default “Hop Limit” we can infer assume that it is using the default Hop Limit , we can infer the orginal “Hop Limit” • If we have multple “sensors”, we can “triangulate” the position of the node Source Hop Limit A 61 B 61 C 61 D 62 F is the only node that is: • 4 “routers” from A • 4 “routers” from B • 4 “routers” from C • 3 “routers” from D

  12. Ministry of Science, People First, Performance Now Technology and Innovation Threats to be Countered in IPV6 � Scanning Gateways and Hosts for weakness � Scanning for Multicast Addresses � Unauthorised Access Control � Protocol Weaknesses � Distributed Denial of Service (DDos) � Transition Mechanisms � Worms/Viruses � There are already worms that use IPv6 y � e.g. Rbot.DUD

  13. Ministry of Science, People First, Performance Now Technology and Innovation Scanning Gateways and Hosts � IPv6 Subnet Size is much larger � More than 500 000 years to scan a /64 subnet@1M addresses/sec. � Scanning for backdoors impractical � Scanning for backdoors impractical. � Scanning for proxies impractical. � Scan-based worms can not propagate � Scan-based worms can not propagate.

  14. Ministry of Science, People First, Performance Now Technology and Innovation Scanning Gateways and Hosts � IPv6 Scanning methods are changing IP 6 S i th d h i � Public servers will still need to be DNS reachable giving attacker some hosts to attack. attacker some hosts to attack. � Administrators may adopt easy to remember addresses (::1,::2,::53, or simply IPv4 last octet). � Use of trivial EUI-64 derived addresses. � EUI-64 derived from interface MAC addresses. � By compromising routers at key transit points in a By compromising routers at key transit points in a network, an attacker can learn new addresses to scan. � Avoid using easy to guess addresses Avoid using easy to guess addresses.

  15. Ministry of Science, People First, Performance Now Technology and Innovation S Scanning Multicast Addresses i M lti t Add � New Multicast Addresses - IPv6 supports new multicast addresses enabling attacker to identify key lti t dd bli tt k t id tif k resources on a network and attack them. � E g Site local all DHCP servers (FF05::1:3) mDNSv6 � E.g. Site-local all DHCP servers (FF05::1:3), mDNSv6 (FF05::FB), and All Routers (FF05::2) � Addresses must be filtered at the border in order to Addresses must be filtered at the border in order to make them unreachable from the outside. � To prevent smurf type of attacks: IPv6 specs forbids p yp p the generation of ICMPv6 packets in response to messages to global multicast addresses that contain requests.

  16. Ministry of Science, People First, Performance Now Technology and Innovation Security of IPv6 Addresses • Cryptographically Generated Addresses (CGA) IPv6 addresses [RFC3972]. � Host ID - part of address is an encoded hash. H t ID t f dd i d d h h � Binds IPv6 address to public key � Used for SEcuring Neighbor Discovery [RFC3971]. g g y [ ] � Is being extended for other uses [RFC4581]. � Privacy addresses as defined [RFC 4941]. y [ ] � Prevents device/user tracking � Makes accountability harder

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

501 views • 34 slides
IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer Sc. & Engg. LOGO Indian Institute of Technology Guwahati Agenda Outline Motivation for IPv6 Brief comparision between IPv6 and IPv4

290 views • 25 slides
The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1 Housekeeping This presentation consists of slides and audio. If you are experiencing any problems/ issues,

1.12k views • 56 slides
v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations draft-savola-v6ops-security-overview-00.txt Pekka Savola, CSC/FUNET Overview Overview Look at different kinds of issues IPv6 protocol Transition mechanisms in general

853 views • 10 slides
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen Status -00 posted on 25 January 2013 Some comments on the list (see later) Problem Statement

378 views • 10 slides
Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
IOT SECURITY ONGOING CHALLENGES Selvana Naiken Gopalla Information Security Consultant

IOT SECURITY ONGOING CHALLENGES Selvana Naiken Gopalla Information Security Consultant

IOT SECURITY ONGOING CHALLENGES Selvana Naiken Gopalla Information Security Consultant CERT-MU | National Computer Board OUTLINE The Internet of Insecure Things New Devices, New Security Challenges IOT Specific Security Issues

301 views • 27 slides
Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire dInformatique de Paris 6 Summary IPv6 Mobile IPv6 Security and Mobile IPv6 Protections by

669 views • 50 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
IANA IPV6 Workshop A View From the Trenches (Some thoughts on IPV6 deployment in enterprise and

IANA IPV6 Workshop A View From the Trenches (Some thoughts on IPV6 deployment in enterprise and

IANA IPV6 Workshop A View From the Trenches (Some thoughts on IPV6 deployment in enterprise and ISP networks) Joel Jaeggli Nokia This talk is focused on the issues faced by network operators in deploying IPV6 Most of these observations are

548 views • 50 slides
IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda Introduction to Integralis IPv6 Security Concerns Questions Private & Confidential Continuous Secure Service Delivery Governance,

336 views • 21 slides
IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1 04/12/2015' Presentation Objectives ! Create awareness of IPv6 Security implications. ! Highlight technical concepts on IPv6 weaknesses ! Describe

822 views • 36 slides
IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break 13:00 - 14:00 Lunch 15:30 - 15:45 Break 17:30 End 2 Introductions Name Number in the list Experience with Security and IPv6

1.9k views • 173 slides
IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet

IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet

IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet (jordi.palet@consulintel.es) 1 Motivation How would the deployment of IPv6 affect the security of a network? IPv6 enabled devices and networks bring

305 views • 19 slides
Anomaly Detection Based on Simplicity Theory Giacomo Casoni Mar Badias Sim Research Project 1

Anomaly Detection Based on Simplicity Theory Giacomo Casoni Mar Badias Sim Research Project 1

Anomaly Detection Based on Simplicity Theory Giacomo Casoni Mar Badias Sim Research Project 1 - #43 Supervisor: Giovanni Sileno Lecturer: Cees de Laat TABLE OF 01 INTRODUCTION Basic concepts and Research CONTENTS questions 02 THEORY

795 views • 65 slides
STEPHEN GREY DRAFT OF OPENING REMARKS CHECK VS DELIVERY 1 Ladies and Gentleman, I am

STEPHEN GREY DRAFT OF OPENING REMARKS CHECK VS DELIVERY 1 Ladies and Gentleman, I am

STEPHEN GREY DRAFT OF OPENING REMARKS CHECK VS DELIVERY 1 Ladies and Gentleman, I am honored to be invited to speak to the European Parliament, though saddened that due to my governments intentions I may not be able to return

347 views • 8 slides
SMURF Serial MUsic Represented as Functions Van Bui Richard Townsend Lianne Lairmore Kuangya

SMURF Serial MUsic Represented as Functions Van Bui Richard Townsend Lianne Lairmore Kuangya

SMURF Serial MUsic Represented as Functions Van Bui Richard Townsend Lianne Lairmore Kuangya Zhai Lindsay Neubauer Overview Functional Language Generates Serialist compositions Syntax and semantics loosely based on Haskell

189 views • 6 slides
EXECUTIVE SUMMARY Multiplatform release of a movie-based game with the Smurfs license, based on

EXECUTIVE SUMMARY Multiplatform release of a movie-based game with the Smurfs license, based on

EXECUTIVE SUMMARY Multiplatform release of a movie-based game with the Smurfs license, based on and timed with the Smurfs 2 Movie (Sony Pictures Entertainment) THE GAME 2011 G AME TITLE === The Smurfs 2 G ENRE ====== 2D Platformer 189K Units P

728 views • 30 slides
A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk

A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk

A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk Master's degree studying Majoring in Information technology Faculty of informatics, Mahasarakham University The 4th International Conference on

207 views • 17 slides
Investor Presentation July 2017 ASX:MMI 1 Executive Summary Metro is rapidly advancing its

Investor Presentation July 2017 ASX:MMI 1 Executive Summary Metro is rapidly advancing its

Investor Presentation July 2017 ASX:MMI 1 Executive Summary Metro is rapidly advancing its compelling Bauxite Hills Mine towards production in early 2018 1 Bauxite fundamentals & strong price outlook given rising China seaborne demand 2

740 views • 28 slides
Investor Presentation RIU Conference, Sydney May 2019 ASX: KIN Disclaimer Disclaimer This

Investor Presentation RIU Conference, Sydney May 2019 ASX: KIN Disclaimer Disclaimer This

Investor Presentation RIU Conference, Sydney May 2019 ASX: KIN Disclaimer Disclaimer This presentation is not a prospectus nor an offer for securities in any jurisdiction nor a securities recommendation. The information in this presentation is

267 views • 14 slides
Management Resource Solutions Strategic Acquisition of SubZero Group August 2016 Disclaimer

Management Resource Solutions Strategic Acquisition of SubZero Group August 2016 Disclaimer

Management Resource Solutions Strategic Acquisition of SubZero Group August 2016 Disclaimer This presentation document and its content (the Presentation ) have been prepared by Management Resource Solutions Plc (the Company ) for

839 views • 28 slides

More recommend