ipv6 security
play

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March - PowerPoint PPT Presentation

Jul 29, 2023 •160 likes •501 views

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

  1. IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016

  2. Outline • Introduction to WLCG & IPv6 • IPv6 security & threats • IPv6 protocol attacks • Issues for site network & security teams • Issues for sys admins • Where to find more information • Summary and outlook With MANY thanks to my colleagues in the HEPiX IPv6 Working Group and EGI CSIRT 16 Mar 2016 IPv6 Security (Kelsey) 2

  3. WLCG & IPv6 (Worldwide LHC Computing Grid) 16 Mar 2016 IPv6 Security (Kelsey) 3

  4. % clients accessing Google services via IPv6 https://www.google.com/intl/en/ipv6/statistics.html Global > 10% Belgium > 40% USA > 24% 16 Mar 2016 IPv6 Security (Kelsey) 4

  5. WLCG – why use IPv6? • HEPiX IPv6 working group started work 5 years ago – To assess, evaluate, test and plan • Decided in 2012 that WLCG should move asap to dual-stack services – To support IPv6-only clients • Sites beginning to run out of routable IPv4 addresses (2014) – Large increase in use of virtualisation, multi-cores, etc. – ~ 10% of sites report potential shortage of IPv4 addresses (incl. CERN) • See ISGC2015 talk • Aim at: April 2017 for support (some) IPv6-only clients (WN, VM) • A major activity – Need to consider all software, applications, operational tools – Only recently are main storage systems fully supporting IPv6 – Operational Security – an important issue! 16 Mar 2016 IPv6 Security (Kelsey) 5

  6. New features of IPv6 (1998) https://tools.ietf.org/html/rfc2460 • Larger address space • Streamlined protocol headers • Stateless auto-configuration • Privacy • Multicast • Jumbograms • Network layer security • Quality of Service • Anycast • Mobility 16 Mar 2016 IPv6 Security (Kelsey) 6

  7. Problems with IPv4 security • Design favoured interoperability over – Confidentiality, integrity, availability – No cryptographic protection from eavesdropping or manipulation – No end to end authentication • New technologies were added along the way – E.g. SSL/TLS, IPsec • With IPv6 these were designed in as mandatory components 16 Mar 2016 IPv6 Security (Kelsey) 7

  8. IPv6 security and threats 16 Mar 2016 IPv6 Security (Kelsey) 8

  9. IPv6 security pros/cons • Advantages of a new design – Security: important part of the IPv6 initial design • Down-sides – Lack of maturity – New vulnerabilities and attack vectors – Need IPv6-compliant monitoring and tools – Lack of education and experience – Problems of transition – dual-stack, tunnels • BUT - Many threats/attacks happen at layers above/below the network layer – And are therefore exactly the same as in IPv4 – Malware, phishing, buffer overflows, cross-site scripting, DDoS etc etc 16 Mar 2016 IPv6 Security (Kelsey) 9

  10. Immediate IPv6 concerns • IPv6 may be on by default (and not controlled or monitored) • End systems have multiple addresses (and changing) • Searching logs will not always work – Formatting when writing the logs is still broken – Same address but different formats (drop zero or not) • What is wrong with tunnels? – Site may not be in control – Tunnels traverse the IPv4 perimeter firewall and NAT gateways • Reputation-based (IP address) web protection does not fully exist for IPv6 16 Mar 2016 IPv6 Security (Kelsey) 10

  11. IPv6 deployment risks • The attacker community can make good use of IPv6 – They are IPv6 experts – E.g. for tunneling leaked info out from compromised systems • Vulnerabilities present in IPv6, including day zero issues inherent in any new or revised system – 242 CVE entries with keyword “IPv6” since 2002 – 44 in 2015 • Lack of vendor support 16 Mar 2016 IPv6 Security (Kelsey) 11

  12. IPv6 security myths • Internet Society has published 10 myths of IPv6 security • https://www.internetsociety.org/deploy360/b log/tag/ipv6-security-myths/ • Myth 2: IPv6 has security designed In • Reality: IPv6 was designed 15-20 years ago 16 Mar 2016 IPv6 Security (Kelsey) 12

  13. Network scanning • IPv6 Security Myth #4 – IPv6 Networks are Too Big to Scan (Internet Society) • Myth: IPv6 networks are too big to scan Reality: Many addressing techniques reduce the search space • Scanning an IPv4 /24 subnet (256 addresses) is trivial • An IPv6 /64 subnet has 1.8 * 10 19 addresses • BUT - SLAAC, DHCPv6 and manual configuration all tend to introduce order into the sparse address space • For LANs, can use one compromised host to scan via use of Neighbor Discovery 16 Mar 2016 IPv6 Security (Kelsey) 13

  14. Some IPv6 protocol attacks 16 Mar 2016 IPv6 Security (Kelsey) 14

  15. Extension Header vulnerabilities • Routing Header Type 0 – Source Routing – Lots of security issues with RH0 – Destination address in packet is replaced at every Layer 3 hop – Difficult for firewalls to determine the actual destination and compare with policy – Can be used for DoS traffic amplification – RH0 deprecated (rfc5095) • Fragmentation issues – Upper-layer info may be in second packet (and not inspected by firewall) – IPv6 standard defines every link to have MTU of at least 1280 bytes • Smaller fragments should be suspicious • Hop-by-hop extension header also dangerous • Solutions include – Filter on allowed and expected EH 16 Mar 2016 IPv6 Security (Kelsey) 15

  16. IPv6 Neighbor Discovery Edoardo Martelli (CERN) 16 Mar 2016 IPv6 Security (Kelsey) 16

  17. Neighbor Discovery Protocol • NDP authenticates neither the requestor or responder – Spoofing is possible • SLAAC, NDP and DAD include protection mechanisms – Source address for RA and NS messages must be unspecified (::) – Hop limit must be 255 (the maximum) – RA and NA messages must be rejected if hop limit is not 255 – This prevents a remote attacker sending forged RA or NA messages • scope is always local • Secure Neighbor Discovery (SEND) (rfc3971) – Uses Cryptographically Generated Addresses (rfc3972) – BUT – problems managing the keys 16 Mar 2016 IPv6 Security (Kelsey) 17

  18. Rogue RA • No authentication mechanism built into SLAAC • Malicious host can send rogue RA and pretend to be a router – Can capture or drop packets • Badly configured systems too 16 Mar 2016 IPv6 Security (Kelsey) 18

  19. Detecting rogue RA messages • Use generic IDS with customised signatures – RA whose source MAC or IP is not in a configured list • Lots of manual configuration! • Use tool NDPMon – And check against XML config file – also monitor all NS and NA – To check when NA contradicts a previous one • Intelligent switches – known RA source • Cisco RA Guard • Rafixd (and ramond) – Detect all rogue RA messages and immediately transmit another forged RA with lifetime 0 seconds (to clear the rogue info on all nodes) 16 Mar 2016 IPv6 Security (Kelsey) 19

  20. DAD • Duplicate Address Detection – Host checks whether its address is already in use – Sends NS asking for resolution of its own address – An attacker can launch a DoS attack by pretending to own all IPv6 addresses on the LAN 16 Mar 2016 IPv6 Security (Kelsey) 20

  21. ICMPv6 • Internet Control Message Protocol (rfc4443) • An important component of IPv6 • Redefines ICMPv4 with additions and changes – Ping, destination unreachable, neighbor discovery, path MTU discovery – Error messages (message number 1 to 127) – Informational messages (128 to 255) • Essential to establish strict ICMP filtering policies – Define ICMPv6 messages that can/cannot pass between the site and the internet • E.g. PMTU and ND • Rfc4890 “Recommendation for Filtering ICMPv6 Messages in Firewalls” – Each site needs to consider carefully! 16 Mar 2016 IPv6 Security (Kelsey) 21

  22. Draft guidance from HEPiX IPv6 working group Issues for Sites 16 Mar 2016 IPv6 Security (Kelsey) 22

  23. IPv6 issues for security/network teams • Control IPv6 if not using it • Use Dual-stack and avoid use of tunnels wherever possible • Drop packets containing RH Type 0 and unknown option headers • Deny packets that do not follow rules for extension headers • Filter IPv6 packets that enter and leave your network • Restrict who can send messages to multicast group addresses • Create an Address management plan • Create a Security Policy for IPv6 (same as IPv4) • Block unnecessary ICMPv6 • Protect against LAN RA, ND and DHCP attacks – NDPMON and RAFIXD on critical segments • Check/modify all security monitoring, logging and parsing tools 16 Mar 2016 IPv6 Security (Kelsey) 23

  24. Draft guidance from HEPiX IPv6 working group Issues for Sys Admins 16 Mar 2016 IPv6 Security (Kelsey) 24

  25. IPv6 issues for sys admins • Follow best practice security guidance – System hardening as in IPv4, see for example – https://access.redhat.com/documentation/en- US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linu x-6-Security_Guide-en-US.pdf – Specific advice on IPv6 hardening, see for example – https://www.ernw.de/download/ERNW_Guide_to_Securely_Configure_Linux_ Servers_For_IPv6_v1_0.pdf • Check for processes listening on open ports – # netstat, lsof • Review neighbour cache for unauthorised systems – # ip -6 neigh show • Check for undesired tunnel interfaces – # ip -6 tunnel show, # route – A inet6 16 Mar 2016 IPv6 Security (Kelsey) 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen Status -00 posted on 25 January 2013 Some comments on the list (see later) Problem Statement

378 views • 10 slides
Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire dInformatique de Paris 6 Summary IPv6 Mobile IPv6 Security and Mobile IPv6 Protections by

669 views • 50 slides
The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1 Housekeeping This presentation consists of slides and audio. If you are experiencing any problems/ issues,

1.12k views • 56 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations draft-savola-v6ops-security-overview-00.txt Pekka Savola, CSC/FUNET Overview Overview Look at different kinds of issues IPv6 protocol Transition mechanisms in general

853 views • 10 slides
IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda Introduction to Integralis IPv6 Security Concerns Questions Private & Confidential Continuous Secure Service Delivery Governance,

336 views • 21 slides
IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1 04/12/2015' Presentation Objectives ! Create awareness of IPv6 Security implications. ! Highlight technical concepts on IPv6 weaknesses ! Describe

822 views • 36 slides
IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer Sc. & Engg. LOGO Indian Institute of Technology Guwahati Agenda Outline Motivation for IPv6 Brief comparision between IPv6 and IPv4

290 views • 25 slides
IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break 13:00 - 14:00 Lunch 15:30 - 15:45 Break 17:30 End 2 Introductions Name Number in the list Experience with Security and IPv6

1.9k views • 173 slides
IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet

IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet

IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet (jordi.palet@consulintel.es) 1 Motivation How would the deployment of IPv6 affect the security of a network? IPv6 enabled devices and networks bring

305 views • 19 slides
IPv6 Distributed Security Activity Status <draft-vives-v6ops-ipv6-security-ps-01> (Problem

IPv6 Distributed Security Activity Status <draft-vives-v6ops-ipv6-security-ps-01> (Problem

IPv6 Distributed Security Activity Status <draft-vives-v6ops-ipv6-security-ps-01> (Problem Statement) <draft-palet-v6ops-ipv6security-01> (Requirements) Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet

607 views • 14 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
IPv6?? Yawn amiright? Actually, IPv6 adoption is now very robust. E.g.: Google Clients

IPv6?? Yawn amiright? Actually, IPv6 adoption is now very robust. E.g.: Google Clients

Dont Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy Jakub (Jake) Czyz, University of Michigan & QuadMetrics, Inc. Matthew Luckie, University of Waikato Mark Allman, International Computer Science

552 views • 17 slides
Collaborative Security Reflections about Security and the Open Internet NLUUG Najaarsconferentie

Collaborative Security Reflections about Security and the Open Internet NLUUG Najaarsconferentie

Collaborative Security Reflections about Security and the Open Internet NLUUG Najaarsconferentie 2015 19 November 2015 www.internetsociety.org Mission: To promote the open development, evolution, f o e c and use of the Internet r u t

547 views • 27 slides
CBCN4103 It is a global collection of networks, both big and small, that connect together in

CBCN4103 It is a global collection of networks, both big and small, that connect together in

CBCN4103 It is a global collection of networks, both big and small, that connect together in many different ways to form the single entity that we know as "the Internet." Who owns it? The Internet ernet Society, a

833 views • 42 slides
Learning from the Past J. Trent Adams (adams@isoc.org) Learning from the Past: Reinvention A

Learning from the Past J. Trent Adams (adams@isoc.org) Learning from the Past: Reinvention A

W3C Identity in the Browser Workshop Learning from the Past J. Trent Adams (adams@isoc.org) Learning from the Past: Reinvention A Cautionary Tale Of course you can reinvent the wheel but it ll require new roads, too.

304 views • 5 slides
Research and Applications of Internet Measurements (RAIM) in Cooperation with ACM SIGCOMM

Research and Applications of Internet Measurements (RAIM) in Cooperation with ACM SIGCOMM

IRTF & ISOC Workshop on Research and Applications of Internet Measurements (RAIM) in Cooperation with ACM SIGCOMM Yokohama, Japan October 31, 2015 Lars Eggert (lars@netapp.com) Genesis EC looking for opportunities to bring SIG closer

543 views • 19 slides
Putting private and government CERTs to the test Stefan Frei, Martin May ETH Zurich:

Putting private and government CERTs to the test Stefan Frei, Martin May ETH Zurich:

Putting private and government CERTs to the test Stefan Frei, Martin May ETH Zurich: http://www.csg.ethz.ch Paper download: http://www.techzoom.net/risk ETH Zurich - Stefan Frei, Martin May - 20 th Annual FIRST Conference 2008 - Vancouver -

723 views • 35 slides
Measuring Decentralized Video Streaming: Background Methodology A Case Study of DTube Analysis

Measuring Decentralized Video Streaming: Background Methodology A Case Study of DTube Analysis

Motivation Measuring Decentralized Video Streaming: Background Methodology A Case Study of DTube Analysis Conclusions Trinh Viet Doan, Tat Dat Pham, Markus Oberprieler, Vaibhav Bajpai Technical University of Munich (TUM) IFIP Networking,

1.26k views • 59 slides
NETmundial Ini-a-ve: Planning Document WHERE ARE WE NOW O

NETmundial Ini-a-ve: Planning Document WHERE ARE WE NOW O

NETmundial Ini-a-ve: Planning Document WHERE ARE WE NOW O VERVIEW q Ini-a-ve was officially launched on 6 November 2014; q The community was invited to:

685 views • 15 slides
DNSSEC Workshop San Jos, Costa Rica ICANN Meeting 14 March 2012 1 Program Committee

DNSSEC Workshop San Jos, Costa Rica ICANN Meeting 14 March 2012 1 Program Committee

DNSSEC Workshop San Jos, Costa Rica ICANN Meeting 14 March 2012 1 Program Committee Steve Crocker, Shinkuro, Inc. Simon McCalla, Nominet Russ Mundy, Cobham Lance Wolak, Public Interest Registry Luis Diego Espinoza,

347 views • 11 slides

More recommend