Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont Fernando Gont DEEPSEC 2011 Conference DEEPSEC 2011 Conference Vienna, Austria, November Vienna, Austria, November 15-18, 2011 15-18, 2011
About... � I have I have worked worked in security in security assessment assessment of of communication communication protocols protocols for: or: � UK NISCC (National UK NISCC (National Infrastructur nfrastructure Security ecurity Co-or o-ordination dination Centr Centre) � UK CPNI (Centre for UK CPNI (Centre for the he Protec Protection tion of of National National Infrastructure) Infrastructure) � Currently Currently working orking for for SI6 Networks ( I6 Networks (http://www.si6networks.com http://www.si6networks.com) � Membe Member of of R+D group R+D group CEDI at UTN/FR EDI at UTN/FRH � Invo Involved lved in t the Internet ernet Eng Engineering ering Task Force orce (IET ETF) F) � More information More information at: t: http://www.gont.com.ar http://www.gont.com.ar
Agenda � Motivation Motivation for for this his talk alk � Brief Brief comparision omparision of IPv6/IPv4 Pv6/IPv4 � Discussion Discussion of security ecurity aspects aspects of IPv6 Pv6 � Security Security implications implications of of IPv6 IPv6 tran transition/co-existence sition/co-existence mechanisms echanisms � Security curity implications implications of of IP IPv6 on on IP IPv4 ne networ tworks ks � Areas Areas in which n which further urther work ork is needed eeded � Conclusions nclusions � Questions Questions & (hopefully) (hopefully) Answers Answers
Motivation for this talk
So... what is this “IPv6” thing about? � IPv6 IPv6 was was developed eveloped to to address address the he exhaustion exhaustion of IPv4 IPv4 addresses addresses � IPv6 IPv6 has no has not yet et seen seen broad/glo broad/global deplo al deployment yment (current current estimatio stimations ns are are that that IPv6 IPv6 traffic traffic is less ess than han 1% of % of total traffic) total traffic) � Howeve wever, gene r, general-purpose ral-purpose OSes OSes have ave shippe hipped with ith IPv6 Pv6 support upport for for a long time – long time – hence ence part part of of your your network network is already lready running running IPv6 IPv6! � Additionaly, ISPs Additionaly, ISPs and and other ther organizations organizations have ave started tarted to to take take IPv6 IPv6 more more seriosly, partly seriosly, partly as a result as a result of: of: � Exhaus Exhausti tion on of of the the IAN ANA I IPv4 v4 fr free ee pool pool � Awareness Awareness activities ctivities such uch as the s the “World IPv6 World IPv6 Day” Day” � Imminent Imminent exhaustion exhaustion of the the free po ree pool o ol of IPv4 IPv4 addresses addresses at the t the different ifferent RIRs RIRs � It It looks like looks like IPv6 Pv6 is finally inally starting starting to to take take off... off...
Motivation for this presentation � A lot A lot of myths yths have have been been created created around round IPv6 Pv6 security: ecurity: � Security Security as a as a key key component component of of the the protocol rotocol � Change Change from from networ network-centr k-centric to host-centri ost-centric para aradigm igm � Increased Increased use o se of IPsec IPsec � etc etc. � They They have have lead lead to to a general misunderstanding a general misunderstanding of of the the security ecurity properties roperties of of IPv6, thus IPv6, thus negatively negatively affecting affecting the he emerging emerging (or (or existing) IPv6 xisting) IPv6 networks. networks. � This This presentation presentation separates separates fudge udge from from fact, and fact, and offers ffers a more realistic a more realistic view view of “IPv6 “IPv6 security” ecurity” � Rather Rather than than delving delving into nto specific pecific vulnerabilities, it ulnerabilities, it is is meant meant to influence nfluence the way the ay in which in which you ou think think about bout IPv6 IPv6 security security (and (and IPv6 IPv6 in general). in general).
General considerations about IPv6 security
Some interesting aspects of IPv6 security � There i e is m s much l h less e s experience w e with I h IPv6 t 6 than w n with I h IPv4 � IPv6 IPv6 implementations implementations are less are less mat mature ure than than their their IPv4 Pv4 counterparts ounterparts � Security curity products products (firewalls, NIDS, etc.) have (firewalls, NIDS, etc.) have less less support support for or IPv6 IPv6 than than for for IPv4 IPv4 � The The complexity omplexity of of the the resulting esulting network network will ill increase increase during during the the transition/co-existance transition/co-existance period: eriod: � Two Two internetw nternetworking orking protocols protocols (IPv4 v4 and and IPv6) Pv6) � Increased Increased use o se of NATs NATs � Increased Increased use o se of tunnels tunnels � Use Use of of other other transition/co-existance ransition/co-existance technologies echnologies � Lack Lack of of well-trained well-trained human resources uman resources …and …and even then, in many even then, in many cases IPv6 cases IPv6 will will be the be the only nly option ption to remain emain in this n this business business
Brief comparision between IPv6/IPv4 (what (what changes, and hanges, and what hat doesn’t) oesn’t)
Brief comparision of IPv6 and IPv4 IPv6 IPv6 and and IPv4 Pv4 are very re very similar in terms similar in terms of functionality unctionality (but (but not not in terms n terms of � mecha mechanisms isms) IPv4 IPv4 IPv6 IPv6 Addressing Addressing 32 b 32 bits ts 128 bits 128 bits Address Address resolutio resolution ARP ARP ICMPv6 NS/NA (+ MLD) ICMPv6 NS/NA (+ MLD) Auto-configuration Auto-configuration DHCP & ICMP RS/RA DHCP & ICMP RS/RA ICMPv6 ICMPv6 RS/RA & DHCPv6 RS/RA & DHCPv6 ( optional optional ) (+ MLD) ) (+ MLD) Fault Isolatio Fault Isolation ICMPv4 ICMPv4 ICMPv6 ICMPv6 IPsec IPsec support support Optional Optional Mandatory Mandatory (to to "opt "optional ional") ") Fragmentation Fragmentation Both in hosts Both in hosts and nd ro routers uters Only Only in hosts in hosts
Security Implications of IPv6
IPv6 Addressing Implications on host-scanning
Brief overview � The The main ain drive river for or IPv6 IPv6 is is its its inc ncreased reased address address space space � IPv6 IPv6 uses 128-bit uses 128-bit addresses ddresses � Simi Simila larly rly to IPv4, Pv4, � Addresses Addresses are are aggregated aggregated into into “prefixes” “prefixes” (for (for routi routing pur urposes) poses) � There There are different re different address address types ypes (u (unicast, anycast, and nicast, anycast, and multicast ulticast) � There There are different re different address address scopes copes (link-local, global, etc.) (link-local, global, etc.) � It’s It’s common common for for a node node to to be using, at any be using, at any given iven time, several time, several addresses, ddresses, of of multiple multiple types types and nd scopes. For scopes. For example, xample, � One One or more unicast ore unicast link-local address k-local address � One One or more global unicast ore global unicast address ddress � One One or more l ore link-local address k-local address
Global Unicast Addresses � Syntax Syntax of of the the global unicast lobal unicast addresses: ddresses: | n bits | m bits | 128-n-m bits | Global Routing Prefix Subnet ID Interface ID � The The interface nterface ID is ID is typically typically 64-bis 4-bis � Global Unicast Global Unicast Addresses ddresses can be generated can be generated with ith multiple ultiple diffe ifferent rent criteria: criteria: � Use Use modified modified EUI-64 forma EUI-64 format identifiers identifiers (embed embed the he MAC address) MAC address) � “Privacy “Privacy Addresses” Addresses” (or (or some ome var aria iant nt of of them) them) � Manual Manually-configured ly-configured (e.g., 2001:db8::1) e.g., 2001:db8::1) � As specified As specified by some y some specific specific transitio transition/co-existence /co-existence technology echnology
Recommend
More recommend
