Results of a Security Assessment of the Internet Protocol version 6 - - PowerPoint PPT Presentation



SLIDE 1

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

Fernando Gont

DEEPSEC 2011 Conference

Vienna, Austria, November 15-18, 2011

SLIDE 2

About...

• I have worked in security assessment of communication protocols for:
  • UK NISCC (National Infrastructure Security Co-ordination Centre)
  • UK CPNI (Centre for the Protection of National Infrastructure)
• Currently working for SI6 Networks (http://www.si6networks.com)
• Member of R+D group CEDI at UTN/FRH
• Involved in the Internet Engineering Task Force (IETF)
• More information at: http://www.gont.com.ar

SLIDE 3

Agenda

• Motivation for this talk
• Brief comparison of IPv6/IPv4
• Discussion of security aspects of IPv6
• Security implications of IPv6 transition/co-existence mechanisms
• Security implications of IPv6 on IPv4 networks
• Areas in which further work is needed
• Conclusions
• Questions & (hopefully) Answers

SLIDE 4

Motivation for this talk

SLIDE 5

So... what is this “IPv6” thing about?

• IPv6 was developed to address the exhaustion of IPv4 addresses
• IPv6 has not yet seen broad/global deployment (current estimations are that IPv6 traffic is less than 1% of total traffic)
• However, general-purpose OSes have shipped with IPv6 support for a long time – hence part of your network is already running IPv6!
• Additionally, ISPs and other organizations have started to take IPv6 more seriously, partly as a result of:
  • Exhaustion of the IANA IPv4 free pool
  • Awareness activities such as the “World IPv6 Day”
  • Imminent exhaustion of the free pool of IPv4 addresses at the different RIRs
• It looks like IPv6 is finally starting to take off...

SLIDE 6

Motivation for this presentation

• A lot of myths have been created around IPv6 security:
  • Security as a key component of the protocol
  • Change from network-centric to host-centric paradigm
  • Increased use of IPsec
  • etc.
• They have led to a general misunderstanding of the security properties of IPv6, thus negatively affecting the emerging (or existing) IPv6 networks.
• This presentation separates fudge from fact, and offers a more realistic view of “IPv6 security”
• Rather than delving into specific vulnerabilities, it is meant to influence the way in which you think about IPv6 security (and IPv6 in general).

SLIDE 7

General considerations about IPv6 security

SLIDE 8

Some interesting aspects of IPv6 security

• There is much less experience with IPv6 than with IPv4
• IPv6 implementations are less mature than their IPv4 counterparts
• Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4
• The complexity of the resulting network will increase during the transition/co-existence period:
  • Two internetworking protocols (IPv4 and IPv6)
  • Increased use of NATs
  • Increased use of tunnels
  • Use of other transition/co-existence technologies
• Lack of well-trained human resources

…and even then, in many cases IPv6 will be the only option to remain in this business

SLIDE 9

Brief comparison between IPv6/IPv4

(what changes, and what doesn’t)

SLIDE 10

Brief comparison of IPv6 and IPv4

• IPv6 and IPv4 are very similar in terms of functionality (but not in terms of mechanisms)

| | IPv6 | IPv4 |
|---|---|---|
| Addressing | 128 bits | 32 bits |
| Address resolution | ICMPv6 NS/NA (+ MLD) | ARP |
| Auto-configuration | ICMPv6 RS/RA & DHCPv6 (optional) (+ MLD) | DHCP & ICMP RS/RA |
| Fragmentation | Only in hosts | Both in hosts and routers |
| IPsec support | Mandatory (to "optional") | Optional |
| Fault isolation | ICMPv6 | ICMPv4 |

SLIDE 11

Security Implications of IPv6

SLIDE 12

IPv6 Addressing

Implications on host-scanning

SLIDE 13

Brief overview

• The main driver for IPv6 is its increased address space
• IPv6 uses 128-bit addresses
• Similarly to IPv4,
  • Addresses are aggregated into “prefixes” (for routing purposes)
  • There are different address types (unicast, anycast, and multicast)
  • There are different address scopes (link-local, global, etc.)
• It’s common for a node to be using, at any given time, several addresses, of multiple types and scopes. For example,
  • One or more unicast link-local address
  • One or more global unicast address
  • One or more link-local address

SLIDE 14

Global Unicast Addresses

• Syntax of the global unicast addresses:

| Global Routing Prefix | Subnet ID | Interface ID |
|---|---|---|
| n bits | m bits | 128-n-m bits |

• The interface ID is typically 64 bits
• Global Unicast Addresses can be generated with multiple different criteria:
  • Use modified EUI-64 format identifiers (embed the MAC address)
  • “Privacy Addresses” (or some variant of them)
  • Manually-configured (e.g., 2001:db8::1)
  • As specified by some specific transition/co-existence technology

SLIDE 15

Implications on host scanning

• Myth: “The huge IPv6 address space makes host-scanning attacks impossible. Host scanning would take ages!”
• This assumes host addresses are uniformly distributed over the subnet address space (/64)
• However, Malone (*) measured and categorized addresses into the following patterns:
  • SLAAC (Interface-ID based on the MAC address)
  • IPv4-based (e.g., 2001:db8::192.168.10.1)
  • “Low byte” (e.g., 2001:db8::1, 2001:db8::2, etc.)
  • Privacy Addresses (Random Interface-IDs)
  • “Wordy” (e.g., 2001:db8::dead:beef)
  • Related to specific transition/co-existence technologies (e.g., Teredo)

(*) Malone, D. 2008. Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), 29–30 April 2008.

SLIDE 16

Some real-world data….

• The results of [Malone, 2008] (*) roughly are:

Hosts

| Address Type | Percentage |
|---|---|
| SLAAC | 50% |
| IPv4-based | 20% |
| Teredo | 10% |
| Low-byte | 8% |
| Privacy | 6% |
| Wordy | <1% |
| Other | <1% |

Routers

| Address Type | Percentage |
|---|---|
| Low-byte | 70% |
| IPv4-based | 5% |
| SLAAC | 1% |
| Privacy | <1% |
| Teredo | <1% |
| Wordy | <1% |
| Other | <1% |

(*) Malone, D. 2008. Observations of IPv6 Addresses. Passive and Active Measurement Conference (PAM 2008, LNCS 4979), 29–30 April 2008.

SLIDE 17

Some thoughts about network scanning

• IPv6 does not make host-scanning attacks unfeasible
• Host scanning attacks have been found in the wild.
• IPv6 host-scanning will become much less “brute-force” than its IPv4 counterpart:
  • They will leverage address patterns (i.e., predictable addresses)
  • They will leverage application-layer address-leaks (e.g., e-mail, P2P, etc.)
  • For local scans, multicast addresses, Neighbor Discovery, and “Network Neighborhood” protocols (e.g., mDNS) will be leveraged
• Some recommendations:
  • For servers, address predictability is irrelevant – after all, you want them to be easily found.
  • For hosts, IPv6 “privacy addresses” are probably desirable. – However, always consider the use of firewalls!
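An added example (not part of the original slides) that classifies IPv6 addresses into the patterns Malone measured, so that an administrator can audit how guessable the addresses on a subnet are. The pattern rules, the use of "privacy" as the catch-all for a random-looking Interface ID, and the sample address list are assumptions made here; parsing is left to Python's standard ipaddress module.

```python
import ipaddress
import re

# Assumption: a "wordy" Interface ID is one whose nonzero 16-bit groups are spelled
# only from the hex digits a-f (dead:beef, cafe:babe, ...).
WORDY_GROUP = re.compile(r"^[a-f]{4}$")
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
PATTERNS = ("teredo", "slaac", "low-byte", "wordy", "ipv4-based", "privacy")


def classify(addr):
    """Map an address to one of PATTERNS; 'privacy' is the catch-all for a random-looking IID."""
    a = ipaddress.IPv6Address(addr)
    if a in TEREDO_PREFIX:
        return "teredo"
    iid = a.packed[8:]                                  # the 64-bit Interface ID
    if iid[3:5] == b"\xff\xfe":                         # modified EUI-64 marker in the middle
        return "slaac"
    if iid[:6] == bytes(6):                             # only the low 16 bits used (::1, ::2, ...)
        return "low-byte"
    groups = [iid[i:i + 2].hex() for i in range(0, 8, 2)]
    nonzero = [g for g in groups if g != "0000"]
    if nonzero and all(WORDY_GROUP.match(g) for g in nonzero):
        return "wordy"
    if iid[:4] == bytes(4):                             # upper half zero, IPv4 in the low 32 bits
        return "ipv4-based"
    return "privacy"


def embedded_mac(addr):
    """For a SLAAC address, return the MAC its Interface ID embeds (why it is predictable)."""
    if classify(addr) != "slaac":
        return None
    iid = ipaddress.IPv6Address(addr).packed[8:]
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the u/l bit flip, drop ff:fe
    return ":".join(f"{b:02x}" for b in mac)


def audit(addresses):
    """Count addresses per pattern; return (counts, share that follows a guessable pattern)."""
    counts = {p: 0 for p in PATTERNS}
    for a in addresses:
        counts[classify(a)] += 1
    guessable = sum(n for p, n in counts.items() if p != "privacy")
    return counts, (guessable / len(addresses) if addresses else 0.0)


# Constructed sample of addresses seen on one /64 (not real data).
SAMPLE = [
    "2001:db8::1", "2001:db8::2",                       # low-byte
    "2001:db8::192.168.10.1",                           # IPv4-based
    "2001:db8::dead:beef",                              # wordy
    "2001:db8::20c:29ff:fe3a:1b2c",                     # SLAAC, embeds MAC 00:0c:29:3a:1b:2c
    "2001:db8::f1d3:9a2b:77c0:4e11",                    # privacy (random IID)
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",             # Teredo
]
```

Running `audit(SAMPLE)` reports six of the seven constructed addresses as following a guessable pattern, the situation the slide warns about.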

SLIDE 18

End-to-end connectivity

SLIDE 19

Brief overview

• The IPv4 Internet was based on the so-called “End to End” principle:
  • Dumb network, smart hosts
  • Any node can establish a communication instance with any other node in the network
  • The network does not care about what is inside internet-layer packets
• It is usually argued that the “end-to-end principle” enables “innovation”
• Deployment of some devices (mostly NATs) has basically eliminated the “end-to-end” principle from the Internet
• With the increased IPv6 address space, it is expected that each device will have a globally-unique address, and NATs will be no longer needed.

SLIDE 20

Some considerations

• Myth: “IPv6 will return the End-to-End principle to the Internet”
• It is assumed that the possibility of global addresses for every host will return the “End-to-End” principle to the Internet.
• However,
  • Global-addressability does not necessarily imply “end-to-end” connectivity.
  • Most production networks don’t really care about innovation, but rather about getting work done.
  • Users expect to use in IPv6 the same services currently available for IPv4 without “end-to-end” connectivity (web, email, social networks, etc.)
• Thus,
  • End-to-end connectivity is not necessarily a desired property in a production network (e.g., may increase host exposure unnecessarily)
  • A typical IPv6 subnet will be protected by a stateful firewall that only allows “return traffic”

SLIDE 21

Address Resolution

SLIDE 22

Brief overview

• IPv6 addresses are mapped to link-layer addresses by means of the “Neighbor Discovery” mechanism (based on ICMPv6 messages).
• ICMPv6 Neighbor Solicitations and Neighbor Advertisements are analogous to ARP requests and ARP replies, respectively.
• Being transported by IPv6, NS/NA messages may contain IPv6 Extension Headers, be fragmented, etc.
• (ARP is implemented directly over Ethernet, with no possibilities for Extension Headers or fragmentation)

SLIDE 23

Security considerations

• IPv4’s ARP spoofing attacks can be “ported” to IPv6 for DoS or MITM attacks
• Possible mitigation techniques:
  • Deploy SEND (SEcure Neighbor Discovery)
  • Monitor Neighbor Discovery traffic (e.g. with NDPMon)
  • Add static entries to the Neighbor Cache
  • Restrict access to the local network
• Unfortunately,
  • SEND is very difficult to deploy (it requires a PKI)
  • ND monitoring tools can be trivially evaded
  • Use of static Neighbor Cache entries does not scale
  • Not always is it possible to restrict access to the local network
• Conclusion: the situation is not that different from that of IPv4 (actually, it’s a bit worse)

SLIDE 24

Auto-configuration

SLIDE 25

Brief overview

• There are two auto-configuration mechanisms in IPv6:
  • Stateless: SLAAC (Stateless Address Auto-Configuration), based on ICMPv6 messages (Router Solicitation and Router Advertisement)
  • Stateful: DHCPv6
• SLAAC is mandatory, while DHCPv6 is optional
• In SLAAC, “Router Advertisements” communicate configuration information such as:
  • IPv6 prefixes to use for autoconfiguration
  • IPv6 routes
  • Other configuration parameters (Hop Limit, MTU, etc.)
  • etc.

SLIDE 26

Security considerations

• By forging Router Advertisements, an attacker can perform:
  • Denial of Service (DoS) attacks
  • “Man in the Middle” (MITM) attacks
• Possible mitigation techniques:
  • Deploy SEND (SEcure Neighbor Discovery)
  • Monitor Neighbor Discovery traffic (e.g., with NDPMon)
  • Deploy Router Advertisement Guard (RA-Guard)
  • Restrict access to the local network
• Unfortunately,
  • SEND is very difficult to deploy (it requires a PKI)
  • ND monitoring tools can be trivially evaded
  • RA-Guard can be trivially evaded
  • Not always is it possible to restrict access to the local network
• Conclusion: the situation is not that different from that of IPv4 (actually, it’s a bit worse)

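As an added example for the “Monitor Neighbor Discovery traffic” item in the two mitigation lists above (slides 23 and 26), and not code from the talk or from NDPMon: a minimal Router Advertisement monitor that parses ICMPv6 RAs and flags advertisements from routers, link-layer addresses or prefixes that are not on a site allow-list. The allow-list, the packet samples and the alert texts are constructed here; packets are raw IPv6 without link-layer framing, and RAs carried behind extension headers or in fragments are reported as uninspected rather than silently dropped.

```python
import ipaddress
import struct

ICMPV6, RA_TYPE = 58, 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO = 1, 3

# Assumption: the legitimate routers on this link (link-local address -> MAC) and
# the only prefixes they are allowed to advertise.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1"): "00:11:22:33:44:01"}
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}


def parse_ra(pkt):
    """Parse a raw IPv6 packet (no link-layer header) carrying an ICMPv6 RA; None otherwise."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None    # RAs behind extension headers or in fragments are not inspected here
    icmp = pkt[40:]
    if icmp[0] != RA_TYPE:
        return None
    _hop_limit, _flags, lifetime = struct.unpack("!BBH", icmp[4:8])
    ra = {"src": ipaddress.IPv6Address(pkt[8:24]), "lladdr": None,
          "prefixes": [], "lifetime": lifetime}
    off = 16                                    # options follow the 16-byte RA body
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            break                               # malformed option (RFC 4861: length > 0)
        if otype == OPT_SRC_LLADDR and olen == 8:
            ra["lladdr"] = ":".join(f"{b:02x}" for b in icmp[off + 2:off + 8])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            plen, prefix = icmp[off + 2], ipaddress.IPv6Address(icmp[off + 16:off + 32])
            ra["prefixes"].append(ipaddress.IPv6Network(f"{prefix}/{plen}", strict=False))
        off += olen
    return ra


def check_ra(pkt):
    """Return a list of alert strings for one captured RA (empty list = looks legitimate)."""
    ra = parse_ra(pkt)
    if ra is None:
        return ["uninspected: not a plain IPv6/ICMPv6 Router Advertisement"]
    alerts = []
    if ra["src"] not in KNOWN_ROUTERS:
        alerts.append(f"RA from unknown router {ra['src']}")
    elif ra["lladdr"] != KNOWN_ROUTERS[ra["src"]]:
        alerts.append(f"RA from {ra['src']} with unexpected link-layer address {ra['lladdr']}")
    for p in ra["prefixes"]:
        if p not in KNOWN_PREFIXES:
            alerts.append(f"unexpected prefix {p} announced by {ra['src']}")
    if ra["src"] in KNOWN_ROUTERS and ra["lifetime"] == 0:
        alerts.append(f"{ra['src']} withdrew itself as default router (lifetime 0)")
    return alerts


def build_ra(src, mac, prefix, lifetime=1800):
    """Constructed sample RA: IPv6 header + RA body + source link-layer + prefix information."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    net = ipaddress.IPv6Network(prefix)
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    icmp += bytes([OPT_SRC_LLADDR, 1]) + mac_bytes
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    icmp += net.network_address.packed
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + icmp
```

The monitor only sees what reaches it in plain ICMPv6, so treating “uninspected” as a finding in its own right is what keeps the check honest about its visibility gap.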
SLIDE 27

IPsec Support

SLIDE 28

Brief overview and considerations

• Myth: “IPv6 is more secure than IPv4 because security was incorporated in the design of the protocol, rather than as an ‘add-on’”
• This myth originated from the fact that IPsec support is mandatory for IPv6, but optional for IPv4
• In practice, this is irrelevant:
  • What is mandatory is IPsec support – not IPsec usage
  • And nevertheless, many IPv4 implementations support IPsec, while there exist IPv6 implementations that do not support IPsec
  • Virtually all the same IPsec deployment obstacles present in IPv4 are also present in IPv6
• The IETF has acknowledged this fact, and is currently changing IPsec support in IPv6 to “optional”
• Conclusion: there is no reason to expect increased use of IPsec as a result of IPv6 deployment

SLIDE 29

Security Implications of Transition/Co-existence Mechanisms

SLIDE 30

Brief overview

• The original IPv6 transition plan was dual-stack
  • Deploy IPv6 along IPv4 before we really needed it
  – Yes, it failed.
• Current strategy is a transition/co-existence based on a toolset:
  • Dual Stack
  • “Configured” Tunnels
  • Automatic Tunnels (ISATAP, 6to4, Teredo, etc.)
  • Translation (e.g., NAT64)
• Dual stack is usually enabled by default in most systems.
• Some automatic-tunnelling mechanisms (e.g. Teredo and ISATAP) are enabled by default in some systems (e.g., Windows Vista and Windows 7)

SLIDE 31

Security considerations

• Transition technologies increase the complexity of the network, and thus the number of potential vulnerabilities.
• Many of these technologies introduce “Single Points of Failure” in the network.
• Some of them have privacy implications:
  • Which networks/systems does your Teredo or 6to4 traffic traverse?
  • This may (or may not) be an important issue for your organization

SLIDE 32

Security considerations (II)

• Transition/co-existence traffic usually results in complex traffic (with multiple encapsulations).
• This increases the difficulty of performing Deep Packet Inspection (DPI) (e.g., preventing the enforcement of some filtering policies or detection by NIDS).
• Example: structure of a Teredo packet.

| IPv4 Header | UDP Header | IPv6 Header | IPv6 Extension Headers | TCP segment |

• “Exercise”: write a libpcap filter to detect TCP/IPv6 packets transported over Teredo, and destined to host 2001:db8::1, TCP port 25.
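One way to work the exercise above, as an added example rather than the talk’s own answer: a fixed-offset libpcap expression that matches the simple Teredo layout, next to a small Python parser that also follows Teredo’s origin/authentication indications and the IPv6 extension headers shown in the packet structure, which fixed offsets cannot. The filter string, the constructed packets and their addresses are assumptions made here; the builder emits the packets as raw IPv4 bytes without link-layer framing.

```python
import ipaddress
import struct

TEREDO_UDP_PORT = 3544
TARGET_DST = ipaddress.IPv6Address("2001:db8::1")
TARGET_PORT = 25

# Fixed-offset libpcap expression for the exercise (assumption: no Teredo
# indications and no IPv6 extension headers). udp[8] is the first byte of the
# UDP payload, i.e. the IPv6 header; Next Header is at +6, the destination
# address at +24..+39 and the TCP destination port at +40+2.
PCAP_FILTER = ("udp port 3544 and udp[8] & 0xf0 = 0x60 and udp[14] = 6"
               " and udp[32:4] = 0x20010db8 and udp[36:4] = 0 and udp[40:4] = 0"
               " and udp[44:4] = 1 and udp[50:2] = 25")

# Extension headers that may sit between the IPv6 header and the TCP segment:
# Hop-by-Hop (0), Routing (43), Fragment (44), Destination Options (60).
EXT_HEADERS = {0, 43, 44, 60}


def udp_payload(pkt):
    """Return the UDP payload of a raw IPv4 packet if it is UDP on the Teredo port, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    udp = pkt[(pkt[0] & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", udp[:4])
    return udp[8:] if TEREDO_UDP_PORT in (sport, dport) else None


def fixed_offset_match(pkt):
    """Exactly what PCAP_FILTER would match: same offsets, no header walking."""
    p = udp_payload(pkt)
    return (p is not None and len(p) >= 44 and p[0] & 0xF0 == 0x60 and p[6] == 6
            and p[24:40] == TARGET_DST.packed and p[42:44] == TARGET_PORT.to_bytes(2, "big"))


def strip_teredo_indications(p):
    """Skip the optional Teredo authentication (0x0001) and origin (0x0000) indications
    (RFC 4380). An IPv6 header never starts with 0x00, so the loop stops at the packet."""
    while len(p) >= 4 and p[0] == 0 and p[1] in (0, 1):
        if p[1] == 0:                  # origin: tag (2) + obfuscated port (2) + IPv4 (4)
            p = p[8:]
        else:                          # auth: tag, ID-len, AU-len, ID, value, nonce (8), confirmation (1)
            p = p[4 + p[2] + p[3] + 9:]
    return p


def walk_ipv6(v6):
    """Return (upper-layer protocol, destination, upper-layer bytes) after the extension headers."""
    if len(v6) < 40 or v6[0] >> 4 != 6:
        return None
    nxt, dst, off = v6[6], ipaddress.IPv6Address(v6[24:40]), 40
    while nxt in EXT_HEADERS:
        if len(v6) < off + 8:
            return None
        if nxt == 44:                  # Fragment header: fixed 8 bytes
            if struct.unpack("!H", v6[off + 2:off + 4])[0] >> 3:
                return None            # non-first fragment: the TCP header is not in this packet
            length = 8
        else:                          # Hdr Ext Len counts 8-octet units beyond the first 8
            length = (v6[off + 1] + 1) * 8
        nxt, off = v6[off], off + length
    return nxt, dst, v6[off:]


def teredo_smtp_match(pkt):
    """True if pkt is TCP/IPv6 over Teredo destined to TARGET_DST, TCP port TARGET_PORT."""
    p = udp_payload(pkt)
    parsed = walk_ipv6(strip_teredo_indications(p)) if p is not None else None
    if parsed is None:
        return False
    nxt, dst, upper = parsed
    return (nxt == 6 and dst == TARGET_DST and len(upper) >= 4
            and struct.unpack("!H", upper[2:4])[0] == TARGET_PORT)


def build_teredo_packet(ext=b"", first_nxt=6, origin=False, dst="2001:db8::1", dport=25):
    """Constructed sample: IPv4 / UDP 3544 / [origin indication] / IPv6 / [ext] / TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    body = ext + tcp
    v6 = (struct.pack("!IHBB", 6 << 28, len(body), first_nxt, 64)
          + ipaddress.IPv6Address("2001:0:c000:20a::1").packed     # constructed Teredo client
          + ipaddress.IPv6Address(dst).packed + body)
    ind = b"\x00\x00\xff\xff\xff\xff\xff\xff" if origin else b""   # constructed origin indication
    udp = struct.pack("!HHHH", 3544, 3544, 8 + len(ind) + len(v6), 0) + ind + v6
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address("192.0.2.10").packed,
                      ipaddress.IPv4Address("198.51.100.1").packed)
    return ip4 + udp


DEST_OPTS = bytes([6, 0, 1, 4, 0, 0, 0, 0])       # Destination Options: Next Header=TCP, one PadN
FRAGMENT = struct.pack("!BBHI", 6, 0, 0, 0x1234)  # first fragment (offset 0, M=0), Next Header=TCP
```

The same packet with a Destination Options header, a Fragment header or an origin indication in front of the IPv6 header slips past the fixed offsets but is still caught by the parser, which is the DPI problem the slide describes.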

SLIDE 33

Security Implications of IPv6 on IPv4 Networks

SLIDE 34

Brief overview

• Most general-purpose systems have some form of IPv6 support enabled by default.
• It may be in the form of “dual-stack”, and/or some transition/co-existence technology.
• This essentially means that an alleged “IPv4-only” network also includes a partial deployment of IPv6.

SLIDE 35

Security considerations

• An attacker could readily enable the “dormant” IPv6 support at local nodes (e.g., sending ICMPv6 RAs), or transition/co-existence technologies
• These technologies could possibly be leveraged to evade network controls.
• Transition technologies such as Teredo could result in increased (and unexpected) host exposure (e.g., even through NATs).
• Thus,
  • Even if you don’t plan to “use” IPv6, you should consider its implications on your network.
  • If a network is meant to be IPv4-only, make sure this is actually the case.

SLIDE 36

Areas in which further work is needed

SLIDE 37

Key areas in which further work is needed

• IPv6 resiliency
  • Implementations have not really been the target of attackers, yet
  • Only a handful of publicly available attack tools
  • Lots of vulnerabilities and bugs still to be discovered.
• IPv6 support in security devices
  • IPv6 transport is not broadly supported in security devices (firewalls, IDS/IPS, etc.)
  • This is key to be able to enforce security policies comparable with the IPv4 counterparts
• Education/Training
  • Pushing people to “Enable IPv6” point-and-click style is simply insane.
  • Training is needed for engineers, technicians, security personnel, etc., before the IPv6 network is running.

20 million engineers need IPv6 training, says IPv6 Forum

The IPv6 Forum - a global consortium of vendors, ISPs and national research & Education networks - has launched an IPv6 education certification programme in a bid to address what it says is an IPv6 training infrastructure that is "way too embryonic to have any critical impact." (http://www.itwire.com)

SLIDE 38

Some Conclusions

SLIDE 39

Some conclusions…

• Beware of IPv6 marketing and mythology!
• While IPv6 provides similar features to IPv4, it uses different mechanisms – and the devil is in the small details
• The security implications of IPv6 should be considered before it is deployed (not after!)
• Most systems have IPv6 support enabled by default, and this has implications on “IPv4-only” networks!
• Even if you are not planning to deploy IPv6 in the short term, most likely you will eventually do it
• It is time to learn about and experiment with IPv6!

SLIDE 40

Questions?

SLIDE 41

Thank you!

Fernando Gont
fgont@si6networks.com

IPv6 Hackers mailing-list: http://www.si6networks.com/community/

www.si6networks.com