the security impact of ipv6
play

The Security Impact of IPv6 How I Learned to Stop Worrying and Love - PowerPoint PPT Presentation

Mar 11, 2023 •551 likes •1.12k views

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1 Housekeeping This presentation consists of slides and audio. If you are experiencing any problems/ issues,

  1. The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1

  2. “ Housekeeping ” • This presentation consists of slides and audio. If you are experiencing any problems/ issues, please press the F5 key on your keyboard if you’re using W indow s , or Com m and + R if you’re on a Mac , to refresh your console, or close and re-launch the presentation. You can also view the Webcast Help Guide, by clicking on the “Help” widget in the bottom dock. • To control volume, adjust the master volume on your computer. • At the end of the presentation, you’ll see a survey URL on the final slide. Please take a minute to click on the link and fill it out to help us improve your next webinar experience. • You can download a PDF of these slides by clicking on the Resources widget in the bottom dock. • This presentation is being recorded and will be available for on-demand viewing in the next few days. You will receive an autom atic e-m ail notification when the recording is ready. • If you think of a question during the presentation, please type it into the Q&A box and click on the submit button. You do not need to wait until the end of the presentation to begin submitting questions. You may also use the Q&A box (and the survey at the end) to suggest topics for future webinars of interest to you. 2

  3. ACM Learning Center http: / / learning.acm.org • 1,350+ trusted technical books and videos by leading publishers including O’Reilly, Morgan Kaufmann, others • Online courses with assessments and certification-track mentoring, member discounts on tuition at partner institutions • Learning Webinars on big topics (Cloud/ Mobile Development, Cybersecurity, Big Data, Recommender Systems, SaaS, Agile, Natural Language Processing, Parallel Programming) • ACM Tech Packs on top current computing topics: Annotated Bibliographies compiled by subject experts • Popular video tutorials/ keynotes from ACM Digital Library, A.M. Turing Centenary talks/ panels • Podcasts with industry leaders/ award winners 3

  4. Talk Back • Use the Facebook widget in the bottom panel to share this presentation with friends and colleagues • Use Twitter widget to Tweet your favorite quotes from today’s presentation with hashtag # ACMWebinarIPv6 • Submit questions and comments via Twitter to @acmeducation – we’re reading them! 4

  5. Why IPv6 Scalability 5

  6. IPv4 vs. Reality IPv4 Design Today’s Reality Network Size Million’s of Hosts Billion’s Network Speed Kbit/MBit GBit RAM/System MBytes GBytes Network Use EDU/GOV COM Endpoints Servers/Workstations Mobile/Devices 6

  7. When did we run out of Addresses • We are out of IPv4 addresses since 1993 (RFC 1517) • CIDR is a “hack” to extend the life of IPv4 address space • Even with CIDR, IPv4 address space now exhausted 7

  8. What is today’s Internet • Internet of devices: Most IP endpoints are devices without a “user” • Mobile Internet: Biggest (only?) growth area right now is mobile devices • Security: Business transactions require more security 8

  9. IPv6 Design Goals • Scaling the Internet – More addresses – Simpler routing • Adjusting to Modern Hardware – More memory – Larger address buses in CPUs – Mobility 9

  10. IPv6 Header 1234 5678 1234 5678 1234 5678 1234 5678 Version Traffic Class Flow Label Payload Length Next Header Hop Limit Source Address (4x32 Bits) Target Address (4x32 Bits) 10

  11. Compare to IPv4 1234 5678 1234 5678 1234 5678 1234 5678 Version HL TOS Total Length IP ID Fragmentation TTL Protocol Header Checksum Source Address Target Address 11

  12. Extension Headers • Many of the complexities are moved to extension headers • Extension headers are optional • Order is recommended but not enforced • Can make IPv6 much more complex than IPv4 12

  13. Extension Headers IPv6 TCP IPv6 TCP Frag. Frag. TCP IPv6 RH 13

  14. Outline • Privacy • What happened to NAT? • Fake Routers • But I am not running IPv6! Why should I care? 14

  15. IPv6 Privacy 15

  16. IPv6 Privacy 16

  17. IPv6 Addresses 2001:DB8:ABCD:1234:abcd:efab:cdef:abcd Network Host (Interface) • 64 Bit to identify network – ISP may assign you / 48, / 56 or / 64 • 64 Bit to identify interface 17

  18. Interface ID • MAC Derived Privacy issues! • Privacy Enhanced / Temporary Hard to manage • DHCP Probably best “enterprise” solution. • Static 18

  19. Interface ID Recommendation • Home users / small business: Privacy enhanced addresses • Managed Networks: DHCP • Servers: DHCP / Static 19

  20. Who told you NAT is a But What about NAT? security feature in the first place? 20

  21. ULA Addresses • fc00: : / 7 reserved address space • Pick a random subnet fdaa: bbcc: ddee: : / 48 If you really like NAT, you can still do it! (ask your Vendor) 21

  22. NAT and IPv6 (don’t tell your kids!) • RFC 6296: IPv6-to-IPv6 Network Prefix Translation • Cisco: NPTv6 (Network Prefix Translation) • Juniper: basic-nat66 • ip6tables: -t nat66 22

  23. Sample Network 23

  24. Sample Network 24

  25. Sample Network Global ULA 25

  26. How is this different than IPv4? • Sure you can do the same in IPv4 • But in IPv6, no NAT should be the standard • Better vendor support? • Easier Management? • Maybe we should try to improve our networks? 26

  27. Vendor Support • IPv6 Firewalls have come a long way • Not all Firewalls support IPv6 (so what?) • Advanced features may be missing – Deep packet inspection? – Performance? 27

  28. Router Advertisements • “DHCP Lite” • Used to configure IP address • Router advertises first 64 bits, host picks the next 64 bits • In some cases, a DNS server and other settings may be configured 28

  29. Fake routers • Just like a rogue DHCP server • For DHCP we got DHCP Snooping in switches • For Router Advertisements, we got “RAGuard” in a few switches 29

  30. Router Advertisements • Switch needs to detect router advertisements • Sounds easy: “Next Header” is ICMPv6 and ICMPv6 Type is “Router Advertisement” 30

  31. RAGuard • Feature is some modern switches (few) to detect Router Advertisements and limit them to authorized ports. • Not widely implemented (unlike DHCP Snooping) 31

  32. RAGuard Bypass • ICMPv6 packets may include extension headers • “Next Header” field in IPv6 header may not indicate ICMPv6 • Switch has to look for last header 32

  33. RAGuard Bypass • ICMPv6 may be fragmented • Switch has to reassemble fragments to figure out if packet is a RA • Has to do it for all fragments where the NH is not a transport header 33

  34. But what happens if… • “I am not running IPv6” (one of the top 10 networking lies like: “All my critical devices are air gapped” ) 34

  35. IPv6 VPN Exfiltration User connecting from remote location back to an internal network 35

  36. IPv6 VPN Exfiltration Standard Solution: IPSEC (or other) VPN: All Traffic routed via VPN! 36

  37. IPv6 VPN Exfiltration Standard Solution: IPSEC (or other) VPN: All IPv4 Traffic routed via VPN! 37

  38. IPv6 VPN Exfiltration Attacker inserts IPv6 router IPv6 Internet 38

  39. I nterlude: DNS6 4 Host attempts to connect to an IPv4 Server IPv6 Only Host AAAA IPv4.example.com Router DNS Server 39

  40. I nterlude: DNS6 4 Host attempts to connect to an IPv4 Server IPv6 Only Host AAAA IPv4.example.com A IPv4.example.com Router DNS Server 40

  41. I nterlude: DNS6 4 Host attempts to connect to an IPv4 Server IPv6 Only Host 192.0.2.1 Router DNS Server 41

  42. I nterlude: DNS6 4 Host attempts to connect to an IPv4 Server IPv6 Only Host 64::c000:201 Router DNS Server 42

  43. I nterlude: DNS6 4 Host attempts to connect to an IPv4 Server IPv6 Only Host 64::c000:201 192.0.2.1 Router DNS Server 43

  44. IPv6 VPN Exfiltration Attacker inserts IPv6 router + DNS64! IPv6 Internet 44

  45. Testing Results • Still ongoing. Need to test various VPN/ OS combinations • Windows + IPSEC seems to be ok (uses VPN advertised DNS server only, does not request AAAA records if VPN is IPv4 only) 45

  46. TCP Session Reassembly • TCP uses “Sessions”: Establishes sequence of packets and allows receiver to detect missing packets • TCP stream starts with random initial sequence number (SEQ1) • Sequence number increments with number of bytes sent Packet 1 Packet 2 Packet 3 Packet 4  SEQ1  SEQ1+len(Packet 1) 46

  47. TCP Session Reassembly Problems • Designed to allow for error recovery • If an error is detected, affected data is resent • Intrusion Detection System (IDS) has to figure out which data is accepted and not accepted • Not an easy problem even in IPv4 47

  48. TCP Complications in IPv6 • Extension header may cause packet to be dropped by destination (or not) • For example: – Unknown destination options – Routing headers – Unknown routing options 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

501 views • 34 slides
Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen Status -00 posted on 25 January 2013 Some comments on the list (see later) Problem Statement

378 views • 10 slides
Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire dInformatique de Paris 6 Summary IPv6 Mobile IPv6 Security and Mobile IPv6 Protections by

669 views • 50 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations draft-savola-v6ops-security-overview-00.txt Pekka Savola, CSC/FUNET Overview Overview Look at different kinds of issues IPv6 protocol Transition mechanisms in general

853 views • 10 slides
IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda Introduction to Integralis IPv6 Security Concerns Questions Private & Confidential Continuous Secure Service Delivery Governance,

336 views • 21 slides
IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1

IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 1 04/12/2015' Presentation Objectives ! Create awareness of IPv6 Security implications. ! Highlight technical concepts on IPv6 weaknesses ! Describe

822 views • 36 slides
IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer

IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company Dept of Computer Sc. & Engg. LOGO Indian Institute of Technology Guwahati Agenda Outline Motivation for IPv6 Brief comparision between IPv6 and IPv4

290 views • 25 slides
IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break

IPv6 Security Training Course February 2019 09:00 - 09:30 Coffee, Tea 11:00 - 11:15 Break 13:00 - 14:00 Lunch 15:30 - 15:45 Break 17:30 End 2 Introductions Name Number in the list Experience with Security and IPv6

1.9k views • 173 slides
IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet

IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet

IPv6 Distributed Security Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet (jordi.palet@consulintel.es) 1 Motivation How would the deployment of IPv6 affect the security of a network? IPv6 enabled devices and networks bring

305 views • 19 slides
IPv6 Distributed Security Activity Status <draft-vives-v6ops-ipv6-security-ps-01> (Problem

IPv6 Distributed Security Activity Status <draft-vives-v6ops-ipv6-security-ps-01> (Problem

IPv6 Distributed Security Activity Status <draft-vives-v6ops-ipv6-security-ps-01> (Problem Statement) <draft-palet-v6ops-ipv6security-01> (Requirements) Alvaro Vives (alvaro.vives@consulintel.es) Jordi Palet

607 views • 14 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
IPv6?? Yawn amiright? Actually, IPv6 adoption is now very robust. E.g.: Google Clients

IPv6?? Yawn amiright? Actually, IPv6 adoption is now very robust. E.g.: Google Clients

Dont Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy Jakub (Jake) Czyz, University of Michigan & QuadMetrics, Inc. Matthew Luckie, University of Waikato Mark Allman, International Computer Science

552 views • 17 slides
Capturing the Laws of (Data) Nature Hannes Mhleisen, Martin Kersten & Stefan Manegold

Capturing the Laws of (Data) Nature Hannes Mhleisen, Martin Kersten & Stefan Manegold

Capturing the Laws of (Data) Nature Hannes Mhleisen, Martin Kersten & Stefan Manegold CIDR 2015 Statistical Model Fitting & DB? User gave me a model, lets see. I am storing some data. I need some of the observations to fit

464 views • 24 slides
? packets (example: packet voice). It is better to provide degraded service to everyone than

? packets (example: packet voice). It is better to provide degraded service to everyone than

Process Layer Process Process CSCE 515: Computer Network Transport Layer TCP UDP Programming ------ IP routing ICMP, ARP Network Layer IP & Wenyuan Xu RARP Department of Computer Science and Engineering University of South

472 views • 5 slides
Basic Internetworking (IP) CSCI 466: Networks Keith

Basic Internetworking (IP) CSCI 466: Networks Keith

Basic Internetworking (IP) CSCI 466: Networks Keith Vertanen Fall 2011 Overview Internetworking Service model Internet protocol (IP)

604 views • 35 slides
Introduction to exterior routing S-38.2121 / Fall-2005 / RKa, NB CIDR-1 Autonomous Systems

Introduction to exterior routing S-38.2121 / Fall-2005 / RKa, NB CIDR-1 Autonomous Systems

Introduction to exterior routing S-38.2121 / Fall-2005 / RKa, NB CIDR-1 Autonomous Systems An Autonomous System (AS) is a part of the Internet owned by a single organization. In an AS, usually one interior routing protocol is used

1.04k views • 18 slides
Naiad James Thomas Goals High-throughput batch processing Low-latency processing

Naiad James Thomas Goals High-throughput batch processing Low-latency processing

Naiad James Thomas Goals High-throughput batch processing Low-latency processing Iterative computation with streaming updates (novel contribution) For 100% in-memory workloads Novel Application, CIDR 2013 paper

423 views • 13 slides
Security Mechanisms Rahul Hiran , Niklas Carlsson, Nahid Shahmehri Linkping University, Sweden

Security Mechanisms Rahul Hiran , Niklas Carlsson, Nahid Shahmehri Linkping University, Sweden

Does Scale, Size, and Locality Matter? Evaluation of Collaborative BGP Security Mechanisms Rahul Hiran , Niklas Carlsson, Nahid Shahmehri Linkping University, Sweden 1 Routing attacks increasingly common Each day there are large numbers of

894 views • 58 slides
IP Routing 12 May, 2002 1 Subnetting: Subnet Addressing

IP Routing 12 May, 2002 1 Subnetting: Subnet Addressing

IP Routing 12 May, 2002 1 Subnetting: Subnet Addressing

346 views • 8 slides
CSE 461 FINAL EXAM REVIEW HELP YOURSELF TO SNACKS FINAL OVERVIEW Online final (through

CSE 461 FINAL EXAM REVIEW HELP YOURSELF TO SNACKS FINAL OVERVIEW Online final (through

CSE 461 FINAL EXAM REVIEW HELP YOURSELF TO SNACKS FINAL OVERVIEW Online final (through Catalyst) Starts Friday, late night Due by Monday, 5:00PM (hard deadline) Open book, open notes, open internet, but not open people

803 views • 51 slides

More recommend