SlideShare une entreprise Scribd logo

Presd1 09

N
Niels Groeneveld
1  sur  28
Télécharger pour lire hors ligne
IPv6 The Latest Security Challenge Cyber Defence Conference Tallin, Estonia 17 May 2010 Ron Broersma DREN Chief Engineer SPAWAR Network Security Manager ron@spawar.navy.mil 17-May-10 1
Agenda •  Brief introduction to IPv6 •  Implementing IPv6 across DREN •  New security challenges 17-May-10 2
Brief introduction to IPv6 17-May-10 3
IP version 6 •  “IP” (Internet Protocol) is the glue that makes the Internet work –  Every device on the network has an IP “address” •  What we use today is IP version 4 –  In production use for 27 years (1983), and showing its age –  32 bit addresses •  IPv6 is the next generation Internet protocol –  Huge address space (128 bit addresses) –  Aggregation based hierarchy for route table efficiency –  Simplified, fixed length header – better options support –  Mandatory IPsec (promise for improved security) –  Autoconfiguration, ease of renumbering –  Support for QoS •  The most important piece right now is that it has incredibly vast address space 17-May-10 4
The piece that has changed ISO 7 Layer Model Application Internet Stack Presentation Session Sockets Transport TCP, UDP Network IPv6 IP Link Mac Layer Physical 17-May-10 5
The Transition to IPv6 •  Running out of IPv4 address space –  Expected depletion in 2012 •  Every network connected device must upgrade. •  Transition to IPv6 should have happened by now –  delays in product availability and maturity –  apathy on all fronts, lack of sense of urgency –  other priorities 17-May-10 6
Implementation approach: “Dual Stack” •  IPv6 is not compatible with IPv4. –  They can exist side by side, but don’t interoperate. •  It is not possible to communicate between IPv4 and IPv6 Internets without translators. –  Translators are problematic, and we should avoid them. •  “Dual Stack” is when you run both protocols on all networks and systems. –  This allows full connectivity to both IPv4 and IPv6 Internets. –  It is the most pragmatic transition mechanism today if you have sufficient IPv4 addresses. •  When we speak of “transition”, we mean “transition to dual-stack”, not to “IPv6 only”. 17-May-10 7
Address exhaustion •  ARIN Board of Trustees Resolution dated 7 May 2007: RESOLUTION OF THE BOARD OF TRUSTEES OF ARIN ON INTERNET PROTOCOL NUMBERING RESOURCE AVAILABILITY WHEREAS, community access to Internet Protocol (IP) numbering Resources has proved essential to the successful growth of the Internet; and, WHEREAS, ongoing community access to Internet Protocol version 4 (IPv4) numbering resources can not be assured indefinitely; and, WHEREAS, Internet Protocol version 6 (IPv6) numbering resources are available and suitable for many Internet applications, BE IT RESOLVED, that this Board of Trustees hereby advises the Internet community that migration to IPv6 numbering resources is necessary for any applications which require ongoing availability from ARIN of contiguous IP numbering resources; and, BE IT ORDERED, that this Board of Trustees hereby directs ARIN staff to take any and all measures necessary to assure veracity of applications to ARIN for IPv4 numbering resources; and, BE IT RESOLVED, that this Board of Trustees hereby requests the ARIN Advisory Council to consider Internet Numbering Resource Policy changes advisable to encourage migration to IPv6 numbering resources where possible. Unanimously passed by the Board of Trustees on 7 May 2007. 17-May-10 8
IPv4 address depletion 17-May-10 9
Notice of IPv4 Address Depletion “Make your organization’s publicly accessible resources available via IPv6 as soon as possible” 17-May-10 10
Potential scenario •  Projected IPv4 address depletion in 2012 –  Address blocks become scarce commodity –  Broken into smaller pieces, and “sold” •  Then, IPv4 Routing tables exceed router capacity –  Upwards of 2M routes, won’t fit router memory –  Some parts of Internet become isolated •  Islands of IPv6-only –  Can’t get IPv4 addresses –  Don’t want complexity of dual stack –  National mandates •  No good IPv4/IPv6 translator solution yet –  But IETF is working on proposals. 17-May-10 11
IPv6 Deployment on DREN 17-May-10 12
Background •  DREN (Defense Research and Engineering Network) –  is DoD’s Internet Service Provider for the Research and Engineering community –  also serves as the DoD IPv6 “pilot” network •  Started the transition to IPv6 nearly 10 years ago •  In full production “dual stack” for some years now –  Significant operational experience, and lessons learned 17-May-10 13
Benefits already realized •  Adversaries can’t map nets, due to sparse addressing •  Vastly reduced routing tables, resulting in faster convergence •  Everything gets an address (or many of them), and NATs are eliminated. –  End to end model is restored –  With IPSEC, an end to end security model is possible –  Facilitates “one-IP one-service” model –  Improved battery life of network devices (sensors, cell phones) •  Multicast is greatly simplified –  Rendezvous Point (RP) embedded in multicast group address –  No more MSDP * NATs: Network Address Translators * IPSEC: Internet Protocol Security * MSDP: Multicast Source Discovery Protocol 17-May-10 14
IPv6 Security Issues 17-May-10 15
IPv6 Security Review •  Independent security review performed by SAIC for DREN during 2005 –  Publicly available •  Conclusions: –  protocol is no less secure than v4 17-May-10 16
Maturity of Implementations •  IPv4 is very mature, implementations are solid –  used heavily for over 20 years •  IPv6 is very new –  limited production experience –  vendors aren’t “eating their own dogfood” –  we haven’t found all the bugs yet Near certainty that we will find Denial of Service Vulnerabilities 17-May-10 17
Tunnels •  If systems are connected to a network that does not support IPv6, they may try to “tunnel” IPv6 in IPv4 packets –  Popular mechanisms are 6to4, ISATAP, Teredo –  Default in Windows •  Tunnels can bypass firewalls and other security protections –  can easily happen by accident –  you may not be aware that it is happening •  Recommendation: –  Block tunnels (IP Protocol 41) at security boundaries 17-May-10 18
Rogue routers •  In IPv6, routers announce themselves using “RA” (router advertisements) •  Systems on the network learn a default gateway from the RAs –  part of the auto-configuration feature of IPv6 •  Any system could pretend to be an IPv6 router and send RAs –  other systems will hear this and route traffic to this rogue router –  denial of service to the entire subnet •  Windows systems that have Internet Connection Sharing (ICS) enabled will do this automatically. •  Solution: –  Long term – Implement “RA Guard” when available –  Near term – set router priority to “high” on the true routers 17-May-10 19
THC report - 2008 •  http://www.thc.org •  Confirms early implementations are immature –  47 implementation bugs reported by June 2008 •  Conclusions: –  no serious new risks with IPv6 –  some security improvements over IPv4 •  scanning and worming will be harder •  no record-route, no uptime check •  easier filtering and attack tracing 17-May-10 20
Many products lack IPv6 support •  Many products that are critical to security infrastructure are not IPv6-enabled –  Firewall –  Web cache/proxy –  Load balancer –  Intrusion Detection System (IDS) –  Intrusion Prevention System (IPS) –  Many VPN products •  Both SSL VPNs and IPSEC VPNs –  Vulnerability assessment and forensics tools from most vendors 17-May-10 21
Privacy addresses •  See RFC 4941 •  Windows systems do this by default (and we don’t like it!) •  Breaks many things in our environment –  Forensics –  Stable DNS entries –  Automated management tools •  Could fix with DHCPv6, but client not available in important OS’s –  Windows XP, Mac OSX •  Would be nice if RA’s could say “don’t do this” •  So we have to visit every Windows machine to disable this. –  Breaks the “plug and play” goal of IPv6 for clients. •  How To: (next slide) 17-May-10 22
Disabling privacy addresses •  Windows XP ipv6 -p gpu UseTemporaryAddresses no •  Windows 2003 netsh interface ipv6 set privacy state=disabled store=persistent •  Windows Vista netsh interface ipv6 set privacy state=disabled store=persistent netsh interface ipv6 set global randomizeidentifiers=disabled netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent •  Windows 2008 netsh interface ipv6 set global randomizeidentifiers=disabled netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent 17-May-10 23
Dual Stack complexities •  Operating dual stack is like running two separate networks in parallel •  All security mechanisms must be equally applied to both network protocols –  otherwise one of them becomes the “weakest link” –  new entry vector for adversaries •  Addition of complexity –  makes it harder to maintain –  more prone to mistakes •  Recommendation: topological and security congruency –  same topology for both IPv4 and IPv6 components –  identical security policies, ACLs, defences, etc. 17-May-10 24
VPN problems •  Travelers and telecommuters use client VPNs to connect to the corporate Intranet securely –  Like Cisco IPSEC VPN or Juniper SSL VPN •  Only tunnels the IPv4 traffic (today) •  IPv6 traffic, if supported at all, goes outside this tunnel –  IPv6 traffic is now in the clear over the Internet, where user may think it is protected –  But it may be blocked by the corporate firewall •  Seriously impacts performance for IPv6-enabled remote users. •  Users disable IPv6 to fix it (bad scenario) •  Solution: –  Deploy ISATAP to Intranet. –  But MACs don’t have ISATAP client support. 17-May-10 25
Crisis response •  Deployment of anything in a crisis is prone to mistakes –  insufficient time to plan and design the solution –  insufficient time to develop or procure the best tools •  Waiting too long to deploy IPv6 will put you into a crisis scenario at some point •  Recommendation: deploy IPv6 now –  you should have been working on it for a few years now 17-May-10 26
Summary •  DREN has been successfully using IPv6 in a production environment, with many dual- stack systems and services, for years •  IPv6 presents some new security challenges, but it is fundamentally no less secure than IPv4 •  Most significant problem is the very limited deployment to date •  Strongest recommendation: IPv6-enable your public facing services now! 17-May-10 27
END 17-May-10 28

Recommandé

Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
Hands-on Experience with IPv6 Routing and Services
Hands-on Experience with IPv6 Routing and ServicesHands-on Experience with IPv6 Routing and Services
Hands-on Experience with IPv6 Routing and ServicesCisco Canada
 
Cameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingCameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingIPv6no
 
Norway - IPv6 World Leader: Tore Anderson, IPv6 guru, Redpill Linpro
Norway - IPv6 World Leader: Tore Anderson, IPv6 guru, Redpill LinproNorway - IPv6 World Leader: Tore Anderson, IPv6 guru, Redpill Linpro
Norway - IPv6 World Leader: Tore Anderson, IPv6 guru, Redpill LinproIPv6no
 
Ron Broersma dren-stavanger-22 nov2011
Ron Broersma dren-stavanger-22 nov2011Ron Broersma dren-stavanger-22 nov2011
Ron Broersma dren-stavanger-22 nov2011IPv6no
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsAusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsMark Smith
 
Jan Zorz - IPv6 and mobile emergency response teams
Jan Zorz - IPv6 and mobile emergency response teamsJan Zorz - IPv6 and mobile emergency response teams
Jan Zorz - IPv6 and mobile emergency response teamsIKT-Norge
 
Google and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleGoogle and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleIPv6no
 

Recommandé

Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
Hands-on Experience with IPv6 Routing and Services
Hands-on Experience with IPv6 Routing and ServicesHands-on Experience with IPv6 Routing and Services
Hands-on Experience with IPv6 Routing and ServicesCisco Canada
 
Cameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingCameron - TMO IPv6 Norway Meeting
Cameron - TMO IPv6 Norway MeetingIPv6no
 
Norway - IPv6 World Leader: Tore Anderson, IPv6 guru, Redpill Linpro
Norway - IPv6 World Leader: Tore Anderson, IPv6 guru, Redpill LinproNorway - IPv6 World Leader: Tore Anderson, IPv6 guru, Redpill Linpro
Norway - IPv6 World Leader: Tore Anderson, IPv6 guru, Redpill LinproIPv6no
 
Ron Broersma dren-stavanger-22 nov2011
Ron Broersma dren-stavanger-22 nov2011Ron Broersma dren-stavanger-22 nov2011
Ron Broersma dren-stavanger-22 nov2011IPv6no
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsAusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsMark Smith
 
Jan Zorz - IPv6 and mobile emergency response teams
Jan Zorz - IPv6 and mobile emergency response teamsJan Zorz - IPv6 and mobile emergency response teams
Jan Zorz - IPv6 and mobile emergency response teamsIKT-Norge
 
Google and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleGoogle and IPv6: Steinar H. Gunderson, Software engineer, Google
Google and IPv6: Steinar H. Gunderson, Software engineer, GoogleIPv6no
 
ARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities ReportARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities ReportARIN
 
Content over IPv6: no excuses
Content over IPv6: no excusesContent over IPv6: no excuses
Content over IPv6: no excusesIvan Pepelnjak
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
Application Engineered Routing: Allowing Applications to Program the Network
Application Engineered Routing: Allowing Applications to Program the NetworkApplication Engineered Routing: Allowing Applications to Program the Network
Application Engineered Routing: Allowing Applications to Program the NetworkCisco Canada
 
Jan zorz procurement-ripe-501
Jan zorz procurement-ripe-501Jan zorz procurement-ripe-501
Jan zorz procurement-ripe-501IPv6no
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIPOlle E Johansson
 
Sipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesSipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesOlle E Johansson
 
Ole Ipv4onlifesupport
Ole Ipv4onlifesupport Ole Ipv4onlifesupport
Ole Ipv4onlifesupport IPv6no
 
Getting The World IPv6 Enabled
Getting The World IPv6 EnabledGetting The World IPv6 Enabled
Getting The World IPv6 EnabledIPv6 Forum Singapore
 
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS NetworksG. Geshev
 
IPV6 Network Simulation Projects Research Guidance
IPV6 Network Simulation Projects Research GuidanceIPV6 Network Simulation Projects Research Guidance
IPV6 Network Simulation Projects Research GuidancePhdtopiccom
 
Sip & IPv6 - time for action!
Sip & IPv6 - time for action!Sip & IPv6 - time for action!
Sip & IPv6 - time for action!Olle E Johansson
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreOlle E Johansson
 
Ipv6 tutorial
Ipv6 tutorialIpv6 tutorial
Ipv6 tutorialsaryu2011
 
Geir Making the leap to ipv6 final
Geir Making the leap to ipv6 finalGeir Making the leap to ipv6 final
Geir Making the leap to ipv6 finalIPv6no
 
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...IPv6no
 
IPv6 translation methods
IPv6 translation methodsIPv6 translation methods
IPv6 translation methodsAhmad Hijazi
 
How to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsHow to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsCisco DevNet
 
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...Israeli Internet Association technology committee
 
Hannes astok digital_security_2012
Hannes astok digital_security_2012Hannes astok digital_security_2012
Hannes astok digital_security_2012E-Government Center Moldova
 
Elektronische identität in Estland
Elektronische identität in EstlandElektronische identität in Estland
Elektronische identität in EstlandTrägerverein SuisseID
 

Contenu connexe

Tendances

ARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities ReportARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities ReportARIN
 
Content over IPv6: no excuses
Content over IPv6: no excusesContent over IPv6: no excuses
Content over IPv6: no excusesIvan Pepelnjak
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
Application Engineered Routing: Allowing Applications to Program the Network
Application Engineered Routing: Allowing Applications to Program the NetworkApplication Engineered Routing: Allowing Applications to Program the Network
Application Engineered Routing: Allowing Applications to Program the NetworkCisco Canada
 
Jan zorz procurement-ripe-501
Jan zorz procurement-ripe-501Jan zorz procurement-ripe-501
Jan zorz procurement-ripe-501IPv6no
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIPOlle E Johansson
 
Sipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesSipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesOlle E Johansson
 
Ole Ipv4onlifesupport
Ole Ipv4onlifesupport Ole Ipv4onlifesupport
Ole Ipv4onlifesupport IPv6no
 
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS NetworksG. Geshev
 
IPV6 Network Simulation Projects Research Guidance
IPV6 Network Simulation Projects Research GuidanceIPV6 Network Simulation Projects Research Guidance
IPV6 Network Simulation Projects Research GuidancePhdtopiccom
 
Sip & IPv6 - time for action!
Sip & IPv6 - time for action!Sip & IPv6 - time for action!
Sip & IPv6 - time for action!Olle E Johansson
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreOlle E Johansson
 
Ipv6 tutorial
Ipv6 tutorialIpv6 tutorial
Ipv6 tutorialsaryu2011
 
Geir Making the leap to ipv6 final
Geir Making the leap to ipv6 finalGeir Making the leap to ipv6 final
Geir Making the leap to ipv6 finalIPv6no
 
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...IPv6no
 
IPv6 translation methods
IPv6 translation methodsIPv6 translation methods
IPv6 translation methodsAhmad Hijazi
 
How to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsHow to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsCisco DevNet
 

Tendances (20)

ARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities ReportARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities Report
 
Content over IPv6: no excuses
Content over IPv6: no excusesContent over IPv6: no excuses
Content over IPv6: no excuses
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norway
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
Application Engineered Routing: Allowing Applications to Program the Network
Application Engineered Routing: Allowing Applications to Program the NetworkApplication Engineered Routing: Allowing Applications to Program the Network
Application Engineered Routing: Allowing Applications to Program the Network
 
Jan zorz procurement-ripe-501
Jan zorz procurement-ripe-501Jan zorz procurement-ripe-501
Jan zorz procurement-ripe-501
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP
 
Sipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesSipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slides
 
Ole Ipv4onlifesupport
Ole Ipv4onlifesupport Ole Ipv4onlifesupport
Ole Ipv4onlifesupport
 
Getting The World IPv6 Enabled
Getting The World IPv6 EnabledGetting The World IPv6 Enabled
Getting The World IPv6 Enabled
 
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
[ZeroNights] G. Geshev - Warranty Void If Label Removed: Attacking MPLS Networks
 
IPV6 Network Simulation Projects Research Guidance
IPV6 Network Simulation Projects Research GuidanceIPV6 Network Simulation Projects Research Guidance
IPV6 Network Simulation Projects Research Guidance
 
Sip & IPv6 - time for action!
Sip & IPv6 - time for action!Sip & IPv6 - time for action!
Sip & IPv6 - time for action!
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
 
Ipv6 tutorial
Ipv6 tutorialIpv6 tutorial
Ipv6 tutorial
 
Geir Making the leap to ipv6 final
Geir Making the leap to ipv6 finalGeir Making the leap to ipv6 final
Geir Making the leap to ipv6 final
 
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...
Possible futures for the internet: Sander Steffann, IPv6 specialist, co-chair...
 
IPv6 translation methods
IPv6 translation methodsIPv6 translation methods
IPv6 translation methods
 
How to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and ChatbotsHow to Build Advanced Voice Assistants and Chatbots
How to Build Advanced Voice Assistants and Chatbots
 
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...
 

En vedette

Public sector innovation lessons from E-Estonia / Siim Sikkut
Public sector innovation lessons from E-Estonia / Siim SikkutPublic sector innovation lessons from E-Estonia / Siim Sikkut
Public sector innovation lessons from E-Estonia / Siim SikkutSiim Sikkut
 
How Estonia is helping to shape cyber resilience
How Estonia is helping to shape cyber resilienceHow Estonia is helping to shape cyber resilience
How Estonia is helping to shape cyber resiliencermdesilva
 

En vedette (7)

Hannes astok digital_security_2012
Hannes astok digital_security_2012Hannes astok digital_security_2012
Hannes astok digital_security_2012
 
Elektronische identität in Estland
Elektronische identität in EstlandElektronische identität in Estland
Elektronische identität in Estland
 
Public sector innovation lessons from E-Estonia / Siim Sikkut
Public sector innovation lessons from E-Estonia / Siim SikkutPublic sector innovation lessons from E-Estonia / Siim Sikkut
Public sector innovation lessons from E-Estonia / Siim Sikkut
 
How Estonia is helping to shape cyber resilience
How Estonia is helping to shape cyber resilienceHow Estonia is helping to shape cyber resilience
How Estonia is helping to shape cyber resilience
 
Presd2 06
Presd2 06Presd2 06
Presd2 06
 
The new era of smart
The new era of smart The new era of smart
The new era of smart
 
Cybersecurity by Mr Peter Pedak
Cybersecurity by Mr Peter PedakCybersecurity by Mr Peter Pedak
Cybersecurity by Mr Peter Pedak
 

Similaire à Presd1 09

4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn FortinetDigicomp Academy AG
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoDigicomp Academy AG
 
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onIPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onAPNIC
 
Tutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoTutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoAPNIC
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksSkeeve Stevens
 
12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of SouthamptonIPv6 Summit 2010
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarMen and Mice
 
IPv6 New RFCs
IPv6 New RFCsIPv6 New RFCs
IPv6 New RFCsAPNIC
 
Understanding i pv6 2
Understanding i pv6 2Understanding i pv6 2
Understanding i pv6 2srmanjuskp
 
2011 TWNIC SP IPv6 Transition
2011 TWNIC SP IPv6 Transition2011 TWNIC SP IPv6 Transition
2011 TWNIC SP IPv6 TransitionJohnson Liu
 
Campus networking
Campus networkingCampus networking
Campus networkingJisc
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fred Bovy
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6Zivaro Inc
 

Similaire à Presd1 09 (20)

Ip v4 & ip v6
Ip v4 & ip v6Ip v4 & ip v6
Ip v4 & ip v6
 
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live Demo
 
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onIPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-on
 
Tutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoTutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demo
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP Networks
 
10 fn s05
10 fn s0510 fn s05
10 fn s05
 
10 fn s05
10 fn s0510 fn s05
10 fn s05
 
IPv6 in cellular networks - Jordi Palet
IPv6 in cellular networks - Jordi PaletIPv6 in cellular networks - Jordi Palet
IPv6 in cellular networks - Jordi Palet
 
12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton
 
RIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinarRIPE 71 and IETF 94 reports webinar
RIPE 71 and IETF 94 reports webinar
 
IPv6 New RFCs
IPv6 New RFCsIPv6 New RFCs
IPv6 New RFCs
 
Understanding i pv6 2
Understanding i pv6 2Understanding i pv6 2
Understanding i pv6 2
 
Ipv6
Ipv6Ipv6
Ipv6
 
2011 TWNIC SP IPv6 Transition
2011 TWNIC SP IPv6 Transition2011 TWNIC SP IPv6 Transition
2011 TWNIC SP IPv6 Transition
 
I pv6
I pv6I pv6
I pv6
 
Ipv6 tutorial
Ipv6 tutorialIpv6 tutorial
Ipv6 tutorial
 
Campus networking
Campus networkingCampus networking
Campus networking
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6
 

Plus de Niels Groeneveld

Plus de Niels Groeneveld (8)

Presd2 04
Presd2 04Presd2 04
Presd2 04
 
Presd2 02
Presd2 02Presd2 02
Presd2 02
 
Presd1 17
Presd1 17Presd1 17
Presd1 17
 
Presd1 14
Presd1 14Presd1 14
Presd1 14
 
Presd1 13
Presd1 13Presd1 13
Presd1 13
 
Presd1 11
Presd1 11Presd1 11
Presd1 11
 
Presd1 10
Presd1 10Presd1 10
Presd1 10
 
Presd1 04
Presd1 04Presd1 04
Presd1 04
 

Presd1 09

  • 1. IPv6 The Latest Security Challenge Cyber Defence Conference Tallin, Estonia 17 May 2010 Ron Broersma DREN Chief Engineer SPAWAR Network Security Manager ron@spawar.navy.mil 17-May-10 1
  • 2. Agenda •  Brief introduction to IPv6 •  Implementing IPv6 across DREN •  New security challenges 17-May-10 2
  • 3. Brief introduction to IPv6 17-May-10 3
  • 4. IP version 6 •  “IP” (Internet Protocol) is the glue that makes the Internet work –  Every device on the network has an IP “address” •  What we use today is IP version 4 –  In production use for 27 years (1983), and showing its age –  32 bit addresses •  IPv6 is the next generation Internet protocol –  Huge address space (128 bit addresses) –  Aggregation based hierarchy for route table efficiency –  Simplified, fixed length header – better options support –  Mandatory IPsec (promise for improved security) –  Autoconfiguration, ease of renumbering –  Support for QoS •  The most important piece right now is that it has incredibly vast address space 17-May-10 4
  • 5. The piece that has changed ISO 7 Layer Model Application Internet Stack Presentation Session Sockets Transport TCP, UDP Network IPv6 IP Link Mac Layer Physical 17-May-10 5
  • 6. The Transition to IPv6 •  Running out of IPv4 address space –  Expected depletion in 2012 •  Every network connected device must upgrade. •  Transition to IPv6 should have happened by now –  delays in product availability and maturity –  apathy on all fronts, lack of sense of urgency –  other priorities 17-May-10 6
  • 7. Implementation approach: “Dual Stack” •  IPv6 is not compatible with IPv4. –  They can exist side by side, but don’t interoperate. •  It is not possible to communicate between IPv4 and IPv6 Internets without translators. –  Translators are problematic, and we should avoid them. •  “Dual Stack” is when you run both protocols on all networks and systems. –  This allows full connectivity to both IPv4 and IPv6 Internets. –  It is the most pragmatic transition mechanism today if you have sufficient IPv4 addresses. •  When we speak of “transition”, we mean “transition to dual-stack”, not to “IPv6 only”. 17-May-10 7
  • 8. Address exhaustion •  ARIN Board of Trustees Resolution dated 7 May 2007: RESOLUTION OF THE BOARD OF TRUSTEES OF ARIN ON INTERNET PROTOCOL NUMBERING RESOURCE AVAILABILITY WHEREAS, community access to Internet Protocol (IP) numbering Resources has proved essential to the successful growth of the Internet; and, WHEREAS, ongoing community access to Internet Protocol version 4 (IPv4) numbering resources can not be assured indefinitely; and, WHEREAS, Internet Protocol version 6 (IPv6) numbering resources are available and suitable for many Internet applications, BE IT RESOLVED, that this Board of Trustees hereby advises the Internet community that migration to IPv6 numbering resources is necessary for any applications which require ongoing availability from ARIN of contiguous IP numbering resources; and, BE IT ORDERED, that this Board of Trustees hereby directs ARIN staff to take any and all measures necessary to assure veracity of applications to ARIN for IPv4 numbering resources; and, BE IT RESOLVED, that this Board of Trustees hereby requests the ARIN Advisory Council to consider Internet Numbering Resource Policy changes advisable to encourage migration to IPv6 numbering resources where possible. Unanimously passed by the Board of Trustees on 7 May 2007. 17-May-10 8
  • 10. Notice of IPv4 Address Depletion “Make your organization’s publicly accessible resources available via IPv6 as soon as possible” 17-May-10 10
  • 11. Potential scenario •  Projected IPv4 address depletion in 2012 –  Address blocks become scarce commodity –  Broken into smaller pieces, and “sold” •  Then, IPv4 Routing tables exceed router capacity –  Upwards of 2M routes, won’t fit router memory –  Some parts of Internet become isolated •  Islands of IPv6-only –  Can’t get IPv4 addresses –  Don’t want complexity of dual stack –  National mandates •  No good IPv4/IPv6 translator solution yet –  But IETF is working on proposals. 17-May-10 11
  • 12. IPv6 Deployment on DREN 17-May-10 12
  • 13. Background •  DREN (Defense Research and Engineering Network) –  is DoD’s Internet Service Provider for the Research and Engineering community –  also serves as the DoD IPv6 “pilot” network •  Started the transition to IPv6 nearly 10 years ago •  In full production “dual stack” for some years now –  Significant operational experience, and lessons learned 17-May-10 13
  • 14. Benefits already realized •  Adversaries can’t map nets, due to sparse addressing •  Vastly reduced routing tables, resulting in faster convergence •  Everything gets an address (or many of them), and NATs are eliminated. –  End to end model is restored –  With IPSEC, an end to end security model is possible –  Facilitates “one-IP one-service” model –  Improved battery life of network devices (sensors, cell phones) •  Multicast is greatly simplified –  Rendezvous Point (RP) embedded in multicast group address –  No more MSDP * NATs: Network Address Translators * IPSEC: Internet Protocol Security * MSDP: Multicast Source Discovery Protocol 17-May-10 14
  • 16. IPv6 Security Review •  Independent security review performed by SAIC for DREN during 2005 –  Publicly available •  Conclusions: –  protocol is no less secure than v4 17-May-10 16
  • 17. Maturity of Implementations •  IPv4 is very mature, implementations are solid –  used heavily for over 20 years •  IPv6 is very new –  limited production experience –  vendors aren’t “eating their own dogfood” –  we haven’t found all the bugs yet Near certainty that we will find Denial of Service Vulnerabilities 17-May-10 17
  • 18. Tunnels •  If systems are connected to a network that does not support IPv6, they may try to “tunnel” IPv6 in IPv4 packets –  Popular mechanisms are 6to4, ISATAP, Teredo –  Default in Windows •  Tunnels can bypass firewalls and other security protections –  can easily happen by accident –  you may not be aware that it is happening •  Recommendation: –  Block tunnels (IP Protocol 41) at security boundaries 17-May-10 18
  • 19. Rogue routers •  In IPv6, routers announce themselves using “RA” (router advertisements) •  Systems on the network learn a default gateway from the RAs –  part of the auto-configuration feature of IPv6 •  Any system could pretend to be an IPv6 router and send RAs –  other systems will hear this and route traffic to this rogue router –  denial of service to the entire subnet •  Windows systems that have Internet Connection Sharing (ICS) enabled will do this automatically. •  Solution: –  Long term – Implement “RA Guard” when available –  Near term – set router priority to “high” on the true routers 17-May-10 19
  • 20. THC report - 2008 •  http://www.thc.org •  Confirms early implementations are immature –  47 implementation bugs reported by June 2008 •  Conclusions: –  no serious new risks with IPv6 –  some security improvements over IPv4 •  scanning and worming will be harder •  no record-route, no uptime check •  easier filtering and attack tracing 17-May-10 20
  • 21. Many products lack IPv6 support •  Many products that are critical to security infrastructure are not IPv6-enabled –  Firewall –  Web cache/proxy –  Load balancer –  Intrusion Detection System (IDS) –  Intrusion Prevention System (IPS) –  Many VPN products •  Both SSL VPNs and IPSEC VPNs –  Vulnerability assessment and forensics tools from most vendors 17-May-10 21
  • 22. Privacy addresses •  See RFC 4941 •  Windows systems do this by default (and we don’t like it!) •  Breaks many things in our environment –  Forensics –  Stable DNS entries –  Automated management tools •  Could fix with DHCPv6, but client not available in important OS’s –  Windows XP, Mac OSX •  Would be nice if RA’s could say “don’t do this” •  So we have to visit every Windows machine to disable this. –  Breaks the “plug and play” goal of IPv6 for clients. •  How To: (next slide) 17-May-10 22
  • 23. Disabling privacy addresses •  Windows XP ipv6 -p gpu UseTemporaryAddresses no •  Windows 2003 netsh interface ipv6 set privacy state=disabled store=persistent •  Windows Vista netsh interface ipv6 set privacy state=disabled store=persistent netsh interface ipv6 set global randomizeidentifiers=disabled netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent •  Windows 2008 netsh interface ipv6 set global randomizeidentifiers=disabled netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent 17-May-10 23
  • 24. Dual Stack complexities •  Operating dual stack is like running two separate networks in parallel •  All security mechanisms must be equally applied to both network protocols –  otherwise one of them becomes the “weakest link” –  new entry vector for adversaries •  Addition of complexity –  makes it harder to maintain –  more prone to mistakes •  Recommendation: topological and security congruency –  same topology for both IPv4 and IPv6 components –  identical security policies, ACLs, defences, etc. 17-May-10 24
  • 25. VPN problems •  Travelers and telecommuters use client VPNs to connect to the corporate Intranet securely –  Like Cisco IPSEC VPN or Juniper SSL VPN •  Only tunnels the IPv4 traffic (today) •  IPv6 traffic, if supported at all, goes outside this tunnel –  IPv6 traffic is now in the clear over the Internet, where user may think it is protected –  But it may be blocked by the corporate firewall •  Seriously impacts performance for IPv6-enabled remote users. •  Users disable IPv6 to fix it (bad scenario) •  Solution: –  Deploy ISATAP to Intranet. –  But MACs don’t have ISATAP client support. 17-May-10 25
  • 26. Crisis response •  Deployment of anything in a crisis is prone to mistakes –  insufficient time to plan and design the solution –  insufficient time to develop or procure the best tools •  Waiting too long to deploy IPv6 will put you into a crisis scenario at some point •  Recommendation: deploy IPv6 now –  you should have been working on it for a few years now 17-May-10 26
  • 27. Summary •  DREN has been successfully using IPv6 in a production environment, with many dual- stack systems and services, for years •  IPv6 presents some new security challenges, but it is fundamentally no less secure than IPv4 •  Most significant problem is the very limited deployment to date •  Strongest recommendation: IPv6-enable your public facing services now! 17-May-10 27