IPv4 vs. IPv6
    The Shifting Security Paradigm
Joe Klein CISSP CE|H CISM CISA NSA-IAM/IEM IA-CMM 6Sigma…
                  Scientific Hooligan, Longboat LLC

                   Cyber Security SME, North American IPv6 Task Force
                              Cyber Security SME, IPv6 Forum
                    Cyber Security SME, IPv6 Cyber Security Task Force
              Contributor to: NIST SP-119, NIST SP-123, DoD MO2, MO3.x,
    “Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government 2012”
                       JSKlein@gmail.com Voice: 703-594-1419
                            Blog: http://scientifichooligan.me/
Scope of the CyberSecurity problem
  What is the cost of cybercrime?
  Number of records compromised?
  Number of systems/networks/applications compromised?

      Millions? Billions? Trillions? Estimates?
Classes of Attack - Targeted
  Inbound Directed
    Flaws in technology
    Flaws in governance
    Flaws in people
    Flaws in adequate funding & staffing
  Insiders
    Disgruntled
    Opportunistic
    Untrained
  Vendors
    Supply Chain
Verizon - 2012 Data Breach Investigations Report

          Reference: http://securityblog.verizonbusiness.com/
What We Know About Today
Security measures?

“The best companies aren’t the ones who stop attacks – that’s important – it’s the companies that can spot intrusions quickly and respond to them in ways that limit the damage.”

“This idea that you can stop intrusions… just isn’t going to hold up against certain kinds of threats.”
              - Richard Bejtlich, TaoSecurity Blog
Our Current Security Model

Source: http://www.photographersdirect.com/buyers/stockphoto.asp?imageid=2249700
Two Models of Survivability

  “What If We Got A ‘Do-Over?’ An Overview of CRASH and MRC”, Howard Shrobe, Program Manager, DARPA I2O, 2012

The Human Body Uses Both

  “What If We Got A ‘Do-Over?’ An Overview of CRASH and MRC”, Howard Shrobe, Program Manager, DARPA I2O, 2012
Trust Network Model (RFC 1918) | IPv4
(The slide's scale runs from “Everyone” at the top to “No one” at the bottom; the X marks where the model sits.)

  X  All nodes and routers trust each other that:
        All devices behave correctly at Layer 2 (MAC) and Layer 3 (IP)
        Hosts always provide true information
        Routers always provide true information
     Behind the NAT: “Blind Trust behind the NAT”
        All devices behave correctly at Layer 2 (MAC) and Layer 3 (IP)
        Hosts always provide true information
           Internal communications
           Outbound-initiated communications trusted
           Inbound-initiated communications trusted
        Routers always provide true information

                  NETWORK CENTRIC – Fortress Model
Trust Node Model (RFC 3756) | IPv6
(Same scale, “Everyone” at the top to “No one” at the bottom; one X per environment.)

  X  Corporate Internet: “Blind Trust”
        All authenticated nodes and routers trust each other to:
           Behave correctly at the IP layer
           Not send any network discovery message that contains false information
           Not send any router discovery message that contains false information
  X  Public wireless: “Trust transit, trust but verify nodes”
        The router is trusted by the other nodes in the network to:
           Be a legitimate router
           Faithfully route packets between nodes on the local network
           Faithfully route packets to any connected external networks
        The router is trusted to:
           Behave correctly at the IP layer
           Not send any network discovery message that contains false information
           Not send any router discovery message that contains false information
  X  Ad hoc network: “Trust but verify hosts and transit”
        Nodes do not directly trust each other at the IP layer, nor do they trust routers

                         HOST CENTRIC – Organism Model
Survivability model | Resilience/Agility
  Preparing for, preventing, or otherwise resisting an adverse
   event;
  Absorbing, withstanding, or maintaining essential functions
   in the face of the event;
  Recovering from the event; and
  Adapting to (changing processes, systems, or training based
   on) the event, its consequences, and its implications for the
   future.

           This must be done as close to real-time as possible!

  Reference: www.cyber.st.dhs.gov/wp-content/.../Dr_Steven_King-_ASD_RE.pdf
Techniques for Resilience/Agility
  Adaptive:   Containment, Cyber Modeling, Deception, Detection, Distributedness, Diversity
  Integrity:  Isolation, Least Privilege, Monitoring, Cyber Maneuver, Precedence, Prioritization
  Pro-active: Randomness and unpredictability, Reconstitution, Redundancy, Topology Hiding, Attribution

                 IPv6 Features mapped to Resilience

            Harriet Goldman, MITRE, at the Secure and Resilient Cyber Architectures Workshop, Oct 29, 2010
Why is your Internet Edge Scanned? ISR
Why?
  Money
  Pre-attack preparation
  Research
How:
  Inbound – packets against your infrastructure
  Outbound – outbound queries & cookies
Steps:
  Intelligence – Footprinting
      Data retrieved from ‘third party sources’
  Surveillance – Scanning
      Directly or indirectly (services)
      Layers 3-7, 8-10
  Reconnaissance – Enumeration
      Directly or indirectly (services)
      Layers 3-7, 8-10
                                 Our focus is layers 3-7
Attackers' Assumptions
  One address per physical interface
  Inbound addresses = outbound addresses
  Device addresses stay the same over time
    Inside the same network
    With the same local address
  If a system is not responding,
    Do a port scan to find out whether it crashed or is now blocked
    Check back later to see if it was rebooted


               IPv4 thinking in an IPv6 Resilient World
Problems in IPv4
  Even a script kiddie can do it!
    Destination – your network
       Densely populated, ‘fast’ brute-force tools, single interface address
    Source of scan
       Needle in a haystack, fast vs. slow, limited context due to address fragmentation
       NAT and tunnels hide true sources
       Attribution is hard
Detecting | Impact of Host Density - 2006
IPv4 Brute Force Attack - Internet Survival Time
  Attacker
    Find & compromise an un-patched computer with a Windows operating system.
    Less than 6 minutes
      5+ min to find
      >1 min to compromise

  Identifying attacker
    Noise hides indications of an attack

    Reference: SANS Institute’s Internet Storm Center
IPv6 Brute Force Attack - Internet Survival Time

IPv4 Internet:
  1 Day
  Scope        Time                                      Unit
  Internet     298.26162                                 Days
  /24          0.02560                                   Minutes
  /27          0.00320                                   Minutes
  /28          0.00160                                   Minutes

IPv6 Internet:
  Scope        Time                                      Unit
  Internet     89,088,482,281,112,800,000,000,000        Millennium
  /32          20,742,528,671,657,900                    Millennium
  /56          1,236,351,053                             Millennium
  /64          4,829,496                                 Millennium

        Assumption: 10,000 scans per minute to identify endpoints,
                non-optimized, non-distributed scanners
            A brute-force target scan is now an indicator of an attack
                  Detectable at firewall and DNS server
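The scan-time arithmetic behind the table above, as an added example that is not part of the original deck. It assumes the slide's 10,000 probes per minute from one scanner and, for the millennium rows, 365.25-day years; the IPv4 rows reproduce the slide's figures, while the IPv6 rows differ from the slide's column by a constant conversion factor.

```python
"""Added example (not from the slides): the scan-time arithmetic behind the
'Internet Survival Time' table. Assumes the slide's rate of 10,000 probes
per minute from one non-optimized, non-distributed scanner."""

SCANS_PER_MINUTE = 10_000          # assumption stated on the slide
MINUTES_PER_DAY = 60 * 24
DAYS_PER_YEAR = 365.25             # Julian year (assumption of this example)
YEARS_PER_MILLENNIUM = 1_000
ADDRESS_BITS = {4: 32, 6: 128}


def address_count(family: int, prefix_len: int) -> int:
    """Number of addresses covered by a /prefix_len block of IPv4 or IPv6."""
    bits = ADDRESS_BITS[family]
    if not 0 <= prefix_len <= bits:
        raise ValueError(f"/{prefix_len} is not a valid IPv{family} prefix length")
    return 1 << (bits - prefix_len)


def scan_minutes(family: int, prefix_len: int, rate: int = SCANS_PER_MINUTE) -> float:
    """Minutes needed to probe every address in the block once."""
    return address_count(family, prefix_len) / rate


def scan_days(family: int, prefix_len: int, rate: int = SCANS_PER_MINUTE) -> float:
    return scan_minutes(family, prefix_len, rate) / MINUTES_PER_DAY


def scan_millennia(family: int, prefix_len: int, rate: int = SCANS_PER_MINUTE) -> float:
    return scan_days(family, prefix_len, rate) / DAYS_PER_YEAR / YEARS_PER_MILLENNIUM


def subnet_vs_ipv4_internet(prefix_len: int) -> int:
    """How many times longer one IPv6 /prefix_len takes than the entire IPv4
    Internet at the same rate. The rate cancels, so the ratio is exact."""
    return address_count(6, prefix_len) // address_count(4, 0)


def survival_table(rate: int = SCANS_PER_MINUTE) -> list:
    """Rows of (label, value, unit) mirroring the slide's two tables."""
    rows = [("IPv4 Internet", scan_days(4, 0, rate), "days")]
    rows += [(f"IPv4 /{p}", scan_minutes(4, p, rate), "minutes") for p in (24, 27, 28)]
    rows += [("IPv6 Internet", scan_millennia(6, 0, rate), "millennia")]
    rows += [(f"IPv6 /{p}", scan_millennia(6, p, rate), "millennia") for p in (32, 56, 64)]
    return rows


if __name__ == "__main__":
    for label, value, unit in survival_table():
        print(f"{label:<14} {value:>40,.5f} {unit}")
    # A single /64 holds 2**32 IPv4 Internets' worth of addresses.
    print(f"one IPv6 /64 = {subnet_vs_ipv4_internet(64):,} IPv4 Internets")
```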
Smart Targeting IPv6
Identify end devices based on IPv4 address (dual-stack)
     • Scan the IPv4 range, obtain host names and domains
     • Query AAAA records for those host names and domains

Identify end devices based on the IPv6 address identifier
  Technique              Method                               Example
  Linear search          find one device, scan upward         1, 2, 3 or a, b, c
  Bracketed search       find one device, scan around it      find 5, scan 1-4 & 5-9
  Pronounceable search                                        DEAD, BEEF, DEED, ABED, …
  Pattern search         based on an identified pattern       1, 10, 100, 1000, …
  Ports search                                                53, 80, 25, etc.
  Based on function      routers                              .1, .2

        Smart target scanning is an indicator of “interest”
           Detectable at firewall and DNS server?
Static Addresses | Use of Deception
  In A Record
    Insert host names which do not exist, with AAAA records
  Impact:
    Additional scanning of the address shows intention
    Poisons the attacker's current and future targeting list
  Insert honeypot
    Linked to all AAAA addresses listed in the AAAA deception records
    Detect attempts at compromise
  Management
    Addresses assigned and AAAA records – IPAM
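Detection logic for the indicators this slide and the two scanning slides above name (a brute-force or smart-target sweep across one /64 seen at the firewall, a lookup of a decoy name seen at the DNS server, and a packet to a decoy AAAA address), as an added example that is not code from the deck. The log formats, host names, thresholds and the 2001:db8::/32 documentation addresses are all constructed for the example.

```python
"""Added example (not from the slides): detection logic for the two
indicators the deck names, a brute-force / smart-target sweep and any
traffic to a deception AAAA address. Log formats, host names, thresholds
and addresses (RFC 3849 documentation prefix 2001:db8::/32) are all
constructed for this example."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Deception records: names that exist only as AAAA records, each pointing
# at a honeypot-monitored address that is published nowhere else.
DECOY_AAAA = {
    "vpn2.example.net": "2001:db8:1:10::dead:beef",
    "backup.example.net": "2001:db8:1:10::abed:cafe",
}
DECOY_ADDRS = {ipaddress.IPv6Address(a): n for n, a in DECOY_AAAA.items()}

# Constructed firewall log: 2001:db8:ffff::1 walks a /64 linearly (::1, ::2,
# ...) and then touches a decoy; 2001:db8:aaaa::7 is an ordinary client.
FIREWALL_LOG = """\
2012-11-15T10:00:01Z SRC=2001:db8:ffff::1 DST=2001:db8:1:10::1 DPT=80 ACTION=DROP
2012-11-15T10:00:02Z SRC=2001:db8:ffff::1 DST=2001:db8:1:10::2 DPT=80 ACTION=DROP
2012-11-15T10:00:03Z SRC=2001:db8:ffff::1 DST=2001:db8:1:10::3 DPT=80 ACTION=DROP
2012-11-15T10:00:04Z SRC=2001:db8:ffff::1 DST=2001:db8:1:10::4 DPT=80 ACTION=DROP
2012-11-15T10:00:05Z SRC=2001:db8:ffff::1 DST=2001:db8:1:10::5 DPT=80 ACTION=DROP
2012-11-15T10:00:09Z SRC=2001:db8:ffff::1 DST=2001:db8:1:10::dead:beef DPT=22 ACTION=ACCEPT
2012-11-15T10:03:00Z SRC=2001:db8:aaaa::7 DST=2001:db8:1:10::80 DPT=443 ACTION=ACCEPT
2012-11-15T10:03:02Z SRC=2001:db8:aaaa::7 DST=2001:db8:1:10::80 DPT=443 ACTION=ACCEPT
"""
FW_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) ACTION=(\S+)$")

# Constructed resolver query log (format assumed for this example).
DNS_LOG = """\
2012-11-15T09:59:58Z client=2001:db8:ffff::1 qname=vpn2.example.net qtype=AAAA
2012-11-15T09:59:59Z client=2001:db8:ffff::1 qname=www.example.net qtype=AAAA
2012-11-15T10:02:58Z client=2001:db8:aaaa::7 qname=www.example.net qtype=AAAA
"""
DNS_RE = re.compile(r"^(\S+) client=(\S+) qname=(\S+) qtype=(\S+)$")


def parse_firewall(text):
    """Parse the constructed firewall format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dpt, action = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst),
                       "dport": int(dpt), "action": action})
    return events


def decoy_hits(events):
    """Any packet to a decoy address shows intent: nothing legitimate ever
    resolves or connects to it. Returns (source, decoy name) pairs."""
    return [(str(e["src"]), DECOY_ADDRS[e["dst"]])
            for e in events if e["dst"] in DECOY_ADDRS]


def decoy_lookups(text):
    """A query for a decoy name exposes the targeting list at the DNS server,
    before any packet reaches the honeypot. Returns (client, qname) pairs."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m and m.group(3).lower() in DECOY_AAAA:
            hits.append((m.group(2), m.group(3)))
    return hits


def sweep_sources(events, window_s=60, min_targets=5):
    """Flag sources touching >= min_targets distinct addresses in one /64
    within window_s seconds. A /64 is too large to brute-force, so a client
    walking through it is the indicator; there is no scan noise to hide in.
    Returns {source: swept /64}."""
    touches = defaultdict(list)          # (src, /64) -> [(ts, dst), ...]
    for e in events:
        if e["dst"].version != 6:
            continue
        net = ipaddress.ip_network(f"{e['dst']}/64", strict=False)
        touches[(e["src"], net)].append((e["ts"], e["dst"]))
    flagged = {}
    for (src, net), seen in touches.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            in_window = {d for t, d in seen[i:] if (t - t0).total_seconds() <= window_s}
            if len(in_window) >= min_targets:
                flagged[str(src)] = str(net)
                break
    return flagged
```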
Survivability model | IPv6 Abundance
  Summary:
    Little noise based on scanning – easier to ID attackers
    IPv6 devices with obscure names and random addresses are
     undiscoverable for inbound connections
    Separating inbound and outbound connections breaks attacker
     preconceptions
    Use of dual stack improves the target list for attackers
    Techniques exist to provide pre-attack
Evolving IPv6 Defensive Tool Kit – Can’t be done on IPv4!
    Large Local Segments
    Large Network
    Non Routable Addresses (aka RFC 1918) via ULA
    Secure Neighbor Discovery (SEND) - Crypto-Generated Address (CGA)
    IPSEC (AH & ESP) H-G | G-G | H-H | Tunnel & Transport
    With Extension Headers | H-G-G-H
  Server Enclave Domain Isolation (SEDI)
    Common Architecture Label IPv6 Security Option (CALIPSO)
    DHCPv6 – Multi-Interface setup & signed
    Multicast NTPv4 with Autokey public key authentication
    Leverage DNSSec to store public keys of registered devices
    Leverage DNSSec with ‘split-brain’ to limit disclosure
    Multicast Signature and Security Information – “Parallel Push”
    Fast Address Maneuvering
    Attribution
    Infrastructure Hiding
Take away
  Security methods have failed
  Resilience and Agility provide a solution
  IPv6 is not about the numbers, but about bringing resilience
   and agility tools to the defender
  Many resilience techniques have yet to be implemented by
   vendors, ask for them repeatedly or call me
  Enjoy the remainder of the conference!
Where do attackers find vulnerabilities?
  All systems have vulnerabilities
  1.  Design and Architecture Phase (RFC, IEEE, W3C, ITU, etc)
  2.  Development Phase (Coding)
  3.  Architecting, Implementation and Deployment (Staff,
      Procedures, Governance, etc)
  4.  Management (Patching, Configuration Management, etc)
  5.  End of Life, Refresh & Replacement

IPv6 Security by Joe Klein at gogoNET LIVE! 3 IPv6 Conference

9. Trust Network Model (RFC 1918) | IPv4
  Everyone: all nodes and routers trust each other that:
    All devices behave correctly at Layer 2 (MAC) and Layer 3 (IP)
    Hosts always provide true information
    Routers always provide true information
  Behind the NAT: "Blind Trust behind the NAT"
    All devices behave correctly at Layer 2 (MAC) and Layer 3 (IP)
    Hosts always provide true information
    Internal communications are trusted
    Outbound-initiated communications are trusted
    Inbound-initiated communications are trusted
    Routers always provide true information
  No one
  NETWORK CENTRIC – Fortress Model
10. Trust Node Model (RFC 3756) | IPv6
  Everyone
  Corporate Intranet: "Blind Trust"
    All authenticated nodes and routers trust each other to:
      Behave correctly at the IP layer
      Not send any network discovery message that contains false information
      Not send any router discovery message that contains false information
  Public wireless: "Trust transit, trust but verify nodes"
    The router is trusted by the other nodes in the network to:
      Be a legitimate router
      Faithfully route packets between the local network
      Faithfully route packets to any connected external networks
    The router is trusted to:
      Behave correctly at the IP layer
      Not send any network discovery messages that contain false information
      Not send any router discovery messages that contain false information
  Ad hoc network: "Trust but verify hosts and transit"
    Nodes do not directly trust each other at the IP layer, nor do they trust routers
  No one
  HOST CENTRIC – Organism Model
11. Survivability model | Resilience/Agility
  Preparing for, preventing, or otherwise resisting an adverse event;
  Absorbing, withstanding, or maintaining essential functions in the face of the event;
  Recovering from the event; and
  Adapting to (changing processes, systems, or training based on) the event, its consequences, and its implications for the future.
  This must be done as close to real-time as possible!
  Reference: www.cyber.st.dhs.gov/wp-content/.../Dr_Steven_King-_ASD_RE.pdf
12. Techniques for Resilience/Agility – IPv6 Features mapped to Resilience
  Techniques listed: Adaptive, Integrity, Pro-active, Containment, Isolation, Randomness and unpredictability, Cyber Modeling, Least Privilege, Reconstitution, Deception, Monitoring, Redundancy, Detection, Cyber Maneuver, Topology Hiding, Distributedness, Precedence, Attribution, Diversity, Prioritization
  Source: Harriet Goldman, MITRE, at the Secure and Resilient Cyber Architectures Workshop, Oct 29, 2010
13. Why is your Internet Edge Scanned? ISR
  Why?
    Money
    Pre-attack preparation
    Research
  How:
    Inbound – packets against your infrastructure
    Outbound – outbound queries & cookies
  Steps:
    Intelligence – Footprinting: data retrieved from 'Third Party Sources'
    Surveillance – Scanning: directly or indirectly (services); Layer 3-7, 8-10
    Reconnaissance – Enumeration: directly or indirectly (services); Layer 3-7, 8-10
  Our focus is layer 3-7
14. Attacker's Assumptions – IPv4 thinking in an IPv6 Resilient World
  One address per physical interface
  Inbound addresses = outbound addresses
  Device addresses stay the same over time
    Inside the same network
    With the same local address
  If a system is not responding:
    Do a port scan to find out whether it crashed or is now blocked
    Check back later to see if it was rebooted
15. Problems in IPv4
  Even a script kiddie can do it!
  Destination – your network: densely populated, 'fast' brute-force tools, single interface address
  Source of scan: needle in a haystack, fast vs. slow, limited context due to address fragmentation
  NAT and tunnels hide true sources
  Attribution is hard
16. Detecting | Impact of Host Density – 2006 IPv4 Brute Force Attack – Internet Survival Time
  Attacker: find & compromise an un-patched computer with a Windows operating system
    Less than 6 minutes: 5+ min to find, >1 min to compromise
  Identifying the attacker: noise hides indications of an attack
  Reference: SANS Institute's Internet Storm Center
17. IPv6 Brute Force Attack – Internet Survival Time
  Assumption: 10,000 scans per minute to identify endpoints; non-optimized, non-distributed scanners
  IPv4 Internet: 1 Day
    Entire Internet: 298.26162 days
    /24: 0.02560 minutes
    /27: 0.00320 minutes
    /28: 0.00160 minutes
  IPv6 Internet:
    Entire Internet: 89,088,482,281,112,800,000,000,000 millennia
    /32: 20,742,528,671,657,900 millennia
    /56: 1,236,351,053 millennia
    /64: 4,829,496 millennia
  A brute force target scan is now an indicator of an attack
  Detectable at the firewall and DNS server
18. Smart Targeting IPv6
  Identify end devices based on IPv4 address (dual-stack):
    Scan the IPv4 range, obtain host names.domains
    Query AAAA based on names.domains
  Identify end devices based on the IPv6 address identifier:
    Linear search: find one device, scan up 1, 2, 3 or a, b, c
    Bracketed search: find 1 device, scan around it; find 5, scan 1-4 & 5-9
    Pronounceable search: DEAD, BEEF, DEED, ABED, …
    Pattern search: based on an identified pattern, 1, 10, 100, 1000, …
    Port search: 53, 80, 25, etc.
    Based on function: routers .1, .2
  Smart target scanning is an indicator of "interest"
  Detectable at the firewall and DNS server?
19. Static Addresses | Use of Deception
  In the A record: insert host names which do not exist, with AAAA records
  Impact:
    Additional scanning of the address shows intention
    Poisons the attacker's current and future targeting list
  Insert a honeypot:
    Linked to all addresses listed in the AAAA deception records
    Detects attempts at compromise
  Management: addresses assigned and AAAA records – IPAM
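Slides 17 through 19 say that brute-force scans, smart-target scans and hits on decoy AAAA names are detectable at the firewall and DNS server. As an added example that is not part of the deck, the Python below runs that detection over constructed BIND-style query log lines and netfilter-style firewall lines; the decoy names, the 2001:db8::/32 documentation addresses and the log formats are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed decoy names (slide 19): AAAA records pointing at addresses that
# only the honeypot answers. No legitimate client resolves or connects to them.
DECOY_AAAA = {"mail2.example.net": "2001:db8:1::25", "vpn-old.example.net": "2001:db8:1::1:1"}
DECOY_ADDRS = {ipaddress.ip_address(a) for a in DECOY_AAAA.values()}
DNS_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN AAAA")  # BIND-style
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+)")                       # netfilter-style

def decoy_queries(dns_lines):
    """Map each querying client to the decoy names it asked for."""
    hits = defaultdict(list)
    for line in dns_lines:
        m = DNS_RE.search(line)
        if m and m.group(2).rstrip(".") in DECOY_AAAA:
            hits[m.group(1)].append(m.group(2).rstrip("."))
    return dict(hits)

def scan_indicators(fw_lines, run_len=4):
    """Tag sources 'decoy' (honeypot address hit) or 'linear' (run_len consecutive IDs in one /64, slide 18)."""
    seen, tags = defaultdict(set), defaultdict(set)
    for line in fw_lines:
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst = m.group(1), ipaddress.ip_address(m.group(2))
        seen[src].add(int(dst))
        if dst in DECOY_ADDRS:
            tags[src].add("decoy")
    for src, addrs in seen.items():
        per64 = defaultdict(list)  # bucket by the upper 64 bits (the /64)
        for a in addrs:
            per64[a >> 64].append(a)
        for ids in per64.values():
            ids.sort()
            run = 1
            for prev, cur in zip(ids, ids[1:]):
                run = run + 1 if cur == prev + 1 else 1
                if run >= run_len:
                    tags[src].add("linear")
                    break
    return dict(tags)

# Constructed sample logs: one client resolves and then contacts a decoy,
# another walks four neighbouring interface IDs in a /64.
DNS_LOG = ["client 2001:db8:ffff::10#51337: query: www.example.net IN AAAA",
           "client 2001:db8:ffff::10#51338: query: mail2.example.net IN AAAA"]
FW_LOG = ["SRC=2001:db8:ffff::10 DST=2001:db8:1::25 DPT=25"] + [
    f"SRC=2001:db8:bbbb::1 DST=2001:db8:2::{i} DPT=80" for i in range(1, 5)]
```

A production version would feed the tagged sources into the firewall as the slides suggest; the /64 bucketing is what makes the linear-search check work against sparse IPv6 segments.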
20. Survivability model | IPv6 Abundance
  Summary:
    Little noise from scanning – easier to identify attackers
    IPv6 devices with obscure names and random addresses are undiscoverable for inbound connections
    Separating inbound and outbound connections breaks attacker preconceptions
    Use of dual stack improves the target list for attackers
    Techniques exist to provide pre-attack
21. Evolving IPv6 Defensive Tool Kit – Can't be done on IPv4!
  Large local segments
  Large network
  Non-routable addresses (aka RFC 1918) via ULA
  Secure Neighbor Discovery (SEND) – Cryptographically Generated Addresses (CGA)
  IPsec (AH & ESP): H-G | G-G | H-H | tunnel & transport
    With extension headers | H-G-G-H
  Server Enclave Domain Isolation (SEDI)
  Common Architecture Label IPv6 Security Option (CALIPSO)
  DHCPv6 – multi-interface setup & signed
  Multicast NTPv4 with Autokey public key authentication
  Leverage DNSSEC to store public keys of registered devices
  Leverage DNSSEC with 'split-brain' to limit disclosure
  Multicast signature and security information – "Parallel Push"
  Fast address maneuvering
  Attribution
  Infrastructure hiding
22. Take away
  Security methods have failed
  Resilience and agility provide a solution
  IPv6 is not about the numbers, but about bringing resilience and agility tools to the defender
  Many resilience techniques have yet to be implemented by vendors; ask for them repeatedly or call me
  Enjoy the remainder of the conference!
24. Where do attackers find vulnerabilities?
  All systems have vulnerabilities
  1. Design and architecture phase (RFC, IEEE, W3C, ITU, etc.)
  2. Development phase (coding)
  3. Architecting, implementation and deployment (staff, procedures, governance, etc.)
  4. Management (patching, configuration management, etc.)
  5. End of life, refresh & replacement