SlideShare une entreprise Scribd logo

IPV6 SIMPLE SECURITY CAPABILITIES

Télécharger en tant que KEY, PDF
Olle E Johansson
Olle E Johansson

A presentation based on RFC 6092 that presents recommendations for devices that operate IPv6 firewalls for home or small business networks.

Technologie
1  sur  60
IPV6 SIMPLE SECURITY CAPABILITIES. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB.
ABSTRACT • The RFC which this presentation is based upon is focused on IPv6 gateway CPEs - home routers, business Internet gateways. • TheRFC is informational and refers to other RFCs that are standard documents. • TheRFC was contributed to by a large group of very experienced TCP/IP network engineers
COPYRIGHT FOR THE RFC Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
OVERVIEW For the purposes of this document, residential Internet gateways are assumed to be fairly simple devices with a limited subset of the full range of possible features. They function as default routers [RFC4294] for a single local-area network, e.g., an Ethernet network, a Wi-Fi network, or a bridge between two or more such segments. They have only one interface by which they can access the Internet service at any one time, using any of several possible sub-IP mechanisms, including tunnels and transition mechanisms. In referring to the security capabilities of residential gateways, it is reasonable to distinguish between their "interior" network, i.e., the local-area network, and their "exterior" networks, e.g., the public Internet and the networks of Internet service providers. This document is concerned only with the behavior of IP packet filters that police the flow of traffic between the interior IPv6 network and the exterior IPv6 networks of residential Internet gateways.
NOT A STANDARD, BUT VERY USEFUL • Even though this RFC is not a standards-track document, it’s a very useful document • If you refer to this document in your procurement process, you have a good reference • Some requirements can of course be discussed - and we hope they will be! • Feedback is of course welcome - on Facebook, Twitter or as a comment on our web page.
RECOMMENDED OPERATIONAL GOALS FOR THE FIREWALL • Check all traffic to and from Internet for basic sanity • Allow tracking of application usage by source and destination network addresses and ports • Provide a barrier agains untrusted external influences • Allow manually configured exceptions • Isolate local network DHCPv6 and DNS resolver services from the public Internet RFC 4864
50 RECOMMENDATIONS Read the RFC for details and references to other documents and web pages. The RFC has much more background material. This is just a checklist based on the RFC to simplify your checks with current products and firewall rulesets.
STATELESS FILTERS: 1. MULTICAST SOURCE • Packets bearing multicast source address in their outer IPv6 headers MUST NOT be forwarded or transmitted on any interface
STATELESS FILTERS: 2. MULTICAST DESTINATION • Packetsbearing multicast destination addresses in their outer IPv6 headers of equal or narrower scope than the configured scope boundary level of the gateway MUST NOT be forwarded in any direction. • The default scope SHOULD be organization-local scope. See RFC 4007 for scopes.
STATELESS FILTERS: 3. FORBIDDEN ADDRESSES • Packetsbearing source and/or destination addresses forbidden to appear in the outer headers of packets transmitted over the public Internet MUST NOT be forwarded. See RFC 3879 and 5156.
STATELESS FILTERS: 4. BAD EXTENSION HEADERS • Packetsbearing deprecated extension headers prior to their first upper-layer-protocol header SHOULD NOT be forwarded or transmitted over any interface. See RFC 2460 and 5095.
STATELESS FILTERS: 5. NON-LOCAL ADDRESSES • Outbound packets MUST NOT be forwarded if the source address in their outer IPv6 header does not have a unicast prefix configured for use by globally reachable nodes on the interior network.
STATELESS FILTERS: 6. LOCAL ADDRESSES ON INBOUND PACKETS • Inbound packets MUST NOT be forwarded if the source address in their outer IPv6 header has a global unicast prefix assigned for use by globally reachable nodes on the internal network. Don’t accept spoofed addresses.
STATELESS FILTERS: 7. UNIQUE LOCAL ADDRESSES • ByDEFAULT, packets with unique local source and/or destination addresses SHOULD NOT be forwarded to or from the exterior network. ULA: RFC 4193
STATELESS FILTERS: 8. DNS QUERIES • By DEFAULT, inbound DNS queries received on the exterior interfaces MUST NOT be processed by any integrated DNS resolving server. A gateway with DNS should serve the internal network only.
STATELESS FILTERS: 9. DHCPV6 • Inbound DHCPv6 discovery packets received on exterior interfaces MUST NOT be processed by any integrated DHCPv6 server or relay agent. A gateway with DHCPv6 should serve the internal network only.
CONNECTION-FREE FILTERS: 10. ICMPV6 • IPv6 gateways SHOULD NOT forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing IP headers that do not match generic upper-layer transport state records RFC 4890 describes filtering of ICMPv6
CONNECTION-FREE FILTERS: 11. APPLICATIONS • If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for generic upper-layer transport protocols. • If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering" behavior. • The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for other protocols. • Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management. A gateway is said to have "endpoint-independent filt when the exterior address ering" behavior is not evaluated when matc with a flow. A gateway is hing a packet said to have "address-dep behavior when the exterior endent filtering" address of a packet is re the exterior address for quired to match its flow.
CONNECTION-FREE FILTERS: 12. TIMEOUT FOR APPLICATIONS • Filter state records for generic upper-layer transport protocols MUST NOT be deleted or recycled until an idle timer not less than two minutes has expired without having forwarded a packet matching the state in some configurable amount of time. • By DEFAULT, the idle timer for such state records is five minutes.
CONNECTION-FREE FILTERS: 13. APPLICATION UPDATES • ResidentialIPv6 gateways SHOULD provide a convenient means to update their firmware securely, for the installation of security patches and other manufacturer-recommended changes The Internet security community is never completely at rest. New attack surfaces, and vulnerabilities in them, are typically discovered faster than they can be patched by normal equipment upgrade cycles. It's therefore important for vendors of residential gateway equipment to provide automatic software updates to patch vulnerabilities as they are discovered.
CONNECTION-FREE FILTERS - UDP: 14. UDP TIMEOUTS •A state record for a UDP flow where both source and destination ports are outside the well-known port range (ports 0-1023) MUST NOT expire in less than two minutes of idle time. • Thevalue of the UDP state record idle timer MAY be configurable. • The DEFAULT is five minutes. Based on RFC 4787 which describes best practise for IPv4 UDP filtering
CONNECTION-FREE FILTERS - UDP: 15. UDP TIMEOUTS •Astate record for a UDP flow where one or both of the source and destination ports are in the well-known port range (ports 0-1023) MAY expire after a period of idle time shorter than two minutes to facilitate the operation of the IANA- registered service assigned to the port in question. Based on RFC 4787 which describes best practise for IPv4 UDP filtering
CONNECTION-FREE FILTERS - UDP: 16. CONNECTION STATE REFRESH •A state record for a UDP flow MUST be refreshed when a packet is forwarded from the interior to the exterior, and it MAY be refreshed when a packet is forwarded in the reverse direction. NAT keepalives should come from the inside.
CONNECTION-FREE FILTERS - UDP: 17. APPLICATION TRANSPARENCY • If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for UDP. • If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering" behavior. • The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for TCP and other protocols. • Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management.
CONNECTION-FREE FILTERS - UDP: 18. CONNECTION RELATED ICMP MESSAGES • Ifa gateway forwards a UDP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing UDP headers that match the flow state record. See Path MTU Discovery RFC 1981
CONNECTION-FREE FILTERS - UDP: 19. ICMPV6 AND THE CONNECTION STATE • Receiptof any sort of ICMPv6 message MUST NOT terminate the state record for a UDP flow.
CONNECTION-FREE FILTERS - UDP: 20. UDP-LITE IS A SEPARATE FLOW • UDP-Lite flows [RFC3828] SHOULD be handled in the same way as UDP flows, except that the upper-layer transport protocol identifier for UDP-Lite is not the same as UDP; therefore, UDP packets MUST NOT match UDP-Lite state records, and vice versa.
CONNECTION-FREE FILTERS - IPSEC: 21. IPSEC FILTERING - AH • In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with destination extension headers of type "Authentication Header (AH)" [RFC4302] in their outer IP extension header chain. The Internet Protocol security (IPsec) suite offers greater flexibility and better overall security than the simple security of stateful packet filtering at network perimeters. Therefore, residential IPv6 gateways need not prohibit IPsec traffic flows.
CONNECTION-FREE FILTERS - IPSEC: 22. IPSEC FILTERING -ESP • Intheir DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with an upper-layer protocol of type "Encapsulating Security Payload (ESP)" [RFC4303] in their outer IP extension header chain.
CONNECTION-FREE FILTERS - IPSEC: 23. IPSEC RELATED ICMPV6 • Ifa gateway forwards an ESP flow, it MUST also forward (in the reverse direction) ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing ESP headers that match the flow state record.
CONNECTION-FREE FILTERS - IPSEC: 24. IKE FOR IPSEC • Intheir DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of any UDP packets, to and from legitimate node addresses, with a destination port of 500, i.e., the port reserved by IANA for the Internet Key Exchange (IKE) protocol IKE - see RFC 5996
CONNECTION-FREE FILTERS - IPSEC: 25. ESP FILTERS • In all operating modes, IPv6 gateways SHOULD use filter state records for Encapsulating Security Payload (ESP) [RFC4303] that are indexable by a 3-tuple comprising the • interior node address • the exterior node address • the ESP protocol identifier. • In particular, the IPv4/NAT method of indexing state records also by the security parameters index (SPI) SHOULD NOT be used. • Likewise, any mechanism that depends on detection of Internet Key Exchange (IKE) [RFC5996] initiations SHOULD NOT be used.
CONNECTION-FREE FILTERS - IPSEC: 26. HOST IDENTITY PROTOCOL • In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with destination extension headers of type "Host Identity Protocol (HIP)" in their outer IP extension header chain. The Host Identity Protocol (HIP) is a secure mechanism for establishing host identity and secure communications between authenticated hosts. Residential IPv6 gateways need not prohibit inbound HIP flows. HIP - See RFC 5201
CONNECTION-FREE FILTERS - MOBILITY: 27. MOBILE IPV6 • The state records for flows initiated by outbound packets that bear a Home Address destination option are distinguished by the addition of the home address of the flow as well as the interior care-of address. IPv6 gateways MUST NOT prohibit the forwarding of any inbound packets bearing type 2 routing headers, which otherwise match a flow state record, and where • A) the address in the destination field of the IPv6 header matches the interior care- of address of the flow, and • B) the Home Address field in the Type 2 Routing Header matches the home address of the flow. Not all usage scenarios of mobility support in IPv6 are expected to be compatible with IPv6 simple security. In particular, exterior mobile nodes are expected to be prohibited from establishing bindings with interior correspondent nodes by the filtering of unsolicited IPv6 Mobile IP inbound Mobility Header messages, unless they are the subject of an IPsec security policy. - RFC 3775
CONNECTION-FREE FILTERS - MOBILITY: 28. MOBILITY FLOWS • Valid sequences of Mobility Header [RFC3775] packets MUST be forwarded for all outbound and explicitly permitted inbound Mobility Header flows.
CONNECTION-FREE FILTERS - MOBILITY: 29. MOBILITY FLOWS • If a gateway forwards a Mobility Header [RFC3775] flow, then it MUST also forward, in both directions, the IPv4 and IPv6 packets that are encapsulated in IPv6 associated with the tunnel between the home agent and the correspondent node.
CONNECTION-FREE FILTERS - MOBILITY: 30. MOBILITY FLOWS - ICMPV6 • If a gateway forwards a Mobility Header [RFC3775] flow, then it MUST also forward (in the reverse direction) ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing any headers that match the associated flow state records.
CONNECTION-ORIENTED FILTERS: TCP 31. TCP HANDSHAKES • All valid sequences of TCP packets (defined in [RFC0793]) MUST be forwarded for outbound flows and explicitly permitted inbound flows. • In particular, both the normal TCP 3-way handshake mode of operation and the simultaneous-open mode of operation MUST be supported. See RFC 793
CONNECTION-ORIENTED FILTERS: TCP 32. TCP WINDOW HANDLING • The TCP window invariant MUST NOT be enforced on flows for which the filter did not detect whether the window-scale option was sent in the 3-way handshake or simultaneous- open. See RFC 1323
CONNECTION-ORIENTED FILTERS: TCP 33. TCP STATEFUL FILTERS • If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for TCP. • If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering” behavior. • The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for UDP and other protocols. • Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management.
CONNECTION-ORIENTED FILTERS: TCP 34. UNSOLICITED TCP SYN PACKETS • ByDEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited) to any unsolicited inbound SYN packet after waiting at least 6 seconds without first forwarding the associated outbound SYN or SYN/ACK from the interior peer.
CONNECTION-ORIENTED FILTERS: TCP 35. TCP SESSION TIMEOUTS • If a gateway cannot determine whether the endpoints of a TCP flow are active, then it MAY abandon the state record if it has been idle for some time. In such cases, the value of the "established flow idle-timeout" MUST NOT be less than two hours four minutes, as discussed in [RFC5382]. The value of the "transitory flow idle-timeout" MUST NOT be less than four minutes. • The value of the idle-timeouts MAY be configurable by the network administrator.
CONNECTION-ORIENTED FILTERS: TCP 36. ICMPV6 RELATED TO TCP SESSION • Ifa gateway forwards a TCP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing TCP headers that match the flow state record. Several TCP mechanisms depend on the reception of ICMPv6 error messages triggered by the transmission of TCP segments. One such mechanism is path MTU discovery, which is required for correct operation of TCP.
CONNECTION-ORIENTED FILTERS: TCP 37. ICMPV6 RELATED TO TCP SESSION STATES • Receiptof any sort of ICMPv6 message MUST NOT terminate the state record for a TCP flow. Several TCP mechanisms depend on the reception of ICMPv6 error messages triggered by the transmission of TCP segments. One such mechanism is path MTU discovery, which is required for correct operation of TCP.
CONNECTION-ORIENTED FILTERS: SCTP 38. SCTP CONNECTION SETUP • All valid sequences of SCTP packets (defined in [RFC4960]) MUST be forwarded for outbound associations and explicitly permitted inbound associations. In particular, both the normal SCTP association establishment and the simultaneous-open mode of operation MUST be supported. The RFC this presentation is based upon - 6092 - includes a lot of information about SCTP security
CONNECTION-ORIENTED FILTERS: SCTP 39. UNSOLICITED INIT REQUESTS • By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound INIT packet after waiting at least 6 seconds without first forwarding the associated outbound INIT from the interior peer.
CONNECTION-ORIENTED FILTERS: SCTP 40. UNSOLICITED INIT REQUESTS • By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound INIT packet after waiting at least 6 seconds without first forwarding the associated outbound INIT from the interior peer.
CONNECTION-ORIENTED FILTERS: SCTP 41. SCTP RELATED ICMPV6 • Ifa gateway forwards an SCTP association, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing SCTP headers that match the association state record.
CONNECTION-ORIENTED FILTERS: SCTP 42. SCTP RELATED ICMPV6 • Receiptof any sort of ICMPv6 message MUST NOT terminate the state record for an SCTP association.
CONNECTION-ORIENTED FILTERS: DCCP 43. DCCP FLOWS • All valid sequences of DCCP packets (defined in [RFC4340]) MUST be forwarded for all flows to exterior servers, and for any flows to interior servers that have explicitly permitted service codes. Datagram Congestion Control protocol - DCCP - RFC 4340
CONNECTION-ORIENTED FILTERS: DCCP 44. DCCP FLOW TIMEOUTS •A gateway MAY abandon a DCCP state record if it has been idle for some time. • In such cases, the value of the "open flow idle-timeout" MUST NOT be less than two hours four minutes. • The value of the "transitory flow idle-timeout" MUST NOT be less than eight minutes. • Thevalue of the idle-timeouts MAY be configurable by the network administrator.
CONNECTION-ORIENTED FILTERS: DCCP 45. DCCP FLOW & ICMPV6 • Ifan Internet gateway forwards a DCCP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing DCCP headers that match the flow state record.
CONNECTION-ORIENTED FILTERS: DCCP 46. DCCP FLOW & ICMPV6 • Receiptof any sort of ICMPv6 message MUST NOT terminate the state record for a DCCP flow.
CONNECTION-ORIENTED FILTERS 47. THE SHIM6 PROTOCOL • Valid sequences of packets bearing Shim6 payload extension headers in their outer IP extension header chains MUST be forwarded for all outbound and explicitly permitted flows. The content of the Shim6 payload extension header MAY be ignored for the purpose of state tracking. Level 3 Multihoming Shim Protocol for IPv6 RFC 5533
CONNECTION-ORIENTED FILTERS 47. THE SHIM6 PROTOCOL • Valid sequences of packets bearing Shim6 payload extension headers in their outer IP extension header chains MUST be forwarded for all outbound and explicitly permitted flows. The content of the Shim6 payload extension header MAY be ignored for the purpose of state tracking. Level 3 Multihoming Shim Protocol for IPv6 RFC 5533
PUBLISHING SERVICES: 48. INTERNAL SERVICES • Internet gateways with IPv6 simple security capabilities SHOULD implement a protocol to permit applications to solicit inbound traffic without advance knowledge of the addresses of exterior nodes with which they expect to communicate. This is very vague, since the IETF has not agreed on a recommendation.
PUBLISHING SERVICES: 49. DISABLING THE STATEFUL FIREWALL • Internetgateways with IPv6 simple security capabilities MUST provide an easily selected configuration option that permits a "transparent mode" of operation that forwards all unsolicited flows regardless of forwarding direction, i.e., not to use the IPv6 simple security capabilities of the gateway. • Thetransparent mode of operation MAY be the default configuration. This assumes that the IPv6 simple security capabilities replace the role of the IPv4 NAT.
FIREWALL MANAGEMENT: 50. DO NOT LET THE HACKER TAKE OVER... • ByDEFAULT, subscriber-managed residential gateways MUST NOT offer management application services to the exterior network. This assumes that the IPv6 simple security capabilities replace the role of the IPv4 NAT.
NOTE • ”The security functions described in this document may be considered redundant in the event that all IPv6 hosts using a particular gateway have their own IPv6 host firewall capabilities enabled. At the time of this writing, the vast majority of commercially available operating systems with support for IPv6 include IPv6 host firewall capability.” • ”The IETF makes no statement, expressed or implied, as to whether using the capabilities described in this document ultimately improves security for any individual users or for the Internet community as a whole.”
NOW, GO READ THE COMPLETE RFC. http://tools.ietf.org/html/rfc6092 TWITTER @IPV6FRIDAY

Recommandé

IPv6 Autoconfig
IPv6 AutoconfigIPv6 Autoconfig
IPv6 AutoconfigFred Bovy
 
IPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanIPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanJumping Bean
 
OSPF v3
OSPF v3OSPF v3
OSPF v3Irsandi Hasan
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsTim Martin
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2ehsan nazer
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhsTim Martin
 
IPv6
IPv6IPv6
IPv6Deepraj Bhujel
 
Introduction to ipv6 v1.3
Introduction to ipv6 v1.3Introduction to ipv6 v1.3
Introduction to ipv6 v1.3Karunakant Rai
 

Recommandé

IPv6 Autoconfig
IPv6 AutoconfigIPv6 Autoconfig
IPv6 AutoconfigFred Bovy
 
IPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanIPv6 How To Set Up a Linux IPv6 Lan
IPv6 How To Set Up a Linux IPv6 LanJumping Bean
 
OSPF v3
OSPF v3OSPF v3
OSPF v3Irsandi Hasan
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsTim Martin
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2ehsan nazer
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhsTim Martin
 
IPv6
IPv6IPv6
IPv6Deepraj Bhujel
 
Introduction to ipv6 v1.3
Introduction to ipv6 v1.3Introduction to ipv6 v1.3
Introduction to ipv6 v1.3Karunakant Rai
 
Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?Mark Smith
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Đồng Quốc Vương
 
IPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadbandIPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadbandAPNIC
 
Io t hurdles_i_pv6_slides_doin
Io t hurdles_i_pv6_slides_doinIo t hurdles_i_pv6_slides_doin
Io t hurdles_i_pv6_slides_doinJonny Doin
 
NAT Traversal
NAT TraversalNAT Traversal
NAT TraversalDavide Carboni
 
Ipv6
Ipv6Ipv6
Ipv6maha5960
 
IPV6 Hands on Lab
IPV6 Hands on Lab IPV6 Hands on Lab
IPV6 Hands on Lab Cisco Canada
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsAusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsMark Smith
 
NAT_Final
NAT_FinalNAT_Final
NAT_FinalPratik Bhide
 
From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT TraversalLi-Wei Yao
 
IPv6 ACL
IPv6 ACLIPv6 ACL
IPv6 ACLIrsandi Hasan
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoDigicomp Academy AG
 
IPv6 theoryfinalx
IPv6 theoryfinalxIPv6 theoryfinalx
IPv6 theoryfinalxPawan Sharma
 
IPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryIPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryHeba_a
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planningTim Martin
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
IPv6-strategic-planning-framework
IPv6-strategic-planning-frameworkIPv6-strategic-planning-framework
IPv6-strategic-planning-frameworkTim Martin
 
Ipv6 course
Ipv6 courseIpv6 course
Ipv6 courserinnocente
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 SecurityProgreso Training
 
IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015AFCEA International
 

Contenu connexe

Tendances

Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayIKT-Norge
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?Mark Smith
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
IPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadbandIPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadbandAPNIC
 
Io t hurdles_i_pv6_slides_doin
Io t hurdles_i_pv6_slides_doinIo t hurdles_i_pv6_slides_doin
Io t hurdles_i_pv6_slides_doinJonny Doin
 
IPV6 Hands on Lab
IPV6 Hands on Lab IPV6 Hands on Lab
IPV6 Hands on Lab Cisco Canada
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsAusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsMark Smith
 
From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT TraversalLi-Wei Yao
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoDigicomp Academy AG
 
IPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryIPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryHeba_a
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planningTim Martin
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
IPv6-strategic-planning-framework
IPv6-strategic-planning-frameworkIPv6-strategic-planning-framework
IPv6-strategic-planning-frameworkTim Martin
 

Tendances (20)

Eric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norwayEric Vyncke - Layer-2 security, ipv6 norway
Eric Vyncke - Layer-2 security, ipv6 norway
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5
 
IPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadbandIPv6 Transition & Deployment, including IPv6-only in cellular and broadband
IPv6 Transition & Deployment, including IPv6-only in cellular and broadband
 
Io t hurdles_i_pv6_slides_doin
Io t hurdles_i_pv6_slides_doinIo t hurdles_i_pv6_slides_doin
Io t hurdles_i_pv6_slides_doin
 
NAT Traversal
NAT TraversalNAT Traversal
NAT Traversal
 
Ipv6
Ipv6Ipv6
Ipv6
 
IPV6 Hands on Lab
IPV6 Hands on Lab IPV6 Hands on Lab
IPV6 Hands on Lab
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other ObservationsAusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
 
NAT_Final
NAT_FinalNAT_Final
NAT_Final
 
From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT Traversal
 
IPv6 ACL
IPv6 ACLIPv6 ACL
IPv6 ACL
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live Demo
 
IPv6 theoryfinalx
IPv6 theoryfinalxIPv6 theoryfinalx
IPv6 theoryfinalx
 
IPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryIPv6 - Neighbour Discovery
IPv6 - Neighbour Discovery
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planning
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in general
 
IPv6-strategic-planning-framework
IPv6-strategic-planning-frameworkIPv6-strategic-planning-framework
IPv6-strategic-planning-framework
 
Ipv6 course
Ipv6 courseIpv6 course
Ipv6 course
 

En vedette

IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015AFCEA International
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
IPv6 and the IP Security Protocol
IPv6 and the IP Security ProtocolIPv6 and the IP Security Protocol
IPv6 and the IP Security ProtocolMiguel Luis
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?RIPE NCC
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issuesbathinin1
 
Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ...
Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ...Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ...
Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ...Tiny
 
Video Game Collection @ Your Library
Video Game Collection @ Your LibraryVideo Game Collection @ Your Library
Video Game Collection @ Your LibraryMaggie Hommel Thomann
 
Orbul Si Ziaristul
Orbul Si ZiaristulOrbul Si Ziaristul
Orbul Si ZiaristulAlexandru S
 
Why Hire Portent?
Why Hire Portent?Why Hire Portent?
Why Hire Portent?Ian Lurie
 
2007 development of a who growth reference for school aged children and adole...
2007 development of a who growth reference for school aged children and adole...2007 development of a who growth reference for school aged children and adole...
2007 development of a who growth reference for school aged children and adole...Raul Rojas
 
Amazing Nature And Beautiful Wildlife
Amazing Nature And Beautiful WildlifeAmazing Nature And Beautiful Wildlife
Amazing Nature And Beautiful WildlifeAvinash Singh
 
World Tower Sculpture Proposal
World Tower Sculpture ProposalWorld Tower Sculpture Proposal
World Tower Sculpture ProposalBockit
 
Library 101 82208
Library 101 82208Library 101 82208
Library 101 82208librfun
 
Putting Strategy into Your Social Media Outreach
Putting Strategy into Your Social Media OutreachPutting Strategy into Your Social Media Outreach
Putting Strategy into Your Social Media OutreachKivi Leroux Miller
 
Terapia Masculina
Terapia MasculinaTerapia Masculina
Terapia MasculinaAlexandru S
 

En vedette (20)

IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
 
IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
IPv6 and the IP Security Protocol
IPv6 and the IP Security ProtocolIPv6 and the IP Security Protocol
IPv6 and the IP Security Protocol
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issues
 
Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ...
Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ...Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ...
Webinar: Bring Web Content into the Modern Era with Ephox's EditLive! 9 Rich ...
 
Video Game Collection @ Your Library
Video Game Collection @ Your LibraryVideo Game Collection @ Your Library
Video Game Collection @ Your Library
 
Orbul Si Ziaristul
Orbul Si ZiaristulOrbul Si Ziaristul
Orbul Si Ziaristul
 
Rutina[1]
Rutina[1]Rutina[1]
Rutina[1]
 
Why Hire Portent?
Why Hire Portent?Why Hire Portent?
Why Hire Portent?
 
2007 development of a who growth reference for school aged children and adole...
2007 development of a who growth reference for school aged children and adole...2007 development of a who growth reference for school aged children and adole...
2007 development of a who growth reference for school aged children and adole...
 
Amazing Nature And Beautiful Wildlife
Amazing Nature And Beautiful WildlifeAmazing Nature And Beautiful Wildlife
Amazing Nature And Beautiful Wildlife
 
World Tower Sculpture Proposal
World Tower Sculpture ProposalWorld Tower Sculpture Proposal
World Tower Sculpture Proposal
 
Library 101 82208
Library 101 82208Library 101 82208
Library 101 82208
 
Putting Strategy into Your Social Media Outreach
Putting Strategy into Your Social Media OutreachPutting Strategy into Your Social Media Outreach
Putting Strategy into Your Social Media Outreach
 
Terapia Masculina
Terapia MasculinaTerapia Masculina
Terapia Masculina
 
Girls & tech
Girls & techGirls & tech
Girls & tech
 

Similaire à IPV6 SIMPLE SECURITY CAPABILITIES

Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxGeorgeThoreJr
 
IPv6 translation methods
IPv6 translation methodsIPv6 translation methods
IPv6 translation methodsAhmad Hijazi
 
Ccna rse chp9 nat fo i_pv4
Ccna rse chp9 nat fo i_pv4Ccna rse chp9 nat fo i_pv4
Ccna rse chp9 nat fo i_pv4newbie2019
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?APNIC
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterRobb Boyd
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operatorsAPNIC
 
Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Cisco Canada
 
Address Scopes OpenStack Summit 2016
Address Scopes OpenStack Summit 2016Address Scopes OpenStack Summit 2016
Address Scopes OpenStack Summit 2016carlbaldwin
 
CN L8 — копия.ppt
CN L8 — копия.pptCN L8 — копия.ppt
CN L8 — копия.pptAssemNazirova2
 
Understanding i pv6 2
Understanding i pv6 2Understanding i pv6 2
Understanding i pv6 2srmanjuskp
 
Proxy servers
Proxy serversProxy servers
Proxy serversKumar
 
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onIPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onAPNIC
 
CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06Irsandi Hasan
 
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...gogo6
 
Tutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoTutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoAPNIC
 

Similaire à IPV6 SIMPLE SECURITY CAPABILITIES (20)

Module (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptxModule (10) NAT for IPV4.pptx
Module (10) NAT for IPV4.pptx
 
IPv6 translation methods
IPv6 translation methodsIPv6 translation methods
IPv6 translation methods
 
IPv6 on the Interop Network
IPv6 on the Interop NetworkIPv6 on the Interop Network
IPv6 on the Interop Network
 
Ccna rse chp9 nat fo i_pv4
Ccna rse chp9 nat fo i_pv4Ccna rse chp9 nat fo i_pv4
Ccna rse chp9 nat fo i_pv4
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
TechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the DatacenterTechWiseTV Workshop: Segment Routing for the Datacenter
TechWiseTV Workshop: Segment Routing for the Datacenter
 
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
28th TWNIC OPM and TWNOG 2017: Security best practices for network operators
 
Infini Band
Infini BandInfini Band
Infini Band
 
CCNA 1 Chapter 6 v5.0 2014
CCNA 1 Chapter 6 v5.0 2014CCNA 1 Chapter 6 v5.0 2014
CCNA 1 Chapter 6 v5.0 2014
 
Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...
 
Address Scopes OpenStack Summit 2016
Address Scopes OpenStack Summit 2016Address Scopes OpenStack Summit 2016
Address Scopes OpenStack Summit 2016
 
CN L8 — копия.ppt
CN L8 — копия.pptCN L8 — копия.ppt
CN L8 — копия.ppt
 
Understanding i pv6 2
Understanding i pv6 2Understanding i pv6 2
Understanding i pv6 2
 
Proxy servers
Proxy serversProxy servers
Proxy servers
 
To Infiniband and Beyond
To Infiniband and BeyondTo Infiniband and Beyond
To Infiniband and Beyond
 
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onIPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-on
 
CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06
 
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
 
Tutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demoTutorial: IPv6-only transition with demo
Tutorial: IPv6-only transition with demo
 
L6 6 lowpan
L6 6 lowpanL6 6 lowpan
L6 6 lowpan
 

Plus de Olle E Johansson

Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Olle E Johansson
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handlingOlle E Johansson
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Olle E Johansson
 
The birth and death of PSTN
The birth and death of PSTNThe birth and death of PSTN
The birth and death of PSTNOlle E Johansson
 
WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019Olle E Johansson
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffOlle E Johansson
 
Realtime communication over a dual stack network
Realtime communication over a dual stack networkRealtime communication over a dual stack network
Realtime communication over a dual stack networkOlle E Johansson
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2Olle E Johansson
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Olle E Johansson
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolOlle E Johansson
 
SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)Olle E Johansson
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Olle E Johansson
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldOlle E Johansson
 
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Olle E Johansson
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIPOlle E Johansson
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6Olle E Johansson
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Olle E Johansson
 
RFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the timeRFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the timeOlle E Johansson
 

Plus de Olle E Johansson (20)

Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handling
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)
 
The birth and death of PSTN
The birth and death of PSTNThe birth and death of PSTN
The birth and death of PSTN
 
WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuff
 
Kamailio on air
Kamailio on airKamailio on air
Kamailio on air
 
Webrtc overview
Webrtc overviewWebrtc overview
Webrtc overview
 
Realtime communication over a dual stack network
Realtime communication over a dual stack networkRealtime communication over a dual stack network
Realtime communication over a dual stack network
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
 
SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
 
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.
 
RFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the timeRFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the time
 

Dernier

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

IPV6 SIMPLE SECURITY CAPABILITIES

  • 1. IPV6 SIMPLE SECURITY CAPABILITIES. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB.
  • 2. ABSTRACT • The RFC which this presentation is based upon is focused on IPv6 gateway CPEs - home routers, business Internet gateways. • TheRFC is informational and refers to other RFCs that are standard documents. • TheRFC was contributed to by a large group of very experienced TCP/IP network engineers
  • 3. COPYRIGHT FOR THE RFC Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved.
  • 4. OVERVIEW For the purposes of this document, residential Internet gateways are assumed to be fairly simple devices with a limited subset of the full range of possible features. They function as default routers [RFC4294] for a single local-area network, e.g., an Ethernet network, a Wi-Fi network, or a bridge between two or more such segments. They have only one interface by which they can access the Internet service at any one time, using any of several possible sub-IP mechanisms, including tunnels and transition mechanisms. In referring to the security capabilities of residential gateways, it is reasonable to distinguish between their "interior" network, i.e., the local-area network, and their "exterior" networks, e.g., the public Internet and the networks of Internet service providers. This document is concerned only with the behavior of IP packet filters that police the flow of traffic between the interior IPv6 network and the exterior IPv6 networks of residential Internet gateways.
  • 5. NOT A STANDARD, BUT VERY USEFUL • Even though this RFC is not a standards-track document, it’s a very useful document • If you refer to this document in your procurement process, you have a good reference • Some requirements can of course be discussed - and we hope they will be! • Feedback is of course welcome - on Facebook, Twitter or as a comment on our web page.
  • 6. RECOMMENDED OPERATIONAL GOALS FOR THE FIREWALL • Check all traffic to and from Internet for basic sanity • Allow tracking of application usage by source and destination network addresses and ports • Provide a barrier agains untrusted external influences • Allow manually configured exceptions • Isolate local network DHCPv6 and DNS resolver services from the public Internet RFC 4864
  • 7. 50 RECOMMENDATIONS Read the RFC for details and references to other documents and web pages. The RFC has much more background material. This is just a checklist based on the RFC to simplify your checks with current products and firewall rulesets.
  • 8. STATELESS FILTERS: 1. MULTICAST SOURCE • Packets bearing multicast source address in their outer IPv6 headers MUST NOT be forwarded or transmitted on any interface
  • 9. STATELESS FILTERS: 2. MULTICAST DESTINATION • Packetsbearing multicast destination addresses in their outer IPv6 headers of equal or narrower scope than the configured scope boundary level of the gateway MUST NOT be forwarded in any direction. • The default scope SHOULD be organization-local scope. See RFC 4007 for scopes.
  • 10. STATELESS FILTERS: 3. FORBIDDEN ADDRESSES • Packetsbearing source and/or destination addresses forbidden to appear in the outer headers of packets transmitted over the public Internet MUST NOT be forwarded. See RFC 3879 and 5156.
  • 11. STATELESS FILTERS: 4. BAD EXTENSION HEADERS • Packetsbearing deprecated extension headers prior to their first upper-layer-protocol header SHOULD NOT be forwarded or transmitted over any interface. See RFC 2460 and 5095.
  • 12. STATELESS FILTERS: 5. NON-LOCAL ADDRESSES • Outbound packets MUST NOT be forwarded if the source address in their outer IPv6 header does not have a unicast prefix configured for use by globally reachable nodes on the interior network.
  • 13. STATELESS FILTERS: 6. LOCAL ADDRESSES ON INBOUND PACKETS • Inbound packets MUST NOT be forwarded if the source address in their outer IPv6 header has a global unicast prefix assigned for use by globally reachable nodes on the internal network. Don’t accept spoofed addresses.
  • 14. STATELESS FILTERS: 7. UNIQUE LOCAL ADDRESSES • ByDEFAULT, packets with unique local source and/or destination addresses SHOULD NOT be forwarded to or from the exterior network. ULA: RFC 4193
  • 15. STATELESS FILTERS: 8. DNS QUERIES • By DEFAULT, inbound DNS queries received on the exterior interfaces MUST NOT be processed by any integrated DNS resolving server. A gateway with DNS should serve the internal network only.
  • 16. STATELESS FILTERS: 9. DHCPV6 • Inbound DHCPv6 discovery packets received on exterior interfaces MUST NOT be processed by any integrated DHCPv6 server or relay agent. A gateway with DHCPv6 should serve the internal network only.
  • 17. CONNECTION-FREE FILTERS: 10. ICMPV6 • IPv6 gateways SHOULD NOT forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing IP headers that do not match generic upper-layer transport state records RFC 4890 describes filtering of ICMPv6
  • 18. CONNECTION-FREE FILTERS: 11. APPLICATIONS • If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for generic upper-layer transport protocols. • If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering" behavior. • The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for other protocols. • Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management. A gateway is said to have "endpoint-independent filt when the exterior address ering" behavior is not evaluated when matc with a flow. A gateway is hing a packet said to have "address-dep behavior when the exterior endent filtering" address of a packet is re the exterior address for quired to match its flow.
  • 19. CONNECTION-FREE FILTERS: 12. TIMEOUT FOR APPLICATIONS • Filter state records for generic upper-layer transport protocols MUST NOT be deleted or recycled until an idle timer not less than two minutes has expired without having forwarded a packet matching the state in some configurable amount of time. • By DEFAULT, the idle timer for such state records is five minutes.
  • 20. CONNECTION-FREE FILTERS: 13. APPLICATION UPDATES • ResidentialIPv6 gateways SHOULD provide a convenient means to update their firmware securely, for the installation of security patches and other manufacturer-recommended changes The Internet security community is never completely at rest. New attack surfaces, and vulnerabilities in them, are typically discovered faster than they can be patched by normal equipment upgrade cycles. It's therefore important for vendors of residential gateway equipment to provide automatic software updates to patch vulnerabilities as they are discovered.
  • 21. CONNECTION-FREE FILTERS - UDP: 14. UDP TIMEOUTS •A state record for a UDP flow where both source and destination ports are outside the well-known port range (ports 0-1023) MUST NOT expire in less than two minutes of idle time. • Thevalue of the UDP state record idle timer MAY be configurable. • The DEFAULT is five minutes. Based on RFC 4787 which describes best practise for IPv4 UDP filtering
  • 22. CONNECTION-FREE FILTERS - UDP: 15. UDP TIMEOUTS •Astate record for a UDP flow where one or both of the source and destination ports are in the well-known port range (ports 0-1023) MAY expire after a period of idle time shorter than two minutes to facilitate the operation of the IANA- registered service assigned to the port in question. Based on RFC 4787 which describes best practise for IPv4 UDP filtering
  • 23. CONNECTION-FREE FILTERS - UDP: 16. CONNECTION STATE REFRESH •A state record for a UDP flow MUST be refreshed when a packet is forwarded from the interior to the exterior, and it MAY be refreshed when a packet is forwarded in the reverse direction. NAT keepalives should come from the inside.
  • 24. CONNECTION-FREE FILTERS - UDP: 17. APPLICATION TRANSPARENCY • If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for UDP. • If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering" behavior. • The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for TCP and other protocols. • Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management.
  • 25. CONNECTION-FREE FILTERS - UDP: 18. CONNECTION RELATED ICMP MESSAGES • Ifa gateway forwards a UDP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing UDP headers that match the flow state record. See Path MTU Discovery RFC 1981
  • 26. CONNECTION-FREE FILTERS - UDP: 19. ICMPV6 AND THE CONNECTION STATE • Receiptof any sort of ICMPv6 message MUST NOT terminate the state record for a UDP flow.
  • 27. CONNECTION-FREE FILTERS - UDP: 20. UDP-LITE IS A SEPARATE FLOW • UDP-Lite flows [RFC3828] SHOULD be handled in the same way as UDP flows, except that the upper-layer transport protocol identifier for UDP-Lite is not the same as UDP; therefore, UDP packets MUST NOT match UDP-Lite state records, and vice versa.
  • 28. CONNECTION-FREE FILTERS - IPSEC: 21. IPSEC FILTERING - AH • In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with destination extension headers of type "Authentication Header (AH)" [RFC4302] in their outer IP extension header chain. The Internet Protocol security (IPsec) suite offers greater flexibility and better overall security than the simple security of stateful packet filtering at network perimeters. Therefore, residential IPv6 gateways need not prohibit IPsec traffic flows.
  • 29. CONNECTION-FREE FILTERS - IPSEC: 22. IPSEC FILTERING -ESP • Intheir DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with an upper-layer protocol of type "Encapsulating Security Payload (ESP)" [RFC4303] in their outer IP extension header chain.
  • 30. CONNECTION-FREE FILTERS - IPSEC: 23. IPSEC RELATED ICMPV6 • Ifa gateway forwards an ESP flow, it MUST also forward (in the reverse direction) ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing ESP headers that match the flow state record.
  • 31. CONNECTION-FREE FILTERS - IPSEC: 24. IKE FOR IPSEC • Intheir DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of any UDP packets, to and from legitimate node addresses, with a destination port of 500, i.e., the port reserved by IANA for the Internet Key Exchange (IKE) protocol IKE - see RFC 5996
  • 32. CONNECTION-FREE FILTERS - IPSEC: 25. ESP FILTERS • In all operating modes, IPv6 gateways SHOULD use filter state records for Encapsulating Security Payload (ESP) [RFC4303] that are indexable by a 3-tuple comprising the • interior node address • the exterior node address • the ESP protocol identifier. • In particular, the IPv4/NAT method of indexing state records also by the security parameters index (SPI) SHOULD NOT be used. • Likewise, any mechanism that depends on detection of Internet Key Exchange (IKE) [RFC5996] initiations SHOULD NOT be used.
  • 33. CONNECTION-FREE FILTERS - IPSEC: 26. HOST IDENTITY PROTOCOL • In their DEFAULT operating mode, IPv6 gateways MUST NOT prohibit the forwarding of packets, to and from legitimate node addresses, with destination extension headers of type "Host Identity Protocol (HIP)" in their outer IP extension header chain. The Host Identity Protocol (HIP) is a secure mechanism for establishing host identity and secure communications between authenticated hosts. Residential IPv6 gateways need not prohibit inbound HIP flows. HIP - See RFC 5201
  • 34. CONNECTION-FREE FILTERS - MOBILITY: 27. MOBILE IPV6 • The state records for flows initiated by outbound packets that bear a Home Address destination option are distinguished by the addition of the home address of the flow as well as the interior care-of address. IPv6 gateways MUST NOT prohibit the forwarding of any inbound packets bearing type 2 routing headers, which otherwise match a flow state record, and where • A) the address in the destination field of the IPv6 header matches the interior care- of address of the flow, and • B) the Home Address field in the Type 2 Routing Header matches the home address of the flow. Not all usage scenarios of mobility support in IPv6 are expected to be compatible with IPv6 simple security. In particular, exterior mobile nodes are expected to be prohibited from establishing bindings with interior correspondent nodes by the filtering of unsolicited IPv6 Mobile IP inbound Mobility Header messages, unless they are the subject of an IPsec security policy. - RFC 3775
  • 35. CONNECTION-FREE FILTERS - MOBILITY: 28. MOBILITY FLOWS • Valid sequences of Mobility Header [RFC3775] packets MUST be forwarded for all outbound and explicitly permitted inbound Mobility Header flows.
  • 36. CONNECTION-FREE FILTERS - MOBILITY: 29. MOBILITY FLOWS • If a gateway forwards a Mobility Header [RFC3775] flow, then it MUST also forward, in both directions, the IPv4 and IPv6 packets that are encapsulated in IPv6 associated with the tunnel between the home agent and the correspondent node.
  • 37. CONNECTION-FREE FILTERS - MOBILITY: 30. MOBILITY FLOWS - ICMPV6 • If a gateway forwards a Mobility Header [RFC3775] flow, then it MUST also forward (in the reverse direction) ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing any headers that match the associated flow state records.
  • 38. CONNECTION-ORIENTED FILTERS: TCP 31. TCP HANDSHAKES • All valid sequences of TCP packets (defined in [RFC0793]) MUST be forwarded for outbound flows and explicitly permitted inbound flows. • In particular, both the normal TCP 3-way handshake mode of operation and the simultaneous-open mode of operation MUST be supported. See RFC 793
  • 39. CONNECTION-ORIENTED FILTERS: TCP 32. TCP WINDOW HANDLING • The TCP window invariant MUST NOT be enforced on flows for which the filter did not detect whether the window-scale option was sent in the 3-way handshake or simultaneous- open. See RFC 1323
  • 40. CONNECTION-ORIENTED FILTERS: TCP 33. TCP STATEFUL FILTERS • If application transparency is most important, then a stateful packet filter SHOULD have "endpoint-independent filtering" behavior for TCP. • If a more stringent filtering behavior is most important, then a filter SHOULD have "address-dependent filtering” behavior. • The filtering behavior MAY be an option configurable by the network administrator, and it MAY be independent of the filtering behavior for UDP and other protocols. • Filtering behavior SHOULD be endpoint independent by DEFAULT in gateways intended for provisioning without service-provider management.
  • 41. CONNECTION-ORIENTED FILTERS: TCP 34. UNSOLICITED TCP SYN PACKETS • ByDEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited) to any unsolicited inbound SYN packet after waiting at least 6 seconds without first forwarding the associated outbound SYN or SYN/ACK from the interior peer.
  • 42. CONNECTION-ORIENTED FILTERS: TCP 35. TCP SESSION TIMEOUTS • If a gateway cannot determine whether the endpoints of a TCP flow are active, then it MAY abandon the state record if it has been idle for some time. In such cases, the value of the "established flow idle-timeout" MUST NOT be less than two hours four minutes, as discussed in [RFC5382]. The value of the "transitory flow idle-timeout" MUST NOT be less than four minutes. • The value of the idle-timeouts MAY be configurable by the network administrator.
  • 43. CONNECTION-ORIENTED FILTERS: TCP 36. ICMPV6 RELATED TO TCP SESSION • Ifa gateway forwards a TCP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing TCP headers that match the flow state record. Several TCP mechanisms depend on the reception of ICMPv6 error messages triggered by the transmission of TCP segments. One such mechanism is path MTU discovery, which is required for correct operation of TCP.
  • 44. CONNECTION-ORIENTED FILTERS: TCP 37. ICMPV6 RELATED TO TCP SESSION STATES • Receiptof any sort of ICMPv6 message MUST NOT terminate the state record for a TCP flow. Several TCP mechanisms depend on the reception of ICMPv6 error messages triggered by the transmission of TCP segments. One such mechanism is path MTU discovery, which is required for correct operation of TCP.
  • 45. CONNECTION-ORIENTED FILTERS: SCTP 38. SCTP CONNECTION SETUP • All valid sequences of SCTP packets (defined in [RFC4960]) MUST be forwarded for outbound associations and explicitly permitted inbound associations. In particular, both the normal SCTP association establishment and the simultaneous-open mode of operation MUST be supported. The RFC this presentation is based upon - 6092 - includes a lot of information about SCTP security
  • 46. CONNECTION-ORIENTED FILTERS: SCTP 39. UNSOLICITED INIT REQUESTS • By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound INIT packet after waiting at least 6 seconds without first forwarding the associated outbound INIT from the interior peer.
  • 47. CONNECTION-ORIENTED FILTERS: SCTP 40. UNSOLICITED INIT REQUESTS • By DEFAULT, a gateway MUST respond with an ICMPv6 "Destination Unreachable" error code 1 (Communication with destination administratively prohibited), to any unsolicited inbound INIT packet after waiting at least 6 seconds without first forwarding the associated outbound INIT from the interior peer.
  • 48. CONNECTION-ORIENTED FILTERS: SCTP 41. SCTP RELATED ICMPV6 • Ifa gateway forwards an SCTP association, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing SCTP headers that match the association state record.
  • 49. CONNECTION-ORIENTED FILTERS: SCTP 42. SCTP RELATED ICMPV6 • Receiptof any sort of ICMPv6 message MUST NOT terminate the state record for an SCTP association.
  • 50. CONNECTION-ORIENTED FILTERS: DCCP 43. DCCP FLOWS • All valid sequences of DCCP packets (defined in [RFC4340]) MUST be forwarded for all flows to exterior servers, and for any flows to interior servers that have explicitly permitted service codes. Datagram Congestion Control protocol - DCCP - RFC 4340
  • 51. CONNECTION-ORIENTED FILTERS: DCCP 44. DCCP FLOW TIMEOUTS •A gateway MAY abandon a DCCP state record if it has been idle for some time. • In such cases, the value of the "open flow idle-timeout" MUST NOT be less than two hours four minutes. • The value of the "transitory flow idle-timeout" MUST NOT be less than eight minutes. • Thevalue of the idle-timeouts MAY be configurable by the network administrator.
  • 52. CONNECTION-ORIENTED FILTERS: DCCP 45. DCCP FLOW & ICMPV6 • Ifan Internet gateway forwards a DCCP flow, it MUST also forward ICMPv6 "Destination Unreachable" and "Packet Too Big" messages containing DCCP headers that match the flow state record.
  • 53. CONNECTION-ORIENTED FILTERS: DCCP 46. DCCP FLOW & ICMPV6 • Receiptof any sort of ICMPv6 message MUST NOT terminate the state record for a DCCP flow.
  • 54. CONNECTION-ORIENTED FILTERS 47. THE SHIM6 PROTOCOL • Valid sequences of packets bearing Shim6 payload extension headers in their outer IP extension header chains MUST be forwarded for all outbound and explicitly permitted flows. The content of the Shim6 payload extension header MAY be ignored for the purpose of state tracking. Level 3 Multihoming Shim Protocol for IPv6 RFC 5533
  • 55. CONNECTION-ORIENTED FILTERS 47. THE SHIM6 PROTOCOL • Valid sequences of packets bearing Shim6 payload extension headers in their outer IP extension header chains MUST be forwarded for all outbound and explicitly permitted flows. The content of the Shim6 payload extension header MAY be ignored for the purpose of state tracking. Level 3 Multihoming Shim Protocol for IPv6 RFC 5533
  • 56. PUBLISHING SERVICES: 48. INTERNAL SERVICES • Internet gateways with IPv6 simple security capabilities SHOULD implement a protocol to permit applications to solicit inbound traffic without advance knowledge of the addresses of exterior nodes with which they expect to communicate. This is very vague, since the IETF has not agreed on a recommendation.
  • 57. PUBLISHING SERVICES: 49. DISABLING THE STATEFUL FIREWALL • Internetgateways with IPv6 simple security capabilities MUST provide an easily selected configuration option that permits a "transparent mode" of operation that forwards all unsolicited flows regardless of forwarding direction, i.e., not to use the IPv6 simple security capabilities of the gateway. • Thetransparent mode of operation MAY be the default configuration. This assumes that the IPv6 simple security capabilities replace the role of the IPv4 NAT.
  • 58. FIREWALL MANAGEMENT: 50. DO NOT LET THE HACKER TAKE OVER... • ByDEFAULT, subscriber-managed residential gateways MUST NOT offer management application services to the exterior network. This assumes that the IPv6 simple security capabilities replace the role of the IPv4 NAT.
  • 59. NOTE • ”The security functions described in this document may be considered redundant in the event that all IPv6 hosts using a particular gateway have their own IPv6 host firewall capabilities enabled. At the time of this writing, the vast majority of commercially available operating systems with support for IPv6 include IPv6 host firewall capability.” • ”The IETF makes no statement, expressed or implied, as to whether using the capabilities described in this document ultimately improves security for any individual users or for the Internet community as a whole.”
  • 60. NOW, GO READ THE COMPLETE RFC. http://tools.ietf.org/html/rfc6092 TWITTER @IPV6FRIDAY

Notes de l'éditeur

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. \n
  21. \n
  22. \n
  23. \n
  24. \n
  25. \n
  26. \n
  27. \n
  28. \n
  29. \n
  30. \n
  31. \n
  32. \n
  33. \n
  34. \n
  35. \n
  36. \n
  37. \n
  38. \n
  39. \n
  40. \n
  41. \n
  42. \n
  43. \n
  44. \n
  45. \n
  46. \n
  47. \n
  48. \n
  49. \n
  50. \n
  51. \n
  52. \n
  53. \n
  54. \n
  55. \n
  56. \n
  57. \n
  58. \n
  59. \n
  60. \n