Eric Vyncke - IPv6 Security Vendor Point of View

992 views, 4 likes, 32 downloads
Transcript

  • 1. IPv6 Security Vendor Point of View
    Eric Vyncke, evyncke@cisco.com, Distinguished Engineer, Cisco CTO/Consulting Engineering
    Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Public 1
  • 2. ARP Spoofing is now NDP Spoofing: Threats
    - ARP is replaced by the Neighbor Discovery Protocol: nothing is authenticated; static entries are overwritten by dynamic ones
    - Stateless Address Autoconfiguration: a rogue RA (malicious or not) leaves all nodes badly configured: DoS, traffic interception (Man In the Middle attack)
    - Attack tools exist (from THC – The Hacker's Choice): Parasit6, Fakerouter6, ...
  • 3. ARP Spoofing is now NDP Spoofing: Mitigation
    - BAD NEWS: nothing like Dynamic ARP Inspection for IPv6; will require new hardware on some platforms; not available now
    - GOOD NEWS: Secure Neighbor Discovery (SEND = NDP + crypto), IOS 12.4(24)T; but not in Windows Vista, 2008 and 7; crypto means slower...
    - Other GOOD NEWS: Private VLAN works with IPv6; port security works with IPv6; 802.1X works with IPv6; for FTTH and other broadband, DHCP-PD means no need to NDP-proxy
  • 4. Securing Link Operations: Cisco Future First Hop
    [Diagram: first-hop device with a Trusted Device, a Certificate server and a Time server]
    - Advantages: central administration, central operation; complexity limited to the first hop; transitioning a lot easier; efficient for threats coming from the link; efficient for threats coming from outside
    - Disadvantages: applicable only to certain topologies; requires the first hop to learn about end-nodes; the first hop is a bottleneck and a single point of failure
  • 5. IPv6 Header Manipulation
    - Unlimited size of the header chain (spec-wise) can make filtering difficult
    - Potential DoS with poor IPv6 stack implementations: more boundary conditions to exploit; can I overrun buffers with a lot of extension headers?
    [Diagram: a "perfectly valid IPv6 packet according to the sniffer", with callouts: a header that should only appear once, a Destination header which should occur at most twice, a Destination Options header that should be the last]
    See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
  • 6. Parsing the Extension Header Chain
    - Finding the layer 4 information is not trivial in IPv6
    - Skip all known extension headers until either a known layer 4 header is found => SUCCESS, or an unknown extension header / layer 4 header is found... => FAILURE
    [Diagram: three header chains]
      IPv6 hdr | HopByHop | Routing | AH | TCP | data
      IPv6 hdr | HopByHop | Routing | AH | Unknown L4 | ???
      IPv6 hdr | HopByHop | Unk. ExtHdr | AH | TCP | data
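The chain-walking rule on slide 6, as an added example that is not part of the presentation: a minimal parser that skips the known extension headers and stops with SUCCESS on a known layer 4 header or FAILURE on anything else. The three packets are constructed inline to match the slide's three chains (source and destination addresses are zeroed, and protocol number 253, reserved by IANA for experimentation, plays the "unknown" header); the `max_headers` bound and the ESP handling are this example's own filtering-policy choices, not anything the slides specify.

```python
"""Walking an IPv6 extension header chain to locate the layer 4 header.

Added example (not from the presentation): a minimal parser for the rule on
slide 6 -- skip every known extension header, report SUCCESS on a known
layer 4 header and FAILURE on anything it does not understand.  All packets
are constructed in build_packets(); no live traffic is involved.
"""
import struct

# Next Header values (IANA protocol numbers)
HOP_BY_HOP = 0
TCP = 6
UDP = 17
ROUTING = 43
FRAGMENT = 44
ESP = 50
AH = 51
ICMPV6 = 58
NO_NEXT_HEADER = 59
DEST_OPTS = 60
EXPERIMENTAL = 253   # reserved for experimentation; stands in for "unknown" here

KNOWN_L4 = {TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6"}


def ext_header_len(nh, packet, off):
    """Length in bytes of the extension header of type nh starting at off,
    or None when nh is not an extension header this parser knows."""
    if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        # Hdr Ext Len counts 8-octet units, not including the first 8 octets
        return (packet[off + 1] + 1) * 8
    if nh == FRAGMENT:
        return 8
    if nh == AH:
        # AH Payload Len counts 4-octet units minus 2 (RFC 4302)
        return (packet[off + 1] + 2) * 4
    return None


def find_layer4(packet, max_headers=8):
    """Return (status, description, offset) for a raw IPv6 packet.

    max_headers bounds the walk: a policy answer to the unlimited header
    chain the spec allows (slide 5)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("FAILURE", "not an IPv6 packet", 0)
    nh, off = packet[6], 40
    for _ in range(max_headers):
        if nh in KNOWN_L4:
            return ("SUCCESS", KNOWN_L4[nh], off)
        if nh == ESP:
            # ESP encrypts everything after it; AH can be walked, ESP cannot
            return ("FAILURE", "ESP: layer 4 not visible", off)
        if nh == NO_NEXT_HEADER:
            return ("FAILURE", "no next header", off)
        if off + 2 > len(packet):
            return ("FAILURE", "truncated header chain", off)
        length = ext_header_len(nh, packet, off)
        if length is None:
            return ("FAILURE", f"unknown header type {nh}", off)
        if off + length > len(packet):
            return ("FAILURE", "extension header runs past end of packet", off)
        nh = packet[off]       # Next Header is the first octet of every extension header
        off += length
    return ("FAILURE", "header chain longer than policy allows", off)


def ipv6_header(first_nh, payload_len):
    # version 6, traffic class 0, flow label 0, hop limit 64; addresses zeroed
    # because they play no role in chain parsing (constructed input)
    return struct.pack("!IHBB", 0x60000000, payload_len, first_nh, 64) + bytes(32)


def generic_ext_header(next_nh):
    # smallest Hop-by-Hop / Routing / Destination Options header: 8 octets
    return bytes([next_nh, 0]) + bytes(6)


def ah_header(next_nh):
    # AH with a 12-octet ICV: 24 octets in total, so Payload Len = 24/4 - 2 = 4
    return bytes([next_nh, 4, 0, 0]) + bytes(8) + bytes(12)


def build_packets():
    tcp_stub = bytes(20)  # zeroed TCP header standing in for "TCP data"
    chains = {
        # slide's first chain: HopByHop -> Routing -> AH -> TCP
        "hbh_routing_ah_tcp": generic_ext_header(ROUTING) + generic_ext_header(AH)
                              + ah_header(TCP) + tcp_stub,
        # second chain: AH points at an unknown layer 4 protocol
        "hbh_routing_ah_unknown_l4": generic_ext_header(ROUTING) + generic_ext_header(AH)
                                     + ah_header(EXPERIMENTAL) + tcp_stub,
        # third chain: HopByHop points at an unknown extension header
        "hbh_unknown_ext_ah_tcp": generic_ext_header(EXPERIMENTAL) + generic_ext_header(AH)
                                  + ah_header(TCP) + tcp_stub,
    }
    return {name: ipv6_header(HOP_BY_HOP, len(body)) + body for name, body in chains.items()}


PACKETS = build_packets()

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, find_layer4(pkt))
```

Only the first chain yields a layer 4 protocol; the other two stop at the first octet the parser does not understand, at offset 80 and 48 respectively. A filter that cannot reach layer 4 has to decide what to do with the packet as a whole, which is the practical point behind the slide's FAILURE branch.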
  • 7. The IPsec Myth: IPsec End-to-End will Save the World
    - IPv6 mandates the implementation of IPsec
    - IPv6 does not require the use of IPsec
    - Some organizations believe that IPsec should be used to secure all flows...
      - Interesting scalability issue (n² issue with IPsec)
      - Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall (IOS 12.4(20)T can parse the AH)
      - Network telemetry is blinded: NetFlow of little use
      - Network services hindered: what about QoS?
    - Recommendation: do not use IPsec end to end within an administrative domain.
    - Suggestion: reserve IPsec for residential or hostile environments or high-profile targets.
  • 8. PCI DSS Compliance and IPv6
    - The Payment Card Industry Data Security Standard requires the use of NAT for security. Yes, weird isn't it?
    - There is no NAT IPv6 <-> IPv6 in most of the firewalls; the IETF has just started to work on NAT66
    - => PCI DSS compliance cannot be achieved for IPv6?
    - How important is NAT for 'security'? No clear feedback from customers.
  • 9. The security 'value' of NAT-PT: does it really bring something?
    - Blocks connections from the outside: same as a stateful firewall
    - Topology hiding? Dubious utility; techniques exist to bypass it: counting hosts by the ID field (Steve Bellovin 2002), counting hosts by TCP timestamps (Ellie Lupin 2010), analysis of the TTL field, analysis of e-mail RFC 822 headers
    - Multiple users hidden behind a single address: forensics is more complex
  • 10. What Default Security Policy for CPE?
    - Do we need to do the same as IPv4 NAT? Allow only inside-initiated connections?
    - IPv6 hosts are usually more secure than legacy OS
    - IPv6 has the benefit of end-to-end connectivity
    - Even the IETF is unclear
  • 11. Dual-Stack IPS Engines
    [Diagram only: dual-stack IPS engines, Service HTTP]
  • 12. Anti-Spam Challenges
    - Little SMTPv6 email… not a lot of data to test heuristics
    - How to build an address reputation database? Based on /128? /64? /56?
    - Need more customers, more SMTPv6
  • 13. Summary of Cisco IPv6 Security Products
    - ASA Firewall: since version 7.0 (released 2005); flexibility: dual stack, IPv6 only, IPv4 only; SSL VPN for IPv6 (ASA 8.0); stateful failover (ASA 8.2.2)
    - IOS Firewall: IOS 12.3(7)T (released 2005)
    - IPS: since 6.2 (released 2008)
    - Email Security Appliance (ESA): under beta testing early 2010
    - Web Security Appliance (WSA): end 2011
  • 14. Key Take Away
    - So, nothing really new in IPv6
    - Lack of operational experience may hinder security for a while: training is required
    - Security enforcement is possible; most vendors have IPv6-enabled security features/appliances: control your IPv6 traffic as you do for IPv4
    - Leverage IPsec to secure IPv6 when suitable
  • 15. (blank slide)
  • 16. Reference Slides (For Reference Only)
  • 17. Secure Neighbor Discovery (SEND), RFC 3971
    - Certification paths: anchored on trusted parties, expected to certify the authority of the routers on some prefixes
    - Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated
    - RSA signature option: protects all messages relating to neighbor and router discovery
    - Timestamp and nonce options: prevent replay attacks
    - Requires IOS 12.4(24)T
  • 18. Cryptographically Generated Addresses (CGA), RFC 3972 (simplified)
    - Each device has an RSA key pair (no need for a cert)
    - Ultra-light check for validity
    - Prevents spoofing a valid CGA address
    [Diagram: RSA keys (Priv, Pub); Public Key + Modifier + Subnet Prefix -> SHA-1 -> Interface Identifier; Subnet Prefix + Interface Identifier = Cryptographically Generated Address; CGA Params and Signature are carried in SEND messages]
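The address construction sketched on slide 18, as an added example that is not part of the presentation: interface identifier derivation with SHA-1 over the CGA parameters, and the hash-only "ultra-light" check a receiver runs before trusting a SEND message. It follows RFC 3972 but assumes a constructed byte string in place of a DER-encoded RSA public key and uses the 2001:db8::/32 documentation prefix; the RSA signature option and the certificate path of slides 17 and 19 are not shown.

```python
"""Simplified Cryptographically Generated Addresses, RFC 3972.

Added example (not from the presentation): derives the interface identifier
from SHA-1 over the CGA parameters and performs the hash-only "ultra light"
validity check a receiver runs before trusting a SEND message.  PUBLIC_KEY
is a constructed byte string standing in for a DER-encoded RSA public key;
the RSA signature option of SEND is out of scope here.
"""
import hashlib
import ipaddress

# Documentation prefix (RFC 3849) and a constructed stand-in for the key
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64").network_address.packed[:8]
PUBLIC_KEY = b"constructed stand-in for a DER-encoded RSA public key"


def _hash1(modifier, prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters data structure."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1 over modifier || 9 zero octets || public key."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(hash2, sec):
    """The 16*Sec leftmost bits of Hash2 must be zero (always true for Sec 0)."""
    return int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0


def _interface_id(hash1, sec):
    iid = bytearray(hash1)
    # bits 0-2 carry Sec; bits 6-7 (the u and g bits) are cleared
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix, pubkey, sec=1, modifier=bytes(16)):
    """Generation per RFC 3972 section 4.  The modifier starts from a fixed
    value so the example is deterministic; the RFC starts from a random one.
    The collision count would be incremented on a DAD collision (max 2)."""
    if len(prefix) != 8 or not 0 <= sec <= 7:
        raise ValueError("prefix must be 8 octets and Sec in 0..7")
    mod = int.from_bytes(modifier, "big")
    while True:                       # search for a modifier satisfying Hash2
        modifier = mod.to_bytes(16, "big")
        if _hash2_ok(_hash2(modifier, pubkey), sec):
            break
        mod = (mod + 1) % (1 << 128)
    collision_count = 0
    iid = _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "public_key": pubkey}
    return ipaddress.IPv6Address(prefix + iid), params


def verify_cga(address, params):
    """Verification per RFC 3972 section 5: two hashes, no certificate."""
    cc = params["collision_count"]
    if cc not in (0, 1, 2):
        return False
    packed = address.packed
    if packed[:8] != params["prefix"]:
        return False
    iid = packed[8:]
    h1 = _hash1(params["modifier"], params["prefix"], cc, params["public_key"])
    # compare every bit of Hash1 except 0-2 (Sec) and 6-7 (u/g)
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5                 # Sec is read from the address itself
    return _hash2_ok(_hash2(params["modifier"], params["public_key"]), sec)


def demo():
    """Generate one CGA and run the light check against it and against
    tampered inputs; returns the outcomes so they can be inspected."""
    addr, params = generate_cga(PREFIX, PUBLIC_KEY, sec=1)
    flipped = ipaddress.IPv6Address(int(addr) ^ 1)   # same params, other address
    return {
        "address": str(addr),
        "sec": addr.packed[8] >> 5,
        "genuine": verify_cga(addr, params),
        "other_key_same_address": verify_cga(addr, dict(params, public_key=b"some other key")),
        "same_params_other_address": verify_cga(flipped, params),
        "bad_collision_count": verify_cga(addr, dict(params, collision_count=3)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With Sec = 1 the generator needs about 2^16 SHA-1 evaluations to find a usable modifier, while the receiver's check is two hashes regardless of Sec, which is what the slide calls an ultra-light check. A node presenting a different public key for the same address fails the Hash1 comparison, so the address is bound to the key pair without any certificate; proving possession of that key pair is the job of the RSA signature option on slide 17.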
  • 19. Securing Neighbor and Router Advertisements with SEND
    - Adding an X.509 certificate to the RA
    - The Subject Name contains the list of authorized IPv6 prefixes
    [Diagram: Neighbor Advertisement: Source Addr = CGA, CGA param block (incl. pub key), Signed. Router Advertisement: Source Addr = CGA, CGA param block (incl. pub key), X.509 cert, Signed; the X.509 cert chains to a Trust Anchor]