Training Presentation


  • This is the first of a six part set of slides, with some of them being much more technical than this one.
  • Creative Commons Attribution 2.0 UK: England & Wales Licence. You can use it for free or for profit and you can modify it, as long as you acknowledge this source: “Irish IPv6 Task Force”
  • Training Presentation

    1. 1. Irish IPv6 Task Force IPv6 and Security
    2. 2. Irish IPv6 Task Force IPv6 Training Slide-sets <ul><li>The Bigger Picture: Why is IPv6 so Important? </li></ul><ul><li>IPv6 Deployment & Strategy (technical) </li></ul><ul><li>Introduction to IPv6 Fundamentals (technical) </li></ul><ul><li>The Business Case for IPv6 </li></ul><ul><li>Mobile IPv6 (technical) </li></ul><ul><li>IPv6 Quality of Service (technical) </li></ul><ul><li>IPv6 Security (technical) <- This slide set is seventh in a series </li></ul>
    3. 3. Presentation Structure <ul><li>Introduction to Security Problems </li></ul><ul><li>What's new with IPv6 & IPv6 Overview </li></ul><ul><li>Problem solved? </li></ul><ul><li>IPv6 and the “Anatomy of a Hack” </li></ul><ul><li>Final thoughts </li></ul>
    4. 4. Introduction to Security Problems
    5. 5. Introduction to Security Problems <ul><li>Security - isn’t it all solved? </li></ul><ul><li>Conventional threats </li></ul><ul><li>Wireless systems now </li></ul><ul><li>A vision of the future </li></ul><ul><li>Protection now </li></ul><ul><li>Protection in the future </li></ul>
    6. 6. What's the problem? <ul><li>We have firewalls and Intrusion Detection Systems – so we’re safe from outside attack </li></ul><ul><ul><li>They never give false positives and are trivial to configure </li></ul></ul><ul><li>VPNs, RADIUS, SSH, etc. allow secure remote access </li></ul><ul><ul><li>These are all user friendly and easy to use </li></ul></ul><ul><li>PKI can be used to determine identity </li></ul><ul><ul><li>And DNSsec is in operation world-wide </li></ul></ul><ul><li>S/MIME or PGP protects mail </li></ul><ul><ul><li>We all use secure email </li></ul></ul><ul><li>SSL/TLS protects web access </li></ul><ul><ul><li>Phishing attacks don’t work </li></ul></ul><ul><li>Virus scanning is effective </li></ul><ul><ul><li>So virii are a thing of the past </li></ul></ul><ul><li>Security patches can be applied centrally – SMS </li></ul><ul><ul><li>The patches never break anything </li></ul></ul><ul><li>IPv6 has complete built-in security </li></ul><ul><ul><li>Which is widely deployed </li></ul></ul><ul><li>And Pigs can fly! </li></ul>
    7. 7. Why is there a problem? <ul><li>Hostile environment (motivations for attack vary) </li></ul><ul><ul><li>Industrial Espionage </li></ul></ul><ul><ul><li>DDoS threats/extortion </li></ul></ul><ul><li>Lack of security consciousness </li></ul><ul><li>Lots of potential points of attack </li></ul><ul><li>Policies are often seen as unacceptable </li></ul><ul><li>No regulatory framework </li></ul><ul><li>Legal aspects unclear </li></ul>
    8. 8. Pearls of wisdom <ul><li>If you believe that encryption (or firewalls or Intrusion Detection Systems) are the answer to all your security problems, then you probably asked the wrong question. </li></ul><ul><li>Security is about securing a system. </li></ul><ul><li>Security is a process NOT a product. </li></ul><ul><li>Over-concentration on technology is deeply naïve. </li></ul><ul><li>However if you do major changes, like IPv4 to IPv6, you must ensure you have not introduced new problems. </li></ul>
    9. 9. Network Threats <ul><li>Passive tap </li></ul><ul><li>Active tap </li></ul><ul><li>Denial of service </li></ul><ul><li>Faking/replay </li></ul><ul><li>Traffic analysis </li></ul>
    10. 10. Other Threats <ul><li>Physical attack </li></ul><ul><li>Trojan Horses, viruses, worms, logic bombs </li></ul><ul><li>Passwords </li></ul><ul><li>Loopholes </li></ul><ul><li>Collusion </li></ul><ul><li>Accidental access </li></ul><ul><li>Tempest </li></ul><ul><li>Social Engineering </li></ul>
    11. 11. Cost Effective Security <ul><li>Absolute security? </li></ul><ul><ul><li>It is fictional in a network-connected system. </li></ul></ul><ul><li>Security = delay = cost to an attacker. </li></ul><ul><li>Security costs to implement. </li></ul><ul><li>So it is a compromise </li></ul><ul><ul><li>Evaluate risks </li></ul></ul><ul><ul><li>Evaluate cost of losses </li></ul></ul><ul><ul><li>Don’t spend more than this </li></ul></ul><ul><ul><li>This is difficult because </li></ul></ul><ul><ul><ul><li>don’t know motivation of attacker </li></ul></ul></ul><ul><ul><ul><li>don’t know value of information or goodwill </li></ul></ul></ul>
    12. 12. New Problems <ul><li>Infrastructure doesn’t protect data </li></ul><ul><li>Applications can’t be trusted to secure data </li></ul><ul><li>New forms of virii? </li></ul><ul><li>Security in mobile devices not standardised (many OS) </li></ul><ul><li>Devices easy to lose (or steal) or break </li></ul><ul><li>Radio is a broadcast medium </li></ul><ul><li>Most mobile devices come with security disabled </li></ul><ul><li>Data loss is painful; the more so the more one relies on it </li></ul>
    13. 13. What is new with IPv6 & IPv6 Overview
    14. 14. What is new with IPv6? <ul><li>Security was considered from the beginning in IPv6 </li></ul><ul><ul><li>One can rely on certain features existing </li></ul></ul><ul><li>When new services were considered, their security was part of IPv6 thinking </li></ul><ul><li>Some of the areas where the thinking is obvious are: </li></ul><ul><ul><li>Threats to Mobile access and Mobile IP </li></ul></ul><ul><ul><li>Cryptographically generated addresses </li></ul></ul><ul><ul><li>Protocols for Authentication and Network Access </li></ul></ul><ul><ul><li>IPsec </li></ul></ul><ul><ul><ul><li>Making intrusion harder </li></ul></ul></ul>
    15. 15. IPv6 Overview <ul><li>Expands addresses to 128 bits </li></ul><ul><li>Formalised address boundaries </li></ul><ul><li>IPSec (backported to IPv4 some time ago) </li></ul><ul><li>Quality of Service (QoS) typing </li></ul><ul><li>Stateless and stateful address autoconfiguration </li></ul><ul><li>Dynamic address renumbering </li></ul><ul><li>Transition tunnels and translators </li></ul><ul><li>Robust resistance to brute force scanning </li></ul><ul><li>No broadcast addresses </li></ul><ul><li>It is NOT just IPv4 with bigger addresses! </li></ul>
    16. 16. IPv6 Overview <ul><li>IPv6 has been around for many years </li></ul><ul><li>IPv6 is still under development </li></ul><ul><li>IPv6 will have new bugs that don't exist in IPv4 </li></ul><ul><li>Few bugs derive exclusively from the IP layer </li></ul><ul><li>Few vulnerabilities derive exclusively from the IP layer </li></ul><ul><li>A lot of IPv6 is very similar to IPv4 </li></ul><ul><li>Lessons learned in IPv4 should give IPv6 a better start </li></ul>
    17. 17. IPv6 and IPsec <ul><li>General IP Security mechanisms </li></ul><ul><li>Provides </li></ul><ul><ul><li>Authentication </li></ul></ul><ul><ul><li>Confidentiality </li></ul></ul><ul><ul><li>Key management - requires a PKI infrastructure (IKEv2) </li></ul></ul><ul><li>Applicable to use over LANs, across public & private WANs, & for the Internet </li></ul><ul><li>IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication. </li></ul><ul><li>IPSec is mandated in IPv6 – you can rely on it for end-to-end security </li></ul>
    18. 18. What is IPsec? <ul><li>Work done by the IETF IPsec Working Group </li></ul><ul><li>Applies to both IPv4 and IPv6 and its implementation is: </li></ul><ul><ul><li>Mandatory for IPv6 </li></ul></ul><ul><ul><li>Optional for IPv4 </li></ul></ul><ul><li>IPsec Architecture: RFC 2401 </li></ul><ul><li>IPsec services </li></ul><ul><ul><li>Authentication </li></ul></ul><ul><ul><li>Integrity </li></ul></ul><ul><ul><li>Confidentiality </li></ul></ul><ul><ul><li>Replay protection </li></ul></ul><ul><li>IPsec modes: Transport Mode & Tunnel Mode </li></ul><ul><li>IPsec protocols: AH (RFC 2402) & ESP (RFC 2406) </li></ul>
    19. 19. IPsec Architecture (RFC2401) <ul><li>Security Policies: Which traffic is treated? </li></ul><ul><li>Security Associations: How is traffic processed? </li></ul><ul><li>Security Protocols: Which protocols (extension headers) are used? </li></ul><ul><li>Key Management: Internet Key Exchange (IKEv2) </li></ul><ul><li>Algorithms: Authentication and Encryption </li></ul>
    20. 20. IPsec Modes <ul><li>Transport </li></ul><ul><ul><li>Above the IP level </li></ul></ul><ul><ul><li>Below the Transport Level </li></ul></ul><ul><ul><li>Only the IP datagram payload is protected </li></ul></ul><ul><ul><li>Usage </li></ul></ul><ul><ul><ul><li>Host to Host Service </li></ul></ul></ul><ul><li>Tunnel Mode </li></ul><ul><ul><li>IP within IP </li></ul></ul><ul><ul><li>Below the Transport Level </li></ul></ul><ul><ul><li>All the tunneled IP datagrams are protected </li></ul></ul><ul><ul><li>Usage </li></ul></ul><ul><ul><ul><li>Host to Host Service </li></ul></ul></ul><ul><ul><ul><li>Gateway to Gateway </li></ul></ul></ul><ul><ul><ul><li>Host to Gateway </li></ul></ul></ul>
    21. 21. IPsec Protocols <ul><li>Authentication Header (AH) </li></ul><ul><ul><li>RFC 2402 </li></ul></ul><ul><ul><li>Provides </li></ul></ul><ul><ul><ul><li>Connectionless Integrity </li></ul></ul></ul><ul><ul><ul><li>Data origin authentication </li></ul></ul></ul><ul><ul><ul><li>Replay protection </li></ul></ul></ul><ul><li>Encapsulating Security Payload Header (ESP) </li></ul><ul><ul><li>RFC 2406 </li></ul></ul><ul><ul><li>Provides </li></ul></ul><ul><ul><ul><li>Connectionless Integrity </li></ul></ul></ul><ul><ul><ul><li>Data origin authentication </li></ul></ul></ul><ul><ul><ul><li>Replay protection </li></ul></ul></ul><ul><ul><ul><li>Confidentiality </li></ul></ul></ul>
    22. 22. IPsec Protocols, modes and combinations <ul><li>AH </li></ul><ul><ul><li>Transport Mode: Authenticates IP payload and selected portions of IP header </li></ul></ul><ul><ul><li>Tunnel Mode: Authenticates entire inner IP datagram (header & payload) and selected portions of the outer IP header </li></ul></ul><ul><li>ESP </li></ul><ul><ul><li>Transport Mode: Encrypts IP payload </li></ul></ul><ul><ul><li>Tunnel Mode: Encrypts inner IP datagram </li></ul></ul><ul><li>ESP with Authentication </li></ul><ul><ul><li>Transport Mode: Encrypts IP payload and authenticates IP payload but not IP header </li></ul></ul><ul><ul><li>Tunnel Mode: Encrypts and authenticates inner IP datagram </li></ul></ul>
    23. 23. IPsec Key Management <ul><li>Manual </li></ul><ul><ul><li>Keys configured statically on each system </li></ul></ul><ul><li>Automatic: IKEv2 (RFC 4306 - Internet Key Exchange (IKEv2) Protocol) </li></ul><ul><ul><li>IKE performs mutual authentication between two parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish Security Associations for Enciphering and/or Authenticating purposes </li></ul></ul><ul><ul><li>Also automatically establishes a common set of cryptographic algorithms to be used. </li></ul></ul>
    24. 24. Problem solved?
    25. 25. Problem Solved? <ul><li>IPsec doesn’t solve all our problems </li></ul><ul><li>Other Issues to consider </li></ul><ul><ul><li>Transition Mechanisms </li></ul></ul><ul><ul><ul><li>All the ways you didn’t know of getting in and out of your network </li></ul></ul></ul><ul><ul><li>Scanning and Addresses </li></ul></ul><ul><ul><li>Broadcasts </li></ul></ul>
    26. 26. Transition Mechanisms <ul><li>Intended to promote IPv6 adoption and interoperability </li></ul><ul><li>Compatibility addresses aid IPv4 – IPv6 communications </li></ul><ul><li>SIT (Six in Tunnel) / 6in4 </li></ul><ul><li>6to4 Automatic SIT tunnels </li></ul><ul><li>IPv6 over UDP in various encapsulations </li></ul><ul><li>6over4 </li></ul><ul><li>Proxy Services, Services, and Protocol Bouncers </li></ul><ul><li>DSTM and 4in6 provide reverse transition support </li></ul><ul><li>Translators (NAT-PT, TRT) </li></ul>
    27. 27. 6to4/SIT <ul><li>Simple Internet Transition / Six In Tunnel </li></ul><ul><li>Protocol 41 (IPv6) in IPv4 </li></ul><ul><li>Basis for several IPv6 tunnel schemes </li></ul><ul><ul><li>Static SIT tunnels use preconfigured endpoints </li></ul></ul><ul><ul><li>Tunneling at the heart of ISATAP routed addresses </li></ul></ul><ul><li>Can pass “many” IPv4 NAT devices (proto 41 forwarding) </li></ul><ul><ul><li>Not reliable and not preferred over NAT </li></ul></ul><ul><li>Most tunnel brokers provide IPv6 through SIT tunnels </li></ul><ul><ul><li>Some (OCCAID, Hurricane Electric) only provide 6in4 tunnels </li></ul></ul><ul><li>6to4 provides autoconfigured 6in4 tunnels </li></ul><ul><ul><li>2002::/16 prefix </li></ul></ul><ul><ul><li>Assigns a /48 IPv6 network to every IPv4 address! </li></ul></ul><ul><ul><li>No tunnel brokers or static configuration required </li></ul></ul>
    28. 28. IPv6 over UDP <ul><li>IPv6 over UDP (default - port 3544/udp) </li></ul><ul><li>Intended to provide IPv6 tunnels over IPv4 NAT devices </li></ul><ul><li>Both endpoints may be NATed and/or firewalled! </li></ul><ul><li>Can bypass most firewalls (uses outbound UDP sockets) </li></ul><ul><li>Uses a robust NAT traversal similar to STUN (RFC 3489) </li></ul><ul><li>Provides peer-to-peer IPv6 connectivity for clients over NAT devices </li></ul><ul><li>Clients require a Teredo server and relay on public IPv4 </li></ul><ul><li>Teredo servers carry no production traffic </li></ul><ul><li>Teredo relays are currently advertized in BGP </li></ul><ul><li>Miredo project provides Teredo support on Linux and FreeBSD </li></ul><ul><li>IANA assigned address prefix 2001:0::/32 </li></ul><ul><li>IETF Standard RFC 4380 </li></ul>
    29. 29. More IPv6 over UDP <ul><li>UDP based transports work well over IPv4 NAT </li></ul><ul><ul><li>Also bypasses most firewalls – including stateful firewalls </li></ul></ul><ul><ul><li>Some may be “STUN” enabled </li></ul></ul><ul><li>TSP - Tunnel Setup Protocol (3653/udp) </li></ul><ul><ul><li>Promoted by FreeNet6 / Hexago </li></ul></ul><ul><ul><li>Also used with 4in6 for DSTM </li></ul></ul><ul><ul><li>Still an IETF draft </li></ul></ul><ul><li>AICCU - Automatic IPv6 Connectivity Client Utility (8374/udp) </li></ul><ul><ul><li>SixXS in Europe (HEAnet host the SixXS pop in Ireland) </li></ul></ul><ul><li>OpenVPN (1194/udp v2 – 5100/udp v1) </li></ul><ul><ul><li>Used by the German “Join” project as an IPv6 tunnel broker </li></ul></ul><ul><ul><li>Uses ESPinUDP (IPSec NAT-T) encapsulation </li></ul></ul><ul><ul><li>Directly tunnels IPv6 in IPv4 without additional tunneling layers </li></ul></ul>
    30. 30. Other methods <ul><li>IPv6 can be transported over anything that transports IPv4. </li></ul><ul><li>PPP – Native or tunneled IPv4 using 6in4 </li></ul><ul><li>IPSec / IPSec NAT-T </li></ul><ul><ul><li>Encrypted tunnel </li></ul></ul><ul><ul><li>Encapsulation and transport of IPv6 over IPv4 using 6in4 </li></ul></ul><ul><ul><li>NAT-T provides a further UDP transport, but provides no STUN support (yet) </li></ul></ul><ul><li>6over4 - Uses IPv4 multicast </li></ul><ul><li>ISATAP - Complex setup using 6in4 - Large enterprises </li></ul><ul><li>Generic Routing Encapsulation (GRE) </li></ul><ul><ul><li>IPv6/4 over IPv4 </li></ul></ul><ul><ul><li>IPv4/6 over IPv6 </li></ul></ul>
    31. 31. Less known methods <ul><li>Used to avoid detection. </li></ul><ul><li>Ping Tunnel </li></ul><ul><ul><li>Tunneling over ICMP Echo / Echo Reply </li></ul></ul><ul><li>Htunnel (tunnel over http, including proxies) </li></ul><ul><li>TCPtunnel </li></ul><ul><ul><li>Covert Channel in TCP header bits </li></ul></ul><ul><li>Covert Channel Tunneling Tool (CCTT) </li></ul><ul><ul><li>Brings several covert tunneling encapsulations under one roof </li></ul></ul><ul><ul><li>Tunneling over ICMP </li></ul></ul><ul><ul><li>Tunneling over HTTP </li></ul></ul><ul><ul><li>Tunneling over DNS </li></ul></ul><ul><ul><li>Tunneling over NTP </li></ul></ul>
    32. 32. The IPv6 Underground <ul><li>Already active on IPv6 </li></ul><ul><li>IPv6 only IRC channels </li></ul><ul><li>IPv6 only FTP sites </li></ul><ul><li>IPv6 only Web sites </li></ul><ul><li>Many IRC bots have IPv6 patches </li></ul><ul><li>IPv6 has been used for communications tunnels </li></ul><ul><li>IPv6 can be used to hide backdoors </li></ul><ul><li>IPv6 can be used to bypass firewalls </li></ul><ul><li>IPv6 can enable end to end peer to peer connectivity </li></ul><ul><ul><li>Even when all clients are behind NAT </li></ul></ul><ul><ul><li>Using 3rd party STUN or Teredo servers </li></ul></ul><ul><ul><li>Public servers carry no “malicious traffic” </li></ul></ul>
    33. 33. Scanning and addresses <ul><li>Several orders of magnitude harder to scan 1 IPv6 subnet than all of IPv4 </li></ul><ul><li>“Efficient” (dense) allocations == Feature Rich Targets </li></ul><ul><li>Sparse allocations make brute force scanning impractical </li></ul><ul><ul><li>Scanning for backdoors impractical </li></ul></ul><ul><ul><ul><li>By attackers </li></ul></ul></ul><ul><ul><ul><li>By defenders </li></ul></ul></ul><ul><ul><li>Scanning for proxies impractical </li></ul></ul><ul><ul><li>Scan-based worms can not propagate </li></ul></ul><ul><ul><ul><li>No more slammer </li></ul></ul></ul><ul><ul><ul><li>No more blaster </li></ul></ul></ul><ul><li>Cripples brute force scanning for open relays for Spam </li></ul><ul><li>Reduces hacker “hijack wars” and “shelling matches” </li></ul><ul><li>Use of trivial EUI-64 derived addresses can degrade this </li></ul><ul><ul><li>EUI-64 derived from interface MAC addresses </li></ul></ul><ul><ul><li>Remains constant across subnets </li></ul></ul><ul><ul><li>Potential privacy issues </li></ul></ul>
    34. 34. IPv6 and Broadcasts <ul><li>Mostly good news </li></ul><ul><li>No broadcast addresses </li></ul><ul><ul><li>No local broadcast </li></ul></ul><ul><ul><li>No directed broadcast </li></ul></ul><ul><ul><li>No global broadcast </li></ul></ul><ul><li>Broadcast functions handled by various multicast addresses </li></ul><ul><ul><li>Multicast addresses may never be source addresses </li></ul></ul><ul><ul><li>Some multicast addresses and functions can still have a large scope </li></ul></ul><ul><li>No more broadcast scanning for nodes </li></ul><ul><li>No more directed broadcast “food fights” </li></ul><ul><li>No help with local broadcast DDoS Zombies </li></ul>
    35. 35. IPv6 and the “Anatomy of a Hack”
    36. 36. IPv6 and the Anatomy of a Hack <ul><li>Basic layers in the Anatomy of a Hack </li></ul><ul><ul><li>Identify targets </li></ul></ul><ul><ul><li>Initial Compromise (Gain access) </li></ul></ul><ul><ul><li>Acquire shell </li></ul></ul><ul><ul><li>Elevate privilege </li></ul></ul><ul><ul><li>Clean up traces </li></ul></ul><ul><ul><li>Secure communications and future access </li></ul></ul><ul><li>IPv6 impacts some, but not all, layers of this model </li></ul>
    37. 37. Identify Targets <ul><li>Brute force scanning is impractical </li></ul><ul><ul><li>Targets have to be individually chosen </li></ul></ul><ul><li>Port probes are possible once system is identified </li></ul><ul><li>Security access may be on alternate addresses </li></ul><ul><li>Services may be dispersed across multiple addresses </li></ul><ul><ul><li>Security services, ssh, on unpublished addresses </li></ul></ul><ul><ul><li>Public services, web, smtp, ftp, on published addresses </li></ul></ul><ul><ul><li>No substitute for firewalls </li></ul></ul><ul><li>Result, Advantage defender </li></ul>
    38. 38. Initial Compromise <ul><li>Access to other systems may be acquired from compromised systems secured by IPv6 tunnels </li></ul><ul><li>Multiple systems may be accessed and routed out through single hosts anchoring IPv6 tunnels </li></ul><ul><li>Additional global routing may contribute to accessing systems behind firewalls or on private IPv4 address space </li></ul><ul><li>IPv6 traffic may be detected (if you know what to look for) </li></ul><ul><li>Result, a Draw </li></ul>
    39. 39. Securing Access <ul><li>IPv6 aids in hiding backdoors </li></ul><ul><li>Many IDS systems do not detect IPv6 traffic </li></ul><ul><li>Many IDS systems do not detect communications tunnels </li></ul><ul><li>Properly configured IDS systems can detect IPv6 traffic </li></ul><ul><li>Security scanners may not scan for IPv6 backdoors </li></ul><ul><li>IPv6 is easy to set up without interfering with IPv4 operations </li></ul><ul><li>Bots and malware may connect back to multiple addresses </li></ul><ul><li>Result, Advantage Attacker </li></ul>
    40. 40. Final thoughts
    41. 41. Firewalls <ul><li>Not all firewalls configured to block protocol 41 by default </li></ul><ul><ul><li>(Most now are) </li></ul></ul><ul><li>IPv4 firewalls can not see TCP or UDP in tunnels (Teredo, SIT) </li></ul><ul><li>IPv6 firewalls can not see protocol 41 (or UDP) on IPv4 </li></ul><ul><li>Teredo, TSP, AYIYA, and OpenVPN (UDP) can bypass firewalls </li></ul><ul><li>All tunnels should terminate at the firewall or security perimeter </li></ul><ul><li>Unroll all encapsulations and pass IPv6 traffic natively </li></ul><ul><li>Tunnels should be prohibited from within corporate networks </li></ul><ul><li>6to4 auto tunnels should be limited to external sites / clients </li></ul><ul><li>Provide an external gateway for supported tunneling protocols </li></ul>
    42. 42. Providing IPv6 <ul><li>To provide IPv6 to a network, you must support it </li></ul><ul><li>Tunnels should be terminated at security perimeters (firewalls) </li></ul><ul><li>6to4 / 6in4 should be prohibited within a corporate network </li></ul><ul><li>Native IPv6 should be provided within the corporate network </li></ul><ul><li>Router advertisements should be monitored for anomalies </li></ul><ul><li>Prefixes should be monitored for unexpected changes </li></ul><ul><li>Unusual router advertisements should be investigated </li></ul><ul><li>IDS systems should detect rogue routers and prefixes </li></ul><ul><li>EUI policy should be defined and enforced </li></ul>
    43. 43. Avoiding IPv6 <ul><li>To avoid having IPv6 on a network, you must support it </li></ul><ul><li>Tunneling protocols and transports should be blocked </li></ul><ul><ul><li>At all security perimeters </li></ul></ul><ul><ul><li>At routers and subnet boundaries </li></ul></ul><ul><ul><li>All tunneling protocols must be recognized </li></ul></ul><ul><li>IDS / IPS systems should monitor for IPv6 link protocols </li></ul><ul><ul><li>Neighbor discovery </li></ul></ul><ul><ul><li>Router advertisements </li></ul></ul><ul><li>NIDS systems should detect IPv6 – native and tunneled </li></ul><ul><ul><li>Unroll all encapsulated traffic to get at core protocols </li></ul></ul><ul><ul><li>Watch for encrypted encapsulations </li></ul></ul><ul><li>Host systems should be monitored for IPv6 </li></ul>
    44. 44. Ignoring IPv6 <ul><li>If you don't provide or prevent IPv6, you will have IPv6 </li></ul><ul><ul><li>You won't control it </li></ul></ul><ul><ul><li>You won't recognize it </li></ul></ul><ul><ul><li>You won't be managing it </li></ul></ul><ul><ul><li>It will still be globally addressable </li></ul></ul><ul><ul><li>It will still be fully routable (independent of IPv4 routing) </li></ul></ul><ul><ul><li>Others will be providing IPv6 routes and routers, not you </li></ul></ul><ul><li>Others providing IPv6 will not have your best interest at heart </li></ul>
    45. 45. Summary <ul><li>IPv6 carries a number of advantages </li></ul><ul><ul><li>Improved addressing </li></ul></ul><ul><ul><li>Improved security </li></ul></ul><ul><ul><li>Improved routing </li></ul></ul><ul><li>IPv6 advantages can be used against networks </li></ul><ul><ul><li>Backdoors hidden </li></ul></ul><ul><ul><li>Communications channels hidden </li></ul></ul><ul><ul><li>Security mechanisms bypassed </li></ul></ul><ul><li>IPv6 is easier and cheaper to provide than prevent </li></ul><ul><li>Time for ignoring IPv6 is past </li></ul><ul><li>Time for understanding and using IPv6 is now </li></ul>
    46. 46. Acknowledgements <ul><li>This presentation includes some material from these other sources: </li></ul><ul><li>The 6DISS project </li></ul><ul><li>“Security Implications of IPv6”, Michael H. Warfield, Internet Security Systems </li></ul>
    47. 47. Contact <ul><li>Mícheál Ó Foghlú </li></ul><ul><li>Research Director </li></ul><ul><li>Telecommunications Software & Systems Group </li></ul><ul><li>Waterford Institute of Technology </li></ul><ul><li>Cork Road </li></ul><ul><li>Waterford </li></ul><ul><li>Ireland </li></ul><ul><li>+353 51 302963 (w) </li></ul><ul><li>[email_address] </li></ul><ul><li> (Personal Blog) </li></ul>
    48. 48. Further Information <ul><li>Web Sites: </li></ul><ul><li>National Irish IPv6 Centre </li></ul><ul><li>Irish IPv6 Task Force </li></ul><ul><li>IPv6 ePrints Server (Public Documents) </li></ul><ul><li>IPv6 Dissemination (Public Training) </li></ul><ul><li>Individual Documents/Presentations: </li></ul><ul><li> (Iljitsch van Beijnum, 7th March 2007) </li></ul><ul><li> (Geoff Huston APNIC, 2006) </li></ul><ul><li> (IPv6 Forum Roadmap & Vision, 2006) </li></ul><ul><li> (Doug Montgomery NIST, 2005) </li></ul>
    49. 49. Thank you! This presentation has been shared under the Creative Commons Attribution 2.0 UK: England & Wales Licence by the Irish IPv6 Task Force. Please acknowledge this source if you use it for free or for profit
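
Slides 27, 28 and 33 name three address forms a defender can recognise on sight: the 6to4 prefix 2002::/16, the Teredo prefix 2001:0::/32, and EUI-64 interface identifiers derived from a MAC address. The Python below is an added example, not part of the original slides; it classifies addresses taken from logs, recovers the embedded IPv4 or MAC address, and groups hosts whose EUI-64 identifier stays constant across subnets. All sample addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict


def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 interface ID, or None.

    Heuristic: EUI-64 inserts ff:fe between the two halves of the MAC and
    flips the universal/local bit of the first octet.
    """
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(text):
    """Describe one IPv6 address: transition mechanism and embedded identifiers."""
    addr = ipaddress.IPv6Address(text)
    info = {"address": str(addr), "kind": "other"}
    if addr.sixtofour is not None:            # 2002::/16, IPv4 in bits 16..47
        info["kind"] = "6to4"
        info["ipv4"] = str(addr.sixtofour)
        info["site"] = str(ipaddress.IPv6Network(f"{addr}/48", strict=False))
    elif addr.teredo is not None:             # 2001:0::/32
        server, client = addr.teredo          # client IPv4 is stored bit-inverted
        info["kind"] = "teredo"
        info["server"] = str(server)
        info["client"] = str(client)
        info["client_port"] = ((int(addr) >> 32) & 0xFFFF) ^ 0xFFFF
    mac = eui64_mac(addr)
    if mac:
        info["mac"] = mac
    return info


def hosts_by_mac(addresses):
    """Group addresses that expose the same MAC through EUI-64."""
    groups = defaultdict(list)
    for text in addresses:
        info = classify(text)
        if "mac" in info:
            groups[info["mac"]].append(info["address"])
    return dict(groups)


# Constructed sample input (documentation prefixes only).
SAMPLE_ADDRESSES = [
    "2002:c000:201::1",                      # 6to4 for 192.0.2.1
    "2001:0:c000:22d:8000:63bf:34ff:8efa",   # Teredo client behind NAT
    "2001:db8:1:1:21a:2bff:fe3c:4d5e",       # EUI-64, subnet 1
    "2001:db8:2:7:21a:2bff:fe3c:4d5e",       # same interface, another subnet
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(classify(a))
    print(hosts_by_mac(SAMPLE_ADDRESSES))
```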
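
Slides 41 and 43 ask perimeter devices to recognise tunneling transports and to unroll encapsulations to get at the core protocols. The Python below is an added example, not part of the original slides; it inspects raw IPv4 packets for protocol 41 and for the UDP ports the slides list, then parses the inner IPv6 header where one is visible. The packets are constructed in the script, and the port table is taken from the slides as given.

```python
import ipaddress
import struct

# UDP ports listed on slides 28 and 29 for IPv6 tunnel transports.
UDP_TUNNEL_PORTS = {3544: "Teredo", 3653: "TSP", 8374: "AICCU",
                    1194: "OpenVPN", 5100: "OpenVPN v1"}


def parse_ipv6(data):
    """Return src, dst and next header of an IPv6 packet, or None if not IPv6."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    return {"src": str(ipaddress.IPv6Address(data[8:24])),
            "dst": str(ipaddress.IPv6Address(data[24:40])),
            "next_header": data[6]}


def inspect_ipv4(packet):
    """Classify one raw IPv4 packet; None means no tunnel indicator was seen."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # header length, options included
    if ihl < 20 or len(packet) < ihl:
        return None
    proto, payload = packet[9], packet[ihl:]
    if proto == 41:                           # IPv6 directly in IPv4 (SIT, 6in4, 6to4)
        return {"tunnel": "protocol 41", "inner": parse_ipv6(payload)}
    if proto == 17 and len(payload) >= 8:     # UDP: match either port
        sport, dport = struct.unpack("!HH", payload[:4])
        name = UDP_TUNNEL_PORTS.get(dport) or UDP_TUNNEL_PORTS.get(sport)
        if name:
            # inner stays None for encrypted or tunnel-specific framing.
            return {"tunnel": name, "inner": parse_ipv6(payload[8:])}
    return None


# --- constructed sample packets (checksums left at zero) ---
def build_ipv4(proto, payload, src="198.51.100.7", dst="192.0.2.1"):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_ipv6(next_header, payload=b"", src="2001:db8::1", dst="2001:db8::2"):
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def sample_packets():
    tcp_stub = b"\x00" * 20
    return {
        "6in4": build_ipv4(41, build_ipv6(6, tcp_stub)),        # TCP hidden in proto 41
        "teredo": build_ipv4(17, build_udp(51000, 3544, build_ipv6(58))),
        "openvpn": build_ipv4(17, build_udp(40000, 1194, b"\x38" + b"\xaa" * 47)),
        "plain_tcp": build_ipv4(6, tcp_stub),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, inspect_ipv4(pkt))
```

A port match is only an indicator: an ephemeral source port can collide with a listed port, and a tunnel can run on any port, so the inner-header parse is the stronger signal.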
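
Slide 42 says router advertisements and prefixes should be monitored and that an IDS should detect rogue routers and prefixes. The Python below is an added example, not part of the original slides; it parses an ICMPv6 Router Advertisement (type 134, option layout per RFC 4861) and compares the sender and advertised prefixes with an allowlist. The allowlist values, addresses and the `build_ra` helper are constructed for illustration.

```python
import ipaddress
import struct

# Constructed site policy: the only router and prefix expected on this link.
EXPECTED_ROUTERS = {"fe80::1"}
EXPECTED_PREFIXES = {"2001:db8:10::/64"}


def parse_ra(icmp6):
    """Parse an ICMPv6 Router Advertisement; return None for other messages."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        return None
    ra = {"router_lifetime": struct.unpack("!H", icmp6[6:8])[0],
          "lladdr": None, "prefixes": []}
    pos = 16                                   # options follow the fixed 16 bytes
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp6):
            break                              # malformed option, stop parsing
        body = icmp6[pos:pos + opt_len]
        if opt_type == 1 and opt_len == 8:     # Source Link-Layer Address
            ra["lladdr"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif opt_type == 3 and opt_len == 32 and body[2] <= 128:   # Prefix Information
            prefix = ipaddress.IPv6Address(body[16:32])
            net = ipaddress.IPv6Network(f"{prefix}/{body[2]}", strict=False)
            ra["prefixes"].append(str(net))
        pos += opt_len
    return ra


def check_ra(src, icmp6):
    """Return alert strings for one RA received from link-local address src."""
    ra = parse_ra(icmp6)
    if ra is None:
        return []
    src = str(ipaddress.IPv6Address(src))
    alerts = []
    if src not in EXPECTED_ROUTERS:
        alerts.append(f"rogue router {src} (lladdr {ra['lladdr']})")
    for prefix in ra["prefixes"]:
        if prefix not in EXPECTED_PREFIXES:
            alerts.append(f"unexpected prefix {prefix} from {src}")
    return alerts


def build_ra(prefix, plen, mac, lifetime=1800):
    """Build a constructed RA body (checksum left at zero) for the demo."""
    fixed = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    pio = (struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
           + ipaddress.IPv6Address(prefix).packed)
    return fixed + slla + pio


if __name__ == "__main__":
    good = build_ra("2001:db8:10::", 64, "00:11:22:33:44:55")
    rogue = build_ra("2001:db8:bad::", 64, "de:ad:be:ef:00:01")
    print(check_ra("fe80::1", good))
    print(check_ra("fe80::dead:beef", rogue))
```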