02 ipv6-cpe-panel security
Published in Education
  • 1. IPv6 residential gateway security
      Eric Vyncke, Cisco Systems, CTO/Consulting Engineering, evyncke@cisco.com
  • 2. The Security Questions when adding IPv6 to a RG/CPE
      - Is IPv6 more or less secure than IPv4? Roughly equivalent (lack of knowledge makes IPv6 less secure for now)
      - Which security policy for IPv6? Same as for IPv4 (including the 'NAT security')? Same as in 2000 when IPv4 CPE were designed?
      - How congruent must the IPv* policies be?
      (Reference on each slide: draft-vyncke-advanced-ipv6-security-00.txt)
  • 3. Typical IPv4 Security
      - Apply anti-spoofing (and anti-bogons)
      - Allow all traffic inside to outside
      - Only allow traffic outside to inside if it matches an outbound flow
      - Drop the rest
      - Specific TCP/UDP ports could be blocked (such as 445/TCP) or opened
      - Often co-located with the NAT function (cf. iptables)
  • 4. IPv6 Changes a Few Things
      - Link-local / ULA are completely isolated from the 'bad' Internet: good for security
      - Home devices are globally reachable: perhaps less good for security
  • 5. CPE to CPE Communication, IPv4 vs. IPv6
      - SP wants to see all user-to-user traffic
      - IPv4: WAN addresses must communicate; usually in the same layer 2 domain... tricks to force traffic to the BNG
      - IPv6: WAN addresses have no reason to communicate; IPv6 LAN addresses must communicate (easy: this is routed)
      [Diagram: SP BNG connecting Eric's CPE (2001:db8:bad::/64) and Ole's CPE (2001:db8:café::/64)]
  • 6. IPv6 Simple Security
      - An IETF work item from James Woodyatt, Apple
      - Advises a security policy for IPv6 which is mostly congruent with the IPv4 one:
        - Basic anti-bogons/spoofing
        - Outbound permitted
        - Inbound permitted
      - Benefits: guidelines for the CPE implementers; technically doable & easy; congruent with IPv4 (easier for the user)
      - Cons: breaks the open host-to-host promise of IPv6
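To make the policy on slides 3, 4 and 6 concrete, here is an added example (not code from the slides, from the draft or from any vendor's CPE) of a toy forwarding policy that applies the same decision logic to IPv4 and IPv6: anti-spoofing on the LAN side, anti-bogon on the WAN side, link-local/ULA isolation, outbound permitted, inbound only when it reverses a recorded outbound flow, plus a static port block. It goes beyond the slides in one respect: the IPv4 path includes a minimal port-preserving NAT so the difference between "flow tracked on the NATed WAN address" and "flow tracked on the globally reachable LAN address" is visible. All prefixes, the WAN address and the packets are constructed for the demonstration; `Packet`, `Cpe` and `simple_security_demo` are this example's own names.

```python
import ipaddress
from dataclasses import dataclass, field, replace

# Added example, not code from the slides or the draft: a toy model of the
# residential-gateway policy on slides 3, 4 and 6, applied to IPv4 and IPv6
# with one code path. Prefixes, addresses and packets are constructed.

# Addresses that must never cross the WAN boundary (slide 4: link-local and
# ULA stay isolated; slide 3: anti-bogon). The v4 entries cover RFC 1918,
# link-local, loopback, "this network" and multicast. An explicit list is
# used because ipaddress.is_private also flags the 2001:db8::/32 test range.
BOGONS = [ipaddress.ip_network(p) for p in (
    "fe80::/10", "fc00::/7", "::1/128", "::/128", "ff00::/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str   # "lan" or "wan": the interface the packet arrived on
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Cpe:
    lan_prefixes: list           # prefixes used on the LAN side (IPv4 and IPv6)
    wan_v4: str                  # the single public IPv4 address used for NAT
    blocked_ports: set           # (proto, port) pairs never accepted from the WAN
    flows: set = field(default_factory=set)   # outbound 5-tuples, as seen on the WAN
    nat: dict = field(default_factory=dict)   # (proto, wan_port) -> (lan_src, sport)
    log: list = field(default_factory=list)   # (reason, packet) for every drop

    def in_lan(self, addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a in ipaddress.ip_network(p) for p in self.lan_prefixes)

    @staticmethod
    def is_bogon(addr: str) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a in n for n in BOGONS)   # membership is False across families

    def _drop(self, pkt: Packet, reason: str) -> str:
        self.log.append((reason, pkt))
        return "drop"

    def forward(self, pkt: Packet) -> str:
        """Return "accept" or "drop" for one packet the CPE would have to forward."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src.version != dst.version:
            return self._drop(pkt, "mixed address families")
        pkt = replace(pkt, src=str(src), dst=str(dst))   # canonical text form for tuple matching
        return self._from_lan(pkt) if pkt.iface == "lan" else self._from_wan(pkt)

    def _from_lan(self, pkt: Packet) -> str:
        # Anti-spoofing: a LAN host may only use a source address from our own prefixes.
        if not self.in_lan(pkt.src):
            return self._drop(pkt, "spoofed LAN source")
        if self.in_lan(pkt.dst):
            return "accept"                  # LAN-to-LAN, never reaches the WAN policy
        # Link-local, ULA and RFC 1918 destinations are not routed towards the WAN.
        if self.is_bogon(pkt.dst):
            return self._drop(pkt, "non-routable destination")
        wan_src = pkt.src
        if ipaddress.ip_address(pkt.src).version == 4:
            # IPv4 only: port-preserving NAT to the WAN address (port clashes ignored here).
            wan_src = self.wan_v4
            self.nat[(pkt.proto, pkt.sport)] = (pkt.src, pkt.sport)
        # "Allow all traffic inside to outside" and remember the flow for the reply direction.
        self.flows.add((pkt.proto, wan_src, pkt.sport, pkt.dst, pkt.dport))
        return "accept"

    def _from_wan(self, pkt: Packet) -> str:
        # Anti-bogon and anti-spoofing on the WAN side: our own prefixes never arrive from outside.
        if self.is_bogon(pkt.src) or self.in_lan(pkt.src):
            return self._drop(pkt, "bogon or spoofed WAN source")
        if (pkt.proto, pkt.dport) in self.blocked_ports:
            return self._drop(pkt, "blocked port")
        # Inbound only when it is the reverse of a flow we saw leaving.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"
        return self._drop(pkt, "no matching outbound flow")


def simple_security_demo() -> dict:
    """Constructed traffic exercising the policy for both address families."""
    cpe = Cpe(lan_prefixes=["192.168.1.0/24", "2001:db8:bad::/64"],
              wan_v4="203.0.113.7", blocked_ports={("tcp", 445)})
    r = {}
    # IPv6: the LAN host is globally reachable, so the flow is tracked on its own address.
    r["v6_out"] = cpe.forward(Packet("lan", "tcp", "2001:db8:bad::10", 50000, "2001:db8:cafe::1", 443))
    r["v6_reply"] = cpe.forward(Packet("wan", "tcp", "2001:db8:cafe::1", 443, "2001:db8:bad::10", 50000))
    r["v6_unsolicited"] = cpe.forward(Packet("wan", "tcp", "2001:db8:cafe::1", 40000, "2001:db8:bad::10", 22))
    # IPv4: same policy, but the flow is tracked on the NATed WAN address.
    r["v4_out"] = cpe.forward(Packet("lan", "tcp", "192.168.1.10", 50001, "198.51.100.5", 80))
    r["v4_reply"] = cpe.forward(Packet("wan", "tcp", "198.51.100.5", 80, "203.0.113.7", 50001))
    r["v4_nat_entry"] = cpe.nat[("tcp", 50001)]
    # Isolation, anti-spoofing and port blocking cases.
    r["ula_to_wan"] = cpe.forward(Packet("lan", "udp", "2001:db8:bad::10", 1234, "fd00::1", 53))
    r["ula_from_wan"] = cpe.forward(Packet("wan", "tcp", "fd00::1", 4444, "2001:db8:bad::10", 80))
    r["spoofed_lan"] = cpe.forward(Packet("lan", "tcp", "2001:db8:1234::1", 1, "2001:db8:cafe::1", 80))
    r["smb_from_wan"] = cpe.forward(Packet("wan", "tcp", "198.51.100.5", 3333, "203.0.113.7", 445))
    return r
```

Running `simple_security_demo()` shows the congruence the slides argue for: both the IPv6 reply and the NATed IPv4 reply are accepted because they reverse a recorded flow, while the unsolicited inbound connection, the ULA traffic in either direction, the spoofed LAN source and the inbound 445/TCP probe are all dropped with a reason recorded in `cpe.log`. The only family-specific code is the NAT step; everything else is one policy.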
  • 7. What has changed between v4 & v6?
      - IPv4 CPE designed pre-2000: hosts were weak, vulnerable; CPE were CPU and memory constrained; NAT prevents any easy & direct host-to-host communication; security technique: mainly firewall
      - IPv6 CPE are designed in 2010: IPv6 hosts are much stronger and resistant (Humm... wishful thinking for sensors, webcams and other small/embedded OS); CPE have more CPU and memory; host-to-host communication is possible; new security techniques: Intrusion Prevention System, reputation of IP addresses, centralized & automatic updates
  • 8. Proposal: less simple security
      - Why not use modern techniques for IPv6 CPE? IPS; automated updates (policies & engines); address reputation; cloud computing; ...
      - Individual I-D: draft-vyncke-advanced-ipv6-security
  • 9. Overview
      - 7 policies are identified. These are largely based on features which are commonly available in "advanced" security gear for enterprises today
      - The home edge router is not something that is purchased and thrown away when obsolete. Instead, it is actively updated like many other consumer devices are today (PCs, iPods and iPhones, etc.)
      - The business model may include a paid subscription service from the manufacturer, a participating service or content provider, a consortium, etc.
  • 10. Advanced Security
      [Diagram: Advanced Security built from Dynamic Update, IPS, User control and Feedback]
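Slides 8 to 10 name the building blocks of the "less simple" proposal (dynamic update, IPS, address reputation, user control, feedback) without showing how they fit together. The following added example (not code from the slides, the draft or any product) models them as a layer consulted for unsolicited inbound packets before the flow-based rules. Everything about the update format is an assumption made for the demonstration: updates are JSON bodies authenticated with an HMAC over a pre-shared key and carry a monotonically increasing version so that a stale or replayed feed cannot roll the policy back; the "IPS" is reduced to a named (proto, port) pattern; the reputation list is a set of prefixes; user control is a set of explicitly opened ports; feedback is a hit counter per rule. `AdvancedPolicy`, `make_update`, `advanced_policy_demo`, the key and the addresses are all constructed.

```python
import hashlib
import hmac
import ipaddress
import json

# Added example, not code from the slides or the draft: the four blocks of
# slide 10 as one policy layer. Update format, key and addresses are
# assumptions made for the demonstration.


class AdvancedPolicy:
    def __init__(self, update_key: bytes):
        self.update_key = update_key   # assumption: updates authenticated with a shared key
        self.version = 0               # version of the last accepted dynamic update
        self.reputation = []           # prefixes with a bad reputation: drop inbound
        self.signatures = {}           # "IPS" reduced to name -> (proto, dport) patterns
        self.user_pinholes = set()     # user control: (proto, dport) explicitly opened
        self.feedback = {}             # feedback: hit counter per rule name

    # --- Dynamic update ---------------------------------------------------
    def apply_update(self, update: dict) -> bool:
        """Accept an update only if its MAC verifies and its version is newer."""
        body = json.dumps(update["body"], sort_keys=True).encode()
        expected = hmac.new(self.update_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["mac"]):
            return False               # tampered, or not from the expected publisher
        if update["body"]["version"] <= self.version:
            return False               # stale or replayed feed: never roll the policy back
        self.version = update["body"]["version"]
        self.reputation = [ipaddress.ip_network(p) for p in update["body"].get("reputation", [])]
        self.signatures = {name: tuple(sig) for name, sig in update["body"].get("signatures", {}).items()}
        return True

    # --- User control -----------------------------------------------------
    def open_port(self, proto: str, port: int) -> None:
        self.user_pinholes.add((proto, port))

    # --- Decision for an unsolicited inbound packet -----------------------
    def inbound(self, src: str, proto: str, dport: int) -> str:
        a = ipaddress.ip_address(src)
        for net in self.reputation:                    # reputation is checked first
            if a in net:
                return self._hit("reputation:" + str(net), "drop")
        for name, pattern in self.signatures.items():  # then the IPS patterns
            if (proto, dport) == pattern:
                return self._hit("ips:" + name, "drop")
        if (proto, dport) in self.user_pinholes:       # then what the user opened
            return self._hit("pinhole", "accept")
        return "defer"   # nothing matched: fall through to the flow-based rules

    def _hit(self, rule: str, verdict: str) -> str:
        self.feedback[rule] = self.feedback.get(rule, 0) + 1
        return verdict

    def feedback_report(self) -> dict:
        """What the CPE would send back to the update service (feedback block)."""
        return {"policy_version": self.version, "hits": dict(self.feedback)}


def make_update(key: bytes, body: dict) -> dict:
    """Publisher side of the constructed update format."""
    mac = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def advanced_policy_demo():
    key = b"demo-shared-key"   # constructed; real deployments would provision per-device keys
    pol = AdvancedPolicy(key)
    ok = pol.apply_update(make_update(key, {"version": 1,
                                            "reputation": ["2001:db8:bad:bad::/64"],
                                            "signatures": {"smb-probe": ["tcp", 445]}}))
    replay = pol.apply_update(make_update(key, {"version": 1, "reputation": []}))
    forged = pol.apply_update({"body": {"version": 2, "reputation": []}, "mac": "00" * 32})
    pol.open_port("tcp", 22)
    verdicts = [
        pol.inbound("2001:db8:bad:bad::7", "tcp", 22),   # bad reputation beats the pinhole
        pol.inbound("2001:db8:cafe::1", "tcp", 445),    # IPS pattern
        pol.inbound("2001:db8:cafe::1", "tcp", 22),     # user-opened port
        pol.inbound("2001:db8:cafe::1", "tcp", 80),     # deferred to the flow policy
    ]
    return ok, replay, forged, verdicts, pol.feedback_report()
```

The ordering in `inbound` is the design point: a reputation or IPS hit is applied before a user pinhole, so an update can close a port the user opened without the user having to act, which is exactly the "adjust the policy as IPv6 attacks arrive" argument of slide 11. The version check in `apply_update` is what keeps the automated-update channel from becoming a way to push an old, weaker policy.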
  • 11. Why is this important to IPv6?
      - Security policy can be adjusted to match the threat as IPv6 attacks arrive
      - We don't break end-to-end IPv6, unless we absolutely have to
      - While providing arguably better security, troubleshooting, etc. than we would otherwise
  • 12. Conclusion
      - IPv6 is as (in)secure as IPv4
      - User education will be key
      - IPv6@2010 is different from IPv4@2000: more secure hosts; more powerful CPE; end-to-end connectivity could/should be restored