www.progreso.com.sg1
IPv6 Cyber Security:
What Security Issues have you Missed Out?
6 September 2013
www.progreso.com.sg2
Agenda
 IPv6 Security Myths
 IPv6 Security Compromises
 Network Reconnaissance in IPv6
 IPv6 for ...
www.progreso.com.sg3
Myth on Increased Security
 IPv6 is more secure than IPv4, since
security was considered during the
...
www.progreso.com.sg4
Myth on End-to-end Principle
 IPv6 will return the end-to-end
principle to the Internet,
hence secur...
www.progreso.com.sg5
Myth on NAT
 IPv6 networks will be NAT-free.
www.progreso.com.sg6
Myth on Host Reconnaissance
 The massive IPv6 address space will make host
scanning unfeasible.
www.progreso.com.sg7
Agenda
 IPv6 Security Myths
 IPv6 Security Compromises
 Network Reconnaissance in IPv6
 IPv6 for ...
www.progreso.com.sg8
The New Cyber Landscape
- Multiple threat vectors
www.progreso.com.sg9
Attack Vectors on IPv6
 IPv6 addressing architecture
 Network reconnaissance
 Spoofing and smurf a...
www.progreso.com.sg10
Hacking Groups
Script kiddies
Political
Hacktivists
Crime Rings
State
Sponsored
Teams
www.progreso.com.sg11
Kiddie Scripts
www.progreso.com.sg12
Nmap Scanning
www.progreso.com.sg13
Vulnerability Scanning using Nessus
www.progreso.com.sg14
Packet Crafting
www.progreso.com.sg15
Agenda
 IPv6 Security Myths
 IPv6 Security Compromises
 Network Reconnaissance in IPv6
 IPv6 for...
www.progreso.com.sg16
Dissecting an IPv6 Address
Global Routing Prefix
(length = a)
Subnet ID
(length = b)
Interface ID
(l...
www.progreso.com.sg17
Methods of Generating the IID
 EUI-64: Embedding the MAC
 Employ low-byte addresses
 Embed IPv4 a...
www.progreso.com.sg18
EUI-64
IEEE OUI ff-fe Lower 24 bits of MAC
Known/searchable
(24 bits)
Fixed
(16 bits)
Unknown
(24 bi...
www.progreso.com.sg19
Low-Byte Addresses
2001:db8:1234:5678:0000:0000:0000:1234
2001:db8:1234:5678:0000:0000:0000:0001
200...
www.progreso.com.sg20
Embedded IPv4 Addresses
2001:db8:1234:5678:0000:0000:c0a8:0101
2001:db8:1234:5678:0000:0000:0808:080...
www.progreso.com.sg21
Wordy Addresses
264 232
2001:db8:1234:5678:dec:1ded:c0:ffee
Dictionary-based scanning
2a03:2880:2110...
www.progreso.com.sg22
Privacy/Temporary Addresses
 RFC 4941
2001:db8:1234:5678:e24a:71c:d93f:7b0
2001:db8:1234:5678:0000:...
www.progreso.com.sg23
Transition/Coexistence Technologies
6to4 = 2002:c0a1:c0fe:1:2e0:18ff:fefb:7a25/48
ISATAP = fe80::5ef...
www.progreso.com.sg24
Agenda
 IPv6 Security Myths
 IPv6 Security Compromises
 Network Reconnaissance in IPv6
 IPv6 for...
www.progreso.com.sg25
IPv6 Education and Training
www.progreso.com.sg26
Upgrade Security Tools
www.progreso.com.sg27
Additional Configurations
www.progreso.com.sg28
Risks of Tunneling Protocols
www.progreso.com.sg29
New Features Adds Complexity
www.progreso.com.sg30
Agenda
 IPv6 Security Myths
 IPv6 Security Compromises
 Network Reconnaissance in IPv6
 IPv6 for...
www.progreso.com.sg31
Transitions and Cybersecurity
www.progreso.com.sg32
Apply Rigorous Oversight
www.progreso.com.sg33
Leverage Accredited IPv6 Test Program
www.progreso.com.sg34
Don’t Get Intimidated
www.progreso.com.sg35
Incremental Deployment
www.progreso.com.sg36
Don’t Lose Sleep Over Dual Stacking
www.progreso.com.sg37
Agenda
 IPv6 Security Myths
 Network Reconnaissance in IPv6
 IPv6 for Security Practitioners
 En...
www.progreso.com.sg38
IPv6 Security Measures
 Endpoint security
 Standalone firewalls
 Packet filters
 Data link level...
www.progreso.com.sg39
IPv6 Security Implementation Concerns
 IPv6 protocol stack vulnerabilities
 Lack of IPv6 exposure ...
www.progreso.com.sg40
Call to Action
 IPv6 is the future of the Internet
 There are significant differences between IPv4...
www.progreso.com.sg41
Are You Ready?
IPv6 Security
Upcoming SlideShare
Loading in …5
×

IPv6 Security

265 views
221 views

Published on

Presented on 6 September 2013 in a seminar organised by Progreso Training.

Sign up for free seminars at http://progresotraining.eventbrite.sg or http://www.progreso.com.sg/training/event_view_all.php for an overview of IPv6 Security.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
265
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

IPv6 Security

  1. 1. www.progreso.com.sg1 IPv6 Cyber Security: What Security Issues have you Missed Out? 6 September 2013
  2. 2. www.progreso.com.sg2 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  3. 3. www.progreso.com.sg3 Myth on Increased Security  IPv6 is more secure than IPv4, since security was considered during the design of the protocol and not as an afterthought.
  4. 4. www.progreso.com.sg4 Myth on End-to-end Principle  IPv6 will return the end-to-end principle to the Internet, hence security architectures will switch from the network to the hosts.
  5. 5. www.progreso.com.sg5 Myth on NAT  IPv6 networks will be NAT-free.
  6. 6. www.progreso.com.sg6 Myth on Host Reconnaissance  The massive IPv6 address space will make host scanning unfeasible.
  7. 7. www.progreso.com.sg7 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  8. 8. www.progreso.com.sg8 The New Cyber Landscape - Multiple threat vectors
  9. 9. www.progreso.com.sg9 Attack Vectors on IPv6  IPv6 addressing architecture  Network reconnaissance  Spoofing and smurf attacks  Worms and viruses  Main packet header + extension header issues  IPv6 layer-2 and layer-3 security compromises  Security on the routing infrastructure  Vulnerabilities in transition mechanisms
  10. 10. www.progreso.com.sg10 Hacking Groups Script kiddies Political Hacktivists Crime Rings State Sponsored Teams
  11. 11. www.progreso.com.sg11 Kiddie Scripts
  12. 12. www.progreso.com.sg12 Nmap Scanning
  13. 13. www.progreso.com.sg13 Vulnerability Scanning using Nessus
  14. 14. www.progreso.com.sg14 Packet Crafting
  15. 15. www.progreso.com.sg15 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  16. 16. www.progreso.com.sg16 Dissecting an IPv6 Address Global Routing Prefix (length = a) Subnet ID (length = b) Interface ID (length = 128 - a – b)
  17. 17. www.progreso.com.sg17 Methods of Generating the IID  EUI-64: Embedding the MAC  Employ low-byte addresses  Embed IPv4 address  “Wordy” address  Privacy or temporary address  Transition/Coexistence mechanisms
  18. 18. www.progreso.com.sg18 EUI-64 IEEE OUI ff-fe Lower 24 bits of MAC Known/searchable (24 bits) Fixed (16 bits) Unknown (24 bits) 264 224
  19. 19. www.progreso.com.sg19 Low-Byte Addresses 2001:db8:1234:5678:0000:0000:0000:1234 2001:db8:1234:5678:0000:0000:0000:0001 2001:db8:1234:5678:0000:0000:0000:8888 264 216 or 28
  20. 20. www.progreso.com.sg20 Embedded IPv4 Addresses 2001:db8:1234:5678:0000:0000:c0a8:0101 2001:db8:1234:5678:0000:0000:0808:0808 264 232 8.8.8.8 192.168.1.1
  21. 21. www.progreso.com.sg21 Wordy Addresses 264 232 2001:db8:1234:5678:dec:1ded:c0:ffee Dictionary-based scanning 2a03:2880:2110:3f02:face:b00c::
  22. 22. www.progreso.com.sg22 Privacy/Temporary Addresses  RFC 4941 2001:db8:1234:5678:e24a:71c:d93f:7b0 2001:db8:1234:5678:0000:0000:0000:8888 Host is still compromised!
  23. 23. www.progreso.com.sg23 Transition/Coexistence Technologies 6to4 = 2002:c0a1:c0fe:1:2e0:18ff:fefb:7a25/48 ISATAP = fe80::5efe:c0a1:c0fe NAT64 = 64:ff9b::c0a1:c0fe
  24. 24. www.progreso.com.sg24 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  25. 25. www.progreso.com.sg25 IPv6 Education and Training
  26. 26. www.progreso.com.sg26 Upgrade Security Tools
  27. 27. www.progreso.com.sg27 Additional Configurations
  28. 28. www.progreso.com.sg28 Risks of Tunneling Protocols
  29. 29. www.progreso.com.sg29 New Features Adds Complexity
  30. 30. www.progreso.com.sg30 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  31. 31. www.progreso.com.sg31 Transitions and Cybersecurity
  32. 32. www.progreso.com.sg32 Apply Rigorous Oversight
  33. 33. www.progreso.com.sg33 Leverage Accredited IPv6 Test Program
  34. 34. www.progreso.com.sg34 Don’t Get Intimidated
  35. 35. www.progreso.com.sg35 Incremental Deployment
  36. 36. www.progreso.com.sg36 Don’t Lose Sleep Over Dual Stacking
  37. 37. www.progreso.com.sg37 Agenda  IPv6 Security Myths  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  38. 38. www.progreso.com.sg38 IPv6 Security Measures  Endpoint security  Standalone firewalls  Packet filters  Data link level security
  39. 39. www.progreso.com.sg39 IPv6 Security Implementation Concerns  IPv6 protocol stack vulnerabilities  Lack of IPv6 exposure and operational experience  Unintentional connectivity via tunneling  Lack of first-hop security features Application TCP UDP IPv4 IPv6 Data Link
  40. 40. www.progreso.com.sg40 Call to Action  IPv6 is the future of the Internet  There are significant differences between IPv4 and IPv6  Don’t lag behind in IPv6 knowledge  Join now to learn more!
  41. 41. www.progreso.com.sg41 Are You Ready?

×