IPv6 SecurityWhere is the challenge?Marco HogewoningExternal RelationsRIPE NCC
Biggest Hurdle Deploying IPv6  (NRO: Global IPv6 Deployment Survey)                                         2
Increased Awareness?     (Ernst & Young: Global Information Security Survey)                                              ...
Where is the Risk?
Threat or Vulnerability?•   Threat: the potential to cause harm    – DoS,   unauthorised access, viruses•   Vulnerability:...
Human Factor•   Vulnerabilities exist because of human errors:    – Coding    errors    – Configuration       errors    – D...
ExamplesIs this IPv6 related?
Rogue Router Advertisement•   IPv6 relies on routers to announce themselves    using ICMPv6 multicasts•   Protocol has lit...
Rogue Router Advertisement (IPv4)•   Every machine can start a DHCP server    – Reconfigure     clients to another subnet  ...
Protection at Protocol Layer•   “RA Guard” feature    – Filter   route announcements on switches    – On    all ports exce...
What About Layer 2?•   Securing access to the physical network:    – 802.1x    authentication    – Disable   unused ports ...
Another Example
ND Table Exhaustion•   An IPv6 subnet contains 264 addresses•   Scanning the range triggers neighbor discovery    messages...
“Ping Pong Issue”•   Can happen on point-to-point links that don’t    use neighbor discovery (i.e. Sonet)•   Packet destin...
Smurf Attack (IPv4)•   Send a (spoofed) ICMP ping to a network    broadcast address•   Multiple replies go to the source, ...
ARP Flooding•   There are 248 MAC addresses possible    – Minus   a few reserved or in use•   Send a number of packets whi...
IPv6-Specific Measures•   ICMPv6 protocol changed in March 2006    – Prevents      “ping pong” issue•   Filter or rate lim...
Local Attacks Still Possible•   Securing access to the physical network:    – 802.1x    authentication    – Disable   unus...
Upper LayersWhere are you?
Vulnerabilities are Everywhere•   Most security incidents caused in the application    layers:    – Buffer   overflows    –...
General Prevention Methods•   Don’t run any unnecessary services•   Keep up to date with software patches•   Use encryptio...
Source of Incidents  (PWC: Information Security Survey)                                       22
The Human Factor•   Attacks are triggered by somebody•   Known vulnerabilities are ignored•   Mistakes can and will happen...
Capacity Building•   Test your implementations before deploying    – Don’t   rely on the glossy brochure•   Build up knowl...
Improving Security with IPv6•   Multiple subnets makes it easier to separate    functions or people•   Lack of NAT    – Ma...
Conclusion•   IPv6 might add some vulnerabilities•   IPv6 is not a threat•   You are the biggest risk                     ...
Questions? marcoh@ripe.net
Upcoming SlideShare
Loading in …5
×

IPv6 Security - Where is the Challenge?

544 views
429 views

Published on

Presentation given by Marco Hogewoning at MENOG 12 / RIPE NCC Regional Meeting, Dubai on 6 March 2013

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
544
On SlideShare
0
From Embeds
0
Number of Embeds
42
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

IPv6 Security - Where is the Challenge?

  1. 1. IPv6 SecurityWhere is the challenge?Marco HogewoningExternal RelationsRIPE NCC
  2. 2. Biggest Hurdle Deploying IPv6 (NRO: Global IPv6 Deployment Survey) 2
  3. 3. Increased Awareness? (Ernst & Young: Global Information Security Survey) 3
  4. 4. Where is the Risk?
  5. 5. Threat or Vulnerability?• Threat: the potential to cause harm – DoS, unauthorised access, viruses• Vulnerability: a weakness that can be exploited – Bugs, configuration errors, design flaws• Risk: the possibility that a vulnerability will be exploited by somebody to cause harm 5
  6. 6. Human Factor• Vulnerabilities exist because of human errors: – Coding errors – Configuration errors – Design flaws• Doesn’t mean it is your fault – But a lot of times you can limit the risk 6
  7. 7. ExamplesIs this IPv6 related?
  8. 8. Rogue Router Advertisement• IPv6 relies on routers to announce themselves using ICMPv6 multicasts• Protocol has little to no security• Every machine can claim to be a router – Reconfigure clients to another subnet – Redirect or intercept traffic 8
  9. 9. Rogue Router Advertisement (IPv4)• Every machine can start a DHCP server – Reconfigure clients to another subnet – Redirect or intercept traffic – NAT44 makes it much easier to hide it• ARP spoofing – Pretend I am the router by claiming its MAC address 9
  10. 10. Protection at Protocol Layer• “RA Guard” feature – Filter route announcements on switches – On all ports except for the known router – Present in a lot of equipment already• SEcure Neighbor Discovery (SEND) – Fix the protocol by adding verification – Add cryptographic certificates and signatures – No widespread implementation 10
  11. 11. What About Layer 2?• Securing access to the physical network: – 802.1x authentication – Disable unused ports on switches – Strengthen wireless passwords – MAC address counters or filters (port security)• Lowers the risk for both protocols – Can protect for other vulnerabilities 11
  12. 12. Another Example
  13. 13. ND Table Exhaustion• An IPv6 subnet contains 264 addresses• Scanning the range triggers neighbor discovery messages to be send out• Can result in denial of service: – Too many packets – High CPU load – Exhaust available memory 13
  14. 14. “Ping Pong Issue”• Can happen on point-to-point links that don’t use neighbor discovery (i.e. Sonet)• Packet destined for a non-existing address on the point-to-point will bounce between the two routers• Exists in IPv4 as well – But we learned to use small prefixes (/30, /31) 14
  15. 15. Smurf Attack (IPv4)• Send a (spoofed) ICMP ping to a network broadcast address• Multiple replies go to the source, causing a denial of service 15
  16. 16. ARP Flooding• There are 248 MAC addresses possible – Minus a few reserved or in use• Send a number of packets while changing the source MAC address: – Switch will run out of memory – Floods all packets to all ports 16
  17. 17. IPv6-Specific Measures• ICMPv6 protocol changed in March 2006 – Prevents “ping pong” issue• Filter or rate limit ICMPv6 Neighbor Discovery – Not advisable, makes the attack easier• Do they really need to talk to you? – Filter/rate limit inbound TCP syn packets – Rate limit inbound ICMPv6 (do not block!)• Use of /127 on point-to-point links 17
  18. 18. Local Attacks Still Possible• Securing access to the physical network: – 802.1x authentication – Disable unused ports on switches – Strengthen wireless passwords – MAC address counters or filters (port security)• Lowers the risk for both protocols – Can protect for other vulnerabilities 18
  19. 19. Upper LayersWhere are you?
  20. 20. Vulnerabilities are Everywhere• Most security incidents caused in the application layers: – Buffer overflows – SQL injection – Man-in-the-middle attacks – Weak authentication 20
  21. 21. General Prevention Methods• Don’t run any unnecessary services• Keep up to date with software patches• Use encryption where possible• Use two-factor authentication• Keep it simple 21
  22. 22. Source of Incidents (PWC: Information Security Survey) 22
  23. 23. The Human Factor• Attacks are triggered by somebody• Known vulnerabilities are ignored• Mistakes can and will happen 23
  24. 24. Capacity Building• Test your implementations before deploying – Don’t rely on the glossy brochure• Build up knowledge – Learn to identify potential risks – Learn how to deal with them• Make use of available resources – Training courses and tutorials – Share your experiences 24
  25. 25. Improving Security with IPv6• Multiple subnets makes it easier to separate functions or people• Lack of NAT – Makes everything much more visible – Security moves to the end hosts – Forces you to think• Somebody might already use IPv6! – Using tunnels to hide what is going on 25
  26. 26. Conclusion• IPv6 might add some vulnerabilities• IPv6 is not a threat• You are the biggest risk 26
  27. 27. Questions? marcoh@ripe.net

×