SlideShare a Scribd company logo
1 of 27
Download to read offline
IPv6 Security
Where is the challenge?

Marco Hogewoning
External Relations
RIPE NCC
Biggest Hurdle Deploying IPv6




  (NRO: Global IPv6 Deployment Survey)




                                         2
Increased Awareness?




     (Ernst & Young: Global Information Security Survey)




                                                           3
Where is the Risk?
Threat or Vulnerability?

•   Threat: the potential to cause harm
    – DoS,   unauthorised access, viruses


•   Vulnerability: a weakness that can be exploited
    – Bugs,   configuration errors, design flaws


•   Risk: the possibility that a vulnerability will be
    exploited by somebody to cause harm

                                                         5
Human Factor

•   Vulnerabilities exist because of human errors:
    – Coding    errors
    – Configuration       errors
    – Design   flaws
•   Doesn’t mean it is your fault
    – But   a lot of times you can limit the risk




                                                     6
Examples
Is this IPv6 related?
Rogue Router Advertisement

•   IPv6 relies on routers to announce themselves
    using ICMPv6 multicasts
•   Protocol has little to no security
•   Every machine can claim to be a router
    – Reconfigure    clients to another subnet
    – Redirect   or intercept traffic




                                                    8
Rogue Router Advertisement (IPv4)

•   Every machine can start a DHCP server
    – Reconfigure     clients to another subnet
    – Redirect   or intercept traffic
    – NAT44   makes it much easier to hide it
•   ARP spoofing
    – Pretend    I am the router by claiming its MAC address




                                                               9
Protection at Protocol Layer

•   “RA Guard” feature
    – Filter   route announcements on switches
    – On    all ports except for the known router
    – Present     in a lot of equipment already
•   SEcure Neighbor Discovery (SEND)
    – Fix   the protocol by adding verification
    – Add      cryptographic certificates and signatures
    – No    widespread implementation


                                                          10
What About Layer 2?

•   Securing access to the physical network:
    – 802.1x    authentication
    – Disable   unused ports on switches
    – Strengthen    wireless passwords
    – MAC    address counters or filters (port security)
•   Lowers the risk for both protocols
    – Can   protect for other vulnerabilities




                                                          11
Another Example
ND Table Exhaustion

•   An IPv6 subnet contains 264 addresses
•   Scanning the range triggers neighbor discovery
    messages to be send out
•   Can result in denial of service:
    – Too   many packets
    – High   CPU load
    – Exhaust   available memory



                                                     13
“Ping Pong Issue”

•   Can happen on point-to-point links that don’t
    use neighbor discovery (i.e. Sonet)
•   Packet destined for a non-existing address on
    the point-to-point will bounce between the two
    routers
•   Exists in IPv4 as well
    – But   we learned to use small prefixes (/30, /31)



                                                         14
Smurf Attack (IPv4)

•   Send a (spoofed) ICMP ping to a network
    broadcast address
•   Multiple replies go to the source, causing a
    denial of service




                                                   15
ARP Flooding

•   There are 248 MAC addresses possible
    – Minus   a few reserved or in use
•   Send a number of packets while changing the
    source MAC address:
    – Switch   will run out of memory
    – Floods   all packets to all ports




                                                  16
IPv6-Specific Measures

•   ICMPv6 protocol changed in March 2006
    – Prevents      “ping pong” issue
•   Filter or rate limit ICMPv6 Neighbor Discovery
    – Not   advisable, makes the attack easier
•   Do they really need to talk to you?
    – Filter/rate   limit inbound TCP syn packets
    – Rate   limit inbound ICMPv6 (do not block!)
•   Use of /127 on point-to-point links

                                                     17
Local Attacks Still Possible

•   Securing access to the physical network:
    – 802.1x    authentication
    – Disable   unused ports on switches
    – Strengthen    wireless passwords
    – MAC   address counters or filters (port security)
•   Lowers the risk for both protocols
    – Can   protect for other vulnerabilities




                                                         18
Upper Layers
Where are you?
Vulnerabilities are Everywhere

•   Most security incidents caused in the application
    layers:
    – Buffer   overflows
    – SQL   injection
    – Man-in-the-middle    attacks
    – Weak     authentication




                                                        20
General Prevention Methods

•   Don’t run any unnecessary services
•   Keep up to date with software patches
•   Use encryption where possible
•   Use two-factor authentication
•   Keep it simple




                                            21
Source of Incidents




  (PWC: Information Security Survey)




                                       22
The Human Factor

•   Attacks are triggered by somebody


•   Known vulnerabilities are ignored


•   Mistakes can and will happen




                                        23
Capacity Building

•   Test your implementations before deploying
    – Don’t   rely on the glossy brochure
•   Build up knowledge
    – Learn   to identify potential risks
    – Learn   how to deal with them
•   Make use of available resources
    – Training   courses and tutorials
    – Share   your experiences


                                                 24
Improving Security with IPv6

•   Multiple subnets makes it easier to separate
    functions or people
•   Lack of NAT
    – Makes    everything much more visible
    – Security   moves to the end hosts
    – Forces   you to think
•   Somebody might already use IPv6!
    – Using   tunnels to hide what is going on


                                                   25
Conclusion

•   IPv6 might add some vulnerabilities


•   IPv6 is not a threat


•   You are the biggest risk




                                          26
Questions?
 marcoh@ripe.net

More Related Content

What's hot

Chapter 7 security tools i
Chapter 7   security tools iChapter 7   security tools i
Chapter 7 security tools iSyaiful Ahdan
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksAbhijeet Awade
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikPositive Hack Days
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиPositive Hack Days
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tatSensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiCapturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiTakashi Yamanoue
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selectionamiable_indian
 
CISSP Week 7
CISSP Week 7CISSP Week 7
CISSP Week 7jemtallon
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security Filip Waeytens
 

What's hot (20)

Chapter 7 security tools i
Chapter 7   security tools iChapter 7   security tools i
Chapter 7 security tools i
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor Networks
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
Linta
LintaLinta
Linta
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Capturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wikiCapturing Malicious Bots using a beneficial bot and wiki
Capturing Malicious Bots using a beneficial bot and wiki
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
Attacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network SelectionAttacking Automatic Wireless Network Selection
Attacking Automatic Wireless Network Selection
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
aaa
aaaaaa
aaa
 
Sectools
SectoolsSectools
Sectools
 
CISSP Week 7
CISSP Week 7CISSP Week 7
CISSP Week 7
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
 
Firewall
FirewallFirewall
Firewall
 

Viewers also liked

Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalIKT-Norge
 
IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015AFCEA International
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issuesbathinin1
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and RealitySwiss IPv6 Council
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
IPv6 and the IP Security Protocol
IPv6 and the IP Security ProtocolIPv6 and the IP Security Protocol
IPv6 and the IP Security ProtocolMiguel Luis
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaWardner Maia
 
Socket Programming in C++
Socket Programming in C++Socket Programming in C++
Socket Programming in C++saeed_delphi
 
Implementation & Challenges of IPv6
Implementation & Challenges of IPv6Implementation & Challenges of IPv6
Implementation & Challenges of IPv6 Farwa Ansari
 
Chapter 5: Names, Bindings and Scopes (review Questions and Problem Set)
Chapter 5: Names, Bindings and Scopes (review Questions and Problem Set)Chapter 5: Names, Bindings and Scopes (review Questions and Problem Set)
Chapter 5: Names, Bindings and Scopes (review Questions and Problem Set)Farwa Ansari
 
IPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIESIPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIESOlle E Johansson
 

Viewers also liked (14)

IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
 
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in generalEric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in general
 
IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015IPv6 Security Challenges: TechNet Augusta 2015
IPv6 Security Challenges: TechNet Augusta 2015
 
Survey on IPv6 security issues
Survey on IPv6 security issuesSurvey on IPv6 security issues
Survey on IPv6 security issues
 
E payment 2
E payment 2E payment 2
E payment 2
 
IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
IPv6 and the IP Security Protocol
IPv6 and the IP Security ProtocolIPv6 and the IP Security Protocol
IPv6 and the IP Security Protocol
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
Socket Programming in C++
Socket Programming in C++Socket Programming in C++
Socket Programming in C++
 
Implementation & Challenges of IPv6
Implementation & Challenges of IPv6Implementation & Challenges of IPv6
Implementation & Challenges of IPv6
 
Chapter 5: Names, Bindings and Scopes (review Questions and Problem Set)
Chapter 5: Names, Bindings and Scopes (review Questions and Problem Set)Chapter 5: Names, Bindings and Scopes (review Questions and Problem Set)
Chapter 5: Names, Bindings and Scopes (review Questions and Problem Set)
 
IPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIESIPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIES
 

Similar to IPv6 Security - Where is the Challenge?

Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseThierry Zoller
 
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityFernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityEdgeUno
 
Security concepts
Security conceptsSecurity concepts
Security conceptsartisriva
 
PLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New AgainPLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New AgainPROIDEA
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?Rob Gillen
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminskyDan Kaminsky
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesSagi Brody
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar Santhosh Kumar
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdfFernandoGont
 
25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloudshira koper
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
Unauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsUnauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsJohn Rhoton
 
gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials   domain 2gkk_2021123rg5hSecurity essentials   domain 2
gkk_2021123rg5hSecurity essentials domain 2Anne Starr
 
gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials   domain 2gkk20211e4djwew4dSecurity essentials   domain 2
gkk20211e4djwew4dSecurity essentials domain 2Anne Starr
 
gkkSecurity essentials domain 2
gkkSecurity essentials   domain 2gkkSecurity essentials   domain 2
gkkSecurity essentials domain 2Anne Starr
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Pathshibaehed
 

Similar to IPv6 Security - Where is the Challenge? (20)

Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash Course
 
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityFernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
 
Security concepts
Security conceptsSecurity concepts
Security concepts
 
PLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New AgainPLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New Again
 
DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?DevLink - WiFu: You think your wireless is secure?
DevLink - WiFu: You think your wireless is secure?
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdf
 
25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud25 years of firewalls and network filtering - From antiquity to the cloud
25 years of firewalls and network filtering - From antiquity to the cloud
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
Unauthorized Wireless Network Connections
Unauthorized Wireless Network ConnectionsUnauthorized Wireless Network Connections
Unauthorized Wireless Network Connections
 
gkk_2021123rg5hSecurity essentials domain 2
gkk_2021123rg5hSecurity essentials   domain 2gkk_2021123rg5hSecurity essentials   domain 2
gkk_2021123rg5hSecurity essentials domain 2
 
gkk20211e4djwew4dSecurity essentials domain 2
gkk20211e4djwew4dSecurity essentials   domain 2gkk20211e4djwew4dSecurity essentials   domain 2
gkk20211e4djwew4dSecurity essentials domain 2
 
gkkSecurity essentials domain 2
gkkSecurity essentials   domain 2gkkSecurity essentials   domain 2
gkkSecurity essentials domain 2
 
640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths640-554 IT Certification and Career Paths
640-554 IT Certification and Career Paths
 

More from RIPE NCC

Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionRIPE NCC
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in TechRIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfRIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISRIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopRIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfRIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfRIPE NCC
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsRIPE NCC
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing SecurityRIPE NCC
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfRIPE NCC
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasRIPE NCC
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasRIPE NCC
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasRIPE NCC
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet InfrastructureRIPE NCC
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenRIPE NCC
 
IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)RIPE NCC
 

More from RIPE NCC (20)

Traces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate ActionTraces of Power: Internet Governance and Climate Action
Traces of Power: Internet Governance and Climate Action
 
Governing Environmental Sustainability in Tech
Governing Environmental Sustainability in TechGoverning Environmental Sustainability in Tech
Governing Environmental Sustainability in Tech
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdfGerardo-Viviers-RPKI-presentation-DKNOG14.pdf
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RISLIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshopIntro to RIPE and RIPE NCC: RIPE Atlas workshop
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
 
RIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement ToolsRIPE NCC Internet Measurement Tools
RIPE NCC Internet Measurement Tools
 
IPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the BalticsIPv6 in Central Europe and the Baltics
IPv6 in Central Europe and the Baltics
 
RPKI For Routing Security
RPKI For Routing SecurityRPKI For Routing Security
RPKI For Routing Security
 
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdfSEEDIG 8 - Alena Muravska RIPE NCC.pdf
SEEDIG 8 - Alena Muravska RIPE NCC.pdf
 
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE AtlasKnow Your Network: Why Every Network Operator Should Host RIPE Atlas
Know Your Network: Why Every Network Operator Should Host RIPE Atlas
 
Minimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE AtlasMinimising Impact When Incidents Occur With RIPE Atlas
Minimising Impact When Incidents Occur With RIPE Atlas
 
RIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement ServicesRIPE NCC Internet Measurement Services
RIPE NCC Internet Measurement Services
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
Spotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE AtlasSpotting Latency Issues with RIPE Atlas
Spotting Latency Issues with RIPE Atlas
 
111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure111 views of Swiss Internet Infrastructure
111 views of Swiss Internet Infrastructure
 
The RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in SwedenThe RIPE NCC’s View of IPv6 in Sweden
The RIPE NCC’s View of IPv6 in Sweden
 
IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)IPv6 in the Nordics (and why it’s important)
IPv6 in the Nordics (and why it’s important)
 

Recently uploaded

.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptxHansamali Gamage
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameKapil Thakar
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxKaustubhBhavsar6
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)codyslingerland1
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveIES VE
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 

Recently uploaded (20)

.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx.NET 8 ChatBot with Azure OpenAI Services.pptx
.NET 8 ChatBot with Azure OpenAI Services.pptx
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
How to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptxHow to become a GDSC Lead GDSC MI AOE.pptx
How to become a GDSC Lead GDSC MI AOE.pptx
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 

IPv6 Security - Where is the Challenge?

  • 1. IPv6 Security Where is the challenge? Marco Hogewoning External Relations RIPE NCC
  • 2. Biggest Hurdle Deploying IPv6 (NRO: Global IPv6 Deployment Survey) 2
  • 3. Increased Awareness? (Ernst & Young: Global Information Security Survey) 3
  • 4. Where is the Risk?
  • 5. Threat or Vulnerability? • Threat: the potential to cause harm – DoS, unauthorised access, viruses • Vulnerability: a weakness that can be exploited – Bugs, configuration errors, design flaws • Risk: the possibility that a vulnerability will be exploited by somebody to cause harm 5
  • 6. Human Factor • Vulnerabilities exist because of human errors: – Coding errors – Configuration errors – Design flaws • Doesn’t mean it is your fault – But a lot of times you can limit the risk 6
  • 8. Rogue Router Advertisement • IPv6 relies on routers to announce themselves using ICMPv6 multicasts • Protocol has little to no security • Every machine can claim to be a router – Reconfigure clients to another subnet – Redirect or intercept traffic 8
  • 9. Rogue Router Advertisement (IPv4) • Every machine can start a DHCP server – Reconfigure clients to another subnet – Redirect or intercept traffic – NAT44 makes it much easier to hide it • ARP spoofing – Pretend I am the router by claiming its MAC address 9
  • 10. Protection at Protocol Layer • “RA Guard” feature – Filter route announcements on switches – On all ports except for the known router – Present in a lot of equipment already • SEcure Neighbor Discovery (SEND) – Fix the protocol by adding verification – Add cryptographic certificates and signatures – No widespread implementation 10
  • 11. What About Layer 2? • Securing access to the physical network: – 802.1x authentication – Disable unused ports on switches – Strengthen wireless passwords – MAC address counters or filters (port security) • Lowers the risk for both protocols – Can protect for other vulnerabilities 11
  • 13. ND Table Exhaustion • An IPv6 subnet contains 264 addresses • Scanning the range triggers neighbor discovery messages to be send out • Can result in denial of service: – Too many packets – High CPU load – Exhaust available memory 13
  • 14. “Ping Pong Issue” • Can happen on point-to-point links that don’t use neighbor discovery (i.e. Sonet) • Packet destined for a non-existing address on the point-to-point will bounce between the two routers • Exists in IPv4 as well – But we learned to use small prefixes (/30, /31) 14
  • 15. Smurf Attack (IPv4) • Send a (spoofed) ICMP ping to a network broadcast address • Multiple replies go to the source, causing a denial of service 15
  • 16. ARP Flooding • There are 248 MAC addresses possible – Minus a few reserved or in use • Send a number of packets while changing the source MAC address: – Switch will run out of memory – Floods all packets to all ports 16
  • 17. IPv6-Specific Measures • ICMPv6 protocol changed in March 2006 – Prevents “ping pong” issue • Filter or rate limit ICMPv6 Neighbor Discovery – Not advisable, makes the attack easier • Do they really need to talk to you? – Filter/rate limit inbound TCP syn packets – Rate limit inbound ICMPv6 (do not block!) • Use of /127 on point-to-point links 17
  • 18. Local Attacks Still Possible • Securing access to the physical network: – 802.1x authentication – Disable unused ports on switches – Strengthen wireless passwords – MAC address counters or filters (port security) • Lowers the risk for both protocols – Can protect for other vulnerabilities 18
  • 20. Vulnerabilities are Everywhere • Most security incidents caused in the application layers: – Buffer overflows – SQL injection – Man-in-the-middle attacks – Weak authentication 20
  • 21. General Prevention Methods • Don’t run any unnecessary services • Keep up to date with software patches • Use encryption where possible • Use two-factor authentication • Keep it simple 21
  • 22. Source of Incidents (PWC: Information Security Survey) 22
  • 23. The Human Factor • Attacks are triggered by somebody • Known vulnerabilities are ignored • Mistakes can and will happen 23
  • 24. Capacity Building • Test your implementations before deploying – Don’t rely on the glossy brochure • Build up knowledge – Learn to identify potential risks – Learn how to deal with them • Make use of available resources – Training courses and tutorials – Share your experiences 24
  • 25. Improving Security with IPv6 • Multiple subnets makes it easier to separate functions or people • Lack of NAT – Makes everything much more visible – Security moves to the end hosts – Forces you to think • Somebody might already use IPv6! – Using tunnels to hide what is going on 25
  • 26. Conclusion • IPv6 might add some vulnerabilities • IPv6 is not a threat • You are the biggest risk 26