Your SlideShare is downloading. ×
IPv6 Security - Where is the Challenge?
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

IPv6 Security - Where is the Challenge?

331
views

Published on

Presentation given by Marco Hogewoning at MENOG 12 / RIPE NCC Regional Meeting, Dubai on 6 March 2013

Presentation given by Marco Hogewoning at MENOG 12 / RIPE NCC Regional Meeting, Dubai on 6 March 2013

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
331
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. IPv6 SecurityWhere is the challenge?Marco HogewoningExternal RelationsRIPE NCC
  • 2. Biggest Hurdle Deploying IPv6 (NRO: Global IPv6 Deployment Survey) 2
  • 3. Increased Awareness? (Ernst & Young: Global Information Security Survey) 3
  • 4. Where is the Risk?
  • 5. Threat or Vulnerability?• Threat: the potential to cause harm – DoS, unauthorised access, viruses• Vulnerability: a weakness that can be exploited – Bugs, configuration errors, design flaws• Risk: the possibility that a vulnerability will be exploited by somebody to cause harm 5
  • 6. Human Factor• Vulnerabilities exist because of human errors: – Coding errors – Configuration errors – Design flaws• Doesn’t mean it is your fault – But a lot of times you can limit the risk 6
  • 7. ExamplesIs this IPv6 related?
  • 8. Rogue Router Advertisement• IPv6 relies on routers to announce themselves using ICMPv6 multicasts• Protocol has little to no security• Every machine can claim to be a router – Reconfigure clients to another subnet – Redirect or intercept traffic 8
  • 9. Rogue Router Advertisement (IPv4)• Every machine can start a DHCP server – Reconfigure clients to another subnet – Redirect or intercept traffic – NAT44 makes it much easier to hide it• ARP spoofing – Pretend I am the router by claiming its MAC address 9
  • 10. Protection at Protocol Layer• “RA Guard” feature – Filter route announcements on switches – On all ports except for the known router – Present in a lot of equipment already• SEcure Neighbor Discovery (SEND) – Fix the protocol by adding verification – Add cryptographic certificates and signatures – No widespread implementation 10
  • 11. What About Layer 2?• Securing access to the physical network: – 802.1x authentication – Disable unused ports on switches – Strengthen wireless passwords – MAC address counters or filters (port security)• Lowers the risk for both protocols – Can protect for other vulnerabilities 11
  • 12. Another Example
  • 13. ND Table Exhaustion• An IPv6 subnet contains 264 addresses• Scanning the range triggers neighbor discovery messages to be send out• Can result in denial of service: – Too many packets – High CPU load – Exhaust available memory 13
  • 14. “Ping Pong Issue”• Can happen on point-to-point links that don’t use neighbor discovery (i.e. Sonet)• Packet destined for a non-existing address on the point-to-point will bounce between the two routers• Exists in IPv4 as well – But we learned to use small prefixes (/30, /31) 14
  • 15. Smurf Attack (IPv4)• Send a (spoofed) ICMP ping to a network broadcast address• Multiple replies go to the source, causing a denial of service 15
  • 16. ARP Flooding• There are 248 MAC addresses possible – Minus a few reserved or in use• Send a number of packets while changing the source MAC address: – Switch will run out of memory – Floods all packets to all ports 16
  • 17. IPv6-Specific Measures• ICMPv6 protocol changed in March 2006 – Prevents “ping pong” issue• Filter or rate limit ICMPv6 Neighbor Discovery – Not advisable, makes the attack easier• Do they really need to talk to you? – Filter/rate limit inbound TCP syn packets – Rate limit inbound ICMPv6 (do not block!)• Use of /127 on point-to-point links 17
  • 18. Local Attacks Still Possible• Securing access to the physical network: – 802.1x authentication – Disable unused ports on switches – Strengthen wireless passwords – MAC address counters or filters (port security)• Lowers the risk for both protocols – Can protect for other vulnerabilities 18
  • 19. Upper LayersWhere are you?
  • 20. Vulnerabilities are Everywhere• Most security incidents caused in the application layers: – Buffer overflows – SQL injection – Man-in-the-middle attacks – Weak authentication 20
  • 21. General Prevention Methods• Don’t run any unnecessary services• Keep up to date with software patches• Use encryption where possible• Use two-factor authentication• Keep it simple 21
  • 22. Source of Incidents (PWC: Information Security Survey) 22
  • 23. The Human Factor• Attacks are triggered by somebody• Known vulnerabilities are ignored• Mistakes can and will happen 23
  • 24. Capacity Building• Test your implementations before deploying – Don’t rely on the glossy brochure• Build up knowledge – Learn to identify potential risks – Learn how to deal with them• Make use of available resources – Training courses and tutorials – Share your experiences 24
  • 25. Improving Security with IPv6• Multiple subnets makes it easier to separate functions or people• Lack of NAT – Makes everything much more visible – Security moves to the end hosts – Forces you to think• Somebody might already use IPv6! – Using tunnels to hide what is going on 25
  • 26. Conclusion• IPv6 might add some vulnerabilities• IPv6 is not a threat• You are the biggest risk 26
  • 27. Questions? marcoh@ripe.net