Your SlideShare is downloading. ×
IPv6 Security - Where is the Challenge
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

IPv6 Security - Where is the Challenge


Published on

Presentation given by Marco Hogewoning at SEE 2, Skopje, Macedonia on 23 April 2013.

Presentation given by Marco Hogewoning at SEE 2, Skopje, Macedonia on 23 April 2013.

Published in: Technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. IPv6 SecurityWhere is the challenge?Marco HogewoningExternal RelationsRIPE NCCSunday, April 21, 2013
  • 2. Biggest Hurdle Deploying IPv62(NRO: Global IPv6 Deployment Survey)Sunday, April 21, 2013
  • 3. Increased Awareness?3(Ernst & Young: Global Information Security Survey)Sunday, April 21, 2013
  • 4. Where is the Risk?Sunday, April 21, 2013
  • 5. Threat or Vulnerability?• Threat: the potential to cause harm– DoS, unauthorised access, viruses• Vulnerability: a weakness that can be exploited– Bugs, configuration errors, design flaws• Risk: the possibility that a vulnerability will beexploited by somebody to cause harm5Sunday, April 21, 2013
  • 6. Human Factor• Vulnerabilities exist because of human errors:– Coding errors– Configuration errors– Design flaws• Doesn’t mean it is your fault– But a lot of times you can limit the risk6Sunday, April 21, 2013
  • 7. ExamplesIs this IPv6 related?Sunday, April 21, 2013
  • 8. Rogue Router Advertisement• IPv6 relies on routers to announce themselvesusing ICMPv6 multicasts• Protocol has little to no security• Every machine can claim to be a router– Reconfigure clients to another subnet– Redirect or intercept traffic8Sunday, April 21, 2013
  • 9. Rogue Router Advertisement (IPv4)• Every machine can start a DHCP server– Reconfigure clients to another subnet– Redirect or intercept traffic– NAT44 makes it much easier to hide it• ARP spoofing– Pretend I am the router by claiming its MAC address9Sunday, April 21, 2013
  • 10. Protection at Protocol Layer• “RA Guard” feature– Filter route announcements on switches– On all ports except for the known router– Present in a lot of equipment already• SEcure Neighbor Discovery (SEND)– Fix the protocol by adding verification– Add cryptographic certificates and signatures– No widespread implementation10Sunday, April 21, 2013
  • 11. What About Layer 2?• Securing access to the physical network:– 802.1x authentication– Disable unused ports on switches– Strengthen wireless passwords– MAC address counters or filters (port security)• Lowers the risk for both protocols– Can protect for other vulnerabilities11Sunday, April 21, 2013
  • 12. Upper LayersWhere are you?Sunday, April 21, 2013
  • 13. Vulnerabilities are Everywhere• Most security incidents caused in the applicationlayers:– Buffer overflows– SQL injection– Man-in-the-middle attacks– Weak authentication13Sunday, April 21, 2013
  • 14. General Prevention Methods• Don’t run any unnecessary services• Keep up to date with software patches• Use encryption where possible• Use two-factor authentication• Keep it simple14Sunday, April 21, 2013
  • 15. Source of Incidents15(PWC: Information Security Survey)Sunday, April 21, 2013
  • 16. The Human Factor• Attacks are triggered by somebody• Known vulnerabilities are ignored• Mistakes can and will happen16Sunday, April 21, 2013
  • 17. Capacity Building• Test your implementations before deploying– Don’t rely on the glossy brochure• Build up knowledge– Learn to identify potential risks– Learn how to deal with them• Make use of available resources– Training courses and tutorials– Share your experiences17Sunday, April 21, 2013
  • 18. Improving Security with IPv6• Multiple subnets makes it easier to separatefunctions or people• Lack of NAT– Makes everything much more visible– Security moves to the end hosts– Forces you to think• Somebody might already use IPv6!– Using tunnels to hide what is going on18Sunday, April 21, 2013
  • 19. Conclusion• IPv6 might add some vulnerabilities• IPv6 is not a threat• You are the biggest risk19Sunday, April 21, 2013
  • 20. Questions?marcoh@ripe.netSunday, April 21, 2013