IPv6 Can No Longer Be Ignored


While IPv6 has been a defined standard since 1998, the end-user adoption of this standard is minimal. Less than 1% of Internet peers utilize IPv6 in the course of normal operation. However, IPv6 support within operating systems and network routers is becoming commonplace. While IT personnel continue to be focused on IPv4, IPv6 capabilities may already be active by default on many Internet connected systems within an IT professional's environment. These IPv6 interfaces generate traffic which can bypass traditional controls based on IPv4 technology. Although IPv6 is likely to eclipse IPv4 as the dominant Internet protocol, the path to this state is disorganized and unclear. This state indicates that as IPv6 gains inertia as a legitimate Internet protocol, IT administrators need to be aware of and manage IPv6 traffic on their network with as much vigilance as they would apply to the more commonplace IPv4.

Kevin D. Wilkins, CISSP, Senior Network Engineer, iSecure LLC

After coursework at the Rochester Institute of Technology, Kevin’s professional experience includes ISP and VOIP operations. Kevin has 10 years of industry experience in system and network engineering and platform management. In the last few years, a focus on information security has brought his experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.

Peter Rounds, Senior Network Engineer, Syracuse University

Peter has been a Sr. Network Engineer at Syracuse University for 11 years. He is responsible for maintaining core network infrastructure consisting of Internet edge traffic identification/management, Internet BGP routing and security profile management, campus OSPF and security profile management, and data center network and security profile management. He is responsible for numerous security technologies for the University.

    IPv6 Can No Longer Be Ignored: Presentation Transcript

    • IPv6 Can No Longer Be Ignored
      Copyright 2010 - ISecure LLC
      Prepared for Attendees of the 2010 ISSA Rochester Security Summit
    • Presenters
      Kevin Wilkins, CISSP – Sr. Network Engineer, iSecure LLC
      My professional experience includes 12 years of ISP and VOIP operations. In the last few years, a focus on information security at iSecure has brought my experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.
    • Presenters
      Peter Rounds – Sr. Network Engineer, Syracuse University
      Senior network engineer at Syracuse University for 11 years. Responsible for maintaining core network infrastructure, including Internet traffic management implementation and security profiles.
    • Synopsis
      Hidden risks to enterprise network resources may exist through unmonitored use of IPv6 and IPv4-to-IPv6 transition mechanisms like encapsulated IPv6 protocols 6to4, Intrasite Automatic Tunnel Addressing Protocol (ISATAP or IP Protocol 41), and Teredo. This discussion includes an introduction to IPv6, the identification of encapsulated IPv6 protocols, their potential threats to enterprise resources, and mitigation strategies designed to protect enterprise resources from these potential threats.
    • What is IPv6?
      IPv6 is a revised IP protocol intended to supplement and replace IPv4.
      IPv6 was ratified in 1998 as RFC 2460.
      IPv6 addresses use a 128 bit value, vs. IPv4's 32 bits. This provides an address space on the order of 3.4x10^38 addresses. (Nearly a "duodecillion"!!)
    • What is IPv6 for?
      IPv6 has this large address space as a necessary enhancement to IPv4's much more limited 4.29X10^9 possible addresses. (4.29 billion)
      The Internet Engineering Task Force (IETF) has foreseen an eventual depletion of available IPv4 addresses, thus IPv6 was designed.
    • Projected IPv4 Exhaustion
      Projected IANA Unallocated Address Pool Exhaustion:
      05-Jun-2011
      INTEC Systems Institute "IPv4 Exhaustion Counter"
      http://inetcore.com/project/ipv4ec/index_en.html
    • IPv4 Example…
      IPv4 address range:
      0.0.0.0 -> 255.255.255.255 = 4,294,967,296 possible addresses
      An IPv4 address: "173.194.35.104"
    • IPv6 Example…
      IPv6 address range: 0000:0000:0000:0000:0000:0000:0000:0000 -> ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses!
      An IPv6 address:
      0023:a46e:0000:0000:0000:87ba:00ac:58ce
      23:a46e:0:0:0:87ba:ac:58ce
      23:a46e::87ba:ac:58ce
    • Where is IPv6?
      As a commonly accepted protocol, IPv6 has seen difficulty gaining momentum. Almost the entire IT industry is perfectly happy with IPv4, and converting an established network to use IPv6 addresses is a monumental task.
      Most use of IPv6 today is found in research, dedicated networks, and by an inquisitive few.
    • Where is IPv6... Really?
      Since 2008, the US Government has mandated that new purchases of computer and network equipment must support certain minimum standards for IPv6. See NIST Special Publication 500-267.
      IPv6 is becoming generally supported in network devices, operating systems, remote management protocols, and other networked applications.
      Microsoft Windows XP/Server 2003 offered optional support for IPv6. Microsoft Windows Vista/Server 2008 and beyond have nearly complete IPv6 support, and the protocol is enabled by default. Linux and Cisco also support IPv6.
      Recent versions of Microsoft Windows also include utilities which will encapsulate IPv6 traffic within an IPv4 tunnel.
    • So I might be running IPv6 now?
      Yes! And this new IPv6 capability in contemporary systems represents an unknown security risk.
      The IT industry's propensity to ignore IPv6 in favor of IPv4 means that local administrators might be unaware of the potential IPv6 traffic traversing their network and interacting with their information systems.
      Furthermore, support for IPv6 on contemporary network security devices seems to be lagging behind IPv6 support in operating systems and routers. Network based Content Inspection, Intrusion Prevention, and Antivirus may be ineffective at scanning native or encapsulated IPv6 traffic.
    • IPv6 Interfaces in Windows Vista
    • IPv6 Routes in Windows Vista
    • Windows Vista is Listening on IPv6
    • DNS: “A” record and “AAAA” Record
    • Wait, what was this about encapsulated IPv6?
      Encapsulation technologies such as Teredo, 6to4 and IP Protocol 41 (ISATAP) were developed to aid in the transition to IPv6.
      These transition aids are necessary, as both IPv4 and IPv6 will coexist for quite some time.
      RFC 5211 “An Internet Transition Plan” describes the use of these IPv6 encapsulation mechanisms as the IPv4 address space becomes depleted and organizations are forced to migrate to IPv6.
      Network security devices might not be able to "peel the onion" to discover what applications and threats might be utilizing IPv6 resources within the IPv4 encapsulation.
    • Teredo and Windows
      Windows Vista and Windows 7 have an IPv6 encapsulation service called Teredo, which is enabled by default.
      Teredo will automatically seek out a Teredo gateway (teredo.ipv6.microsoft.com), assign an IPv6 address to the Teredo interface, and attempt to route IPv6 traffic.
      Teredo is intended for tunneling IPv6 traffic via an IPv4 NAT router.
    • Pinging Via Teredo
    • Example: IPv6/Teredo in Wireshark
    • 6to4 and Windows
      6to4 is intended for tunneling IPv6 traffic via non-NAT IPv4 transport.
      A host or router intending to use 6to4 must have inherent IPv6 support and a routable (non-NAT) IPv4 address.
      IPv6 traffic is encapsulated and tunneled via an IPv4 network from one IPv6 network to another IPv6 network on the remote end.
    • ISATAP and Windows
      ISATAP is another transition mechanism where IPv6 traffic is tunneled via IPv4.
      ISATAP packets use IPv4 with the IP Protocol field set to 41.
      ISATAP is typically seen on an Intranet for host to host communications, but host to router communication is also possible.
    • How do I control this IPv6 traffic?
      First - awareness is the key. Check your networked systems to see which components offer IPv6 support, and if IPv6 support is enabled. Run packet captures and analyze your systems to see if native or encapsulated IPv6 traffic traverses your network.
      In a server farm or corporate environment where there is no need for IPv6 at this time, consider establishing a policy to disable the IPv6 interfaces on computer systems and block or null-route IPv6 traffic in the network.
    • How do I control this IPv6 traffic?
      In ISP, government, higher education, or research environments, the use of IPv6 might be legitimate. In this case, monitoring and granular control is warranted.
      Check your network security equipment to see how it handles IPv6. The integrated Proxies and Application Layer Gateways might not yet handle IPv6 traffic.
      Network security devices might not be able to "peel the onion" to discover what applications and threats might be utilizing IPv6 resources within the IPv4 encapsulation.
    • This Removes the Native IPv6 Interface
    • Also shut off the tunnel interfaces…
    • Control IPv6 at Internet Edge
      IPv6-related protocol types and descriptions:
        41  ISATAP
        43  IPv6-Route   Routing Header for IPv6
        44  IPv6-Frag    Fragment Header for IPv6
        58  IPv6-ICMP    ICMP for IPv6
        59  IPv6-NoNxt   No Next Header for IPv6
        60  IPv6-Opts    Destination Options for IPv6
      Inbound ACL:
        deny 41 any any
        deny 43 any any
        deny 44 any any
        deny 58 any any
        deny 59 any any
        deny 60 any any
      Outbound ACL:
        deny udp any any eq 3544       (used by Teredo to reach Internet locations)
        deny ip any host 192.88.99.1   (the 6to4 relay anycast address)
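
The "run packet captures" advice and the edge ACL above rely on the same markers: EtherType 0x86DD for native IPv6, IP protocol 41, UDP port 3544, and the 6to4 relay address. The sketch below is an added example, not part of the original slides; it classifies raw frames by those markers. It assumes untagged Ethernet frames, the label strings and helper names are hypothetical, and the sample frames are constructed.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

TEREDO_PORT = 3544                        # UDP port named in the outbound ACL
RELAY_6TO4 = IPv4Address("192.88.99.1")   # 6to4 relay anycast address
V6_PROTOS = {43, 44, 58, 59, 60}          # IPv6 header types from the protocol list

def classify(frame: bytes) -> str:
    """Label one untagged Ethernet frame by the IPv6 transport it carries."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x86DD:
        return "native-ipv6"
    ip = frame[14:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        return "other"
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(ip) < ihl:
        return "truncated"
    proto, dst = ip[9], IPv4Address(ip[16:20])
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    if proto == 41:                       # IPv6 carried directly inside IPv4
        return "6to4-relay" if dst == RELAY_6TO4 else "proto41-tunnel"
    if proto in V6_PROTOS:
        return f"ipv4-proto-{proto}"
    if proto == 17 and first_fragment and len(ip) >= ihl + 4:
        if TEREDO_PORT in struct.unpack("!HH", ip[ihl:ihl + 4]):
            return "teredo"               # port heuristic, same as the ACL
    return "ipv4"

def summarize(frames) -> Counter:
    return Counter(classify(f) for f in frames)

# Constructed sample frames: documentation addresses, zeroed checksums.
def eth_frame(ethertype, payload):
    return b"\x02" * 12 + struct.pack("!H", ethertype) + payload
def ipv4_packet(proto, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, IPv4Address("192.0.2.10").packed, IPv4Address(dst).packed) + payload
SAMPLES = [
    eth_frame(0x86DD, b"\x60" + bytes(39)),
    eth_frame(0x0800, ipv4_packet(17, "198.51.100.7", struct.pack("!HHHH", 51000, 3544, 8, 0))),
    eth_frame(0x0800, ipv4_packet(41, "198.51.100.7", bytes(40))),
    eth_frame(0x0800, ipv4_packet(41, "192.88.99.1", bytes(40))),
    eth_frame(0x0800, ipv4_packet(6, "198.51.100.7", bytes(20))),
]
```

Calling `summarize(SAMPLES)` gives a per-label count; any nonzero count other than `ipv4` on a network with no IPv6 policy is traffic worth tracing back to a host.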
    • Story Time with Peter Rounds
      In the spring, an SU Sys-admin came to Peter Rounds with a concern – he was able to bypass the datacenter firewall and open an RDP connection to datacenter servers via IPv6.
      Teredo was tunneling through their datacenter firewall and presenting itself to the public Internet via IPv6.
      In the interim, SU has implemented firewall policies to block ISATAP, IPv6, and Teredo negotiation protocols in their router ACLs.
    • Story Time with Peter Rounds
      Disabling IPv6 and tunneling mechanisms is a stopgap measure that breaks the transition technologies designed to aid in the general deployment of IPv6.
      Transition is coming very soon! Verizon Business Solutions has said that the “last drop of oil” will be tapped in a matter of months. Verizon will be unable to provide IPv4 blocks and will instead be assigning IPv6 address space.
    • Conclusions
      • IPv6 isn’t "bad", and may represent the future for a lot of networks. Some say that IPv4 will never go away, but in the meantime, IPv6 is here.
      • IT Administrators need to be aware of IPv6 as a protocol which is gaining legitimacy and is actually supported on a wide number of systems.
      • IPv4 to IPv6 encapsulation mechanisms exist as a tool to aid in the migration from a predominantly IPv4 environment to an IPv6 environment.
      • With this awareness comes the requirement to control IPv6 with the same attention to detail that administrators would apply to controlling the more commonplace IPv4 traffic.
    • References – Transitional Security Issues
      Security Concerns With IP Tunneling
      http://tools.ietf.org/html/draft-ietf-v6ops-tunnel-security-concerns-02
      Support for IPv6 in Windows Server 2008 R2 and Windows 7
      http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
      IPv6 Security Considerations and Recommendations
      http://technet.microsoft.com/en-us/library/bb726956.aspx
    • References – Threat Mitigation
      • How to prevent ipv6 tunneling across firewalls and routers
      http://www.howfunky.com/2010/02/how-to-prevent-ipv6-tunneling-across.html
      • Disable all IPv6 in Windows
      http://tutorials-tips-tricks.info/disable-and-turn-off-ipv6-in-windows
      • Wiki - IPv6 Firewalls
      http://www.getipv6.info/index.php/IPv6_Firewalls
      • IPv6 firewalling knows no middle ground
      http://arstechnica.com/hardware/news/2007/05/ipv6-firewall-mixed-blessing.ars
    • References – Guidelines for IPv6 Adoption
      An Internet Transition Plan
      http://tools.ietf.org/html/rfc5211
      Hurricane Electric IPv6 Certification Project
      http://ipv6.he.net/certification/
      NIST Special Publication 800-119 - Guidelines for the Secure Deployment of IPv6 (Draft)
      http://csrc.nist.gov/publications/drafts/800-119/draft-sp800-119_feb2010.pdf
      Microsoft Windows Server 2008 Whitepaper - IPv6 Transition Technologies
      http://download.microsoft.com/download/1/2/4/124331bf-7970-4315-ad18-0c3948bdd2c4/IPv6Trans.doc
    • References – Guidelines for IPv6 Adoption
      Tier 1 for IPv4 != Tier 1 for IPv6
      http://www.networkworld.com/community/blog/tier-1-ipv4-tier-1-ipv6
      BT Diamond IP IPv6 Address Management Guide
      http://btdiamondip.com/software/offers/confirm_ipv6.aspx
      Google, Microsoft, Netflix in talks to create shared list of IPv6 users
      http://www.networkworld.com/news/2010/032610-dns-ipv6-whitelist.html