Network Security IPv4 plus IPv6

1. Presenting speaker
Benjamin T.P. Tan
Network Security
IPv4 + IPv6
Benjamin T.P. Tan
Managing Director
SuperInternet
by

2. Presenting speaker
Benjamin T.P. Tan
Overview
• Confidentiality? Integrity? Availability!
• IPv6 Issues (Compared with IPv4)
• Physical Security of the Network
Assumptions:
• Generally familiar with
– Network Security
– Telecommunications Infrastructure
• Technical Management
• We only have 45 mins

3. Presenting speaker
Benjamin T.P. Tan
Neglected Areas
• Not the usual Topics: IPSec, VPNs, SSL VPNs, PKI,
Firewalls, IDS/IPS
– Confidentiality on the Network
• Many available solutions
• Data Integrity on the Network
– Several issues solved by end-to-end crypto
(Application) IF implemented. Else Network
HELPS!
– Somewhat known solutions: DHCP Snooping, ARP
inspection, L3 Micro segmentation
– Routing Subversion
• Network Availability
– DoS at all levels
– Physical Infrastructure Weaknesses
• New-Old Issues: IPv6 vs IPv4 and back again.

4. Presenting speaker
Benjamin T.P. Tan
IPv6 – Dual Stack
• 2 protocols on the same wire
• VLANs still segregate
• BUT IPv4 Subnets DO NOT
New-Old Problems:
• IPv6 Global Unicast Addresses
– PUBLIC IP on the machine!
– IF configured route-able then node is fully
exposed to the Internet

5. Presenting speaker
Benjamin T.P. Tan
IPv4 DHCP Issues
• Flashback before IPv6
• IP Address Conflicts?!
• Rogue DHCP Servers
– APs on your LAN?!
• Users Setting Static IPs
– Desktop Lockdown?
• DHCP Snooping and IP Source Guard
ip source binding mac-address Vlan vlan-id ip-address
interface interface-name
(Conf-if) ip verify source vlan dhcp-snooping port-
security

6. Presenting speaker
Benjamin T.P. Tan
IPv6 – Dual Stack (Cont’d)
• Autoconfiguration
– As If a DHCP server were running (but
Stateless)
– Only Router needs to be configured
• Public Address on Router? (ref. prev. slide!)
Do you have a shadow network running?

7. Presenting speaker
Benjamin T.P. Tan
• Flashback: IPv4 - Router Unresponsive due to
Attack
• Data Plane can handle load, but Control Plane
cannot
• Sluggish response
• Policy-Map on Control-Plane
Control Plane Policing

8. Presenting speaker
Benjamin T.P. Tan
Dual Stack Resource Contention
• Performace:
– IPv6 in H/W or S/W?
– Tunnels in H/W or S/W?
– What about v4?
• Flooding v6 results in v4 outage as well
• Control Plane Resource Issues
• QoS? Will IPv6 bypass QoS rules?

9. Presenting speaker
Benjamin T.P. Tan
Flat Networks
• Network may already been segregated by VLANs,
Subnets and Firewall rules between segments.
Good for IPv4 – BUT… (see next slide)
• Non Dual Stack on same interface/wire.
– BUT implemented as 1 Large VLAN ?!
• IPv6 address space allows for large flat networks
• Risks of large flat networks
– Same as IPv4: Layer 2 Attacks!
(Ref earlier notes about shadow networks even if
separate VLAN)
Aside: MPLS L2 VPNs

10. Presenting speaker
Benjamin T.P. Tan
ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol
• Summary:
– lookup IPv4 DNS for isatap.domain.name
– Establish Tunnel to ISATAP server
– Get IPv6 address
• All Peers on Same Tunnel are Peers!
• What if Enterprise security model is based on
VLAN-Subnet segregation?!
• New-Old Problem: Tunnels inside and outside the
organization.
– Tunnelled Packets bypass all FW/IPS rules.

11. Presenting speaker
Benjamin T.P. Tan
IPv6 Firewalls / IDS,IPS
• Does your Firewall support IPv6?
• For ALL features that you need?
• IDS/IPS ? Or will you do without?
• Is IPv6 implemented as a tunnel over IPv4 which
goes Through the Firewalls?!
Note from previous slides: IPv6 address is usually a
Globally Routable IP! (“Public Address”)

12. Presenting speaker
Benjamin T.P. Tan
Routing Protocol Security
• Dynamic Routing Issues
• BGP MD5
• OSPF Area Authentication
• Default Interface passive
• Bad Routes by real neighbours
• Does your Infrastructure support OSPFv3? MP-
BGP? Else Static Routes? Redistributed?
Is the Dynamic Routing Protocol used in your
network secured?

13. Presenting speaker
Benjamin T.P. Tan
Miscellaneous IPv6 Issues
• EUI-64:
– GUID leakage
– Vendor leakage
– Organization Size?
• ICMPv6
– Firewall “defaults” changed
• L2: Neighbour Discovery / SEcure ND
– Router/Neighbour Solicitation (“ARP”)
– SEND only in Win2008 and Win7 (not in Vista)
– Overheads!

14. Presenting speaker
Benjamin T.P. Tan
IPv6 IPSec
• IPSec is ALWAYS in the IPv6 Stack
• Should you turn it on?
• What are we trading for what?
– No more MITM, Replay, sniffing, etc
– Firewall? IDS / IPS?
– QoS?
• Vendor Play?!?

15. Presenting speaker
Benjamin T.P. Tan
Section Summary
• Watch out for weaknesses opened by transitional
mechanisms.
– E.g. Dual Stacks, ISATAP, Tunnels.
• Ensure that your existing policy can be mapped to
IPv6 and that feature parity is available.
– E.g. Firewall, IPS/IDS
• Several Issues are not new. Already in IPv4. IPv6
does not solve these issues.
– E.g. Dynamic Routing Protocol security
… on to more things not solved by IPv6…

16. Presenting speaker
Benjamin T.P. Tan
Data Centers
• E.g. Singapore: 1Net, Equinix, GlobalSwitch
• Co-Lo
• [Easy] Access
• TATP?!
• “Everyone” is there
• Peering

17. Presenting speaker
Benjamin T.P. Tan
Cable Landing Stations
• E.g. Singapore: Tuas, Changi, Bedok

18. Presenting speaker
Benjamin T.P. Tan
MDF Rooms and Risers
• Cables within Buildings
• Who has Access to the MDF Room?
• Access to Risers?
• ALL Communications go through the MDF Room

19. Presenting speaker
Benjamin T.P. Tan
Lead-In pipes
• Telecommunications Links
• Buildings to Telecom Exchanges
• Plans generally available!

20. Presenting speaker
Benjamin T.P. Tan
Low Tech Attacks
• Electrical Overload to Ethernet switch
– Capacitive discharge from Ethernet ports
– (MDF/Riser to Router)
• Is fiber more resilient?
– Fiber fuse
• Critical Infrastructure in Car Parks...
– [salt] Water?
– Carbon Particles?
– SMOKE!
• Ref back -> DataCenters, MDF

21. Presenting speaker
Benjamin T.P. Tan

22. Presenting speaker
Benjamin T.P. Tan
CLAYTON JONES