Successfully reported this slideshow.

IPv6 Security - Where is the Challenge


Published on

Presentation given by Marco Hogewoning at SEE 2, Skopje, Macedonia on 23 April 2013.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

IPv6 Security - Where is the Challenge

  1. 1. IPv6 SecurityWhere is the challenge?Marco HogewoningExternal RelationsRIPE NCCSunday, April 21, 2013
  2. 2. Biggest Hurdle Deploying IPv62(NRO: Global IPv6 Deployment Survey)Sunday, April 21, 2013
  3. 3. Increased Awareness?3(Ernst & Young: Global Information Security Survey)Sunday, April 21, 2013
  4. 4. Where is the Risk?Sunday, April 21, 2013
  5. 5. Threat or Vulnerability?• Threat: the potential to cause harm– DoS, unauthorised access, viruses• Vulnerability: a weakness that can be exploited– Bugs, configuration errors, design flaws• Risk: the possibility that a vulnerability will beexploited by somebody to cause harm5Sunday, April 21, 2013
  6. 6. Human Factor• Vulnerabilities exist because of human errors:– Coding errors– Configuration errors– Design flaws• Doesn’t mean it is your fault– But a lot of times you can limit the risk6Sunday, April 21, 2013
  7. 7. ExamplesIs this IPv6 related?Sunday, April 21, 2013
  8. 8. Rogue Router Advertisement• IPv6 relies on routers to announce themselvesusing ICMPv6 multicasts• Protocol has little to no security• Every machine can claim to be a router– Reconfigure clients to another subnet– Redirect or intercept traffic8Sunday, April 21, 2013
  9. 9. Rogue Router Advertisement (IPv4)• Every machine can start a DHCP server– Reconfigure clients to another subnet– Redirect or intercept traffic– NAT44 makes it much easier to hide it• ARP spoofing– Pretend I am the router by claiming its MAC address9Sunday, April 21, 2013
  10. 10. Protection at Protocol Layer• “RA Guard” feature– Filter route announcements on switches– On all ports except for the known router– Present in a lot of equipment already• SEcure Neighbor Discovery (SEND)– Fix the protocol by adding verification– Add cryptographic certificates and signatures– No widespread implementation10Sunday, April 21, 2013
  11. 11. What About Layer 2?• Securing access to the physical network:– 802.1x authentication– Disable unused ports on switches– Strengthen wireless passwords– MAC address counters or filters (port security)• Lowers the risk for both protocols– Can protect for other vulnerabilities11Sunday, April 21, 2013
  12. 12. Upper LayersWhere are you?Sunday, April 21, 2013
  13. 13. Vulnerabilities are Everywhere• Most security incidents caused in the applicationlayers:– Buffer overflows– SQL injection– Man-in-the-middle attacks– Weak authentication13Sunday, April 21, 2013
  14. 14. General Prevention Methods• Don’t run any unnecessary services• Keep up to date with software patches• Use encryption where possible• Use two-factor authentication• Keep it simple14Sunday, April 21, 2013
  15. 15. Source of Incidents15(PWC: Information Security Survey)Sunday, April 21, 2013
  16. 16. The Human Factor• Attacks are triggered by somebody• Known vulnerabilities are ignored• Mistakes can and will happen16Sunday, April 21, 2013
  17. 17. Capacity Building• Test your implementations before deploying– Don’t rely on the glossy brochure• Build up knowledge– Learn to identify potential risks– Learn how to deal with them• Make use of available resources– Training courses and tutorials– Share your experiences17Sunday, April 21, 2013
  18. 18. Improving Security with IPv6• Multiple subnets makes it easier to separatefunctions or people• Lack of NAT– Makes everything much more visible– Security moves to the end hosts– Forces you to think• Somebody might already use IPv6!– Using tunnels to hide what is going on18Sunday, April 21, 2013
  19. 19. Conclusion• IPv6 might add some vulnerabilities• IPv6 is not a threat• You are the biggest risk19Sunday, April 21, 2013
  20. 20. Questions?marcoh@ripe.netSunday, April 21, 2013