The Myth of Twelve More Bytes
Security on the Post-Scarcity Internet
Our Conclusions

1. The Internet infrastructure is undergoing
   fundamental change for the first time in decades
2. The assumption of scarcity is deeply woven into
   many security assumptions and products
3. The new Internet will face significant problems with
   trust on both the client and server side
4. New Enterprise Architectures will look very different
5. Everything you have bought will break
IPv6

[Protocol stack diagram: HTTP; DHCP, HTTP, TLS; TCP, UDP, ICMP; ARP beside the Internet Protocol; Link Layer; Physical Layer]

The Myth of 12 More Bytes

[The same protocol stack diagram, unchanged]

The Myth of 12 More Bytes

[The same protocol stack diagram, now with NDP, MLD and MRD added next to TLS, sitting on ICMP]
Come Join the Party
Stateless Address Auto-Configuration

• Give yourself a local address in your subnet
   • Prefix: fe80::
   • IPv6 Address: fe80::f03c:91ff:fe96:d927

• Ask what network you're in
   • example: 2600:3c03::

• Take your MAC address and use it to build the rest of the address
   • MAC: f2:3c:91:96:d9:27
   • IPv6 Address: 2600:3c03::f03c:91ff:fe96:d927
Privacy Addresses

• Using your MAC in the last 64 bits identifies you, globally, to
  every website you visit, no matter where you are
• Super-Mega Evercookie

• RFC 4941 Privacy Addresses
   • Generate a random interface identifier for the last 64 bits
   • Prefer it for outgoing communications
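The SLAAC and privacy-address slides above, worked through in code. This is an added example, not the authors' code: it derives the modified EUI-64 interface identifier from the slide's MAC, recovers the MAC back out of such an address (the tracking problem RFC 4941 addresses), and generates an RFC 4941-style random identifier. The prefixes and MAC are the slide's own; the function names are this example's.

```python
# Added example: modified EUI-64 SLAAC addresses beside RFC 4941 privacy
# addresses. Function names are this example's own, not from any standard API.
import ipaddress
import secrets


def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC in half,
    insert ff:fe, and flip the universal/local bit (0x02 of the first byte)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix (fe80:: or the /64 learned from a Router Advertisement) + EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix + "/64", strict=False)
    iid = int.from_bytes(eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str):
    """If the low 64 bits are EUI-64 derived (ff:fe in the middle), recover the
    MAC: this is the "Super-Mega Evercookie" an observer can read off any
    address the host uses, on any network. Returns None otherwise."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join("%02x" % b for b in mac)


def privacy_address(prefix: str) -> str:
    """RFC 4941 style temporary address: random 64-bit IID with the universal
    bit cleared; an IID that happens to contain ff:fe is rerolled so the
    address can never be mistaken for (or mined as) an EUI-64 one."""
    net = ipaddress.IPv6Network(prefix + "/64", strict=False)
    while True:
        iid = bytearray(secrets.token_bytes(8))
        iid[0] &= 0xFD          # clear the universal/local bit
        if iid[3:5] != b"\xff\xfe":
            break
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def looks_eui64(addr: str) -> bool:
    """Defender-side check for inventory or log review: does this host still
    expose its MAC in its address?"""
    return mac_from_address(addr) is not None


if __name__ == "__main__":
    mac = "f2:3c:91:96:d9:27"                 # the MAC from the slide
    print(slaac_address("fe80::", mac))       # link-local address
    print(slaac_address("2600:3c03::", mac))  # global address, prefix from the RA
    print(mac_from_address("2600:3c03::f03c:91ff:fe96:d927"))
    print(privacy_address("2600:3c03::"))
```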
DHCPv6

• Conceptually the same as the original DHCP

• Clients can get more than an IP address
The Default For Windows

• Windows will happily perform SLAAC
• Windows Prefers IPv6 over IPv4

Your computers are just sitting around,
waiting for someone to help them talk IPv6

And it doesn’t have to be you.
ICMPv6

Critical Infrastructure
  SLAAC: Stateless Address Auto-configuration
  NDP: Neighbor Discovery (the IPv6 equivalent of ARP)
  MLD: Multicast Listener Discovery
  MRD: Multicast Router Discovery

All of these run over ICMPv6, which in turn runs over IPv6.
ICMPv6 Protocols

Router Discovery
  "Who's a Router?"
  "I'm a Router!"
New Protocols
New Protocol Vulnerabilities

(Same Tactics)
NDP

Router Discovery
  "Who's a Router?"
  "I'm a Router!"
NDP

Neighbor Discovery
  "Who's got 3ffe::1?"
  "That's me!"

NDP

NDP Spoofing is the New ARP Spoofing
  "Who's got 3ffe::1?"
  "That's me!" (now answered by an attacker, not the real owner)
ICMPv6 Protocols

Duplicate Address Detection
  "Does anyone have 3ffe::45?"
  … (no answer, so the address is free to use)

ICMPv6 Protocols

Duplicate Address Detection
  "Does anyone have 3ffe::45?"
  "I do!"
  "Does anyone have 3ffe::46?"
  "I do!"
Extension Headers

Pain in the Firewall
IPv6 Packet Format

  Version | Traffic Class | Flow Label
  Payload Length | Next Header | Hop Limit
  Source Address
  Destination Address
  Data

IPv6 Packet Format

  Version | Traffic Class | Flow Label
  Payload Length | Next Header | Hop Limit
  Source Address
  Destination Address
  Extension header: Next Header | Extension Length | Options / Padding
                    Options / Padding
  Data

Extension Headers + Fragmentation

  Fragment 1: IPv6 Header, Hop By Hop Header, Routing Header, Fragmentation Header
  Fragment 2: TCP Header, Data

Stateless Filtering is Impossible

  Fragment 1: IPv6 Header, Hop By Hop Header, Routing Header, Fragmentation Header
  Fragment 2: TCP Header, Data
  (the TCP header a filter needs to see is not in the first fragment)
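The "Stateless Filtering is Impossible" slide, as an added example rather than anything from the original deck: a header-chain walk of the kind a stateless filter performs, run over constructed packets shaped like the slide's two fragments and over the same packet unfragmented. To get the slide's layout (TCP header entirely in fragment 2) the fragmentable part is assumed to start with a Destination Options header; addresses, fragment ID and ports are constructed.

```python
# Added example: a stateless "find the transport header" walk over an IPv6
# extension header chain, run against constructed packets shaped like the
# fragmentation slide. Constants and packet bytes are this example's own.
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TRANSPORT = {6: "tcp", 17: "udp", 58: "icmpv6"}

SRC = bytes.fromhex("20010db8000000010000000000000001")   # constructed 2001:db8:1::1
DST = bytes.fromhex("20010db8000000020000000000000002")   # constructed 2001:db8:2::2


def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    """40-byte base header: version 6, class/flow 0, payload length, NH, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload


def ext_header(next_header: int, body: bytes = b"\x00" * 6) -> bytes:
    """Hop-by-Hop / Routing / Destination Options share one shape: Next Header,
    then length in 8-octet units not counting the first 8, then the body."""
    assert (len(body) + 2) % 8 == 0
    return bytes([next_header, (len(body) + 2) // 8 - 1]) + body


def fragment_header(next_header: int, offset_units: int, more: int, ident: int) -> bytes:
    """Fixed 8 bytes: NH, reserved, 13-bit offset (8-octet units) | 2 reserved | M flag, ID."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | more, ident)


def classify(packet: bytes):
    """What a stateless filter can learn from one packet on its own.
    Returns (transport name or None, reason)."""
    if len(packet) < 40:
        return None, "truncated base header"
    nh, pos = packet[6], 40
    while True:
        if nh in TRANSPORT:
            if pos + 4 > len(packet):        # not even the ports are in this packet
                return None, "transport header not present in this fragment"
            return TRANSPORT[nh], "transport header at offset %d" % pos
        if pos + 8 > len(packet):
            return None, "header chain runs past the end of the packet"
        if nh == FRAGMENT:
            offset = struct.unpack("!H", packet[pos + 2:pos + 4])[0] >> 3
            if offset != 0:
                return None, "non-first fragment: transport header is in another packet"
            nh, pos = packet[pos], pos + 8
        elif nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            nh, pos = packet[pos], pos + (packet[pos + 1] + 1) * 8
        else:
            return None, "unknown next header %d" % nh


# Constructed TCP SYN header: ports 40000 -> 80, seq 1, data offset 5, flags SYN
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def unfragmentable_part(next_after_routing: int) -> bytes:
    """Slide's per-fragment headers: Hop-by-Hop (points at Routing), then Routing."""
    return ext_header(ROUTING) + ext_header(next_after_routing)


def build_slide_fragments():
    """Fragment 1 carries only a Destination Options header from the fragmentable
    part; the whole TCP header lands in fragment 2, as drawn on the slide."""
    frag1 = ipv6_packet(HOP_BY_HOP, unfragmentable_part(FRAGMENT)
                        + fragment_header(DEST_OPTS, 0, 1, 0x1234)
                        + ext_header(6))               # dest opts, says TCP comes next
    frag2 = ipv6_packet(HOP_BY_HOP, unfragmentable_part(FRAGMENT)
                        + fragment_header(DEST_OPTS, 1, 0, 0x1234)
                        + TCP_SYN)                     # bytes here are TCP, not dest opts
    return frag1, frag2


def build_unfragmented() -> bytes:
    """Same chain with no Fragment header: the filter finds TCP at offset 64."""
    return ipv6_packet(HOP_BY_HOP, unfragmentable_part(DEST_OPTS) + ext_header(6) + TCP_SYN)
```

RFC 7112 (2014) later forbade splitting the header chain across fragments, so a filter today may drop a first fragment that stops short of the transport header instead of passing it; the parsing limit the slide describes is what that rule was written to remove.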
Translation & Transition Mechanisms

They're Such Nice Guys.
Translation & Transition

  Transition: IPv6 Island <-> IPv4 Internet <-> IPv6 Island
  Translation: IPv6 <-> IPv4
Transition
6to4
    IPv6 Island to IPv4 Network to IPv6 Island
    Relies on nice people to run border routers

6rd or IPv6 Rapid Deployment
    6to4, but instead of nice people it's an ISP running it, applicable only to their customers

ISATAP
    Host supporting IPv6 sits on an IPv4 Network
    Can talk to the IPv6 Internet, but not the reverse

Teredo
    Host supporting IPv6 sits on an IPv4 Network
    Magic NAT-punching IPv6-in-IPv4 to a Teredo Service Provider (can be open, can be paid)
    Allows an IPv6 Server to sit in an IPv4 Network
Translation
NAT-PT
   Old, Deprecated
   IPv4 or 6 Clients to IPv6 or 4 Servers
   Has External IPv4 addresses for Internal IPv6 Servers
   Breaks a lot of stuff

NAT64
   IPv6 Clients to IPv4 Servers
   Fakes an IPv6 Address for the IPv4 Server
   I talk to the NAT64 device, it forwards to IPv4
And More

Time Limits =(
IPv6 Enumeration Mechanisms

Internet-Based (bits left to guess):
  MAC Address Guessing using OUI               24-26 bits
  Sequential Address (DHCPv6 or Sysadmin)      8-16 bits
  Reverse Mapping via ip6.arpa                 Very efficient

Limited to Local Network (each available in nmap):
  Multicast Echo                               0 bits
  ICMPv6 Parameter Problem                     0 bits
  Multicast Listener Discovery                 0 bits
  SLAAC Fake-out                               0 bits
Yet More
• Multicast!
    • Listener Discovery
    • Listener Enumeration
    • Router Discovery
    • Router Enumeration
• Transition Mechanisms
    • 6to4
    • 6rd
    • 4rd
    • Teredo
    • ISATAP
    • 6in4
    • 6over4
• Node Querying
• UDP/TCP Checksum Calculation
• Router, DHCP, and DNS Discovery
• Redirection
• SeND
• New Features in DHCPv6
DNS(SEC)
DNSSEC Chain

[Build-up diagram: the resolver asks "att.com ?"; the chain of trust starts at the root (ICANN), goes through .com (Verisign), and ends at att.com]
Everything Is Signed
$ dig +dnssec nic.cz +short
217.31.205.50
A 5 2 1800 20120719160302 20120705160302 40844 nic.cz. IWGHqGORGO0jh4UuZnwx1P2qoCGYDOcHLhJBIQVJmh6+0Fskr6Sh2dgj E6BHQJQJ9HuzSDCHOvJkH98QkK4ZUgMCLSN5DHuVcmJ/J/g5VMjeWS3i NmLQVmcvpizwfYVo7cuCg1OteazB2QH7JRp+/KhR+Q+P8tNpDZKe2kEN VMQ=
Everything Is Signed
$ dig +dnssec nic.cz

;; ANSWER SECTION:

nic.cz.                  1797   IN     A       217.31.205.50

nic.cz.                 1797    IN      RRSIG   A 5 2 1800 20120719160302 20120705160302 40844 nic.cz. IWGHqGORGO0jh4UuZnwx1P2qoCGYDOcHLhJBIQVJmh6+0Fskr6Sh2dgj
E6BHQJQJ9HuzSDCHOvJkH98QkK4ZUgMCLSN5DHuVcmJ/J/g5VMjeWS3i NmLQVmcvpizwfYVo7cuCg1OteazB2QH7JRp+/KhR+Q+P8tNpDZKe2kEN VMQ=



;; AUTHORITY SECTION:

nic.cz.                  1797   IN     NS      a.ns.nic.cz.

nic.cz.                  1797   IN     NS      b.ns.nic.cz.

nic.cz.                  1797   IN     NS      d.ns.nic.cz.

nic.cz.                 1797    IN      RRSIG   NS 5 2 1800 20120719160302 20120705160302 40844 nic.cz. aAWmFODbEaHEt6NxuaIu82wWiL+9jMMH+EvBx4jDS5ViydnSV/lb+hLr
dEZlVgBOSG5VdGKZ2y7cx8fGF8w9/9U1FioVowFfP0dOnZ5ZGAS9dNxm CzHV0+1LiiY0KKSUvPHq9y+thOOwfgkwkFEiofvvRtck1rh8fGfZCFL8 4JY=



;; ADDITIONAL SECTION:

a.ns.nic.cz.             1797   IN     A       194.0.12.1

b.ns.nic.cz.             1797   IN     A       194.0.13.1

d.ns.nic.cz.             1797   IN     A       193.29.206.1

a.ns.nic.cz.             1797   IN     AAAA    2001:678:f::1

b.ns.nic.cz.             1797   IN     AAAA    2001:678:10::1

d.ns.nic.cz.             1797   IN     AAAA    2001:678:1::1

a.ns.nic.cz.            1797    IN      RRSIG   A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. Aj/zemlwTy2FM8+XDZPlDSKhcoKtKSSySugtqrQ8YZx/nOe7i3l/4H3D
XW7cQO/ND1lpW5VR+1RLbsQuovhAcQRtJj47WTkxYwWa4GdWH327aNn2 aklCdCOz6F8bGqZ2Af9EGqIZY+0Rk22FIqZc2qLpNoukI0Hfc0a6OP82 9/E=

b.ns.nic.cz.            1797    IN      RRSIG   A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. XZVf0rEBg1R1j1KHGXt/2lx76s5EbBqfe9a2tU3eyO0MnudsKiPu1VM4
+cBLIgVDUsZMhOaX7i/qHaLAaTa98CucKIQKiwsVVG9kQEWV+OmMrZE3 01xjVd6KNGq77jDyEVz2l6yiTIt/8U7KHDtM3haUXITeyUGJZcJvZ3Ta IOc=

d.ns.nic.cz.            1797    IN      RRSIG   A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. nFN5NWMibodVQYurwwdOlLIQbEWR0hSH+6OJDGRnsCpGGXiWr9VdeAhM
XFWehN/uVa6a+TpwJgnJFYkPzDVrVaFxTGdgNqqTFNcVtwLupbvc6Qq0 Nh6/0yKxbFEkK7n4R0m9Akwnr0BXVkdkpwy3xvZZGlMvfJMq/AKESqlD t3A=

a.ns.nic.cz.            1797    IN      RRSIG   AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. ghUpNuAs+8F08OfPucZg3/P+dOqQRdTYHoZVH8toyEcFqSTU3+yIp7HB
+O9hStK2RASMLi8lonzASZ2YbQRPZXmoBN+zEAZi6s3PIf3EFx7V388A UMowRyTyeh1qvf7fHn0llHDc2K1L4TZ5ZFuUg2PVNBaqcSSdI1mLDHsX AUM=

b.ns.nic.cz.            1797    IN      RRSIG   AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. MxlTDSe0Dkfyzbf9qdDj0Cs0oWrMpzkRsN8g4mfi1uWMuYlHTdUuu9d/
ec27we65x5B/SJJ6+Lb40A030BuuzJyvpuPNvpXh1fFCLZuvNuFPbhs9 MbptJmuEKjutraaA8jnxgK1KLT4kB+Nekf2IrwSC3oxAoyn5wXZJF0Fu /6o=

d.ns.nic.cz.            1797    IN      RRSIG   AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. AIRg88oIb4AR1QYeu5J0VBd6pjgeHI8vWAvJzy7m7O6Mmpn+KldrHu4M
gz7vOYPWZK8qNSvE/lDm7GZ3vERbVvprCwsvzaZCTb8h2wo1VxPx9tVA GQLo2yPTtX9gUqNBMRr/xS7CwyJLVNy3ZJTrQ3G8HyYOyRUVf/SubxPr srI=
Signatures Are Large

• DNS over UDP is limited to 512 bytes
• EDNS raises the UDP limit to 4096 bytes
• DNS over TCP has no limit

• 24 residential and SOHO routers were tested
• 18 of 24 devices tested couldn't support EDNS
• 23 of 24 devices tested couldn't support TCP
   • http://www.icann.org/en/groups/ssac/documents/sac-053-en.pdf
Everything Is Signed - Including No’s

Where is doesntexist.att.com?
   There is no doesntexist.att.com
   RRSIG(“There is no doesntexist.att.com”, ATT-KeyZSK )
Denial of Service

Where is doesntexist1.att.com?
  There is no doesntexist1.att.com
  RRSIG(“There is no doesntexist1.att…”, ATT-KeyZSK )

Where is doesntexist2.att.com?
  There is no doesntexist2.att.com
  RRSIG(“There is no doesntexist2.att…”, ATT-KeyZSK )

Where is doesntexist3.att.com?
  There is no doesntexist3.att.com
  RRSIG(“There is no doesntexist3.att…”, ATT-KeyZSK )
Sign a Single Response?

Where is doesntexist.att.com?
  No Record
  RRSIG(“No Record”, ATT-KeyZSK )
Man in the Middle

[Diagram: the client asks for att.com and should receive RRSIG("10.6.7.3"); an attacker in the middle substitutes the generically signed RRSIG("No Record"), which still verifies because the signature is not tied to any name]
Sign The Ranges

Where is doesntexist.att.com?
  There is nothing between admin.att.com and keyserver.att.com
  RRSIG(“There is nothing between…”, ATT-KeyZSK )



Called NSEC
Hash, then Sign The Ranges

Where is doesntexist.att.com?
  doesntexist.att.com -> hash it -> da739562…..
  There is nothing between a847629…. and ff572645….
  RRSIG(“There is nothing between…”, ATT-KeyZSK )



Called NSEC3!
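The NSEC and NSEC3 slides above, as an added example (not the authors' code): a constructed att.com-style zone, the signer-side search for the range that proves a name does not exist, the NSEC3 hash of RFC 5155 over the same names, and the resolver-side check that a signed range only denies names inside it, which is exactly what the generic "No Record" signature of the man-in-the-middle slide cannot pass. Zone contents, salt and iteration count are constructed values; function names are this example's own.

```python
# Added example: NSEC and NSEC3 denial of existence for the slides' att.com
# queries, with the resolver-side check that a signed range only denies the
# names inside it. The zone is constructed; nothing here is real att.com data.
import base64
import hashlib

ZONE = ["att.com", "www.att.com", "keyserver.att.com", "admin.att.com"]  # constructed

# RFC 4648 base32 -> base32hex alphabet; base32hex keeps hash order under string compare
_B32_TO_HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                            "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_key(name: str):
    """RFC 4034 canonical ordering: compare labels right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def wire_name(name: str) -> bytes:
    """RFC 1035 wire form: length-prefixed lowercase labels ending in a zero byte."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H0 = SHA1(wire || salt), Hk = SHA1(Hk-1 || salt), base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_HEX).lower()


def build_chain(names, key):
    """Sort the owners and link each to its successor; the last wraps to the first."""
    ordered = sorted(names, key=key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def in_range(owner, nxt, qname, key) -> bool:
    """owner < qname < next; the wrap-around record (next < owner) covers both ends."""
    o, n, q = key(owner), key(nxt), key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n


def covering(names, qname, key=canonical_key):
    """Signer side: the (owner, next) record proving qname does not exist, or
    None if it does exist. With key=canonical_key this is NSEC."""
    if any(key(n) == key(qname) for n in names):
        return None
    for owner, nxt in build_chain(names, key):
        if in_range(owner, nxt, qname, key):
            return owner, nxt
    raise ValueError("chain does not cover the name space")


def nsec3_covering(names, qname, salt_hex="aabbccdd", iterations=12):
    """Same proof over hashed names: the record reveals neighbouring hashes, not
    neighbouring hostnames. Returns the hashed (owner, next) or None."""
    h = lambda n: nsec3_hash(n, salt_hex, iterations)
    rec = covering(names, qname, key=h)
    return None if rec is None else (h(rec[0]), h(rec[1]))


def verify_denial(record, qname, key=canonical_key) -> bool:
    """Resolver side: accept a signed (owner, next) as proof only if qname falls
    inside it. A replayed range for a different name fails here."""
    return in_range(record[0], record[1], qname, key)
```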
‘Put It In DNSSEC’

Shoving Stuff in DNSSEC

[Build-up diagram: the client asks "Example.com?" and gets "10.0.1.200"; then it asks "Example.com? What's your SSL Certificate?" and gets "10.0.1.200, …" with the certificate attached; alongside, the TLS handshake runs ClientHello, then ServerHello, Certificate, ServerHelloDone, then …; the final frame compares the certificate from DNS with the one from TLS ("=") and marks the result ✘]
Bootstrapping Security
SSL Certs (DANE)
Product Update Checks
SSH
  ssh -o "VerifyHostKeyDNS yes"
  RFC 4255

OpenPGP
  gpg --auto-key-locate pka

S/MIME
  draft-hoffman-dane-smime-01.txt
Domain Policy Framework
gTLDs

.com .org .net

.biz .museum .coop

.whatever .you .like
.bugatti
A Little History
• Jon Postel basically used to run the Internet by himself

• ICANN was chartered in 1998 to:
    • Diversify management of the Internet
    • Introduce a democratic, “multi-stakeholder” model
    • Preempt UN action
Where ICANN Ended Up
Batching – What would you do?

(Excerpt from the ICANN "Batching System User Guide", Version 1.1, 7 June 2012, page 9, as shown on the slide:)

When performing these tests, we recommend the following:
    · Set your computer time to UTC to match the time zone of the batching server
    · When you click on the Generate button during the test, make note of the exact time you clicked the button. You can compare that time to the time that appears on the subsequent confirmation screen to identify any time variances.

Click on the Click Here to Run a Test link. A screen will appear that will ask you to set your target time using the dropdowns below.

Select a target time a minute or two after the current server time, then click the Next button.

Batching – What ICANN Decided
Batching – Our Response
Competition and Public Interest
IDN

http://مثال.إختبار

http://例子.測試

http://пример.испытание

http://דוגמה.טעסט
A word you will hear often

               Homograph!

  http://paypal.com        http://pаypal.com

  xn--fsqu00a.xn--g8w231d   xn--fsqu00a.xn--g6w251d
PunyCode

http://مثال.إختبار
    xn--mgbh0fb.xn--kgbechtv

http://例子.測試
    xn--fsqu00a.xn--g6w251d

http://пример.испытание
    xn--e1afmkfd.xn--80akhbyknj4f

http://דוגמה.טעסט
    xn--fdbk5d8ap9b8a8d.xn--deba0ad
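The homograph and PunyCode slides above, as an added example that is not part of the original deck: the slides' IDN labels run through Python's built-in IDNA codec in both directions, plus the mixed-script check browsers apply to decide whether a lookalike such as pаypal (Cyrillic а) is shown in Unicode or as its raw xn-- form. The domains are the slides' own; the lookalike string and the function names are this example's.

```python
# Added example: the slides' IDN labels through Python's built-in IDNA codec,
# plus a mixed-script check for lookalikes such as pаypal with a Cyrillic а.
# Function names are this example's own.
import unicodedata

# The four IDN test domains from the slides, plus the lookalike from the homograph slide.
SLIDE_DOMAINS = ["مثال.إختبار", "例子.測試", "пример.испытание", "דוגמה.טעסט"]
LOOKALIKE = "p\u0430ypal.com"   # the second 'a' is U+0430 CYRILLIC SMALL LETTER A


def to_punycode(domain: str) -> str:
    """Unicode domain -> the ASCII form the resolver sees (xn-- labels)."""
    return domain.encode("idna").decode("ascii")


def from_punycode(ascii_domain: str) -> str:
    """ASCII xn-- form -> Unicode, i.e. what a browser would display."""
    return ascii_domain.encode("ascii").decode("idna")


def scripts_in_label(label: str):
    """Script families used by a label, read off the Unicode character names
    (LATIN, CYRILLIC, CJK, ARABIC, HEBREW, ...). Digits and hyphen are ignored."""
    found = set()
    for ch in label:
        name = unicodedata.name(ch, "")
        family = name.split(" ")[0] if name else ""
        if family in ("", "DIGIT", "HYPHEN-MINUS"):
            continue
        found.add(family)
    return found


def mixed_script_labels(domain: str):
    """Labels that mix scripts (LATIN + CYRILLIC and so on): the classic
    homograph pattern. Whole-script lookalikes need a further confusables
    table, which this check does not attempt."""
    return [lbl for lbl in domain.split(".") if len(scripts_in_label(lbl)) > 1]


def display_form(ascii_domain: str) -> str:
    """Browser-style policy in miniature: show Unicode only when no label mixes
    scripts, otherwise fall back to the raw xn-- form."""
    unicode_form = from_punycode(ascii_domain)
    return ascii_domain if mixed_script_labels(unicode_form) else unicode_form
```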
Top Level Websites
• Supposed to be outlawed
• How do you represent them
     •   http://ai
     •   http://ai.
     •   http://ai/

•   AC has address 193.223.78.210
•   AI has address 209.59.119.34
•   BT has address 192.168.42.202
•   CM has address 195.24.205.60
•   DK has address 193.163.102.24
•   GG has address 87.117.196.80
The Big Picture

• The Death of Reputation
• Redesigning Enterprise Networks and Attacks
• External Attacks and Enumeration
• Product Promises and Failures
The End of Scarcity
The Death of Reputation
Scarcity makes certain assumptions reasonably true:

• An individual user has a high attachment rate for a small number of IPs

• A trademarked domain name has likely been taken by the most recognizable holder


• IP spoofing is highly limited in full-connection situations
Uses of IP Reputation
• Anti-Fraud and Adaptive Authentication
     • RSA, SilverTail, EnTrust


• DDoS Prevention and Rate Limiting
     • Arbor Networks, RadWare, every load balancer


• IDS, SIEM and Event Correlation
     • ArcSight, Splunk, Sourcefire


A simple example (a Snort rate_filter; "track by_src" counts per source IP):
  rate_filter
        gen_id 135, sig_id 1,
        track by_src,
        count 100, seconds 1,
        new_action drop, timeout 10
What options do attackers now have?

Per-machine IP spoofing
• Use rotating

Network prefix spoofing
How can you Adapt?
Switch to “Network Reputation”
• Intelligent detection of subnetting
• Correlation to other data to determine flows
• Positive, not negative reputation
• Con: One bad actor could DoS a popular network
• Con: State table will need to be ginormous


Filter out network bogons
•   Reverse BGP lookups
•   Central databases of assigned and utilized spaces


Implement intelligent egress filtering
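The per-IP rate limit from the rate_filter slide beside the "Network Reputation" adaptation proposed above, as an added example (not the authors' code or any product's logic): the same count/seconds rule evaluated once per source address and once per /64, over constructed events in which one client cycles through privacy addresses inside a single /64. Event data, prefix lengths and function names are this example's own.

```python
# Added example: the per-source counter behind a rule like the slides'
# "track by_src, count 100, seconds 1", beside a per-/64 counter, run over
# constructed events. An attacker rotating privacy addresses inside one /64
# never trips the first and always trips the second.
import ipaddress
from collections import defaultdict

# Constructed events (timestamp in seconds, source address): 300 requests in
# one second, each from a fresh address in 2001:db8:1:1::/64, plus one quiet host.
EVENTS = [(i / 300.0, "2001:db8:1:1::%x" % (i + 1)) for i in range(300)]
EVENTS.append((0.5, "2001:db8:2:2::10"))


def by_src(ip: str) -> str:
    """Key used by 'track by_src': the exact source address."""
    return str(ipaddress.ip_address(ip))


def by_prefix(ip: str, v6_len: int = 64, v4_len: int = 24) -> str:
    """Key for 'network reputation': the /64 a SLAAC or privacy address lives in
    (a /24 for IPv4, so the same counter serves both families)."""
    addr = ipaddress.ip_address(ip)
    plen = v6_len if addr.version == 6 else v4_len
    return str(ipaddress.ip_network("%s/%d" % (addr, plen), strict=False))


def over_limit(events, key_fn, count=100, seconds=1.0):
    """Keys that exceed `count` events inside any sliding window of `seconds`.
    Mirrors the rule's count/seconds pair; new_action and timeout are left out."""
    times = defaultdict(list)
    for ts, ip in sorted(events):
        times[key_fn(ip)].append(ts)
    tripped = set()
    for key, stamps in times.items():
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > seconds:
                start += 1
            if end - start + 1 > count:
                tripped.add(key)
                break
    return tripped


def state_table_size(events, key_fn) -> int:
    """How many keys the tracker must hold: the 'ginormous state table' cost."""
    return len({key_fn(ip) for _, ip in events})
```

Keying by prefix also shows the con listed above in miniature: every host in 2001:db8:1:1::/64 is now blocked along with the rotating client.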
Domain Reputation
• A lot of security thinking goes into securing this relationship:


                           www.paypal.com <-> 173.0.84.2


• This is also an important mapping:


              www.paypal.com <-> The Real PayPal with all the Money


• With 1400 potential new gTLDs, this mapping becomes more difficult for
  consumers to keep in their head
Domain Reputation Protection
• ICANN Rules
• Sunrise Period
• Trademark Clearing House
• URS
Homograph Examples in Browsers
Enterprise Architecture
IPv6 is intended to restore the “end-to-end principle”

Will it?
True IPv6 Enterprises would include:
1. Publicly addressable end-points
2. Firewalls doing actual firewalling
3. NAT64 mechanisms for IPv4 access
4. Portable VPN system, like DirectAccess
Enterprise Architecture Diagram
Will this happen?
Probably not…


1. Mix of real IPv6 and NAT
2. Lots of public addressing with private routing
3. Proxies will become even more important for egress control
Pros and Cons for Attackers
Pros:
• Possibility of routable end-points
Everything is Going To Break
•   Existing products have years or decades of customer testing.
•   Almost everything smarter than a router does not really work with
    IPv6.

INSERT EXAMPLE
Thank You

Alex Stamos
     alex@artemis.net
     Artemis

Tom Ritter
    tritter@isecpartners.com
    iSEC Partners

How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 

Recently uploaded (20)

Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 

How You Will Get Hacked Ten Years from Now

  • 1. The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
  • 2. Our Conclusions
      1. The Internet infrastructure is undergoing fundamental change for the first time in decades
      2. The assumption of scarcity is deeply woven into many security assumptions and products
      3. The new Internet will face significant problems with trust on both the client and server side
      4. New Enterprise Architectures will look very different
      5. Everything you have bought will break
  • 3. IPv6 (protocol stack diagram: Physical Layer; Link Layer with ARP; Internet Protocol; TCP, UDP, ICMP; DHCP, HTTP, TLS)
  • 4. The Myth of 12 More Bytes (the same stack diagram: Physical Layer; Link Layer with ARP; Internet Protocol; TCP, UDP, ICMP; DHCP, HTTP, TLS)
  • 5. The Myth of 12 More Bytes (the stack diagram again, now with NDP, MLD and MRD added beside ICMP)
  • 7. Stateless Address Auto-Configuration
      • Give yourself a local address in your subnet
          • Prefix: fe80:0:0:0::
          • IPv6 Address: fe80::f03c:91ff:fe96:d927
      • Ask what network you’re in
          • example: 2600:3c03::
      • Take your MAC Address, use it in the prefix
          • MAC: f2:3c:91:96:d9:27
          • IPv6 Address: 2600:3c03::f03c:91ff:fe96:d927
  • 8. Privacy Addresses
      • Using your MAC in the last 64 bits identifies you, globally, to every website you visit, no matter where you are
      • Super-Mega Evercookie
      • RFC 4941 Privacy Addresses
          • Generate a random /64 address
          • Prefer it for outgoing communications
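The address construction on slides 7 and 8 in code, as an added example that is not part of the deck: it derives the modified EUI-64 identifier from the slide's MAC, recognises addresses that still embed a MAC (the check a defender runs over an address inventory), and builds an RFC 4941 style random identifier instead. Standard library only; the MAC and prefixes are the ones shown on the slides.

```python
"""Added example, not from the slides: derive and recognise modified EUI-64
interface identifiers (the SLAAC slide), and build an RFC 4941 style random
identifier instead (the Privacy Addresses slide). Standard library only; the
MAC and prefixes are the ones shown on the slides."""
import ipaddress
import secrets


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, Appendix A): split the MAC, insert ff:fe,
    and invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    flipped = bytes([octets[0] ^ 0x02]) + octets[1:]
    return flipped[:3] + b"\xff\xfe" + flipped[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix with the EUI-64 identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC addresses need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_iid(mac))


def embedded_mac(addr: str):
    """Return the MAC leaked by an EUI-64 derived address, or None when the
    identifier does not carry the ff:fe marker (e.g. a privacy address).
    Running this over an address inventory or web logs shows which hosts are
    still announcing their hardware address to every site they visit."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def privacy_iid() -> bytes:
    """Random 64-bit identifier in the spirit of RFC 4941. The u/l bit is
    cleared so it can never collide with a globally unique EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02, the universal/local bit
    return bytes(iid)


def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """A temporary address for the prefix, to be preferred for outgoing traffic."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + privacy_iid())


if __name__ == "__main__":
    mac = "f2:3c:91:96:d9:27"
    print(slaac_address("fe80::/64", mac))        # fe80::f03c:91ff:fe96:d927
    print(slaac_address("2600:3c03::/64", mac))   # 2600:3c03::f03c:91ff:fe96:d927
    print(embedded_mac("2600:3c03::f03c:91ff:fe96:d927"))  # f2:3c:91:96:d9:27
    print(privacy_address("2600:3c03::/64"))      # random, different every run
```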
  • 9. DHCPv6
      • Conceptually the same as Original DHCP
      • Clients can get more than an IP Address
  • 10. The Default For Windows
      • Windows will happily perform SLAAC
      • Windows Prefers IPv6 over IPv4
  • 11. The Default For Windows
      • Windows will happily perform SLAAC
      • Windows Prefers IPv6 over IPv4
      Your computers are just sitting around, waiting for someone to help them talk IPv6. And it doesn’t have to be you.
  • 13. ICMPv6 protocols on top of IPv6 (diagram): SLAAC (Stateless Address Auto-configuration), NDP (Neighbor Discovery, the ARP replacement), MLD (Multicast Listener Discovery), MRD (Multicast Router Discovery)
  • 14. ICMPv6 Protocols: Router Discovery. “Who’s a Router?” “I’m a Router!”
  • 15. New Protocols, New Protocol Vulnerabilities (Same Tactics)
  • 16. NDP Router Discovery. “Who’s a Router?” “I’m a Router!”
  • 17. NDP Router Discovery. “Who’s a Router?” “I’m a Router!”
  • 18. NDP Neighbor Discovery. “Who’s got 3ffe::1?” “That’s me!”
  • 19. NDP: NDP Spoofing is the New ARP Spoofing. “Who’s got 3ffe::1?” “That’s me!”
  • 20. ICMPv6 Protocols: Duplicate Address Detection. “Does anyone have 3ffe::45?” “…”
  • 21. ICMPv6 Protocols: Duplicate Address Detection. “Does anyone have 3ffe::45?” “I do!” “Does anyone have 3ffe::46?” “I do!”
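The defender's side of slides 14 to 21, as an added example that is not part of the deck: three checks a link monitor can run over ICMPv6 events to spot an unexpected “I’m a Router!”, two different link-layer answers for one address, and one host answering every Duplicate Address Detection probe. The event record layout, the sample events and the router allow-list are assumptions constructed for this demo.

```python
"""Added example, not from the slides: three detection checks for the NDP
behaviours on slides 14 to 21 (rogue router advertisements, conflicting
neighbor advertisements, one host answering every DAD probe), run over a
constructed list of ICMPv6 events. The event fields and the router
allow-list are assumptions of this demo, not a real monitor's format."""
from collections import defaultdict

RA, NS, NA = 134, 135, 136  # ICMPv6 types: Router Adv, Neighbor Sol, Neighbor Adv


def ev(kind, src_mac, src_ip, target=None, lladdr=None):
    return {"type": kind, "src_mac": src_mac, "src_ip": src_ip,
            "target": target, "lladdr": lladdr}


LEGIT_ROUTER = "00:11:22:33:44:55"
ROGUE = "de:ad:be:ef:00:01"
# Constructed sample: the real router and a second box both say "I'm a router!",
# the second box answers both DAD probes and also claims 3ffe::1.
SAMPLE_EVENTS = [
    ev(RA, LEGIT_ROUTER, "fe80::211:22ff:fe33:4455"),
    ev(RA, ROGUE, "fe80::dcad:beff:feef:1"),
    ev(NS, "f2:3c:91:96:d9:27", "::", target="3ffe::45"),          # DAD probe
    ev(NA, ROGUE, "fe80::dcad:beff:feef:1", target="3ffe::45", lladdr=ROGUE),
    ev(NS, "f2:3c:91:96:d9:27", "::", target="3ffe::46"),          # DAD probe
    ev(NA, ROGUE, "fe80::dcad:beff:feef:1", target="3ffe::46", lladdr=ROGUE),
    ev(NA, "aa:aa:aa:aa:aa:01", "3ffe::1", target="3ffe::1", lladdr="aa:aa:aa:aa:aa:01"),
    ev(NA, ROGUE, "3ffe::1", target="3ffe::1", lladdr=ROGUE),
]


def rogue_router_advertisements(events, allowed_macs):
    """MACs sending RAs that are not on the allow-list: "I'm a router!" from a
    host nobody configured as one."""
    return sorted({e["src_mac"] for e in events
                   if e["type"] == RA and e["src_mac"] not in allowed_macs})


def neighbor_conflicts(events):
    """Targets advertised with more than one link-layer address, the NDP
    counterpart of two ARP replies for one IP."""
    claims = defaultdict(set)
    for e in events:
        if e["type"] == NA and e["lladdr"]:
            claims[e["target"]].add(e["lladdr"])
    return {t: sorted(macs) for t, macs in claims.items() if len(macs) > 1}


def dad_answerers(events, threshold=2):
    """MACs that answer DAD probes (NS with the unspecified source ::) for
    at least `threshold` different tentative addresses. Ordinary hosts own
    one or two addresses; answering for everything denies addresses to all."""
    tentative = {e["target"] for e in events if e["type"] == NS and e["src_ip"] == "::"}
    answers = defaultdict(set)
    for e in events:
        if e["type"] == NA and e["target"] in tentative:
            answers[e["src_mac"]].add(e["target"])
    return {mac: sorted(t) for mac, t in answers.items() if len(t) >= threshold}


if __name__ == "__main__":
    print(rogue_router_advertisements(SAMPLE_EVENTS, {LEGIT_ROUTER}))
    print(neighbor_conflicts(SAMPLE_EVENTS))
    print(dad_answerers(SAMPLE_EVENTS))
```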
  • 23. IPv6 Packet Format: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address, Data
  • 24. IPv6 Packet Format (with an extension header): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address, then the Extension header (Next Header, Length, Options / Padding), then Data
  • 25. Extension Headers + Fragmentation (diagram)
      • Fragment 1: IPv6 Header, Hop By Hop Header, Routing Header, Fragmentation Header
      • Fragment 2: TCP Header, Data
  • 26. Stateless Filtering is Impossible (the same diagram: the TCP header arrives only in Fragment 2, behind the chain of extension headers)
  • 27. Translation & Transition Mechanisms: They’re Such Nice Guys.
  • 28. Translation & Transition
      • Transition: IPv6 Island | IPv4 Internet | IPv6 Island
      • Translation: IPv6 <--> IPv4
  • 29. Transition
      • 6to4: IPv6 Island to IPv4 Network to IPv6 Island. Relies on Nice people to run border routers
      • 6rd or IPv6 Rapid Deployment: 6to4, but instead of nice people it’s an ISP running it, applicable only to their customers
      • ISATAP: Host supporting IPv6 sits on an IPv4 Network. Can talk to the IPv6 Internet, but not the reverse
      • Teredo: Host supporting IPv6 sits on an IPv4 Network. Magic NAT-punching IPv6-in-IPv4 to a Teredo Service Provider (Can be open, can be paid). Allows an IPv6 Server to sit in an IPv4 Network
  • 30. Translation
      • NAT-PT: Old, Deprecated. IPv4 or 6 Clients to IPv6 or 4 Servers. Has External IPv4 addresses for Internal IPv6 Servers. Breaks a lot of stuff
      • NAT64: IPv6 Clients to IPv4 Servers. Fakes an IPv6 Address for the IPv4 Server. I talk to the NAT64 device, it forwards to IPv4
  • 32. IPv6 Enumeration Mechanisms
      Internet-Based:
      • MAC Address Guessing using OUI: 24-26 bits
      • Sequential Address (DHCPv6 or Sysadmin): 8-16 bits
      • Reverse Mapping ip6.arpa: Very Efficient
      Limited to Local Network:
      • Multicast Echo (nmap): 0 bits
      • ICMPv6 Parameter Problem (nmap): 0 bits
      • Multicast Listener Discovery (nmap): 0 bits
      • SLAAC Fake-out (nmap): 0 bits
  • 33. Yet More
      • Multicast!
          • Node Querying
          • Listener Discovery
          • Listener Enumeration
          • Router Discovery
          • Router Enumeration
      • UDP/TCP Checksum Calculation
      • Transition Mechanisms
          • 6to4
          • 6rd
          • 4rd
          • Teredo
          • ISATAP
          • 6in4
          • 6over4
      • Router, DHCP, and DNS Discovery
      • Redirection
      • SeND
      • New Features in DHCPv6
  • 36. DNSSEC Chain (diagram): ICANN … att.com ?
  • 37. DNSSEC Chain (diagram): ICANN ? → .com (Verisign) → att.com ?
  • 38. DNSSEC Chain (diagram): ICANN → .com (Verisign) → att.com ?
  • 39. DNSSEC Chain (diagram): ICANN → .com (Verisign) → att.com
  • 40. Everything Is Signed
      $ dig +dnssec nic.cz +short
      217.31.205.50
      A 5 2 1800 20120719160302 20120705160302 40844 nic.cz. IWGHqGORGO0jh4UuZnwx1P2qoCGYDOcHLhJBIQVJmh6+0Fskr6Sh2dgj E6BHQJQJ9HuzSDCHOvJkH98QkK4ZUgMCLSN5DHuVcmJ/J/g5VMjeWS3i NmLQVmcvpizwfYVo7cuCg1OteazB2QH7JRp+/KhR+Q+P8tNpDZKe2kEN VMQ=
  • 41. Everything Is Signed
      $ dig +dnssec nic.cz
      ;; ANSWER SECTION:
      nic.cz.        1797 IN A     217.31.205.50
      nic.cz.        1797 IN RRSIG A 5 2 1800 20120719160302 20120705160302 40844 nic.cz. IWGHqGORGO0jh4UuZnwx1P2qoCGYDOcHLhJBIQVJmh6+0Fskr6Sh2dgj E6BHQJQJ9HuzSDCHOvJkH98QkK4ZUgMCLSN5DHuVcmJ/J/g5VMjeWS3i NmLQVmcvpizwfYVo7cuCg1OteazB2QH7JRp+/KhR+Q+P8tNpDZKe2kEN VMQ=
      ;; AUTHORITY SECTION:
      nic.cz.        1797 IN NS    a.ns.nic.cz.
      nic.cz.        1797 IN NS    b.ns.nic.cz.
      nic.cz.        1797 IN NS    d.ns.nic.cz.
      nic.cz.        1797 IN RRSIG NS 5 2 1800 20120719160302 20120705160302 40844 nic.cz. aAWmFODbEaHEt6NxuaIu82wWiL+9jMMH+EvBx4jDS5ViydnSV/lb+hLr dEZlVgBOSG5VdGKZ2y7cx8fGF8w9/9U1FioVowFfP0dOnZ5ZGAS9dNxm CzHV0+1LiiY0KKSUvPHq9y+thOOwfgkwkFEiofvvRtck1rh8fGfZCFL8 4JY=
      ;; ADDITIONAL SECTION:
      a.ns.nic.cz.   1797 IN A     194.0.12.1
      b.ns.nic.cz.   1797 IN A     194.0.13.1
      d.ns.nic.cz.   1797 IN A     193.29.206.1
      a.ns.nic.cz.   1797 IN AAAA  2001:678:f::1
      b.ns.nic.cz.   1797 IN AAAA  2001:678:10::1
      d.ns.nic.cz.   1797 IN AAAA  2001:678:1::1
      a.ns.nic.cz.   1797 IN RRSIG A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. Aj/zemlwTy2FM8+XDZPlDSKhcoKtKSSySugtqrQ8YZx/nOe7i3l/4H3D XW7cQO/ND1lpW5VR+1RLbsQuovhAcQRtJj47WTkxYwWa4GdWH327aNn2 aklCdCOz6F8bGqZ2Af9EGqIZY+0Rk22FIqZc2qLpNoukI0Hfc0a6OP82 9/E=
      b.ns.nic.cz.   1797 IN RRSIG A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. XZVf0rEBg1R1j1KHGXt/2lx76s5EbBqfe9a2tU3eyO0MnudsKiPu1VM4 +cBLIgVDUsZMhOaX7i/qHaLAaTa98CucKIQKiwsVVG9kQEWV+OmMrZE3 01xjVd6KNGq77jDyEVz2l6yiTIt/8U7KHDtM3haUXITeyUGJZcJvZ3Ta IOc=
      d.ns.nic.cz.   1797 IN RRSIG A 5 4 1800 20120719160302 20120705160302 40844 nic.cz. nFN5NWMibodVQYurwwdOlLIQbEWR0hSH+6OJDGRnsCpGGXiWr9VdeAhM XFWehN/uVa6a+TpwJgnJFYkPzDVrVaFxTGdgNqqTFNcVtwLupbvc6Qq0 Nh6/0yKxbFEkK7n4R0m9Akwnr0BXVkdkpwy3xvZZGlMvfJMq/AKESqlD t3A=
      a.ns.nic.cz.   1797 IN RRSIG AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. ghUpNuAs+8F08OfPucZg3/P+dOqQRdTYHoZVH8toyEcFqSTU3+yIp7HB +O9hStK2RASMLi8lonzASZ2YbQRPZXmoBN+zEAZi6s3PIf3EFx7V388A UMowRyTyeh1qvf7fHn0llHDc2K1L4TZ5ZFuUg2PVNBaqcSSdI1mLDHsX AUM=
      b.ns.nic.cz.   1797 IN RRSIG AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. MxlTDSe0Dkfyzbf9qdDj0Cs0oWrMpzkRsN8g4mfi1uWMuYlHTdUuu9d/ ec27we65x5B/SJJ6+Lb40A030BuuzJyvpuPNvpXh1fFCLZuvNuFPbhs9 MbptJmuEKjutraaA8jnxgK1KLT4kB+Nekf2IrwSC3oxAoyn5wXZJF0Fu /6o=
      d.ns.nic.cz.   1797 IN RRSIG AAAA 5 4 1800 20120719160302 20120705160302 40844 nic.cz. AIRg88oIb4AR1QYeu5J0VBd6pjgeHI8vWAvJzy7m7O6Mmpn+KldrHu4M gz7vOYPWZK8qNSvE/lDm7GZ3vERbVvprCwsvzaZCTb8h2wo1VxPx9tVA GQLo2yPTtX9gUqNBMRr/xS7CwyJLVNy3ZJTrQ3G8HyYOyRUVf/SubxPr srI=
  • 42. Signatures Are Large
      • DNS UDP Limit is 512
      • EDNS UDP Limit is 4096
      • DNS TCP has no limit
      • 24 Residential and SOHO routers were tested
      • 18 of 24 Devices tested couldn’t support EDNS
      • 23 of 24 Devices tested couldn’t support TCP
      • http://www.icann.org/en/groups/ssac/documents/sac-053-en.pdf
  • 43. Everything Is Signed - Including No’s
      “Where is doesntexist.att.com?” “There is no doesntexist.att.com” RRSIG(“There is no doesntexist.att.com”, ATT-KeyZSK)
  • 44. Denial of Service
      “Where is doesntexist1.att.com?” “There is no doesntexist1.att.com” RRSIG(“There is no doesntexist1.att…”, ATT-KeyZSK)
      “Where is doesntexist2.att.com?” “There is no doesntexist2.att.com” RRSIG(“There is no doesntexist2.att…”, ATT-KeyZSK)
      “Where is doesntexist3.att.com?” “There is no doesntexist3.att.com” RRSIG(“There is no doesntexist3.att…”, ATT-KeyZSK)
  • 45. Sign a Single Response?
      “Where is doesntexist.att.com?” “No Record” RRSIG(“No Record”, ATT-KeyZSK)
  • 46. Man in the Middle (diagram): att.com RRSIG(“10.6.7.3”) replaced by att.com RRSIG(“No Record”)
  • 47. Sign The Ranges
      “Where is doesntexist.att.com?” “There is nothing between admin.att.com and keyserver.att.com” RRSIG(“There is nothing between…”, ATT-KeyZSK). Called NSEC
  • 48. Sign The Ranges
      “Where is doesntexist.att.com?” “There is nothing between admin.att.com and keyserver.att.com” RRSIG(“There is nothing between…”, ATT-KeyZSK)
  • 49. Hash, then Sign The Ranges
      “Where is doesntexist.att.com?” doesntexist.att.com -> hash it -> da739562….. “There is nothing between a847629…. and ff572645….” RRSIG(“There is nothing between…”, ATT-KeyZSK). Called NSEC3!
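The hashing behind slides 47 to 49 in code, as an added example that is not part of the deck: the NSEC3 owner-name hash from RFC 5155 and the “nothing between X and Y” interval check a validating resolver makes on a hashed denial. The salt, iteration count and zone names are the RFC 5155 Appendix A test values, not att.com's; the query name is constructed.

```python
"""Added example, not from the slides: the NSEC3 owner-name hashing from the
"Hash, then Sign The Ranges" slide (RFC 5155 section 5) and the interval
check a validating resolver makes on a hashed denial. The salt, iteration
count and zone names are the RFC 5155 Appendix A test values, not att.com's."""
import base64
import hashlib

# RFC 5155 uses base32 with the "extended hex" alphabet (RFC 4648 section 7).
_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire format: lowercase, length-prefixed labels, root last."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """SHA-1 applied iterations+1 times, the salt appended before every round,
    rendered as 32 base32hex characters (the NSEC3 owner label)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode("ascii")


def covering_interval(chain, target):
    """Given the owner hashes of a zone's NSEC3 chain (any order) and the hash
    of the queried name, return the (owner, next) pair whose gap proves the
    name does not exist, or None if the hash is itself in the chain."""
    owners = sorted(set(chain))
    if target in owners:
        return None
    for owner, nxt in zip(owners, owners[1:]):
        if owner < target < nxt:
            return owner, nxt
    return owners[-1], owners[0]  # the last record wraps around to the first


def prove_nonexistence(zone_names, qname, salt, iterations):
    """Hash every name in the zone and the queried name, then find the range
    that answers "there is nothing between X and Y" for the query."""
    chain = [nsec3_hash(n, salt, iterations) for n in zone_names]
    qhash = nsec3_hash(qname, salt, iterations)
    return qhash, covering_interval(chain, qhash)


if __name__ == "__main__":
    salt, iterations = bytes.fromhex("aabbccdd"), 12
    zone = ["example", "a.example", "ns1.example", "ns2.example", "w.example"]
    print(nsec3_hash("example", salt, iterations))  # 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM
    print(prove_nonexistence(zone, "doesntexist.example", salt, iterations))
```

The interval check is only the ordering part of validation; a real resolver also verifies the RRSIG over the NSEC3 record and the closest-encloser proof before accepting the denial.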
  • 50. ‘Put It In DNSSEC’
  • 51. Shoving Stuff in DNSSEC (diagram): “Example.com?” → “10.0.1.200”
  • 52. Shoving Stuff in DNSSEC (diagram): “Example.com?” → “10.0.1.200”
  • 53. Shoving Stuff in DNSSEC (diagram): “Example.com?” → “10.0.1.200”; “Example.com? What’s your SSL Certificate?” → “10.0.1.200, …”
  • 54. Shoving Stuff in DNSSEC (diagram): “Example.com? What’s your SSL Certificate?” → “10.0.1.200, …”; then ClientHello → ServerHello, Certificate, ServerHelloDone …
  • 55. Shoving Stuff in DNSSEC = ✘
  • 57. SSL Certs (DANE); Product Update Checks
  • 58.
      • SSL Certs (DANE)
      • Product Update Checks
      • SSH: ssh -o "VerifyHostKeyDNS yes" (RFC 4255)
      • OpenPGP: gpg --auto-key-locate pka
      • S/MIME: draft-hoffman-dane-smime-01.txt
  • 60. gTLDs: .com .org .net .biz .museum .coop .whatever .you .like
  • 64. A Little History
      • Jon Postel basically used to run the Internet by himself
      • ICANN was chartered in 1998 to:
          • Diversify management of the Internet
          • Introduce a democratic, “multi-stakeholder” model
          • Preempt UN Action
  • 67. Batching – What would you do?
  • 68. Batching – What ICANN Decided (screenshot of the ICANN Batching System User Guide, Version 1.1, 7 June 2012, page 9):
      “When performing these tests, we recommend the following:
      · Set your computer time to UTC to match the time zone of the batching server
      · When you click on the Generate button during the test, make note of the exact time you clicked the button. You can compare that time to the time that appears on the subsequent confirmation screen to identify any time variances.
      Click on the Click Here to Run a Test link. A screen will appear that will ask you to set your target time using the dropdowns below.
      Select a target time a minute or two after the current server time, then click the Next button.”
  • 69. Batching – Our Response
  • 73. A word you will hear often: Homograph!
      http://paypal.com vs http://pаypal.com
      xn--fsqu00a.xn--g8w231d vs xn--fsqu00a.xn--g6w251d
  • 74. PunyCode
      http://مثال.إختبار → xn--mgbh0fb.xn--kgbechtv
      http://例子.測試 → xn--fsqu00a.xn--g6w251d
      http://пример.испытание → xn--e1afmkfd.xn--80akhbyknj4f
      http://דוגמה.טעסט → xn--fdbk5d8ap9b8a8d.xn--deba0ad
  • 75. Top Level Websites
      • Supposed to be outlawed
      • How do you represent them?
          • http://ai
          • http://ai.
          • http://ai/
      • AC has address 193.223.78.210
      • AI has address 209.59.119.34
      • BT has address 192.168.42.202
      • CM has address 195.24.205.60
      • DK has address 193.163.102.24
      • GG has address 87.117.196.80
  • 76. The Big Picture
      • The Death of Reputation
      • Redesigning Enterprise Networks and Attacks
      • External Attacks and Enumeration
      • Product Promises and Failures
  • 77. The End of Scarcity
  • 78. The Death of Reputation
      Scarcity makes certain assumptions reasonably true:
      • An individual user has a high attachment rate for a small number of IPs
      • A trademarked domain name has likely been taken by the most recognizable holder
      • IP spoofing is highly limited in full-connection situations
  • 79. Uses of IP Reputation
      • Anti-Fraud and Adaptive Authentication: RSA, SilverTail, EnTrust
      • DDoS Prevention and Rate Limiting: Arbor Networks, RadWare, every load balancer
      • IDS, SIEM and Event Correlation: ArcSight, Splunk, Sourcefire
      A simple example (tracked Per IP):
      rate_filter gen_id 135, sig_id 1, track by_src, count 100, seconds 1, new_action drop, timeout 10
  • 80. What options do attackers now have?
      • Per-Machine IP spoofing (use rotating addresses)
      • Network prefix spoofing
  • 81. How can you Adapt?
      Switch to “Network Reputation”
      • Intelligent detection of subnetting
      • Correlation to other data to determine flows
      • Positive, not negative reputation
      • Con: One bad actor could DoS a popular network
      • Con: State table will need to be ginormous
      Filter out network bogons
      • Reverse BGP lookups
      • Central databases of assigned and utilized spaces
      Implement intelligent egress filtering
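Slides 79 to 81 side by side, as an added example that is not part of the deck: the per-source rate filter from the “Uses of IP Reputation” slide (100 hits in 1 second, tracked by source address) next to a “network reputation” variant that keys the same counter on the enclosing /64 or /48. The burst is constructed: 300 requests within one second from 300 different addresses inside a single /64, which one IPv6 host can produce on its own.

```python
"""Added example, not from the slides: the per-source rate filter from the
"Uses of IP Reputation" slide (100 hits per second, track by_src) next to the
"network reputation" alternative that keys the counter on the enclosing /64
or /48. The burst below is constructed: 300 requests in one second from 300
different addresses inside a single /64, which one IPv6 host can do alone."""
import ipaddress
from collections import defaultdict


def by_src(src: str) -> str:
    """Per-address tracking, the assumption the slide labels 'Per IP'."""
    return src


def by_prefix(bits: int):
    """Bucket by the enclosing /bits network: /64 is one LAN, /48 one site.
    Meant for IPv6 sources; an IPv4 source is capped at /32 (its own bucket)."""
    def key(src: str) -> str:
        addr = ipaddress.ip_address(src)
        plen = bits if addr.version == 6 else min(bits, 32)
        return str(ipaddress.ip_network(f"{src}/{plen}", strict=False))
    return key


class RateFilter:
    """Sliding window: drop when a bucket exceeds `count` hits in `seconds`.
    `key_fn` maps the source address to the bucket it is counted against."""

    def __init__(self, count=100, seconds=1.0, key_fn=None):
        self.count, self.seconds = count, seconds
        self.key_fn = key_fn or by_src
        self.hits = defaultdict(list)  # bucket -> timestamps inside the window

    def offer(self, src: str, ts: float) -> bool:
        """Record one request; return True if it should be dropped."""
        key = self.key_fn(src)
        window = [t for t in self.hits[key] if ts - t < self.seconds]
        window.append(ts)
        self.hits[key] = window
        return len(window) > self.count


def constructed_burst(prefix="2600:3c03:1:1::", n=300, start=0.0):
    """n requests, each from a fresh address in the same /64, within one second."""
    base = int(ipaddress.IPv6Address(prefix))
    return [(str(ipaddress.IPv6Address(base + i)), start + i / n) for i in range(n)]


def dropped_count(filt: RateFilter, requests) -> int:
    """How many of the requests the filter would have dropped."""
    return sum(filt.offer(src, ts) for src, ts in requests)


if __name__ == "__main__":
    burst = constructed_burst()
    print(dropped_count(RateFilter(key_fn=by_src), burst))         # 0: no address repeats
    print(dropped_count(RateFilter(key_fn=by_prefix(64)), burst))  # 200: the /64 is over budget
```

The cost the slide warns about is visible in `hits`: one bucket per /64 is a much smaller table than one per address, but a single abusive host now burns the budget of every neighbour in its /64.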
  • 82. Domain Reputation
      • A lot of security thinking goes into securing this relationship: www.paypal.com <-> 173.0.84.2
      • This is also an important mapping: www.paypal.com <-> The Real PayPal with all the Money
      • With 1400 potential new gTLDs, this mapping becomes more difficult for consumers to keep in their head
  • 83. Domain Reputation Protection
      • ICANN Rules
      • Sunrise Period
      • Trademark Clearing House
      • URS
  • 84. A word you will hear often: Homograph!
      http://paypal.com vs http://pаypal.com
      xn--fsqu00a.xn--g8w231d vs xn--fsqu00a.xn--g6w251d
  • 85. PunyCode
      http://مثال.إختبار → xn--mgbh0fb.xn--kgbechtv
      http://例子.測試 → xn--fsqu00a.xn--g6w251d
      http://пример.испытание → xn--e1afmkfd.xn--80akhbyknj4f
      http://דוגמה.טעסט → xn--fdbk5d8ap9b8a8d.xn--deba0ad
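The conversions on the PunyCode and Homograph slides (73/74 and 84/85) in code, as an added example that is not part of the deck: the standard library's IDNA codec produces the xn-- forms shown on the slides, and a mixed-script check flags the label where a Cyrillic letter has been dropped into an otherwise Latin name. The hostnames are constructed test inputs, with the Cyrillic а written as \u0430 so it is visibly different from the Latin a.

```python
"""Added example, not from the slides: encode the IDN hostnames from the
PunyCode slide to their xn-- form with the standard library, and flag labels
that mix scripts, the property that separates paypal.com from the
Latin/Cyrillic look-alike. The hostnames are constructed test inputs."""
import unicodedata


def to_punycode(host: str) -> str:
    """IDNA (ToASCII) encoding of every label, e.g. 例子.測試 -> xn--fsqu00a.xn--g6w251d."""
    return host.encode("idna").decode("ascii")


def from_punycode(host: str) -> str:
    """The reverse: what the browser would display for an xn-- hostname."""
    return host.encode("ascii").decode("idna")


def scripts_in(label: str):
    """Set of scripts used by the letters of one label, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, CJK, ...).
    Digits and hyphens are ignored since every script may use them."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def mixed_script_labels(host: str):
    """Labels of `host` whose letters come from more than one script. A single
    foreign script is fine (пример.испытание); one Cyrillic letter inside an
    otherwise Latin label is the classic homograph. Accepts xn-- input too."""
    if host.isascii():
        host = from_punycode(host)
    return [lab for lab in host.split(".") if len(scripts_in(lab)) > 1]


if __name__ == "__main__":
    for host in ["例子.測試", "пример.испытание", "paypal.com", "p\u0430ypal.com"]:
        print(host, to_punycode(host), mixed_script_labels(host))
```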
  • 87. Enterprise Architecture
      IPv6 is intended to restore the “end-to-end principle”. Will it?
      True IPv6 Enterprises would include:
      1. Publicly addressable end-points
      2. Firewalls doing actual firewalling
      3. NAT64 mechanisms for IPv4 access
      4. Portable VPN system, like DirectAccess
  • 89. Will this happen? Probably not…
      1. Mix of real IPv6 and NAT
      2. Lots of public addressing with private routing
      3. Proxies will become even more important for egress control
  • 90. Pros and Cons for Attackers
      Pros:
      • Possibility of routable end-points
  • 91. Everything is Going To Break
      • Existing products have years or decades of customer testing.
      • Almost everything smarter than a router does not really work with IPv6.
      INSERT EXAMPLE
  • 92. Thank You
      Alex Stamos, alex@artemis.net, Artemis
      Tom Ritter, tritter@isecpartners.com, iSEC Partners