SlideShare a Scribd company logo
1
IPv6 Security Overview
Q S Tahmeed, APNIC RCT, BD
2
IPv4: Current Status
3
3
IPv6: Global End User Readiness
https://stats.labs.apnic.net/ipv6
4
4
IPv6: Globally Top 1000 Websites
https://pulse.internetsociety.org/technologies
5
IPV6: ADDRESS TYPES &
HEADERS
6
6
IPv6: Address Spaces
Prefix Designation IPv4 equivalent
::/128 Unspecified
This address may only be used as a source address by an initializing host before it has learned its
own addresses.
0.0.0.0
::1/128 Loopback
This address is used when a host talks to itself over IPv6. This often happens when one program
sends data to another.
127.0.0.1
fc00::/7
Example: fdf8:f535:82e4::53
Unique Local Addresses (ULAs)
Reserved for local use in home and enterprise environments (not public address space).
Private, or RFC 1918 address space:
•10.0.0.0/8
•172.16.0.0/12
•192.168.0.0/16
fe80::/10
Example: fe80::200:5aee:feaa:20a2
Link-Local Addresses
Used on a single link or a non-routed common access network, such as an Ethernet LAN. They do
not need to be unique outside of that link.
169.254.0.0/16
2001:db8::/32
Example: 2001:db8:8:4::2
Documentation
used in examples and documentation. These should never be source or destination addresses.
•192.0.2.0/24
•198.51.100.0/24
•203.0.113.0/24
2000::/3 Global Unicast
The operators of networks using these addresses can be found using the RIR Whois servers listed
in the IANA registry.
No equivalent single IPv4 block
ff00::/8
Example: ff01:0:0:0:0:0:0:2
Multicast
Used to identify multicast groups. They should only be used as destination addresses, never as
source addresses.
224.0.0.0/4
The above is a partial list. The full list can be found below:
https://www.apnic.net/get-ip/faqs/what-is-an-ip-address/ipv6-address-types/
7
7
IPv6: Protocol Headers
IPv6
IPv4
8
8
IPv6: Protocol Headers
IPv6
IPv4
9
IPV6: KEY SECURITY FEATURES
10
10
IPv6: Security Statements
Statements Reason Reality
IPv6 is more secure and it’s built-in RFC4294 – states that IPsec is a MUST - RFC 8504 – states IPsec SHOULD.
- IPsec is available.
IPv6 has no NAT and we are exposed to
attacks from Internet
E2E paradigm. Global addresses & No
NAT
Global addressing doesn’t imply global
rechability and each organization is
responsible for FILTERING its own traffic.
IPv6 Networks are too big to SCAN Standard LAN/VLAN allocation is /64
network prefix
Brute-force scan is not possible but there
are new scanning techniques available.
IPv6 is too new to be attacked Lack of updated information 20% of overall Malicious Traffic is over
IPv6.
IPv6 is not a security problem in IPv4 only
networks
Networks having IPv4 services only IPv6 is by default enabled in modern OS
and can lead to problems if unchecked.
IPv6 security lacks adequate resources
and policies
Considering that there are no BCPs,
resources or features
BCPs, Resources & Features are there
and regularly updated. ORGs can
implement own security policy in
accordance.
11
IPv6: How to Approach
A change of mindset is necessary
q IPv6 has its own security features and risks & need to be
addressed accordingly
q IPv6 protocol knowledge development is the best security
measures
12
IPv6: What’s actually happening out there
• 2003 : First IPv6 DDoS - approx. 1Gbps
• 2022 October : 10% of all attacks
• 2023 June : 20% of all attacks (doubled in less than a year)
• 2023 May-June : Spiked to 35% of all attacks (co-insides with the ongoing scanning attacks)
• In just 2022 IPv6 overall DDoS traffic volume increased by 600% !!!
References:
– https://www.juniper.net/content/dam/www/assets/analyst-reports/us/en/2023/corero-ddos-threat-intelligence-report.pdf
– https://majorityreport.crowdsec.net
– https://www.radware.com/2023-h1-global-threat-analysis-report/
– June 15, 2023: ipv6-exploitation-in-ad-environment
– February 14, 2023: MITM6
13
IPv6 Threats: Spoofing
• IP Spoofing:
– Using a fake IPv6 source address
• Solution:
– ingress filtering and uRFP (unicast
reverse path forwarding)
• uRPF :
– BCP38 (RFC2827)
• Since 1998!
– Router verifies if the source address
of packets received is in the FIB
table and reachable (routing table)
• Else DROP!
pos0/0
ge0/0
Src = 2406:6400:100::1
Src = 2406:6400:200::1
FIB:
2400:6400:100:/48 ge0/0
2400:6400:200:/48 fa0/0
pos0/0
ge0/0
Src = 2406:6400:100::1
Src = 2406:6400:200::1
Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
14
IPv6 Threats: BOGONs
What is BOGON
• Not all IP (v4 and v6) are allocated by
IANA to the RIRs
• Addresses that should not be seen on the
Internet are called “Bogons” (also called
“Martians”)
– RFC1918s + Reserved space
• IANA publishes list of number resources
that have been allocated/assigned to
RIRs/end-users
• IANA - IPv6 Assignment List
• IANA - IPv4 Assignment List
Impact & Mitigation
• Commonly found as source address of DDOS
packets
• Implement ingress BOGON filters
– Should not route them or accept traffic from
them
– Manually implement from IANA BOGON list
– Autoconfig via TeamCymru BOGON route
server project
15
IPv6: Extension Headers
IPv6 allows an optional Extension Header in between the
IPv6 headers and Upper Layer (TCP/UDP) headers
– Allows adding new features to IPv6 protocol without
major re-engineering
RFC8200:
– “Extension headers (except for Hop-by-Hop Options
header) are not processed, inserted, or deleted by any
node along a packet's delivery path, until the packet
reaches the node”
– But destination nodes must accept and process
EH…“any order and occurring any number of times in the
same packet”
Key Features
– Flexible (use is optional)
– Fixed (types and orders)
– Processed only at end-points (except for Hop-by-
Hop & Routing options)
IPv6 Header
Next Header = 6
TCP header + data
IPv6 Header
Next Header = 44
Fragment header
Next header = 6
TCP header + data
Next Header values:
0 Hop-by-hop option
6 TCP
17 UDP
43 Source routing (RFC5095)
44 Fragmentation
50 Encrypted security payload
51 Authentication
58 ICMPv6
59 Null (No next header)
60 Destination option
Extension Header
16
16
IPv6: Extension Headers Challenges
q Flexibility is a synnonym of Complexity
q Security devices/softwares now must process full chain of hearders
q Firewalls must be able to filter based on Extension Headers
17
17
IPv6 Threats: EH
Threat:
• EH as a covert-channel to pass payload (data)
• Use extensive number of EH headers
– EH chain itself is fragmented and the TCP headers can be at the Nth
-fragment … walla! Lets insert a
whole bunch of new fragmented packets and overload the destination.
Impact:
• Bypass IPS/IDP/Firewall
• Overwhelm the destination node (DOS/DDOS)
Mitigation & Challenges:
• Inspect & Filter unwanted EH Packets
IPv6 Header
Next Header = 44
TCP header + data
EH
Hidden Data
EH
Next header
18
IPv6 Threats: EH - Routing Headers
• Include one or more IPs that
should be visited in the path
– Processed by the visited router
• Routing Header (Type 0):
– RH0 can be used for traffic
amplification over a remote path
• RH0 Deprecated [RFC5095]
– Disable IPv6 Source Routing
– Filter RH0 Packets
A B
Attacker
DST
RH0 Fields Addr[S]
S D
E F
Addr[A]
Addr[B]
Addr[A]
Addr[B]
Addr[A]
Addr[B]
Addr[D] DST
Targetted Link – BW usage
19
IPv6: ICMPv6 – integral part of IPv6
• Filtering ICMPv6 is not a straight-forward
task
– Drop ICMPv6 à Completely Break IPv6
• RFC4890: “ICMPv6 Filtering
Recommendations”
– Permit Error messages
• Destination Unreachable (Type 1) - All codes
• Packet Too Big (Type 2)
• Time Exceeded (Type 3) - Code 0 only
• Parameter Problem (Type 4) - Codes 1 and 2
only
– Permit Connectivity check messages
• Echo Request (Type 128)
• Echo Response (Type 129)
https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
20
20
IPv6 Threats: NDP
• Neighbor Discovery (ND):
– NDP Spoofing
– Duplicate Address Detection (DAD) DoS
• Router Advertisement (RA)
– Rouge RA
– RA flooding
• Neighbor Solitation/Advertisement Spoofing
– NS with “source link-layer” option chaged
– NA with “target link-layer” option changed
• Can send unsicited NA or as an answer to NS
21
IPv6 Threats: DAD - DOS
Information:
q No ARP Table in IPv6
q Remember IP Conflict?
IPv6 Approach:
q Stateless Address Auto-Configuration
(SLAAC) is the feature to configure
Unique Link-Local Address
q It uses EUI64 Interface Identifier in conbination
with the Link-Local prefix FE80::/64
Threat:
q Duplicate Address Detection – DoS
attacks
Neighbor Solicitation (NS) : ICMPv6 Type 135
Neighbor Advertisement (NA) : ICMPv6 Type 136
Attacker
Is this address
unique?
Client sends Neighbor Solicitation (NS)
Attacker sends Neighbor Advertisement (NA)
for each NS
This address is
MINE!
1
2
22
IPv6 Threats: ND Spoofing
Attacker
What is Host B’s
MAC address?
Client sends Neighbor Solicitation (NS)
asking for Host B’s link layer address
Attacker Neighbor Advertisement (NA)
Spoofs Host B, sends his own MAC
I am Host B. This is
my MAC.
Neighbor Solicitation (NS) : ICMPv6 Type 135
Neighbor Advertisement (NA) : ICMPv6 Type 136
1
2
23
IPv6 Threats: Rogue RA
Attacker
Client sends Router Solicitation (RS)
Attacker sends Route Advertisement (RA)
Attacker
default router
Hosts autoconfigure IPv6 based on
spoofed RA including default router
(as well as other info - DNS)
Global Internet
• Attacker can now intercept, listen and modify the packets
coming from Host A and B – MITM
• Or redirect to a site they control
Start of data transfer
1
2
24
24
IPv6: Threat Detection tools
• NDPMon
– Can detect anomalies in RAs and NAs
• Compares against expected/valid behavior (config file – MAC/LLA of routers, prefixes, DNS,
flags, parameters)
– Can generate syslog events and/or email alerts, or run custom scripts
– http://ndpmon.sourceforge.net/index.php
25
25
IPv6: Threat Mitigation Tools
• RA Guard (RFC6105/7113)
– messages between IPv6 devices traverse the controlled L2 networking device
– first-hop security
• Allow or drop RA messages based on policies
26
26
IPv6: Threat Mitigation Tools
• SeND (RFC3971)
– Uses crypto to secure NDP messages
• Uses CGA and a set of NDP options
• CGA (crypto–generated address):
– CGA associates a public key with a IPv6 address
• RSA signature option
– Node computes interface-ID
• Using hash-function of the node’s public key
– and appends to the IPv6 prefix - CGA
27
27
IPv6: Threat Mitigation Tools
• SeND (RFC3971)
– The receiver recomputes the hash and compares with the interface-
ID
• Verifies the public key binding
– Messages sent from a CGA address can be protected by attaching
the public key and signing the message with private key.
28
28
IPv6: What Else?
• Viruses/Worms
– IPv6 any secure?
• IMs, emails higher up the stack still same L
• Train your people
• Assess your network - security nodes must understand IPv6
• Do what you did for IPv4 traffic with IPv6
– ACLs/filters
– Harden hosts and applications
– Use crypto protections where necessary/critical
29
29
References:
• https://www.first.org/resources/papers/conf2015/first_2015-herberg-frank_ipv6-
security_20150618.pdf
• https://tools.ietf.org/html/rfc2460
• https://tools.ietf.org/html/rfc7112
• https://tools.ietf.org/html/rfc7113
• https://tools.ietf.org/html/rfc8200
• https://labs.ripe.net/Members/ahmad_alsadeh/isend
• https://blog.compass-security.com/wp-
content/uploads/2015/01/ipv6_secure_neighbor_discovery_1.2.pdf
30

More Related Content

Similar to IPv6 Security Overview by QS Tahmeed, APNIC RCT

IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
Swiss IPv6 Council
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
Zivaro Inc
 
IPv6
IPv6IPv6
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
APNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
APNIC
 
I pv6 for cmu
I pv6 for cmuI pv6 for cmu
I pv6 for cmu
Naranont Atima
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6
mithilak
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
Private
 
IPv6 networking training sduffy v3
IPv6 networking training   sduffy v3IPv6 networking training   sduffy v3
IPv6 networking training sduffy v3
Shane Duffy
 
IPv6_Quick_Start_Guide
IPv6_Quick_Start_GuideIPv6_Quick_Start_Guide
IPv6_Quick_Start_Guide
Parthiban Nallathambi
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Wardner Maia
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planning
Tim Martin
 
IPv6
IPv6IPv6
IPv6
IPv6IPv6
Ipv6 questions
Ipv6 questionsIpv6 questions
Ipv6 questions
Kundan Prasad
 
Ipv6
Ipv6Ipv6
Apnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopApnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshop
Nguyen Minh Thu
 
IPV6
IPV6 IPV6
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2
ehsan nazer
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
Louis Göhl
 

Similar to IPv6 Security Overview by QS Tahmeed, APNIC RCT (20)

IPv6 Security - Myths and Reality
IPv6 Security - Myths and RealityIPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
 
IPv6
IPv6IPv6
IPv6
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
I pv6 for cmu
I pv6 for cmuI pv6 for cmu
I pv6 for cmu
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
IPv6 networking training sduffy v3
IPv6 networking training   sduffy v3IPv6 networking training   sduffy v3
IPv6 networking training sduffy v3
 
IPv6_Quick_Start_Guide
IPv6_Quick_Start_GuideIPv6_Quick_Start_Guide
IPv6_Quick_Start_Guide
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 
IPv6 address-planning
IPv6 address-planningIPv6 address-planning
IPv6 address-planning
 
IPv6
IPv6IPv6
IPv6
 
IPv6
IPv6IPv6
IPv6
 
Ipv6 questions
Ipv6 questionsIpv6 questions
Ipv6 questions
 
Ipv6
Ipv6Ipv6
Ipv6
 
Apnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshopApnic-Training-IPv6_workshop
Apnic-Training-IPv6_workshop
 
IPV6
IPV6 IPV6
IPV6
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
 

More from Bangladesh Network Operators Group

ipv6deploymentandsecurity_1718111242.pdf
ipv6deploymentandsecurity_1718111242.pdfipv6deploymentandsecurity_1718111242.pdf
ipv6deploymentandsecurity_1718111242.pdf
Bangladesh Network Operators Group
 
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Bangladesh Network Operators Group
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Bangladesh Network Operators Group
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
Bangladesh Network Operators Group
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
Bangladesh Network Operators Group
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
Bangladesh Network Operators Group
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
Bangladesh Network Operators Group
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
Bangladesh Network Operators Group
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
Bangladesh Network Operators Group
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
Bangladesh Network Operators Group
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
Bangladesh Network Operators Group
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
Bangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
Bangladesh Network Operators Group
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
Bangladesh Network Operators Group
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
Bangladesh Network Operators Group
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
Bangladesh Network Operators Group
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
Bangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
Bangladesh Network Operators Group
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
Bangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

ipv6deploymentandsecurity_1718111242.pdf
ipv6deploymentandsecurity_1718111242.pdfipv6deploymentandsecurity_1718111242.pdf
ipv6deploymentandsecurity_1718111242.pdf
 
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia  2022IPv6 Deployment in South Asia  2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 

Recently uploaded

Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai AvailableChennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
shamrisumri
 
AWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaipromAWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaiprom
ธนาพัฒน์ ลิ้มสายพรหม
 
Dewanstudio Project Portfolio 2023 show case
Dewanstudio Project Portfolio 2023 show caseDewanstudio Project Portfolio 2023 show case
Dewanstudio Project Portfolio 2023 show case
DEWANSTUDIO.COM
 
Web development Platform Constraints.pptx
Web development Platform Constraints.pptxWeb development Platform Constraints.pptx
Web development Platform Constraints.pptx
ssuser2f6682
 
Book dating , international dating phgra
Book dating , international dating phgraBook dating , international dating phgra
Book dating , international dating phgra
thomaskurtha9
 
Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
AirtoryInc
 
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
elbertablack
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
adelewhite125
 
Build a Professional Resume using Canva , Tanapat Limsaiprom
Build a Professional Resume using Canva , Tanapat LimsaipromBuild a Professional Resume using Canva , Tanapat Limsaiprom
Build a Professional Resume using Canva , Tanapat Limsaiprom
TanapatLimsaiprom1
 
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
ffg01100
 
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
mahigarg2024#G05
 
Cyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdfCyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdf
RohitRoshanBengROHIT
 
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5  hot nhấtBai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5  hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Thiên Đường Tình Yêu
 
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
ffg01100
 
UMN degree offer diploma Transcript
UMN degree offer diploma TranscriptUMN degree offer diploma Transcript
UMN degree offer diploma Transcript
cenocb
 
6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App
VPN Server
 
workbook and project U5 1ºsecundaria.pdf
workbook and project U5 1ºsecundaria.pdfworkbook and project U5 1ºsecundaria.pdf
workbook and project U5 1ºsecundaria.pdf
anya2024forgya
 
Information Systems Auditing, Controls and Assurance , tanapat limsaiprom
Information Systems Auditing, Controls and Assurance , tanapat limsaipromInformation Systems Auditing, Controls and Assurance , tanapat limsaiprom
Information Systems Auditing, Controls and Assurance , tanapat limsaiprom
TanapatLimsaiprom1
 
2023. Archive - Gigabajtos selfpublisher homepage
2023. Archive - Gigabajtos selfpublisher homepage2023. Archive - Gigabajtos selfpublisher homepage
2023. Archive - Gigabajtos selfpublisher homepage
Zsolt Nemeth
 
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirtsJarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
exgf28
 

Recently uploaded (20)

Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai AvailableChennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
Chennai Girls Call ServiCe X00XXX00XX Tanisha Best High Class Chennai Available
 
AWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaipromAWS Networking Basic , tanapat limsaiprom
AWS Networking Basic , tanapat limsaiprom
 
Dewanstudio Project Portfolio 2023 show case
Dewanstudio Project Portfolio 2023 show caseDewanstudio Project Portfolio 2023 show case
Dewanstudio Project Portfolio 2023 show case
 
Web development Platform Constraints.pptx
Web development Platform Constraints.pptxWeb development Platform Constraints.pptx
Web development Platform Constraints.pptx
 
Book dating , international dating phgra
Book dating , international dating phgraBook dating , international dating phgra
Book dating , international dating phgra
 
Effective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptxEffective Tips for Creating the Best Rich Media Ads .pptx
Effective Tips for Creating the Best Rich Media Ads .pptx
 
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
Female Service Girls Call Delhi 9873940964 Provide Best And Top Girl Service ...
 
Why Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAEWhy Your Business Needs a Professional Web Design Company UAE
Why Your Business Needs a Professional Web Design Company UAE
 
Build a Professional Resume using Canva , Tanapat Limsaiprom
Build a Professional Resume using Canva , Tanapat LimsaipromBuild a Professional Resume using Canva , Tanapat Limsaiprom
Build a Professional Resume using Canva , Tanapat Limsaiprom
 
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
202254.com免费观看《长相思第二季》免费观看高清,长相思第二季线上看,《长相思第二季》最新电视剧在线观看,杨紫最新电视剧
 
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
Girls Call Mahipalpur 000XX00000 Provide Best And Top Girl Service And No1 in...
 
Cyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdfCyber Security Course & Guide. X.GI. pdf
Cyber Security Course & Guide. X.GI. pdf
 
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5  hot nhấtBai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5  hot nhất
Bai-Tập-Tiếng-Anh-On-Tập-He lớp 1- lớp 5 hot nhất
 
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
202254.com香蕉影视,在线观看《我才不要和你做朋友呢》在线观看最新电影,香蕉影视在线观看《我才不要和你做朋友呢》在线观看高清电影
 
UMN degree offer diploma Transcript
UMN degree offer diploma TranscriptUMN degree offer diploma Transcript
UMN degree offer diploma Transcript
 
6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App6 Reasons to Use a VPN | 3S VPN Server App
6 Reasons to Use a VPN | 3S VPN Server App
 
workbook and project U5 1ºsecundaria.pdf
workbook and project U5 1ºsecundaria.pdfworkbook and project U5 1ºsecundaria.pdf
workbook and project U5 1ºsecundaria.pdf
 
Information Systems Auditing, Controls and Assurance , tanapat limsaiprom
Information Systems Auditing, Controls and Assurance , tanapat limsaipromInformation Systems Auditing, Controls and Assurance , tanapat limsaiprom
Information Systems Auditing, Controls and Assurance , tanapat limsaiprom
 
2023. Archive - Gigabajtos selfpublisher homepage
2023. Archive - Gigabajtos selfpublisher homepage2023. Archive - Gigabajtos selfpublisher homepage
2023. Archive - Gigabajtos selfpublisher homepage
 
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirtsJarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
Jarren Duran Fuck EM T shirts Jarren Duran Fuck EM T shirts
 

IPv6 Security Overview by QS Tahmeed, APNIC RCT

  • 1. 1 IPv6 Security Overview Q S Tahmeed, APNIC RCT, BD
  • 3. 3 3 IPv6: Global End User Readiness https://stats.labs.apnic.net/ipv6
  • 4. 4 4 IPv6: Globally Top 1000 Websites https://pulse.internetsociety.org/technologies
  • 6. 6 6 IPv6: Address Spaces Prefix Designation IPv4 equivalent ::/128 Unspecified This address may only be used as a source address by an initializing host before it has learned its own addresses. 0.0.0.0 ::1/128 Loopback This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another. 127.0.0.1 fc00::/7 Example: fdf8:f535:82e4::53 Unique Local Addresses (ULAs) Reserved for local use in home and enterprise environments (not public address space). Private, or RFC 1918 address space: •10.0.0.0/8 •172.16.0.0/12 •192.168.0.0/16 fe80::/10 Example: fe80::200:5aee:feaa:20a2 Link-Local Addresses Used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link. 169.254.0.0/16 2001:db8::/32 Example: 2001:db8:8:4::2 Documentation used in examples and documentation. These should never be source or destination addresses. •192.0.2.0/24 •198.51.100.0/24 •203.0.113.0/24 2000::/3 Global Unicast The operators of networks using these addresses can be found using the RIR Whois servers listed in the IANA registry. No equivalent single IPv4 block ff00::/8 Example: ff01:0:0:0:0:0:0:2 Multicast Used to identify multicast groups. They should only be used as destination addresses, never as source addresses. 224.0.0.0/4 The above is a partial list. The full list can be found below: https://www.apnic.net/get-ip/faqs/what-is-an-ip-address/ipv6-address-types/
  • 10. 10 10 IPv6: Security Statements Statements Reason Reality IPv6 is more secure and it’s built-in RFC4294 – states that IPsec is a MUST - RFC 8504 – states IPsec SHOULD. - IPsec is available. IPv6 has no NAT and we are exposed to attacks from Internet E2E paradigm. Global addresses & No NAT Global addressing doesn’t imply global rechability and each organization is responsible for FILTERING its own traffic. IPv6 Networks are too big to SCAN Standard LAN/VLAN allocation is /64 network prefix Brute-force scan is not possible but there are new scanning techniques available. IPv6 is too new to be attacked Lack of updated information 20% of overall Malicious Traffic is over IPv6. IPv6 is not a security problem in IPv4 only networks Networks having IPv4 services only IPv6 is by default enabled in modern OS and can lead to problems if unchecked. IPv6 security lacks adequate resources and policies Considering that there are no BCPs, resources or features BCPs, Resources & Features are there and regularly updated. ORGs can implement own security policy in accordance.
  • 11. 11 IPv6: How to Approach A change of mindset is necessary q IPv6 has its own security features and risks & need to be addressed accordingly q IPv6 protocol knowledge development is the best security measures
  • 12. 12 IPv6: What’s actually happening out there • 2003 : First IPv6 DDoS - approx. 1Gbps • 2022 October : 10% of all attacks • 2023 June : 20% of all attacks (doubled in less than a year) • 2023 May-June : Spiked to 35% of all attacks (co-insides with the ongoing scanning attacks) • In just 2022 IPv6 overall DDoS traffic volume increased by 600% !!! References: – https://www.juniper.net/content/dam/www/assets/analyst-reports/us/en/2023/corero-ddos-threat-intelligence-report.pdf – https://majorityreport.crowdsec.net – https://www.radware.com/2023-h1-global-threat-analysis-report/ – June 15, 2023: ipv6-exploitation-in-ad-environment – February 14, 2023: MITM6
  • 13. 13 IPv6 Threats: Spoofing • IP Spoofing: – Using a fake IPv6 source address • Solution: – ingress filtering and uRFP (unicast reverse path forwarding) • uRPF : – BCP38 (RFC2827) • Since 1998! – Router verifies if the source address of packets received is in the FIB table and reachable (routing table) • Else DROP! pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 FIB: 2400:6400:100:/48 ge0/0 2400:6400:200:/48 fa0/0 pos0/0 ge0/0 Src = 2406:6400:100::1 Src = 2406:6400:200::1 Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
  • 14. 14 IPv6 Threats: BOGONs What is BOGON • Not all IP (v4 and v6) are allocated by IANA to the RIRs • Addresses that should not be seen on the Internet are called “Bogons” (also called “Martians”) – RFC1918s + Reserved space • IANA publishes list of number resources that have been allocated/assigned to RIRs/end-users • IANA - IPv6 Assignment List • IANA - IPv4 Assignment List Impact & Mitigation • Commonly found as source address of DDOS packets • Implement ingress BOGON filters – Should not route them or accept traffic from them – Manually implement from IANA BOGON list – Autoconfig via TeamCymru BOGON route server project
  • 15. 15 IPv6: Extension Headers IPv6 allows an optional Extension Header in between the IPv6 headers and Upper Layer (TCP/UDP) headers – Allows adding new features to IPv6 protocol without major re-engineering RFC8200: – “Extension headers (except for Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node” – But destination nodes must accept and process EH…“any order and occurring any number of times in the same packet” Key Features – Flexible (use is optional) – Fixed (types and orders) – Processed only at end-points (except for Hop-by- Hop & Routing options) IPv6 Header Next Header = 6 TCP header + data IPv6 Header Next Header = 44 Fragment header Next header = 6 TCP header + data Next Header values: 0 Hop-by-hop option 6 TCP 17 UDP 43 Source routing (RFC5095) 44 Fragmentation 50 Encrypted security payload 51 Authentication 58 ICMPv6 59 Null (No next header) 60 Destination option Extension Header
  • 16. 16 16 IPv6: Extension Headers Challenges q Flexibility is a synnonym of Complexity q Security devices/softwares now must process full chain of hearders q Firewalls must be able to filter based on Extension Headers
  • 17. 17 17 IPv6 Threats: EH Threat: • EH as a covert-channel to pass payload (data) • Use extensive number of EH headers – EH chain itself is fragmented and the TCP headers can be at the Nth -fragment … walla! Lets insert a whole bunch of new fragmented packets and overload the destination. Impact: • Bypass IPS/IDP/Firewall • Overwhelm the destination node (DOS/DDOS) Mitigation & Challenges: • Inspect & Filter unwanted EH Packets IPv6 Header Next Header = 44 TCP header + data EH Hidden Data EH Next header
  • 18. 18 IPv6 Threats: EH - Routing Headers • Include one or more IPs that should be visited in the path – Processed by the visited router • Routing Header (Type 0): – RH0 can be used for traffic amplification over a remote path • RH0 Deprecated [RFC5095] – Disable IPv6 Source Routing – Filter RH0 Packets A B Attacker DST RH0 Fields Addr[S] S D E F Addr[A] Addr[B] Addr[A] Addr[B] Addr[A] Addr[B] Addr[D] DST Targetted Link – BW usage
  • 19. 19 IPv6: ICMPv6 – integral part of IPv6 • Filtering ICMPv6 is not a straight-forward task – Drop ICMPv6 à Completely Break IPv6 • RFC4890: “ICMPv6 Filtering Recommendations” – Permit Error messages • Destination Unreachable (Type 1) - All codes • Packet Too Big (Type 2) • Time Exceeded (Type 3) - Code 0 only • Parameter Problem (Type 4) - Codes 1 and 2 only – Permit Connectivity check messages • Echo Request (Type 128) • Echo Response (Type 129) https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
  • 20. 20 20 IPv6 Threats: NDP • Neighbor Discovery (ND): – NDP Spoofing – Duplicate Address Detection (DAD) DoS • Router Advertisement (RA) – Rouge RA – RA flooding • Neighbor Solitation/Advertisement Spoofing – NS with “source link-layer” option chaged – NA with “target link-layer” option changed • Can send unsicited NA or as an answer to NS
  • 21. 21 IPv6 Threats: DAD - DOS Information: q No ARP Table in IPv6 q Remember IP Conflict? IPv6 Approach: q Stateless Address Auto-Configuration (SLAAC) is the feature to configure Unique Link-Local Address q It uses EUI64 Interface Identifier in conbination with the Link-Local prefix FE80::/64 Threat: q Duplicate Address Detection – DoS attacks Neighbor Solicitation (NS) : ICMPv6 Type 135 Neighbor Advertisement (NA) : ICMPv6 Type 136 Attacker Is this address unique? Client sends Neighbor Solicitation (NS) Attacker sends Neighbor Advertisement (NA) for each NS This address is MINE! 1 2
  • 22. 22 IPv6 Threats: ND Spoofing Attacker What is Host B’s MAC address? Client sends Neighbor Solicitation (NS) asking for Host B’s link layer address Attacker Neighbor Advertisement (NA) Spoofs Host B, sends his own MAC I am Host B. This is my MAC. Neighbor Solicitation (NS) : ICMPv6 Type 135 Neighbor Advertisement (NA) : ICMPv6 Type 136 1 2
  • 23. 23 IPv6 Threats: Rogue RA Attacker Client sends Router Solicitation (RS) Attacker sends Route Advertisement (RA) Attacker default router Hosts autoconfigure IPv6 based on spoofed RA including default router (as well as other info - DNS) Global Internet • Attacker can now intercept, listen and modify the packets coming from Host A and B – MITM • Or redirect to a site they control Start of data transfer 1 2
  • 24. 24 24 IPv6: Threat Detection tools • NDPMon – Can detect anomalies in RAs and NAs • Compares against expected/valid behavior (config file – MAC/LLA of routers, prefixes, DNS, flags, parameters) – Can generate syslog events and/or email alerts, or run custom scripts – http://ndpmon.sourceforge.net/index.php
  • 25. 25 25 IPv6: Threat Mitigation Tools • RA Guard (RFC6105/7113) – messages between IPv6 devices traverse the controlled L2 networking device – first-hop security • Allow or drop RA messages based on policies
  • 26. 26 26 IPv6: Threat Mitigation Tools • SeND (RFC3971) – Uses crypto to secure NDP messages • Uses CGA and a set of NDP options • CGA (crypto–generated address): – CGA associates a public key with a IPv6 address • RSA signature option – Node computes interface-ID • Using hash-function of the node’s public key – and appends to the IPv6 prefix - CGA
  • 27. 27 27 IPv6: Threat Mitigation Tools • SeND (RFC3971) – The receiver recomputes the hash and compares with the interface- ID • Verifies the public key binding – Messages sent from a CGA address can be protected by attaching the public key and signing the message with private key.
  • 28. 28 28 IPv6: What Else? • Viruses/Worms – IPv6 any secure? • IMs, emails higher up the stack still same L • Train your people • Assess your network - security nodes must understand IPv6 • Do what you did for IPv4 traffic with IPv6 – ACLs/filters – Harden hosts and applications – Use crypto protections where necessary/critical
  • 29. 29 29 References: • https://www.first.org/resources/papers/conf2015/first_2015-herberg-frank_ipv6- security_20150618.pdf • https://tools.ietf.org/html/rfc2460 • https://tools.ietf.org/html/rfc7112 • https://tools.ietf.org/html/rfc7113 • https://tools.ietf.org/html/rfc8200 • https://labs.ripe.net/Members/ahmad_alsadeh/isend • https://blog.compass-security.com/wp- content/uploads/2015/01/ipv6_secure_neighbor_discovery_1.2.pdf
  • 30. 30