This document discusses IPv6 security. It begins with an overview of IPv6 address types and headers. It then notes that some initial assumptions about IPv6 security being more robust have been disproven in reality. Specifically, IPv6 is now the target of around 20% of malicious attacks. The document outlines several IPv6 security threats such as address spoofing, extension header attacks, neighbor discovery spoofing, and rogue router advertisements. It recommends approaches like ingress filtering, RA guard, and SEND to help detect and mitigate these threats. Tools like NDPMon can monitor for anomalies in neighbor discovery behavior. Overall, network operators must apply similar security practices to IPv6 as with IPv4, including access controls, host hardening, and
IDNIC OPM 2023: IPv6 deployment planning and security considerations (APNIC)
APNIC Network Analyst / Technical Trainer Awal Haolader gives the technical keynote presentation on IPv6 deployment and security considerations at the IDNIC OPM 2023, held from 5 to 7 December 2023 in Bandung, Indonesia.
6. IPv6: Address Spaces
Prefix – Designation (IPv4 equivalent)
::/128 – Unspecified (IPv4 equivalent: 0.0.0.0)
– This address may only be used as a source address by an initializing host before it has learned its own addresses.
::1/128 – Loopback (IPv4 equivalent: 127.0.0.1)
– This address is used when a host talks to itself over IPv6. This often happens when one program sends data to another.
fc00::/7 – Unique Local Addresses (ULAs), example: fdf8:f535:82e4::53 (IPv4 equivalent: private, or RFC 1918, address space: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
– Reserved for local use in home and enterprise environments (not public address space).
fe80::/10 – Link-Local Addresses, example: fe80::200:5aee:feaa:20a2 (IPv4 equivalent: 169.254.0.0/16)
– Used on a single link or a non-routed common access network, such as an Ethernet LAN. They do not need to be unique outside of that link.
2001:db8::/32 – Documentation, example: 2001:db8:8:4::2 (IPv4 equivalent: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24)
– Used in examples and documentation. These should never be source or destination addresses.
2000::/3 – Global Unicast (no equivalent single IPv4 block)
– The operators of networks using these addresses can be found using the RIR Whois servers listed in the IANA registry.
ff00::/8 – Multicast, example: ff01:0:0:0:0:0:0:2 (IPv4 equivalent: 224.0.0.0/4)
– Used to identify multicast groups. They should only be used as destination addresses, never as source addresses.
The above is a partial list. The full list can be found below:
https://www.apnic.net/get-ip/faqs/what-is-an-ip-address/ipv6-address-types/
10. IPv6: Security Statements
Statement: IPv6 is more secure and it’s built-in
Reason: RFC4294 states that IPsec is a MUST
Reality: RFC 8504 states IPsec SHOULD; IPsec is available.
Statement: IPv6 has no NAT and we are exposed to attacks from the Internet
Reason: E2E paradigm, global addresses and no NAT
Reality: Global addressing doesn’t imply global reachability, and each organization is responsible for FILTERING its own traffic.
Statement: IPv6 networks are too big to SCAN
Reason: Standard LAN/VLAN allocation is a /64 network prefix
Reality: Brute-force scan is not possible, but there are new scanning techniques available.
Statement: IPv6 is too new to be attacked
Reason: Lack of updated information
Reality: 20% of overall malicious traffic is over IPv6.
Statement: IPv6 is not a security problem in IPv4-only networks
Reason: Networks having IPv4 services only
Reality: IPv6 is enabled by default in modern OSs and can lead to problems if unchecked.
Statement: IPv6 security lacks adequate resources and policies
Reason: Considering that there are no BCPs, resources or features
Reality: BCPs, resources and features are there and regularly updated. Organizations can implement their own security policy accordingly.
11. IPv6: How to Approach
A change of mindset is necessary
• IPv6 has its own security features and risks, and they need to be addressed accordingly
• Developing IPv6 protocol knowledge is the best security measure
12. IPv6: What’s actually happening out there
• 2003: First IPv6 DDoS - approx. 1Gbps
• 2022 October: 10% of all attacks
• 2023 June: 20% of all attacks (doubled in less than a year)
• 2023 May-June: Spiked to 35% of all attacks (coincides with the ongoing scanning attacks)
• In just 2022 IPv6 overall DDoS traffic volume increased by 600% !!!
References:
– https://www.juniper.net/content/dam/www/assets/analyst-reports/us/en/2023/corero-ddos-threat-intelligence-report.pdf
– https://majorityreport.crowdsec.net
– https://www.radware.com/2023-h1-global-threat-analysis-report/
– June 15, 2023: ipv6-exploitation-in-ad-environment
– February 14, 2023: MITM6
13. IPv6 Threats: Spoofing
• IP Spoofing:
– Using a fake IPv6 source address
• Solution:
– Ingress filtering and uRPF (unicast reverse path forwarding)
• uRPF:
– BCP38 (RFC2827)
• Since 1998!
– Router verifies if the source address of received packets is in the FIB table and reachable (routing table)
• Else DROP!
[Diagram: a router with interfaces pos0/0 and ge0/0 receives packets with Src = 2406:6400:100::1 and Src = 2406:6400:200::1; FIB: 2400:6400:100:/48 via ge0/0, 2400:6400:200:/48 via fa0/0]
Image source: “Cisco ISP Essentials”, Barry Greene & Philip Smith 2002
14. IPv6 Threats: BOGONs
What is a BOGON
• Not all IP addresses (v4 and v6) are allocated by IANA to the RIRs
• Addresses that should not be seen on the Internet are called “Bogons” (also called “Martians”)
– RFC1918s + Reserved space
• IANA publishes a list of number resources that have been allocated/assigned to RIRs/end-users
• IANA - IPv6 Assignment List
• IANA - IPv4 Assignment List
Impact & Mitigation
• Commonly found as the source address of DDoS packets
• Implement ingress BOGON filters
– Should not route them or accept traffic from them
– Manually implement from the IANA BOGON list
– Autoconfig via the Team Cymru BOGON route server project
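An added example, not from the presentation, of the two ingress checks described on slides 13 and 14 in Python: a bogon source filter followed by a uRPF lookup against a FIB. The FIB, the bogon list and the interface names are constructed to match the spoofing diagram; a production router would take the bogon list from IANA or the Team Cymru feed.

```python
import ipaddress

# Constructed FIB modelled on the slide's diagram: prefix -> egress interface
# (the slide writes its FIB prefixes as 2400:6400:...; they are aligned here
# with the 2406:6400:... source addresses it shows).
FIB = {
    ipaddress.IPv6Network("2406:6400:100::/48"): "ge0/0",
    ipaddress.IPv6Network("2406:6400:200::/48"): "fa0/0",
    ipaddress.IPv6Network("::/0"): "pos0/0",  # default route towards the upstream
}

# Constructed bogon list: address space that must never be a source on the
# Internet; the real list comes from IANA / Team Cymru and changes over time.
BOGONS = [ipaddress.IPv6Network(p) for p in (
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "2001:db8::/32", "ff00::/8")]


def fib_lookup(src):
    """Longest-prefix match of src in the FIB; returns (prefix, interface) or None."""
    best = None
    for prefix, iface in FIB.items():
        if src in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def ingress_check(src_addr, in_iface, strict=True):
    """Decide whether a packet with source src_addr arriving on in_iface may enter.

    Bogon filter first (slide 14), then uRPF (slide 13): strict mode requires the
    best route back to the source to leave via the ingress interface; loose mode
    only requires a route to exist. The default route never counts as a route to
    the source, otherwise every address would pass."""
    src = ipaddress.IPv6Address(src_addr)
    if any(src in bogon for bogon in BOGONS):
        return "drop: bogon source"
    match = fib_lookup(src)
    if match is None or match[0].prefixlen == 0:
        return "drop: uRPF, no route to source"
    if strict and match[1] != in_iface:
        return f"drop: uRPF, source routed via {match[1]} but arrived on {in_iface}"
    return "accept"
```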
15. IPv6: Extension Headers
IPv6 allows optional Extension Headers in between the IPv6 header and the Upper Layer (TCP/UDP) headers
– Allows adding new features to the IPv6 protocol without major re-engineering
RFC8200:
– “Extension headers (except for Hop-by-Hop Options header) are not processed, inserted, or deleted by any node along a packet's delivery path, until the packet reaches the node”
– But destination nodes must accept and process EH… “any order and occurring any number of times in the same packet”
Key Features
– Flexible (use is optional)
– Fixed (types and orders)
– Processed only at end-points (except for Hop-by-Hop & Routing options)
Example header chains:
– IPv6 Header (Next Header = 6) → TCP header + data
– IPv6 Header (Next Header = 44) → Fragment header, an Extension Header (Next Header = 6) → TCP header + data
Next Header values:
– 0 Hop-by-hop option
– 6 TCP
– 17 UDP
– 43 Source routing (RFC5095)
– 44 Fragmentation
– 50 Encapsulating security payload
– 51 Authentication
– 58 ICMPv6
– 59 Null (No next header)
– 60 Destination option
16. IPv6: Extension Headers Challenges
• Flexibility is a synonym of complexity
• Security devices/software now must process the full chain of headers
• Firewalls must be able to filter based on Extension Headers
17. IPv6 Threats: EH
Threat:
• EH as a covert channel to pass payload (data)
• Use an extensive number of EH headers
– The EH chain itself is fragmented and the TCP header can be in the Nth fragment… voilà! Let's insert a whole bunch of new fragmented packets and overload the destination.
Impact:
• Bypass IPS/IDP/Firewall
• Overwhelm the destination node (DoS/DDoS)
Mitigation & Challenges:
• Inspect & Filter unwanted EH packets
[Diagram: IPv6 Header (Next Header = 44) → EH carrying hidden data → EH (Next header …) → TCP header + data]
18. IPv6 Threats: EH - Routing Headers
• Include one or more IPs that should be visited in the path
– Processed by the visited router
• Routing Header (Type 0):
– RH0 can be used for traffic amplification over a remote path
• RH0 Deprecated [RFC5095]
– Disable IPv6 Source Routing
– Filter RH0 Packets
[Diagram: the attacker at S sends a packet whose RH0 fields list Addr[A], Addr[B], Addr[A], Addr[B], Addr[A], Addr[B], Addr[D]; the packet bounces between routers A and B before reaching DST, consuming bandwidth on the targeted link]
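An added example, not from the presentation, of what slides 15 to 18 ask of a security device: walking the full extension-header chain of a raw IPv6 packet, enforcing a chain-length limit, rejecting the deprecated RH0 routing header, and recognising that a non-first fragment cannot reveal the upper-layer header. The packet builder, the threshold and the header contents are constructed for the example.

```python
import struct

# Next Header values from the slide (IANA protocol numbers).
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 50, 51, 58, 59, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_EH = 3  # constructed policy: longest chain this filter tolerates


def walk_header_chain(pkt, max_eh=MAX_EH):
    """Walk the header chain of one raw IPv6 packet as a filter has to.

    Returns (chain, upper_proto, verdict): EH types in order, the upper-layer
    protocol number (None when it cannot be known from this packet alone), and
    "accept", "needs-reassembly" or "drop: <reason>"."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], None, "drop: not an IPv6 packet"
    nh, off, chain = pkt[6], 40, []
    while nh in EXTENSION_HEADERS:
        if len(chain) >= max_eh:
            return chain, None, "drop: extension-header chain too long"
        if off + 8 > len(pkt):
            return chain, None, "drop: header chain truncated"
        chain.append(nh)
        if nh == FRAGMENT:  # fixed 8 octets; offset is the top 13 bits of octets 2-3
            hdr_len = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return chain, None, "needs-reassembly"  # upper-layer header sits in fragment 0
        elif nh == AH:  # AH length counts 4-octet units, minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        else:  # Hdr Ext Len counts 8-octet units after the first
            hdr_len = (pkt[off + 1] + 1) * 8
            if nh == ROUTING and pkt[off + 2] == 0:
                return chain, None, "drop: deprecated RH0 (RFC 5095)"
        if off + hdr_len > len(pkt):
            return chain, None, "drop: header chain truncated"
        nh, off = pkt[off], off + hdr_len
    # ESP (50) ends the walk: everything after it is encrypted.
    return chain, nh, "accept"


def build_packet(chain, upper_proto, payload=b"", frag_offset=0, rh_type=2):
    """Constructed test packet: 40-octet IPv6 header, the given EHs in order, then payload."""
    types, body = chain + [upper_proto], b""
    for eh, nxt in zip(chain, types[1:]):
        if eh == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, frag_offset << 3, 0x1234)
        elif eh == ROUTING:
            body += bytes([nxt, 0, rh_type, 0, 0, 0, 0, 0])
        else:
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])  # one PadN option fills 8 octets
    body += payload
    header = struct.pack("!IHBB", 6 << 28, len(body), types[0], 64) + bytes(32)
    return header + body
```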
19. IPv6: ICMPv6 – integral part of IPv6
• Filtering ICMPv6 is not a straightforward task
– Drop ICMPv6 → Completely break IPv6
• RFC4890: “ICMPv6 Filtering Recommendations”
– Permit Error messages
• Destination Unreachable (Type 1) - All codes
• Packet Too Big (Type 2)
• Time Exceeded (Type 3) - Code 0 only
• Parameter Problem (Type 4) - Codes 1 and 2 only
– Permit Connectivity check messages
• Echo Request (Type 128)
• Echo Response (Type 129)
https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml
20. IPv6 Threats: NDP
• Neighbor Discovery (ND):
– NDP Spoofing
– Duplicate Address Detection (DAD) DoS
• Router Advertisement (RA)
– Rogue RA
– RA flooding
• Neighbor Solicitation/Advertisement Spoofing
– NS with “source link-layer” option changed
– NA with “target link-layer” option changed
• Can send unsolicited NA or as an answer to NS
21. IPv6 Threats: DAD - DoS
Information:
• No ARP table in IPv6
• Remember IP conflict?
IPv6 Approach:
• Stateless Address Auto-Configuration (SLAAC) is the feature to configure a unique Link-Local Address
• It uses the EUI-64 Interface Identifier in combination with the Link-Local prefix FE80::/64
Threat:
• Duplicate Address Detection – DoS attacks
Neighbor Solicitation (NS): ICMPv6 Type 135
Neighbor Advertisement (NA): ICMPv6 Type 136
[Diagram: 1. Client sends Neighbor Solicitation (NS): “Is this address unique?” 2. Attacker sends a Neighbor Advertisement (NA) for each NS: “This address is MINE!”]
22. IPv6 Threats: ND Spoofing
Neighbor Solicitation (NS): ICMPv6 Type 135
Neighbor Advertisement (NA): ICMPv6 Type 136
[Diagram: 1. Client sends Neighbor Solicitation (NS) asking for Host B’s link-layer address: “What is Host B’s MAC address?” 2. Attacker sends a Neighbor Advertisement (NA) spoofing Host B with his own MAC: “I am Host B. This is my MAC.”]
23. IPv6 Threats: Rogue RA
[Diagram: 1. Client sends Router Solicitation (RS). 2. Attacker sends Router Advertisement (RA); hosts autoconfigure IPv6 based on the spoofed RA, including the default router (as well as other info - DNS), so the attacker becomes the default router and the data transfer towards the Global Internet starts through it]
• Attacker can now intercept, listen to and modify the packets coming from Host A and B – MITM
• Or redirect to a site they control
24. IPv6: Threat Detection tools
• NDPMon
– Can detect anomalies in RAs and NAs
• Compares against expected/valid behavior (config file – MAC/LLA of routers, prefixes, DNS, flags, parameters)
– Can generate syslog events and/or email alerts, or run custom scripts
– http://ndpmon.sourceforge.net/index.php
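An added example in the spirit of NDPMon's RA/NA checks, not NDPMon's own code: constructed ND event lines are compared against an expected configuration (router LLA and MAC, prefix, DNS server), covering the rogue RA, ND spoofing and DAD DoS cases of slides 21 to 23. The event line format, the threshold and every address and MAC are constructed.

```python
import ipaddress
from collections import defaultdict

# Expected state, in the spirit of an NDPMon config file (all values constructed).
EXPECTED = {
    "routers": {"fe80::1": "00:11:22:33:44:01"},  # legitimate router LLA -> its MAC
    "prefixes": {ipaddress.IPv6Network("2001:db8:1::/64")},
    "dns": {ipaddress.IPv6Address("2001:db8:1::53")},
}
DAD_THRESHOLD = 3  # constructed: one MAC answering NAs for this many targets is suspicious


def parse_event(line):
    """Parse one constructed ND event line, e.g. 'RA src=.. mac=.. prefix=.. dns=..'
    or 'NA target=.. mac=..'. Returns (kind, {field: value})."""
    kind, *pairs = line.split()
    return kind, dict(p.split("=", 1) for p in pairs)


def monitor(lines, expected=EXPECTED, dad_threshold=DAD_THRESHOLD):
    """Run RA / NA checks over event lines and return the alerts raised.

    RA: the source must be a configured router with the configured MAC, and the
    advertised prefix and DNS server must be expected (rogue RA, slide 23).
    NA: a target's link-layer address must not change once learned (ND spoofing,
    slide 22), and one MAC claiming many targets looks like DAD DoS (slide 21)."""
    alerts, bindings, claims = [], {}, defaultdict(set)
    for line in lines:
        kind, f = parse_event(line)
        if kind == "RA":
            src = ipaddress.IPv6Address(f["src"]).compressed
            known_mac = expected["routers"].get(src)
            if known_mac is None:
                alerts.append(f"rogue RA: unknown router {src} ({f['mac']})")
            elif known_mac != f["mac"]:
                alerts.append(f"RA from {src} with unexpected MAC {f['mac']}")
            if "prefix" in f and ipaddress.IPv6Network(f["prefix"]) not in expected["prefixes"]:
                alerts.append(f"RA advertises unexpected prefix {f['prefix']}")
            if "dns" in f and ipaddress.IPv6Address(f["dns"]) not in expected["dns"]:
                alerts.append(f"RA advertises unexpected DNS server {f['dns']}")
        elif kind == "NA":
            target, mac = ipaddress.IPv6Address(f["target"]), f["mac"]
            if target not in bindings:
                bindings[target] = mac
            elif bindings[target] != mac:
                alerts.append(f"NA spoofing: {target} moved from {bindings[target]} to {mac}")
            claims[mac].add(target)
            if len(claims[mac]) == dad_threshold:
                alerts.append(f"possible DAD DoS: {mac} claims {dad_threshold} different addresses")
    return alerts


# Constructed sample event stream (not a real capture).
SAMPLE = [
    "RA src=fe80::1 mac=00:11:22:33:44:01 prefix=2001:db8:1::/64 dns=2001:db8:1::53",
    "NA target=2001:db8:1::10 mac=00:11:22:33:44:10",
    "NA target=2001:db8:1::10 mac=de:ad:be:ef:00:01",
    "RA src=fe80::bad mac=de:ad:be:ef:00:01 prefix=2001:db8:1::/64 dns=2001:db8:bad::53",
    "NA target=2001:db8:1::21 mac=de:ad:be:ef:00:01",
    "NA target=2001:db8:1::22 mac=de:ad:be:ef:00:01",
]
```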
25. IPv6: Threat Mitigation Tools
• RA Guard (RFC6105/7113)
– Messages between IPv6 devices traverse the controlled L2 networking device
– First-hop security
• Allow or drop RA messages based on policies
26. IPv6: Threat Mitigation Tools
• SeND (RFC3971)
– Uses crypto to secure NDP messages
• Uses CGA and a set of NDP options
• CGA (cryptographically generated address):
– CGA associates a public key with an IPv6 address
• RSA signature option
– Node computes the interface-ID
• Using a hash function of the node’s public key
– and appends it to the IPv6 prefix - CGA
27. IPv6: Threat Mitigation Tools
• SeND (RFC3971)
– The receiver recomputes the hash and compares it with the interface-ID
• Verifies the public key binding
– Messages sent from a CGA address can be protected by attaching the public key and signing the message with the private key.
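An added example, not the presentation's code, of the CGA generation and verification steps described on slides 26 and 27, following the Hash1/Hash2 construction of RFC 3972 with the extension fields and the DAD collision handling left out. The public key bytes are a constructed placeholder rather than a real RSA key, and no RSA signature is produced; only the address-to-key binding is computed and checked.

```python
import hashlib
import ipaddress


def _hash1(modifier, prefix_bytes, collision_count, pubkey):
    # RFC 3972 Hash1: SHA-1 over modifier || subnet prefix || collision count || public key
    # (the CGA Parameters data structure, extension fields omitted).
    return hashlib.sha1(modifier + prefix_bytes + bytes([collision_count]) + pubkey).digest()


def _hash2_ok(modifier, pubkey, sec):
    # RFC 3972 Hash2: SHA-1 over modifier || 9 zero octets || public key; its leftmost
    # 16*Sec bits must be zero. This is the work factor that slows brute-force attacks.
    if sec == 0:
        return True
    h = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest(), "big")
    return h >> (160 - 16 * sec) == 0


def _interface_id(hash1, sec):
    # Leftmost 64 bits of Hash1; bits 0-2 carry Sec, bits 6-7 ("u" and "g") are cleared.
    iid = bytearray(hash1[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(prefix, pubkey, sec=0, modifier=bytes(16)):
    """Node side (slide 26): derive the interface ID from the public key and append it to
    the prefix. Returns (address, (modifier, collision_count)); the modifier is stepped
    until Hash2 satisfies Sec (a fixed starting modifier keeps the example repeatable)."""
    prefix_bytes = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    mod = int.from_bytes(modifier, "big")
    while not _hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):
        mod = (mod + 1) % (1 << 128)
    modifier = mod.to_bytes(16, "big")
    collision_count = 0  # raised (up to 2) when DAD reports a collision; not modelled here
    iid = _interface_id(_hash1(modifier, prefix_bytes, collision_count, pubkey), sec)
    address = ipaddress.IPv6Address(int.from_bytes(prefix_bytes + iid, "big"))
    return address, (modifier, collision_count)


def verify_cga(addr, params, pubkey):
    """Receiver side (slide 27): recompute the hash from the CGA Parameters carried in the
    ND message and compare it with the interface ID of the claimed address."""
    modifier, collision_count = params
    packed = ipaddress.IPv6Address(addr).packed
    prefix_bytes, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5
    if collision_count > 2 or not _hash2_ok(modifier, pubkey, sec):
        return False
    return _interface_id(_hash1(modifier, prefix_bytes, collision_count, pubkey), sec) == iid


# Constructed stand-in for a DER-encoded RSA public key; any byte string hashes the same way.
PUBKEY = b"constructed-public-key-bytes-for-the-example"
```

With Sec=1 the generation loop needs about 65,536 Hash2 trials before it finds a modifier, which shows why CGA generation is costly for the owner but verification stays a single hash.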
28. IPv6: What Else?
• Viruses/Worms
– Is IPv6 any more secure?
• IMs, emails higher up the stack are still the same
• Train your people
• Assess your network - security nodes must understand IPv6
• Do what you did for IPv4 traffic with IPv6
– ACLs/filters
– Harden hosts and applications
– Use crypto protections where necessary/critical