Now that IPv6 is being actively deployed around the world, security is more and more a growing concern. Unfortunately, there are still a large number of myths that plague the IPv6 security world. Things that people state as facts which simply are not true. This fun, fast-paced talk debunks the most common of those IPv6 security myths and provides a quick introduction to IPv6 security along the way.
<p>DDoS attacks make headlines everyday, but how do they work and how can you defend against them? DDoS attacks can be high volume UDP traffic floods, SYN floods, DNS amplification, or Layer 7 HTTP attacks. Understanding how to protect yourself from DDoS is critical to doing business on the internet today.</p>
<p>Suzanne Aldrich, a lead Solutions Engineer at Cloudflare, will cover how these attacks work, what is being targeted by the attackers, and how you can protect against the different attack types. She will cap the session with the rise in IoT attacks, and expectations for the future of web security.</p>
<p><strong>Speaker Bio</strong>:</p>
<p>Suzanne is a solutions engineer team lead at Cloudflare, where she specializes in security, performance, and usability. Her interest in all things web started in high school when she created the school’s first website. While at Stanford, Suzanne was the webmaster for a matchbox sized server running the Wearable Computing Lab’s site.</p>
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
Actual Condition Survey of Malware Download Sites for A Long Period, by Yasuyuki Tanaka.
A presentation given at APRICOT 2016’s Network Security session on 24 February 2016.
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
APNIC Chief Scientist Geoff Huston presents on why using larger keys for RSA in the context of DNSSEC impairs the robustness of DNSSEC validation for the signed name at DNS-OARC 36, held online from 29 to 30 November 2021.
<p>DDoS attacks make headlines everyday, but how do they work and how can you defend against them? DDoS attacks can be high volume UDP traffic floods, SYN floods, DNS amplification, or Layer 7 HTTP attacks. Understanding how to protect yourself from DDoS is critical to doing business on the internet today.</p>
<p>Suzanne Aldrich, a lead Solutions Engineer at Cloudflare, will cover how these attacks work, what is being targeted by the attackers, and how you can protect against the different attack types. She will cap the session with the rise in IoT attacks, and expectations for the future of web security.</p>
<p><strong>Speaker Bio</strong>:</p>
<p>Suzanne is a solutions engineer team lead at Cloudflare, where she specializes in security, performance, and usability. Her interest in all things web started in high school when she created the school’s first website. While at Stanford, Suzanne was the webmaster for a matchbox sized server running the Wearable Computing Lab’s site.</p>
Actual Condition Survey of Malware Download Sites for A Long PeriodAPNIC
Actual Condition Survey of Malware Download Sites for A Long Period, by Yasuyuki Tanaka.
A presentation given at APRICOT 2016’s Network Security session on 24 February 2016.
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
APNIC Chief Scientist Geoff Huston presents on why using larger keys for RSA in the context of DNSSEC impairs the robustness of DNSSEC validation for the signed name at DNS-OARC 36, held online from 29 to 30 November 2021.
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
APNIC Senior R&D Scientist George Michaelson and Yoshinobu Matzusaki present on the operational trends accompanying worldwide deployment of public DNS service 1.1.1.1 at Internet Week 2018 in Tokyo, Japan from 27 to 30 November 2018.
JANOG39 トラフィック可視化 BoF 発表資料
Japanese - https://www.janog.gr.jp/meeting/janog39/program/traffic
English - https://www.janog.gr.jp/meeting/janog39/en/programs/y-bof-traffic
Discussion of limitations of traditional WAF approaches in modern application development infrastructures, including those driven by a DevOps philosophy. Exploration of content injection and modification as more powerful and valuable security extensions. Modern WAF approaches to leverage these techniques to enable robust interrogation of the browser for bot detection, fingerprinting, and other assessment and mitigation postures.
Cloudflare protects and accelerates any web property online. We stop hackers from reaching your web property and knocking it offline. In addition, we help your site visitors access your content as fast as possible no matter their location. Join us as we discuss evolving DDoS attack types and trends to be aware about in 2018.
There are still very few tools to defend against IPv6 related attacks. To improve this situation I wrote a plugin for Snort, the popular open source intrusion detection system. This plugin adds detection rules and a preprocessor for the Neighbor Discovery Protocol.
It is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network.
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
APNIC Senior R&D Scientist George Michaelson and Yoshinobu Matzusaki present on the operational trends accompanying worldwide deployment of public DNS service 1.1.1.1 at Internet Week 2018 in Tokyo, Japan from 27 to 30 November 2018.
JANOG39 トラフィック可視化 BoF 発表資料
Japanese - https://www.janog.gr.jp/meeting/janog39/program/traffic
English - https://www.janog.gr.jp/meeting/janog39/en/programs/y-bof-traffic
Discussion of limitations of traditional WAF approaches in modern application development infrastructures, including those driven by a DevOps philosophy. Exploration of content injection and modification as more powerful and valuable security extensions. Modern WAF approaches to leverage these techniques to enable robust interrogation of the browser for bot detection, fingerprinting, and other assessment and mitigation postures.
Cloudflare protects and accelerates any web property online. We stop hackers from reaching your web property and knocking it offline. In addition, we help your site visitors access your content as fast as possible no matter their location. Join us as we discuss evolving DDoS attack types and trends to be aware about in 2018.
There are still very few tools to defend against IPv6 related attacks. To improve this situation I wrote a plugin for Snort, the popular open source intrusion detection system. This plugin adds detection rules and a preprocessor for the Neighbor Discovery Protocol.
It is aimed at the detection of suspicious activity in local IPv6 networks and can detect misconfigured network elements, as well as malicious activities from attackers on the network.
No one can deny that malware is a serious and growing problem. However, up to this point it has been very difficult to efficiently and accurately quantify exactly how bad it is. In this presentation, Ricky will demonstrate how new scanning technologies like zmap can be used to get complete and up-to-date snapshots of current malware infections, map where the infections are worst, and even track down Command and Control servers.
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityEdgeUno
The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed by most major content providers (including Google and Facebook) and many Internet Service Providers (ISPs). While the ultimate goal of IPv6 is virtually the same as that of IPv4 (moving packets across the Internet), the underlying mechanisms and technical details are significantly different, typically resulting in unexpected security and privacy implications. In this presentation, Fernando will cover the state of the art in everything ranging from IPv6 pentesting, to security controls and operational mitigations for IPv6 attacks, thus providing valuable information to red, blue, and purple teams.
Die monatlichen Anlässe in Zusammenarbeit mit dem Swiss IPv6 Council behandeln verschiedene technische Themenbereiche von IPv6.
Das Referat vom 29. April 2015 widmete sich dem wiedersprüchlichen Verhalten von Betriebssystemen im SLAAC/DHCPv6-Umfeld. In einer IPv6-Umgebung können Knoten ihre IP-Konfiguration entweder stateless (SLAAC) oder stateful (DHPCv6) erhalten. Dafür gibt es in Router Advertisements (RA) drei Flags: das A-, M- und O-Flag. Die Spezifikation definiert jedoch kein klares Verhalten bei widersprüchlicher Konfiguration. Ein kürzliches IETF-Draft zeigt, dass verschiedene Betriebssysteme unterschiedlich auf diese Flags reagieren. Referent Enno Rey zeigte Resultate eines weiterführenden Tests dazu.
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
Betrouwbaar DNS en BGP4 spelen een belangrijke rol bij het veilig afhandelen van Internet verkeer. Bij diverse gerenommeerde instanties (Netherlabs, SIDN Labs en NLnet Labs) zijn veilige versies hiervan ontwikkeld, welke nog dagelijks worden verbeterd. In deze presentatie worden de belangrijkste ontwikkelingen tegen het licht gehouden.
DNS Protection safeguards Incapsula clients’ DNS servers, while also accelerating DNS responses.
Infrastructure Protection, enabled by the addition of a GRE tunneling onboarding option, widen Incapsula's security perimeter - allowing it to protect entire subnets, secure all network elements and inspect all TCP/UDP communication.
October 2014 Webinar: Cybersecurity Threat DetectionSqrrl
Using Sqrrl Enterprise and the GraphX library included in Apache Spark, we will construct a dynamic graph of entities and relationships that will allow us to build baseline patterns of normalcy, flag anomalies on the fly, analyze the context of an event, and ultimately identify and protect against emergent cyber threats.
Aspekte von IPv6-Security
• Hackertools & ein paar Angriffsszenarien
• 3 Empfehlungen
q a) Ist IPv6 sicherer als IPv4?
q b) Ist IPv6 unsicherer als IPv4?
q c) Wer ist an allem Schuld?
q d) Wie wirkt sich die Integration von IPv6 in
meine Organisation auf deren IT-Sicherheit aus?
Similar to Security in an IPv6 World - Myth & Reality (20)
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Security in an IPv6 World - Myth & Reality
1. SECURITY IN AN IPv6 WORLD
MYTH & REALITY
SANOG XXIII – Thimphu, Bhutan – 14 January 2014
Chris Grundemann
2. WHO AM I?
•
“DO” Director @ Internet Society
•
CO ISOC Founding Chair
•
NANOG PC
•
RMv6TF Board
•
NANOG-BCOP Founder & Chair
•
IPv6 Author (Juniper Day One Books)
•
IETF Contributor (Homenet)
•
Past: ARIN, UPnP, DLNA, CEA…
CHRIS GRUNDEMANN
1/13/2014
2
3. THIS TALK…
• Aims to debunk the most common IPv6 security myths
• Is NOT a comprehensive look at IPv6 security practices
CHRIS GRUNDEMANN
1/13/2014
3
4. Let’s get to busting
SOME MYTHS…
CHRIS GRUNDEMANN
1/13/2014
4
6. MYTH:
I’M NOT RUNNING IPV6, I DON’T HAVE TO WORRY
REALITY:
YOUR APPLICATIONS ARE USING IPV6 ALREADY
• Linux, Mac OS X, BSD, and Microsoft Vista/Windows 7
systems all come with IPv6 capability, some even have IPv6
enabled by default (IPv6 preferred)
• They may try to use IPv6 first and then fall-back to IPv4
• If you are not protecting your IPv6 nodes then you have just allowed a
huge back-door to exist!
CHRIS GRUNDEMANN
1/13/2014
6
7. MYTH:
I’M NOT RUNNING IPV6, I DON’T HAVE TO WORRY
REALITY:
YOUR USERS ARE USING IPV6 ALREADY
6to4 / Toredo
CHRIS GRUNDEMANN
1/13/2014
7
9. MYTH:
IPV6 HAS SECURITY DESIGNED IN
REALITY:
IPSEC IS NOT NEW
• IPsec exists for IPv4
• IPsec mandates in IPv6 are no guarantee of security
CHRIS GRUNDEMANN
1/13/2014
9
10. MYTH:
IPV6 HAS SECURITY DESIGNED IN
REALITY:
IPV6 WAS DESIGNED 15-20 YEARS AGO
CHRIS GRUNDEMANN
1/13/2014
10
12. MYTH:
IPV6 HAS SECURITY DESIGNED IN
REALITY:
• Routing Header Type 0 (RH0) – Source Routing
• Deprecated in RFC 5095:
The functionality provided by IPv6's Type 0 Routing Header can be
exploited in order to achieve traffic amplification over a remote path for the
purposes of generating denial-of-service traffic.
CHRIS GRUNDEMANN
1/13/2014
12
13. MYTH:
IPV6 HAS SECURITY DESIGNED IN
REALITY:
• Hop-by-Hop Options Header
• Vulnerable to low bandwidth DOS attacks
• Threat detailed in draft-krishnan-ipv6-hopbyhop
CHRIS GRUNDEMANN
1/13/2014
13
14. MYTH:
IPV6 HAS SECURITY DESIGNED IN
REALITY:
• Extension Headers are vulnerable in general
• Large extension headers
• Lots of extension headers
• Invalid extension headers
CHRIS GRUNDEMANN
1/13/2014
14
15. MYTH:
IPV6 HAS SECURITY DESIGNED IN
REALITY:
• Rogue Router Advertisements (RAs)
• Can renumber hosts
• Can launch a Man In The Middle attack
• Problem documented in RFC 6104
In this document, we summarise the scenarios in which rogue RAs may be
observed and present a list of possible solutions to the problem.
CHRIS GRUNDEMANN
1/13/2014
15
16. MYTH:
IPV6 HAS SECURITY DESIGNED IN
REALITY:
• Forged Neighbor Discovery messages
• ICMP Redirects – just like IPv4 redirects
CHRIS GRUNDEMANN
1/13/2014
16
17. MYTH:
IPV6 HAS SECURITY DESIGNED IN
REALITY:
MANY ATTACKS ARE ABOVE OR BELOW IP
• Buffer overflows
• SQL Injection
• Cross-site scripting
• E-mail/SPAM (open relays)
CHRIS GRUNDEMANN
1/13/2014
17
19. MYTH:
NO IPV6 NAT MEANS LESS SECURITY
REALITY:
STATEFUL FIREWALLS PROVIDE SECURITY
• NAT can actually reduce security
CHRIS GRUNDEMANN
1/13/2014
19
21. MYTH:
IPV6 NETWORKS ARE TOO BIG TO SCAN
REALITY:
•
SLAAC - EUI-64 addresses (well known OUIs)
• Tracking!
•
DHCPv6 sequential addressing (scan low numbers)
•
6to4, ISATAP, Teredo (well known addresses)
•
Manual configured addresses (scan low numbers, vanity addresses)
•
Exploiting a local node
• ff02::1 - all nodes on the local network segment
• IPv6 Node Information Queries (RFC 4620)
• Neighbor discovery
• Leveraging IPv4 (Metasploit Framework “ipv6_neighbor”)
•
IPv6 addresses leaked out by application-layer protocols (email)
CHRIS GRUNDEMANN
1/13/2014
21
22. MYTH:
IPV6 NETWORKS ARE TOO BIG TO SCAN
REALITY:
PRIVACY ADDRESSES (RFC 4941)
• Privacy addresses use MD5 hash on EUI-64 and random number
• Often temporary – rotate addresses
• Frequency varies
• Often paired with dynamic DNS (firewall state updates?)
• Makes filtering, troubleshooting, and forensics difficult
• Alternative: Randomized DHCPv6
• Host: Randomized IIDs
• Server: Short leases, randomized assignments
CHRIS GRUNDEMANN
1/13/2014
22
24. MYTH:
IPV6 IS TOO NEW TO BE ATTACKED
REALITY:
TOOLS ARE ALREADY AVAILABLE
• THC IPv6 Attack Toolkit
• IPv6 port scan tools
• IPv6 packet forgery tools
• IPv6 DoS tools
CHRIS GRUNDEMANN
1/13/2014
24
25. MYTH:
IPV6 IS TOO NEW TO BE ATTACKED
REALITY:
BUGS AND VULNERABILITIES PUBLISHED
• Vendors
• Open source software
CHRIS GRUNDEMANN
1/13/2014
25
26. MYTH:
IPV6 IS TOO NEW TO BE ATTACKED
REALITY:
SEARCH FOR “ SECURITYFOCUS.COM INURL:BID IPV6”
CHRIS GRUNDEMANN
1/13/2014
26
27. MYTH:
96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4)
CHRIS GRUNDEMANN
1/13/2014
27
28. MYTH:
96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4)
REALITY:
IPV6 ADDRESS FORMAT IS DRASTICALLY NEW
• 128 bits vs. 32 bits
• Hex vs. Decimal
• Colon vs. Period
• Multiple possible formats (zero suppression, zero compression)
• Logging, grep, filters, etc.
CHRIS GRUNDEMANN
1/13/2014
28
29. MYTH:
96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4)
REALITY:
MULTIPLE ADDRESSES ON EACH HOST
• Same host appears in logs with different addresses
CHRIS GRUNDEMANN
1/13/2014
29
30. MYTH:
96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4)
REALITY:
SYNTAX CHANGES
• Training!
CHRIS GRUNDEMANN
1/13/2014
30
32. MYTH:
CONFIGURE IPV6 FILTERS SAME AS IPV4
REALITY:
DHCPV6 && ND INTRODUCE NUANCE
• Neighbor Discovery uses ICMP
• DHCPv6 message exchange:
• Solicit: [your link local]:546 -> [ff02::1:2]:547
• Advertise: [upstream link local]:547 -> [your link local]:546
• and two more packets, both between your link locals.
CHRIS GRUNDEMANN
1/13/2014
32
33. REALITY: EXAMPLE FIREWALL FILTER (MIKROTIK)
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Not just ping - ND runs over icmp6.
chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway
1 chain=input action=accept connection-state=established in-interface=ether1-gateway
2 ;;; related means stuff like FTP-DATA
chain=input action=accept connection-state=related in-interface=ether1-gateway
3 ;;; for DHCP6 advertisement (second packet, first server response)
chain=input action=accept protocol=udp src-address=fe80::/16 dst-address=fe80::/16
in-interface=ether1-gateway dst-port=546
4 ;;; ssh to this box for management (note non standard port)
chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dst-port=2222
5 chain=input action=drop in-interface=ether1-gateway
CHRIS GRUNDEMANN
1/13/2014
33
37. MYTH:
THERE ARE NO IPV6 SECURITY BCPS YET
REALITY:
THERE ARE!
• Perform IPv6 filtering at the perimeter
• Use RFC2827 filtering and Unicast RPF checks throughout the network
• Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels
and deny packets for transition techniques not used
• Use common access-network security measures (NAC/802.1X, disable unused
switch ports, Ethernet port security, MACSec/TrustSec) because SEND won’t be
available any time soon
• Strive to achieve equal protections for IPv6 as with IPv4
• Continue to let vendors know what you expect in terms of IPv6 security features
CHRIS GRUNDEMANN
1/13/2014
37
38. MYTH:
THERE ARE NO IPV6 SECURITY RESOURCES
CHRIS GRUNDEMANN
1/13/2014
38
39. MYTH:
THERE ARE NO IPV6 SECURITY RESOURCES
REALITY:
THERE ARE!
• IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press,
2009
• Guidelines for the Secure Deployment of IPv6
Recommendations of the National Institute of Standards and
Technology
• Search engines are your friend!
CHRIS GRUNDEMANN
1/13/2014
39
40. THE REALITY OF DUAL-STACK
• Two sets of filters
• Two sets of bugs
IPv4
CHRIS GRUNDEMANN
IPv6
1/13/2014
40
41. THANK YOU!
Gratitude and Credit:
•
•
•
•
Scott Hogg – My IPv6 Security Guru
Rob Seastrom – For the Mikrotik example
The Internet – Lots of searching
You – Thanks for listening!
CHRIS GRUNDEMANN
@ChrisGrundemann
http://chrisgrundemann.com
http://www.internetsociety.org/deploy360/
1/13/2014
41
Editor's Notes
Manual TunnelsPreferred over dynamic tunnelsFilter tunnel source/destination and use IPsecIf spoofing, return traffic is not sent to attackerDynamic Tunnels6to4 Relay routers are “open relays”Attackers can guess 6to4 addresses easilyISATAP can have potential MITM attacksAttackers can spoof source/dest IPv4/v6 addressesDon’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpointsMany IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)
In some other ways IPv6 in fact does support better security:that IPsec can be guaranteed to be supported fosters its use and propagation.The header design in IPv6 is better, leading to a cleaner division between encryption metadata and the encrypted payload, which some analysts consider has improved the IPsec implementation.
“The denial of service attack can be carried out by forming an IP datagram with a large number of TLV encoded options with random option type identifiers in the hop-by-hop options header.”All the ipv6 nodes on the path need to process the options in this headerThe option TLVs in the hop-by-hop options header need to be processed in orderA sub range of option types in this header will not cause any errors even if the node does not recognize them.There is no restriction as to how many occurences of an option type can be present in the hop-by-hop header.
Prevent unauthorized LAN accessDisable unused switch portsNetwork Access Control (NAC), Network Admission Control (NAC)IEEE 802.1AE (MACsec), Cisco TrustSecIEEE 802.1XRA Guard (RFC 6105)NDPMonRamondKame rafixdPort SecurityCisco Port-based ACL (PACL)
Both require LAN access – like rogue RAs
Both require LAN access – like rogue RAs
Translation techniques are susceptible to DoS attacksNAT prevents IPsec, DNSSEC, Geolocation and other applications from workingConsuming connection state (CPU resource consumption attack on ALG)Consuming public IPv4 pool and port numbers (pool depletion attack)
Don’t block FF00::/8 and FE80::/10 – these will block NDP
Rules 1 and 2 are stateful. 0 is absolutely necessary for ND to work.It might be a little liberal for some folks though - could be bolteddown tighter.Rule 3 is the one I put in so as to actually hear my reply.
Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicastIPv6 firewalls may not have all the same full features as IPv4 firewallsUTM/DPI/IPS/WAF/content filtering features may only work for IPv4Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)IPv6 support varies greatly in modern IPS systemsFew signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset valuesFew Host-based IPS systems support IPv6Desktop AntiVirus software has gotten better at allowing ICMPv6 (RA/RS/NA/NS) packets throughHowever, there are still a handful of popular AV suites that don’t support IPv6There are many IPv6-capable host-based firewalls available depending on the OS you preferLinux: ip6tables (NetFilter), ipfWindows Firewall with Advanced SecurityBSD: pf, ipfw, ipfMac: ipfw, ipfSolaris, HP-UX : ipf
Many security standards don’t discuss IPv6. However, any guideline related to IP may apply to both versions – many policies are higher levelhttp://www.antd.nist.gov/usgv6/NIST SP 500-273: USGv6 Test Methods: General Description and ValidationGuidance for Labs, November 2009http://www.antd.nist.gov/usgv6/docs/NIST-SP-500-273.v2.0.pdfNIST SP 500-281: USGv6 Testing Program User’s GuideGuidance for vendors and purchasers, August 2010http://www.antd.nist.gov/usgv6/docs/NIST-SP-500-281-v1.3.pdf