SlideShare a Scribd company logo

Security in an IPv6 World - Myth & Reality

Chris Grundemann
Chris Grundemann

Now that IPv6 is being actively deployed around the world, security is more and more a growing concern. Unfortunately, there are still a large number of myths that plague the IPv6 security world. Things that people state as facts which simply are not true. This fun, fast-paced talk debunks the most common of those IPv6 security myths and provides a quick introduction to IPv6 security along the way.

Technology
1 of 41
SECURITY IN AN IPv6 WORLD MYTH & REALITY SANOG XXIII – Thimphu, Bhutan – 14 January 2014 Chris Grundemann
WHO AM I? • “DO” Director @ Internet Society • CO ISOC Founding Chair • NANOG PC • RMv6TF Board • NANOG-BCOP Founder & Chair • IPv6 Author (Juniper Day One Books) • IETF Contributor (Homenet) • Past: ARIN, UPnP, DLNA, CEA… CHRIS GRUNDEMANN 1/13/2014 2
THIS TALK… • Aims to debunk the most common IPv6 security myths • Is NOT a comprehensive look at IPv6 security practices CHRIS GRUNDEMANN 1/13/2014 3
Let’s get to busting SOME MYTHS… CHRIS GRUNDEMANN 1/13/2014 4
MYTH: I’M NOT RUNNING IPV6, I DON’T HAVE TO WORRY CHRIS GRUNDEMANN 1/13/2014 5
MYTH: I’M NOT RUNNING IPV6, I DON’T HAVE TO WORRY REALITY: YOUR APPLICATIONS ARE USING IPV6 ALREADY • Linux, Mac OS X, BSD, and Microsoft Vista/Windows 7 systems all come with IPv6 capability, some even have IPv6 enabled by default (IPv6 preferred) • They may try to use IPv6 first and then fall-back to IPv4 • If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist! CHRIS GRUNDEMANN 1/13/2014 6
MYTH: I’M NOT RUNNING IPV6, I DON’T HAVE TO WORRY REALITY: YOUR USERS ARE USING IPV6 ALREADY 6to4 / Toredo CHRIS GRUNDEMANN 1/13/2014 7
MYTH: IPV6 HAS SECURITY DESIGNED IN CHRIS GRUNDEMANN 1/13/2014 8
MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: IPSEC IS NOT NEW • IPsec exists for IPv4 • IPsec mandates in IPv6 are no guarantee of security CHRIS GRUNDEMANN 1/13/2014 9
MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: IPV6 WAS DESIGNED 15-20 YEARS AGO CHRIS GRUNDEMANN 1/13/2014 10
REALITY: EXTENSION HEADERS CHRIS GRUNDEMANN 1/13/2014 http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html 11
MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Routing Header Type 0 (RH0) – Source Routing • Deprecated in RFC 5095: The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. CHRIS GRUNDEMANN 1/13/2014 12
MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Hop-by-Hop Options Header • Vulnerable to low bandwidth DOS attacks • Threat detailed in draft-krishnan-ipv6-hopbyhop CHRIS GRUNDEMANN 1/13/2014 13
MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Extension Headers are vulnerable in general • Large extension headers • Lots of extension headers • Invalid extension headers CHRIS GRUNDEMANN 1/13/2014 14
MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Rogue Router Advertisements (RAs) • Can renumber hosts • Can launch a Man In The Middle attack • Problem documented in RFC 6104 In this document, we summarise the scenarios in which rogue RAs may be observed and present a list of possible solutions to the problem. CHRIS GRUNDEMANN 1/13/2014 15
MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Forged Neighbor Discovery messages • ICMP Redirects – just like IPv4 redirects CHRIS GRUNDEMANN 1/13/2014 16
MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: MANY ATTACKS ARE ABOVE OR BELOW IP • Buffer overflows • SQL Injection • Cross-site scripting • E-mail/SPAM (open relays) CHRIS GRUNDEMANN 1/13/2014 17
MYTH: NO IPV6 NAT MEANS LESS SECURITY CHRIS GRUNDEMANN 1/13/2014 18
MYTH: NO IPV6 NAT MEANS LESS SECURITY REALITY: STATEFUL FIREWALLS PROVIDE SECURITY • NAT can actually reduce security CHRIS GRUNDEMANN 1/13/2014 19
MYTH: IPV6 NETWORKS ARE TOO BIG TO SCAN CHRIS GRUNDEMANN 1/13/2014 20
MYTH: IPV6 NETWORKS ARE TOO BIG TO SCAN REALITY: • SLAAC - EUI-64 addresses (well known OUIs) • Tracking! • DHCPv6 sequential addressing (scan low numbers) • 6to4, ISATAP, Teredo (well known addresses) • Manual configured addresses (scan low numbers, vanity addresses) • Exploiting a local node • ff02::1 - all nodes on the local network segment • IPv6 Node Information Queries (RFC 4620) • Neighbor discovery • Leveraging IPv4 (Metasploit Framework “ipv6_neighbor”) • IPv6 addresses leaked out by application-layer protocols (email) CHRIS GRUNDEMANN 1/13/2014 21
MYTH: IPV6 NETWORKS ARE TOO BIG TO SCAN REALITY: PRIVACY ADDRESSES (RFC 4941) • Privacy addresses use MD5 hash on EUI-64 and random number • Often temporary – rotate addresses • Frequency varies • Often paired with dynamic DNS (firewall state updates?) • Makes filtering, troubleshooting, and forensics difficult • Alternative: Randomized DHCPv6 • Host: Randomized IIDs • Server: Short leases, randomized assignments CHRIS GRUNDEMANN 1/13/2014 22
MYTH: IPV6 IS TOO NEW TO BE ATTACKED CHRIS GRUNDEMANN 1/13/2014 23
MYTH: IPV6 IS TOO NEW TO BE ATTACKED REALITY: TOOLS ARE ALREADY AVAILABLE • THC IPv6 Attack Toolkit • IPv6 port scan tools • IPv6 packet forgery tools • IPv6 DoS tools CHRIS GRUNDEMANN 1/13/2014 24
MYTH: IPV6 IS TOO NEW TO BE ATTACKED REALITY: BUGS AND VULNERABILITIES PUBLISHED • Vendors • Open source software CHRIS GRUNDEMANN 1/13/2014 25
MYTH: IPV6 IS TOO NEW TO BE ATTACKED REALITY: SEARCH FOR “ SECURITYFOCUS.COM INURL:BID IPV6” CHRIS GRUNDEMANN 1/13/2014 26
MYTH: 96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4) CHRIS GRUNDEMANN 1/13/2014 27
MYTH: 96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4) REALITY: IPV6 ADDRESS FORMAT IS DRASTICALLY NEW • 128 bits vs. 32 bits • Hex vs. Decimal • Colon vs. Period • Multiple possible formats (zero suppression, zero compression) • Logging, grep, filters, etc. CHRIS GRUNDEMANN 1/13/2014 28
MYTH: 96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4) REALITY: MULTIPLE ADDRESSES ON EACH HOST • Same host appears in logs with different addresses CHRIS GRUNDEMANN 1/13/2014 29
MYTH: 96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4) REALITY: SYNTAX CHANGES • Training! CHRIS GRUNDEMANN 1/13/2014 30
MYTH: CONFIGURE IPV6 FILTERS SAME AS IPV4 CHRIS GRUNDEMANN 1/13/2014 31
MYTH: CONFIGURE IPV6 FILTERS SAME AS IPV4 REALITY: DHCPV6 && ND INTRODUCE NUANCE • Neighbor Discovery uses ICMP • DHCPv6 message exchange: • Solicit: [your link local]:546 -> [ff02::1:2]:547 • Advertise: [upstream link local]:547 -> [your link local]:546 • and two more packets, both between your link locals. CHRIS GRUNDEMANN 1/13/2014 32
REALITY: EXAMPLE FIREWALL FILTER (MIKROTIK) Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Not just ping - ND runs over icmp6. chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway 1 chain=input action=accept connection-state=established in-interface=ether1-gateway 2 ;;; related means stuff like FTP-DATA chain=input action=accept connection-state=related in-interface=ether1-gateway 3 ;;; for DHCP6 advertisement (second packet, first server response) chain=input action=accept protocol=udp src-address=fe80::/16 dst-address=fe80::/16 in-interface=ether1-gateway dst-port=546 4 ;;; ssh to this box for management (note non standard port) chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dst-port=2222 5 chain=input action=drop in-interface=ether1-gateway CHRIS GRUNDEMANN 1/13/2014 33
MYTH: IT SUPPORTS IPV6 CHRIS GRUNDEMANN 1/13/2014 34
MYTH: IT SUPPORTS IPV6 REALITY: IT PROBABLY DOESN’T • Detailed requirements (RFP) • RIPE-554 • Lab testing • Independent/outside verification CHRIS GRUNDEMANN 1/13/2014 35
MYTH: THERE ARE NO IPV6 SECURITY BCPS YET CHRIS GRUNDEMANN 1/13/2014 36
MYTH: THERE ARE NO IPV6 SECURITY BCPS YET REALITY: THERE ARE! • Perform IPv6 filtering at the perimeter • Use RFC2827 filtering and Unicast RPF checks throughout the network • Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used • Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec) because SEND won’t be available any time soon • Strive to achieve equal protections for IPv6 as with IPv4 • Continue to let vendors know what you expect in terms of IPv6 security features CHRIS GRUNDEMANN 1/13/2014 37
MYTH: THERE ARE NO IPV6 SECURITY RESOURCES CHRIS GRUNDEMANN 1/13/2014 38
MYTH: THERE ARE NO IPV6 SECURITY RESOURCES REALITY: THERE ARE! • IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009 • Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology • Search engines are your friend! CHRIS GRUNDEMANN 1/13/2014 39
THE REALITY OF DUAL-STACK • Two sets of filters • Two sets of bugs IPv4 CHRIS GRUNDEMANN IPv6 1/13/2014 40
THANK YOU! Gratitude and Credit: • • • • Scott Hogg – My IPv6 Security Guru Rob Seastrom – For the Mikrotik example The Internet – Lots of searching You – Thanks for listening! CHRIS GRUNDEMANN @ChrisGrundemann http://chrisgrundemann.com http://www.internetsociety.org/deploy360/ 1/13/2014 41

Recommended

The Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksThe Anatomy of DDoS Attacks
The Anatomy of DDoS Attacks
Acquia
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
MyNOG
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
Bangladesh Network Operators Group
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
APNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
APNIC
 
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Michiel Cazemier
 
Spoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized InternetSpoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized Internet
APNIC
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
Pavel Odintsov
 

Recommended

The Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksThe Anatomy of DDoS Attacks
The Anatomy of DDoS Attacks
Acquia
 
DDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacksDDoS Threats Landscape : Countering Large-scale DDoS attacks
DDoS Threats Landscape : Countering Large-scale DDoS attacks
MyNOG
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
Bangladesh Network Operators Group
 
Actual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long PeriodActual Condition Survey of Malware Download Sites for A Long Period
Actual Condition Survey of Malware Download Sites for A Long Period
APNIC
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
APNIC
 
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Michiel Cazemier
 
Spoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized InternetSpoofing and Denial of Service: A risk to the decentralized Internet
Spoofing and Denial of Service: A risk to the decentralized Internet
APNIC
 
FastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigationFastNetMon - ENOG9 speech about DDoS mitigation
FastNetMon - ENOG9 speech about DDoS mitigation
Pavel Odintsov
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
Sukbum Hong
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
Babak Farrokhi
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
Qrator Labs
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
Bangladesh Network Operators Group
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Pavel Odintsov
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
Pavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
Pavel Odintsov
 
Gabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHYGabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHY
IKT-Norge
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみた
Yutaka Ishizaki
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoring
Bangladesh Network Operators Group
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
APNIC
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_voss
Pavel Odintsov
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
Men and Mice
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
Brian A. McHenry
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
Brian A. McHenry
 
9534715
95347159534715
9534715
Pavel Odintsov
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and Mitigation
Cloudflare
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
Martin Schütte
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 

More Related Content

What's hot

Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
APNIC
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
Sukbum Hong
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
Babak Farrokhi
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
Qrator Labs
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
Bangladesh Network Operators Group
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
Pavel Odintsov
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Pavel Odintsov
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
Pavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
Pavel Odintsov
 
Gabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHYGabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHY
IKT-Norge
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみた
Yutaka Ishizaki
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoring
Bangladesh Network Operators Group
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
APNIC
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_voss
Pavel Odintsov
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
Men and Mice
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
Brian A. McHenry
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
Brian A. McHenry
 
9534715
95347159534715
9534715
Pavel Odintsov
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and Mitigation
Cloudflare
 

What's hot (20)

Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
 
DDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet FilteringDDoS Attacks in 2017: Beyond Packet Filtering
DDoS Attacks in 2017: Beyond Packet Filtering
 
Route Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS ApproachRoute Origin Validation - A MANRS Approach
Route Origin Validation - A MANRS Approach
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
Gabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHYGabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHY
 
FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみた
 
BGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoringBGPalerter: BGP prefix monitoring
BGPalerter: BGP prefix monitoring
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
 
Blackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_vossBlackholing from a_providers_perspektive_theo_voss
Blackholing from a_providers_perspektive_theo_voss
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoS
 
Death of Web App Firewall
Death of Web App FirewallDeath of Web App Firewall
Death of Web App Firewall
 
Death of WAF - GoSec '15
Death of WAF - GoSec '15Death of WAF - GoSec '15
Death of WAF - GoSec '15
 
9534715
95347159534715
9534715
 
DDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and MitigationDDoS 101: Attack Types and Mitigation
DDoS 101: Attack Types and Mitigation
 

Similar to Security in an IPv6 World - Myth & Reality

The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
Martin Schütte
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentationjohnmcclure00
 
How we lose etu hadoop competition
How we lose etu hadoop competitionHow we lose etu hadoop competition
How we lose etu hadoop competition
Evans Ye
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
APNIC
 
Hunting Botnets with Zmap
Hunting Botnets with ZmapHunting Botnets with Zmap
Hunting Botnets with Zmap
HeadlessZeke
 
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityFernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
EdgeUno
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router Flags
Digicomp Academy AG
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
Marco Casassa Mont
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
Splend
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
Marian Marinov
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
Yankmo
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
APNIC
 
DNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS ProtectionDNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS Protection
Imperva Incapsula
 
October 2014 Webinar: Cybersecurity Threat Detection
October 2014 Webinar: Cybersecurity Threat DetectionOctober 2014 Webinar: Cybersecurity Threat Detection
October 2014 Webinar: Cybersecurity Threat Detection
Sqrrl
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?
RIPE NCC
 
How to Prevent DHCP Spoofing
How to Prevent DHCP SpoofingHow to Prevent DHCP Spoofing
How to Prevent DHCP Spoofing
KHNOG
 
IPv6 Security und Hacking
IPv6 Security und HackingIPv6 Security und Hacking
IPv6 Security und Hacking
Swiss IPv6 Council
 

Similar to Security in an IPv6 World - Myth & Reality (20)

The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
 
How we lose etu hadoop competition
How we lose etu hadoop competitionHow we lose etu hadoop competition
How we lose etu hadoop competition
 
Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?Is IPv6 Security Still an Afterthought?
Is IPv6 Security Still an Afterthought?
 
Hunting Botnets with Zmap
Hunting Botnets with ZmapHunting Botnets with Zmap
Hunting Botnets with Zmap
 
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityFernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
Swiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router FlagsSwiss IPv6 Council: Konfusion um die Router Flags
Swiss IPv6 Council: Konfusion um die Router Flags
 
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
 
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderHSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
DNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS ProtectionDNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS Protection
 
October 2014 Webinar: Cybersecurity Threat Detection
October 2014 Webinar: Cybersecurity Threat DetectionOctober 2014 Webinar: Cybersecurity Threat Detection
October 2014 Webinar: Cybersecurity Threat Detection
 
Tech f42
Tech f42Tech f42
Tech f42
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?
 
Linx851
Linx851Linx851
Linx851
 
How to Prevent DHCP Spoofing
How to Prevent DHCP SpoofingHow to Prevent DHCP Spoofing
How to Prevent DHCP Spoofing
 
IPv6 Security und Hacking
IPv6 Security und HackingIPv6 Security und Hacking
IPv6 Security und Hacking
 

Recently uploaded

Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
nkrafacyberclub
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 

Recently uploaded (20)

Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 

Security in an IPv6 World - Myth & Reality

  • 1. SECURITY IN AN IPv6 WORLD MYTH & REALITY SANOG XXIII – Thimphu, Bhutan – 14 January 2014 Chris Grundemann
  • 2. WHO AM I? • “DO” Director @ Internet Society • CO ISOC Founding Chair • NANOG PC • RMv6TF Board • NANOG-BCOP Founder & Chair • IPv6 Author (Juniper Day One Books) • IETF Contributor (Homenet) • Past: ARIN, UPnP, DLNA, CEA… CHRIS GRUNDEMANN 1/13/2014 2
  • 3. THIS TALK… • Aims to debunk the most common IPv6 security myths • Is NOT a comprehensive look at IPv6 security practices CHRIS GRUNDEMANN 1/13/2014 3
  • 4. Let’s get to busting SOME MYTHS… CHRIS GRUNDEMANN 1/13/2014 4
  • 5. MYTH: I’M NOT RUNNING IPV6, I DON’T HAVE TO WORRY CHRIS GRUNDEMANN 1/13/2014 5
  • 6. MYTH: I’M NOT RUNNING IPV6, I DON’T HAVE TO WORRY REALITY: YOUR APPLICATIONS ARE USING IPV6 ALREADY • Linux, Mac OS X, BSD, and Microsoft Vista/Windows 7 systems all come with IPv6 capability, some even have IPv6 enabled by default (IPv6 preferred) • They may try to use IPv6 first and then fall-back to IPv4 • If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist! CHRIS GRUNDEMANN 1/13/2014 6
  • 7. MYTH: I’M NOT RUNNING IPV6, I DON’T HAVE TO WORRY REALITY: YOUR USERS ARE USING IPV6 ALREADY 6to4 / Toredo CHRIS GRUNDEMANN 1/13/2014 7
  • 8. MYTH: IPV6 HAS SECURITY DESIGNED IN CHRIS GRUNDEMANN 1/13/2014 8
  • 9. MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: IPSEC IS NOT NEW • IPsec exists for IPv4 • IPsec mandates in IPv6 are no guarantee of security CHRIS GRUNDEMANN 1/13/2014 9
  • 10. MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: IPV6 WAS DESIGNED 15-20 YEARS AGO CHRIS GRUNDEMANN 1/13/2014 10
  • 12. MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Routing Header Type 0 (RH0) – Source Routing • Deprecated in RFC 5095: The functionality provided by IPv6's Type 0 Routing Header can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic. CHRIS GRUNDEMANN 1/13/2014 12
  • 13. MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Hop-by-Hop Options Header • Vulnerable to low bandwidth DOS attacks • Threat detailed in draft-krishnan-ipv6-hopbyhop CHRIS GRUNDEMANN 1/13/2014 13
  • 14. MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Extension Headers are vulnerable in general • Large extension headers • Lots of extension headers • Invalid extension headers CHRIS GRUNDEMANN 1/13/2014 14
  • 15. MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Rogue Router Advertisements (RAs) • Can renumber hosts • Can launch a Man In The Middle attack • Problem documented in RFC 6104 In this document, we summarise the scenarios in which rogue RAs may be observed and present a list of possible solutions to the problem. CHRIS GRUNDEMANN 1/13/2014 15
  • 16. MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: • Forged Neighbor Discovery messages • ICMP Redirects – just like IPv4 redirects CHRIS GRUNDEMANN 1/13/2014 16
  • 17. MYTH: IPV6 HAS SECURITY DESIGNED IN REALITY: MANY ATTACKS ARE ABOVE OR BELOW IP • Buffer overflows • SQL Injection • Cross-site scripting • E-mail/SPAM (open relays) CHRIS GRUNDEMANN 1/13/2014 17
  • 18. MYTH: NO IPV6 NAT MEANS LESS SECURITY CHRIS GRUNDEMANN 1/13/2014 18
  • 19. MYTH: NO IPV6 NAT MEANS LESS SECURITY REALITY: STATEFUL FIREWALLS PROVIDE SECURITY • NAT can actually reduce security CHRIS GRUNDEMANN 1/13/2014 19
  • 20. MYTH: IPV6 NETWORKS ARE TOO BIG TO SCAN CHRIS GRUNDEMANN 1/13/2014 20
  • 21. MYTH: IPV6 NETWORKS ARE TOO BIG TO SCAN REALITY: • SLAAC - EUI-64 addresses (well known OUIs) • Tracking! • DHCPv6 sequential addressing (scan low numbers) • 6to4, ISATAP, Teredo (well known addresses) • Manual configured addresses (scan low numbers, vanity addresses) • Exploiting a local node • ff02::1 - all nodes on the local network segment • IPv6 Node Information Queries (RFC 4620) • Neighbor discovery • Leveraging IPv4 (Metasploit Framework “ipv6_neighbor”) • IPv6 addresses leaked out by application-layer protocols (email) CHRIS GRUNDEMANN 1/13/2014 21
  • 22. MYTH: IPV6 NETWORKS ARE TOO BIG TO SCAN REALITY: PRIVACY ADDRESSES (RFC 4941) • Privacy addresses use MD5 hash on EUI-64 and random number • Often temporary – rotate addresses • Frequency varies • Often paired with dynamic DNS (firewall state updates?) • Makes filtering, troubleshooting, and forensics difficult • Alternative: Randomized DHCPv6 • Host: Randomized IIDs • Server: Short leases, randomized assignments CHRIS GRUNDEMANN 1/13/2014 22
  • 23. MYTH: IPV6 IS TOO NEW TO BE ATTACKED CHRIS GRUNDEMANN 1/13/2014 23
  • 24. MYTH: IPV6 IS TOO NEW TO BE ATTACKED REALITY: TOOLS ARE ALREADY AVAILABLE • THC IPv6 Attack Toolkit • IPv6 port scan tools • IPv6 packet forgery tools • IPv6 DoS tools CHRIS GRUNDEMANN 1/13/2014 24
  • 25. MYTH: IPV6 IS TOO NEW TO BE ATTACKED REALITY: BUGS AND VULNERABILITIES PUBLISHED • Vendors • Open source software CHRIS GRUNDEMANN 1/13/2014 25
  • 26. MYTH: IPV6 IS TOO NEW TO BE ATTACKED REALITY: SEARCH FOR “ SECURITYFOCUS.COM INURL:BID IPV6” CHRIS GRUNDEMANN 1/13/2014 26
  • 27. MYTH: 96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4) CHRIS GRUNDEMANN 1/13/2014 27
  • 28. MYTH: 96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4) REALITY: IPV6 ADDRESS FORMAT IS DRASTICALLY NEW • 128 bits vs. 32 bits • Hex vs. Decimal • Colon vs. Period • Multiple possible formats (zero suppression, zero compression) • Logging, grep, filters, etc. CHRIS GRUNDEMANN 1/13/2014 28
  • 29. MYTH: 96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4) REALITY: MULTIPLE ADDRESSES ON EACH HOST • Same host appears in logs with different addresses CHRIS GRUNDEMANN 1/13/2014 29
  • 30. MYTH: 96 MORE BITS, NO MAGIC (IT’S JUST LIKE IPV4) REALITY: SYNTAX CHANGES • Training! CHRIS GRUNDEMANN 1/13/2014 30
  • 31. MYTH: CONFIGURE IPV6 FILTERS SAME AS IPV4 CHRIS GRUNDEMANN 1/13/2014 31
  • 32. MYTH: CONFIGURE IPV6 FILTERS SAME AS IPV4 REALITY: DHCPV6 && ND INTRODUCE NUANCE • Neighbor Discovery uses ICMP • DHCPv6 message exchange: • Solicit: [your link local]:546 -> [ff02::1:2]:547 • Advertise: [upstream link local]:547 -> [your link local]:546 • and two more packets, both between your link locals. CHRIS GRUNDEMANN 1/13/2014 32
  • 33. REALITY: EXAMPLE FIREWALL FILTER (MIKROTIK) Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Not just ping - ND runs over icmp6. chain=input action=accept protocol=icmpv6 in-interface=ether1-gateway 1 chain=input action=accept connection-state=established in-interface=ether1-gateway 2 ;;; related means stuff like FTP-DATA chain=input action=accept connection-state=related in-interface=ether1-gateway 3 ;;; for DHCP6 advertisement (second packet, first server response) chain=input action=accept protocol=udp src-address=fe80::/16 dst-address=fe80::/16 in-interface=ether1-gateway dst-port=546 4 ;;; ssh to this box for management (note non standard port) chain=input action=accept protocol=tcp dst-address=[myaddr]/128 dst-port=2222 5 chain=input action=drop in-interface=ether1-gateway CHRIS GRUNDEMANN 1/13/2014 33
  • 34. MYTH: IT SUPPORTS IPV6 CHRIS GRUNDEMANN 1/13/2014 34
  • 35. MYTH: IT SUPPORTS IPV6 REALITY: IT PROBABLY DOESN’T • Detailed requirements (RFP) • RIPE-554 • Lab testing • Independent/outside verification CHRIS GRUNDEMANN 1/13/2014 35
  • 36. MYTH: THERE ARE NO IPV6 SECURITY BCPS YET CHRIS GRUNDEMANN 1/13/2014 36
  • 37. MYTH: THERE ARE NO IPV6 SECURITY BCPS YET REALITY: THERE ARE! • Perform IPv6 filtering at the perimeter • Use RFC2827 filtering and Unicast RPF checks throughout the network • Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used • Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec) because SEND won’t be available any time soon • Strive to achieve equal protections for IPv6 as with IPv4 • Continue to let vendors know what you expect in terms of IPv6 security features CHRIS GRUNDEMANN 1/13/2014 37
  • 38. MYTH: THERE ARE NO IPV6 SECURITY RESOURCES CHRIS GRUNDEMANN 1/13/2014 38
  • 39. MYTH: THERE ARE NO IPV6 SECURITY RESOURCES REALITY: THERE ARE! • IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, 2009 • Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology • Search engines are your friend! CHRIS GRUNDEMANN 1/13/2014 39
  • 40. THE REALITY OF DUAL-STACK • Two sets of filters • Two sets of bugs IPv4 CHRIS GRUNDEMANN IPv6 1/13/2014 40
  • 41. THANK YOU! Gratitude and Credit: • • • • Scott Hogg – My IPv6 Security Guru Rob Seastrom – For the Mikrotik example The Internet – Lots of searching You – Thanks for listening! CHRIS GRUNDEMANN @ChrisGrundemann http://chrisgrundemann.com http://www.internetsociety.org/deploy360/ 1/13/2014 41

Editor's Notes

  1. Manual TunnelsPreferred over dynamic tunnelsFilter tunnel source/destination and use IPsecIf spoofing, return traffic is not sent to attackerDynamic Tunnels6to4 Relay routers are “open relays”Attackers can guess 6to4 addresses easilyISATAP can have potential MITM attacksAttackers can spoof source/dest IPv4/v6 addressesDon’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpointsMany IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)
  2. In some other ways IPv6 in fact does support better security:that IPsec can be guaranteed to be supported fosters its use and propagation.The header design in IPv6 is better, leading to a cleaner division between encryption metadata and the encrypted payload, which some analysts consider has improved the IPsec implementation.
  3. “The denial of service attack can be carried out by forming an IP datagram with a large number of TLV encoded options with random option type identifiers in the hop-by-hop options header.”All the ipv6 nodes on the path need to process the options in this headerThe option TLVs in the hop-by-hop options header need to be processed in orderA sub range of option types in this header will not cause any errors even if the node does not recognize them.There is no restriction as to how many occurences of an option type can be present in the hop-by-hop header.
  4. Prevent unauthorized LAN accessDisable unused switch portsNetwork Access Control (NAC), Network Admission Control (NAC)IEEE 802.1AE (MACsec), Cisco TrustSecIEEE 802.1XRA Guard (RFC 6105)NDPMonRamondKame rafixdPort SecurityCisco Port-based ACL (PACL)
  5. Both require LAN access – like rogue RAs
  6. Both require LAN access – like rogue RAs
  7. Translation techniques are susceptible to DoS attacksNAT prevents IPsec, DNSSEC, Geolocation and other applications from workingConsuming connection state (CPU resource consumption attack on ALG)Consuming public IPv4 pool and port numbers (pool depletion attack)
  8. Don’t block FF00::/8 and FE80::/10 – these will block NDP
  9. Rules 1 and 2 are stateful.  0 is absolutely necessary for ND to work.It might be a little liberal for some folks though - could be bolteddown tighter.Rule 3 is the one I put in so as to actually hear my reply.
  10. Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicastIPv6 firewalls may not have all the same full features as IPv4 firewallsUTM/DPI/IPS/WAF/content filtering features may only work for IPv4Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)IPv6 support varies greatly in modern IPS systemsFew signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset valuesFew Host-based IPS systems support IPv6Desktop AntiVirus software has gotten better at allowing ICMPv6 (RA/RS/NA/NS) packets throughHowever, there are still a handful of popular AV suites that don’t support IPv6There are many IPv6-capable host-based firewalls available depending on the OS you preferLinux: ip6tables (NetFilter), ipfWindows Firewall with Advanced SecurityBSD: pf, ipfw, ipfMac: ipfw, ipfSolaris, HP-UX : ipf
  11. Many security standards don’t discuss IPv6. However, any guideline related to IP may apply to both versions – many policies are higher levelhttp://www.antd.nist.gov/usgv6/NIST SP 500-273: USGv6 Test Methods: General Description and ValidationGuidance for Labs, November 2009http://www.antd.nist.gov/usgv6/docs/NIST-SP-500-273.v2.0.pdfNIST SP 500-281: USGv6 Testing Program User’s GuideGuidance for vendors and purchasers, August 2010http://www.antd.nist.gov/usgv6/docs/NIST-SP-500-281-v1.3.pdf