Security Myth of IPv6 and DNS64

  1. Security Myth of IPv6 and DNS64
     A. S. M. Shamim Reza, Deputy Manager, Network Operation Center, Link3 Technologies Ltd
  2. [~]# whoami
     Linux geek, open source software enthusiast, EC-Council Certified Security Analyst
     ASMShamimReza / ShamimRezaSohag, sohag.shamim@gmail.com
  3. The Journey
     - Importance of having IPv6
     - Challenges
     - Myths and reality
     - Associated IPv6 protocol security
     - Do's and Don'ts
  4. Importance of having IPv6
     - We are running out of IPv4 addresses
     - IPv6 has done the math
  5. Challenges
  6. Things we had to calculate
     - The global Internet is not ready for IPv6-only
     - Cisco supports NAT64 only from the ASR series upwards
     - User bandwidth management becomes far more complex
     - 464XLAT is not supported by common home Wi-Fi routers
     - Support in the existing server systems
     - Operations and security policy
     - We have almost 50k active customers and are planning for 500k
     - Overhead cost of deploying NAT64 and DNS64
  7. Things that we came up with
     - The existing bandwidth manager and spam firewall support dual-stack
     - Linux- and Windows-based systems support IPv6 by default
     - Host-based IDS and firewall support IPv6
     - As an ISP we need to go with NAT64 and DNS64
     - Dual-stack for the infrastructure, IPv6-only for end users
     - DNS64 will be run by BIND on CentOS 6
  8. Difference between IPv4 and IPv6
     IPv4            | IPv6
     Web, DNS, DHCP  | Web, DNS64, DHCPv6
     TCP, UDP        | TCP, UDP
     ICMP            | ICMPv6
  9. Myths and Reality: what we have been told and what we have found
  10. The Myths
     - IPv6 is too new to be attacked
     - My network is IPv4 only
  11. Myth: my network is IPv4 only
     Reality: every current OS ships with IPv6 enabled by default. Hosts on an "IPv4-only" LAN still configure IPv6 addresses from any Router Advertisement they hear, a rogue one included, so anyone on the same segment can reach them over IPv6 even though IPv6 was never deployed there.
  12. Myth: IPv6 is too new to be attacked
     Reality: the same attacks, with different names and tactics.
     Attack                          | Tools
     Reconnaissance                  | alive6, Nmap
     Amplification                   | smurf6, rsmurf6
     DHCPv6 spoofing                 | flood_dhcpc6, fake_dhcps6
     DAD spoofing, redirect spoofing | dos-new-ip6, redir6
     (Apart from Nmap, all of these are tools from the THC-IPv6 toolkit.)
  13. Outcome of the myths
     - IPv6 is neither more nor less secure than IPv4
     - Knowledge of the associated protocols is the best security measure
     - A change of mindset is required
  14. Associated IPv6 Protocol Security
  15. Protocols to consider before deployment: ICMPv6, NDP, DHCPv6, DNS64
  16. DNS Server: what we had (authoritative and recursive on one box)
     Software: CentOS 5 32-bit; bind-utils-9.3.4-10.P1.el5, bind-libs-9.3.4-10.P1.el5, ypbind-1.19-11.el5
     Hardware: 2 cores, 4 GB RAM, SATA 7.2k RPM disk
  17. DNS Server: what we faced
     - The OS version was about to become obsolete
     - Resource utilization was about to max out
     - Log search was not administrator-friendly
  18. DNS Server: what we did
     - Upgraded the OS to CentOS 6 64-bit
     - Split the authoritative and recursive roles onto two servers
     - Deployed BIND in a chroot
     - Calculated the session load of the recursive DNS system
     - Deployed the recursive server with IP anycast
     - Configured recursive logging around the search criteria we actually use
  19. DNS Server: what we did (resources)
     Software: CentOS 6.9 64-bit; bind-9.8.2-0.62.rc1.el6_9.5.x86_64 together with bind-libs, bind-sdb, bind-devel, bind-chroot and bind-utils from the same 9.8.2 build, bind-dyndb-ldap-2.3-8.el6.x86_64, rpcbind-0.2.0-13.el6_9.1.x86_64, iptables-1.4.7-16.el6.x86_64, iptables-ipv6-1.4.7-16.el6.x86_64
     Hardware: 4 cores across 2 sockets, 8 GB DDR4 RAM, SAS 15k RPM disk
  20. How DNS64 Works
     When an IPv6-only client asks for an AAAA record and the name only has A records, the recursive server synthesizes an AAAA by embedding the IPv4 address in the NAT64 prefix (64:ff9b::/96 by default), so the client's traffic is routed to the NAT64 gateway, which translates it to IPv4. Names that already have AAAA records are answered unchanged.
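The synthesis step behind the DNS64 diagram, as an added Python example (it is not code from the slides, and not BIND's own `dns64` implementation, which does the same mapping internally). It implements RFC 6052 address embedding for every allowed Pref64 length, the inverse mapping that a firewall or log parser needs to recover the IPv4 address from a synthesized AAAA, and the RFC 6147 rule that native AAAA records are passed through untouched. The IPv4 address 192.0.2.33 and the 2001:db8::/nn prefixes are the worked examples from RFC 6052; 64:ff9b::/96 is the Well-Known Prefix.

```python
"""RFC 6052 IPv4-embedded IPv6 synthesis, the core of what a DNS64 resolver does.

Added example; not code from the slides or from BIND.
"""
import ipaddress

WKP = "64:ff9b::/96"  # Well-Known Prefix, RFC 6052 section 2.1
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(ipv4: str, prefix: str = WKP) -> str:
    """Embed an IPv4 address in a Pref64 (RFC 6052 section 2.2).

    For a /96 the IPv4 address is simply the last 32 bits. For shorter
    prefixes the IPv4 bits are split around octet 8 (bits 64-71, the 'u'
    octet), which must stay zero, and the rest of the address is zero.
    The returned text is Python's canonical (RFC 5952) form.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    plen = net.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError("Pref64 length must be one of %s" % (VALID_PREFIX_LENGTHS,))
    v4 = int(ipaddress.IPv4Address(ipv4))
    pfx = int(net.network_address) >> (128 - plen)
    if plen == 96:
        return str(ipaddress.IPv6Address((pfx << 32) | v4))
    n_hi = 64 - plen                      # IPv4 bits that fit before the u octet
    hi = v4 >> (32 - n_hi)                # ... go directly after the prefix
    lo = v4 & ((1 << (32 - n_hi)) - 1)    # ... the rest go after the u octet
    value = (pfx << (128 - plen)) | (hi << 64) | (lo << (88 - plen))
    return str(ipaddress.IPv6Address(value))


def extract(ipv6: str, prefix: str = WKP):
    """Inverse of synthesize(): the embedded IPv4 address as text, or None
    when the address is not inside the prefix (i.e. it is a native AAAA)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    plen = net.prefixlen
    v = int(addr)
    if plen == 96:
        return str(ipaddress.IPv4Address(v & 0xFFFFFFFF))
    n_hi = 64 - plen
    hi = (v >> 64) & ((1 << n_hi) - 1)
    lo = (v >> (88 - plen)) & ((1 << (32 - n_hi)) - 1)
    return str(ipaddress.IPv4Address((hi << (32 - n_hi)) | lo))


def dns64_answer(a_records, aaaa_records, prefix: str = WKP):
    """What a DNS64 resolver hands back for an AAAA query (RFC 6147 section 5.1):
    native AAAA records are returned as they are; synthesis happens only when
    the name has no AAAA records but does have A records. A name with neither
    gets an empty answer, exactly as without DNS64."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize(a, prefix) for a in a_records]


if __name__ == "__main__":
    for p in (WKP, "2001:db8::/32", "2001:db8:100::/40", "2001:db8:122:344::/64"):
        print(p, "->", synthesize("192.0.2.33", p))
    print(dns64_answer(["192.0.2.33"], []), dns64_answer(["192.0.2.33"], ["2001:db8::1"]))
```

A recursive resolver never needs extract(); it is for the other places a DNS64 deployment touches, such as recognising in query logs or ip6tables rules that a 64:ff9b:: destination is really an IPv4 host behind the NAT64 gateway.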
  21. DNS64 server with the new system: what we had
     - We configured DNS64 on the recursive system
     - Forgot to tune the kernel and iptables
     - Forgot to calculate the log volume
  22. DNS64 server: what we faced
     - The session rate was 4k/second, then rose to 5k/second
     - Query responses got slower; some users got no response at all
     - The hard disk was about to fill up with stored logs
     - Every lookup produces two separate log lines, one for the A (IPv4) query and one for the AAAA (IPv6) query
  23. Log format of DNS64
  24. DNS64 server: action that we took
     - We were producing almost 4 GB of log files per hour
     - Configured log rotation based on file size
     - Then decided to move all logs to a central server every hour
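Sizing the log volume before it fills the disk, as an added Python example (not code from the slides or from BIND): it parses BIND 9 query-log lines in the default `queries` category format with `print-time yes`, counts the A/AAAA pairs that double the line count, measures query rate and bytes per line, and turns those into a projected hourly volume and a size-based rotation interval. The log lines are constructed for this example and use documentation addresses; the 5000 qps and 230 bytes/line used at the end are assumptions chosen to match the figures on the slides.

```python
"""Sizing BIND query logs and spotting the A+AAAA pairs behind them.

Added example; not code from the slides or from BIND.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in BIND 9's default query-log format (print-time yes).
SAMPLE_LOG = """\
20-Feb-2018 10:00:00.001 client 2001:db8:1::10#40001: query: www.example.com IN A + (2001:db8::53)
20-Feb-2018 10:00:00.002 client 2001:db8:1::10#40002: query: www.example.com IN AAAA + (2001:db8::53)
20-Feb-2018 10:00:00.250 client 2001:db8:1::20#51000: query: mail.example.net IN A + (2001:db8::53)
20-Feb-2018 10:00:00.251 client 2001:db8:1::20#51001: query: mail.example.net IN AAAA + (2001:db8::53)
20-Feb-2018 10:00:01.100 client 2001:db8:1::10#40003: query: cdn.example.org IN AAAA +E (2001:db8::53)
20-Feb-2018 10:00:01.900 client 2001:db8:1::30#6000: query: example.com IN MX + (2001:db8::53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>\S+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>\S+)\)$"
)


def parse_line(line):
    """One query-log line -> dict, or None for anything else (rotation
    markers, truncated lines, other categories mixed into the file)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return rec


def summarize(log_text, top_n=3):
    """Rate, mix and size figures for a sample of the query log."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    recs = [r for r in (parse_line(ln) for ln in lines) if r is not None]
    if not recs:
        raise ValueError("no parsable query-log lines")
    by_qtype = Counter(r["qtype"] for r in recs)
    by_client = Counter(r["client"] for r in recs)
    # (client, name) pairs that were looked up as both A and AAAA: the
    # "two lines per query" that dual-stack and 464XLAT hosts generate.
    seen = {}
    for r in recs:
        seen.setdefault((r["client"], r["name"]), set()).add(r["qtype"])
    paired = sum(1 for types in seen.values() if {"A", "AAAA"} <= types)
    first, last = min(r["ts"] for r in recs), max(r["ts"] for r in recs)
    window = max((last - first).total_seconds(), 1e-3)
    avg_line_bytes = sum(len(ln) + 1 for ln in lines) / len(lines)  # +1: newline
    return {
        "queries": len(recs),
        "by_qtype": by_qtype,
        "top_clients": by_client.most_common(top_n),
        "paired_lookups": paired,
        "window_s": window,
        "qps": len(recs) / window,
        "avg_line_bytes": avg_line_bytes,
    }


def projected_bytes_per_hour(qps, avg_line_bytes):
    """Log growth at a sustained query rate (one line per query)."""
    return int(qps * avg_line_bytes * 3600)


def seconds_until_rotate(size_limit_bytes, qps, avg_line_bytes):
    """How often a size-based rotation fires at that rate."""
    return size_limit_bytes / (qps * avg_line_bytes)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    # Assumed figures matching the slides: 5000 qps, ~230 bytes per line.
    print("GB/hour at 5000 qps:", projected_bytes_per_hour(5000, 230) / 1e9)
    print("seconds per 1 GiB rotation:", seconds_until_rotate(1 << 30, 5000, 230))
```

At 5000 queries/second and about 230 bytes per line this projects roughly 4.1 GB per hour, the figure on the slide, and a 1 GiB size-based rotation fires about every 15 minutes; the paired_lookups count shows how much of that volume is the second line of the same lookup.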
  25. DNS64 server: performance tuning
     Checked the system:
       # /sbin/sysctl net.netfilter.nf_conntrack_count
       net.netfilter.nf_conntrack_count = 262144
     Changed it:
       # sysctl -w net.netfilter.nf_conntrack_max=524288
     The count only means something next to net.netfilter.nf_conntrack_max: once the count reaches the maximum the kernel logs "nf_conntrack: table full, dropping packet" and every new flow, which on a resolver is every new UDP query, is dropped; that is the "some users get no response" symptom above. sysctl -w does not survive a reboot, so the value also belongs in /etc/sysctl.conf. A resolver gains nothing from tracking its own port 53 traffic, so the alternative to a bigger table is to exempt DNS from connection tracking (the raw table's NOTRACK target) and size the table for the flows that remain.
  26. DNS64 server: security tuning (settings for /etc/sysctl.conf)
     1. Ignore IPv6 Router Advertisements:
        net.ipv6.conf.all.accept_ra = 0
        net.ipv6.conf.default.accept_ra = 0
     2. Ignore ICMPv6 redirects:
        net.ipv6.conf.all.accept_redirects = 0
        net.ipv6.conf.default.accept_redirects = 0
     Both settings assume the server has a statically configured address and default route; with accept_ra = 0 it will not learn a router from the network.
  27. DNS64 server: to stop DAD-related attacks
        net.ipv6.conf.all.accept_dad = 0
        net.ipv6.conf.default.accept_dad = 0
        net.ipv6.conf.enp0s8.accept_dad = 0
        net.ipv6.conf.all.dad_transmits = 0
        net.ipv6.conf.default.dad_transmits = 0
        net.ipv6.conf.enp0s8.dad_transmits = 0
     This defeats the dos-new-ip6 style attack, in which a spoofed Neighbor Advertisement answers every DAD probe so the host never gets a usable address, but it does so by switching Duplicate Address Detection off entirely. That is acceptable only on servers with static addresses whose uniqueness is guaranteed by the address plan.
  28. DNS64 server: security tuning (ip6tables)
       #!/bin/bash
       ip6tables -P INPUT DROP
       ip6tables -P FORWARD DROP
       ip6tables -P OUTPUT ACCEPT
       ip6tables -I INPUT 1 -d ff02::1 -j DROP
       ip6tables -I INPUT 2 -i eth1 -m ipv6header --header dst --soft -j DROP
       ip6tables -I INPUT 3 -i eth1 -m ipv6header --header hop --soft -j DROP
       ip6tables -I INPUT 4 -i eth1 -m ipv6header --header route --soft -j DROP
       ip6tables -I INPUT 5 -i eth1 -m ipv6header --header frag --soft -j DROP
       ip6tables -I INPUT 6 -i eth1 -m ipv6header --header auth --soft -j DROP
       ip6tables -I INPUT 7 -i eth1 -m ipv6header --header esp --soft -j DROP
       ip6tables -I INPUT 8 -i eth1 -m ipv6header --header none --soft -j DROP
     As shown this is only the deny side: with an INPUT policy of DROP and no ACCEPT rules the server answers nothing, so the full rule set also needs ACCEPT rules for DNS (UDP and TCP port 53), for ESTABLISHED/RELATED traffic, and for the ICMPv6 types IPv6 cannot function without (Neighbor Solicitation and Advertisement, Packet Too Big). Two of the drops need care on a recursive resolver: dropping every fragmented packet (--header frag) discards large upstream UDP answers such as DNSSEC-signed responses unless the EDNS buffer size is lowered so that they arrive unfragmented or fall back to TCP, and dropping ff02::1 (the all-nodes multicast group) blocks Router Advertisements, which is the intent here, along with everything else sent to all nodes on the link.
  29. Do's and Don'ts
     - IPv6 is moving fast; you cannot walk slowly
     - Keep your knowledge up to date
     - No IPv6-only thinking for the infrastructure
     - Make an inventory of the existing systems
     - List the necessities you need, not what you want
  30. Top 10 countries for IPv6 support (Feb 2018) [chart]
  31. Top 10 countries by IPv6-by-default for dual-stack users [chart]
