-
8/2/2019 William Lee 376232_IPv6 Security Features Not Present in IPv4
THE FOLLOWING PRESENTATION HAS BEEN APPROVED FOR
TOURO COLLEGE BY THE I.T. ASSOCIATION OF AMERICA
THIS POWERPOINT HAS NOT YET BEEN RATED
-
June 1, 2011
William C. Lee
-
For more than three decades, this end-to-end model has sufficiently met the needs
of its users.
Since the 80s IPv4 has supported internet growth by accommodating over 4
million unique internet addresses given by Internet Service Providers.
-
However, the landscape is changing.
Despite its dominance in the industry, it is anticipated that in the near future the usage of IPv4 will yield to the more current IPv6.
Satisfying the requirements of earlier generations, IPv4 is no longer considered sufficient for the needs of the users of today due to its limited capacity for addressing as well as its inclination to security threats. IPv6 presents certain advantages to those users and companies who know how to utilize this protocol.
-
IPv4: History & Features
IPv4 was the first major version of a standardized Internet Protocol.
Initiative begun by ARPA in 1973 to advance functionality of existing protocols
By 1981 a final version was published in RFC as a standardized Internet Protocol
32 bit addressing - designers of IPv4 created a two-level structure for addressing that would utilize network number and host number, each a 32 bit field. This would allow for the possibility of generating over 4 million unique addresses. Initially many considered that this level of opportunity for volume would suit the needs of internet users; however, it has proven to be a crippling limitation. Today the internet and its users have grown so large it has now run out of IP addresses. Network Administrators were able to take precautions to combat this difficulty by implementing NAT or Network Address Translation.
Limited Security features
-
Today, the internet has grown to be a million-network network, which is something with startling consequences.
Security and addressing become more prevalent issues
-
IPv6: History & Features
IPv6 was developed in response to the evolving needs of users and businesses in a more current environment.
The Internet Engineering Task Force began work on the ENTIRELY NEW IPv6 in 1991
In 1998 the basic standards were agreed upon and implemented.
128 bit hierarchical addressing - IPv6, with its 128-bit addresses, provides globally unique and hierarchical addressing based on prefixes rather than address classes, which keeps routing tables small and backbone routing efficient.
Built-in security features
-
The importance of Security
Today, it has become a very hostile environment. Although certain techniques have been introduced to overcome some of the Internet's best known security deficiencies (SSL, IPSec, etc.), they seem to be insufficient.
At the time of its design, and keeping up with the original end-to-end model, the Internet was thought of as a friendly environment. Therefore, no security was embedded in the original architecture.
-
IPv4: Potential Threats
Denial of service attacks (DOS) - When there is an attempt to make a computer resource unavailable to users. A common method is flooding the target hosts with requests, thus preventing valid network traffic from reaching the host.
Malicious code distribution - These can propagate themselves from one infected host to another.
Man-in-the-middle attacks - An attacker is able to read, insert and modify at will messages between two hosts without either host knowing that their communication has been compromised.
Fragmentation attacks - Different operating systems have their own method to handle large IPv4 packets and this attack exploits that method. For example, the ping of death attacks. This attack uses many small fragmented ICMP packets which, when reassembled at the destination, exceed the maximum allowable size for an IP datagram, which can cause the victim host to crash, hang or even reboot.
Port scanning and other reconnaissance attacks - This is used to scan for multiple listening ports on a single host, multiple hosts or an entire network of hosts. Open ports can be used to exploit the specific hosts further. Because of the small address space, port scanning is easy in IPv4 architecture.
ARP poisoning and ICMP redirect - An ARP poison attack sends fake, or spoofed, ARP messages to a network. The aim is to associate the attacker's MAC address with the IP address of another node. Any traffic meant for that IP address would be mistakenly sent to the attacker instead.
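The fragmentation case above can be caught before reassembly by checking each fragment's offset and length against the 65,535-byte datagram limit. The following is an added example, not part of the original presentation; the sample fragments are constructed and use documentation addresses (192.0.2.0/24).

```python
import struct

MAX_DATAGRAM = 65535  # largest size the 16-bit IPv4 Total Length field can express

def reassembled_size(fragment: bytes) -> int:
    """Size the whole datagram must reach to hold this fragment's data."""
    if len(fragment) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack_from("!BBHHH", fragment)
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len:
        raise ValueError("not a well-formed IPv4 header")
    offset = (flags_frag & 0x1FFF) * 8  # the offset field counts 8-byte units
    return header_len + offset + (total_len - header_len)

def is_oversized(fragment: bytes) -> bool:
    """True when reassembling this fragment would exceed the datagram limit."""
    return reassembled_size(fragment) > MAX_DATAGRAM

def build_fragment(offset_units: int, data_len: int, more: bool) -> bytes:
    """Constructed test input: an ICMP fragment header plus zeroed data."""
    flags_frag = (0x2000 if more else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + data_len, 0x1234,
                         flags_frag, 64, 1, 0,  # TTL 64, protocol 1 (ICMP), checksum unset
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + bytes(data_len)

# Constructed samples: two ordinary fragments and one whose end passes 65,535.
SAMPLES = [
    build_fragment(0, 1480, True),
    build_fragment(185, 1480, True),
    build_fragment(8189, 1480, False),
]

def scan(fragments):
    """Return (reassembled size, oversized?) for every fragment."""
    return [(reassembled_size(f), is_oversized(f)) for f in fragments]

if __name__ == "__main__":
    for size, flagged in scan(SAMPLES):
        print(f"{size:6d} bytes  {'DROP: exceeds 65535' if flagged else 'ok'}")
```
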
-
IPv6: Security Improvements
Large address space
Built-in IPSec
Authentication Header
Encapsulating Security Payload
Transport and Tunnel Modes
Protocol Negotiation and Key Exchange Management
Neighbor Discovery and Address Autoconfiguration
-
IPv6: Security Improvements
Large address space
Port scanning is used today to listen to specific
services that could be linked to known weaknesses.
Scanning ports on IPv4 is very simple because in most
addresses only 8 bits are allocated for host
addressing. Scanning a larger address, such as
IPv6 with its 128 bit encryption, becomes more difficult.
-
IPv6: Security Improvements
Built-in IPSec
IPSec was an optional feature in IPv4. IPSec is
required in the IPv6 protocol, mandated by RFC 4301.
IPsec consists of cryptographic protocols that
provide a safe communication and key exchange
-
IPv6: Security Improvements
Authentication Header
Authentication header (AH) provides the
authentication confidentiality and data integrity.
Authentication header protocol prevents packets
from being changed or tampered with.
-
IPv6: Security Improvements
Encapsulating Security Payload
Encapsulating Security Payload does the same as
Authentication header, however also provides
confidentiality. In this header there is a field that
identifies what group of security parameters the
sender is using to secure communications; this is
called the security parameter index (SPI).
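To show where the SPI sits on the wire, the following added example (not part of the original presentation) walks an IPv6 next-header chain and reads the SPI and sequence number from any AH or ESP header it meets. The sample packet is constructed, with zeroed addresses and made-up SPI values.

```python
import struct

# IANA protocol numbers for the headers this walker understands.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
CHAINED = (HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS)

def find_ipsec_headers(packet: bytes):
    """Follow the next-header chain; return [(name, spi, sequence), ...]."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, pos, found = packet[6], 40, []
    while next_header in CHAINED:
        if pos + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == ESP:
            spi, seq = struct.unpack_from("!II", packet, pos)
            found.append(("ESP", spi, seq))
            break  # everything after the ESP header is encrypted
        following, length_field = packet[pos], packet[pos + 1]
        if next_header == AH:
            if pos + 12 > len(packet):
                raise ValueError("truncated authentication header")
            size = (length_field + 2) * 4  # AH length is in 4-byte units, minus 2
            spi, seq = struct.unpack_from("!II", packet, pos + 4)
            found.append(("AH", spi, seq))
        elif next_header == FRAGMENT:
            size = 8                       # fragment header has a fixed size
        else:
            size = (length_field + 1) * 8  # 8-byte units, first 8 not counted
        next_header, pos = following, pos + size
    return found

def sample_packet() -> bytes:
    """Constructed packet: hop-by-hop options, then AH, then ESP."""
    hop = bytes([AH, 0, 1, 4, 0, 0, 0, 0])  # one PadN option fills the header
    ah = struct.pack("!BBHII", ESP, 4, 0, 0x1001, 7) + bytes(12)  # zeroed 12-byte ICV
    esp = struct.pack("!II", 0x2002, 7) + bytes(16)               # opaque payload
    body = hop + ah + esp
    fixed = struct.pack("!IHBB", 6 << 28, len(body), HOP_BY_HOP, 64) + bytes(32)
    return fixed + body

if __name__ == "__main__":
    for name, spi, seq in find_ipsec_headers(sample_packet()):
        print(f"{name}: SPI=0x{spi:08x} sequence={seq}")
```
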
-
IPv6: Security Improvements
Transport and Tunnel Modes
IPSec provides two modes of securing traffic:
Transport and Tunnel Mode. Transport mode is intended to provide secure communication
between endpoints by securing only the packet's
payload. Tunnel mode is intended to protect the
entire IPv4 packet. However, in IPv6 networks,
there is no need for a tunnel mode
-
IPv6: Security Improvements
Protocol Negotiation and Key Exchange Management
Key exchange management provides much
functionality to communicate between parties. It
negotiates with other people's protocols,
encryption algorithms and keys. It can simply
exchange keys as well as change them.
Additionally, it keeps track of all agreements.
-
IPv6: Security Improvements
Neighbor Discovery and Address Autoconfiguration
IPv6 Neighbor Discovery is a way to give nodes
the ability to discover other nodes' link-layer
addresses on the local link. It can also find routers
on the local link; this assists in detecting when a
local node becomes unreachable, resolving
duplicate IP addresses, and for routers to alert other
nodes when another router is needed
-
IPv6
Though IPv6 addresses many of the deficiencies present in IPv4, it is by no means a perfected system.
Source trouble through processing all stacks by extension header
Potential for security breaches during transitioning between IPv4 and IPv6