IPv6 Implementation - The Naked Truth
By Dr. Omar Amer Abouabdalla
IPv6 Global Sdn. Bhd.
Things to Connect to Internet
Why IPv6???
No more room in IPv4
Quite empty in IPv6
IPv6 Implementation
Where to start???
CORE to EDGE
Core to Edge
• Core devices are usually the safest place to add IPv6.
• Address more difficult issues such as security and management.
• Gain operational experience before going to the edge.
• Considered the best approach when using a dual-stack strategy.
Edge to Core
• More difficult.
• Relies more on tunneling.
• Faster when you need to connect endpoints to data centers and apps that are IPv6-enabled.
• When older devices in the core cannot support IPv6.
Talking Behind My Back?
Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!
Unfamiliarity Causes Misconfigurations
Many network administrators and IT practitioners are still relatively unfamiliar with all of IPv6’s “ins and outs”.
Common issues:
• Not realizing IPv6 is already in their network
• Ignorance of tunneling mechanisms
• Lack of ACL policy for IPv6
• Unawareness of potential privacy issues
• Just to get it to work
Automatic Addressing May Pose Privacy Concerns
Stateless Address Autoconfiguration (SLAAC) could automatically create an EUI-64 address. However, this makes your MAC address public, which you may consider a privacy issue.
1. MAC Address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
There are options to rectify this issue:
• Privacy Enhanced Addresses [RFC 3041]
• Cryptographically Generated Addresses (CGA) [RFC 3972]
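The EUI-64 derivation from the four numbered steps, together with the reverse check that shows which observed addresses expose a MAC, as an added example (not from the original slides). It goes slightly beyond the slide by inverting the 7th bit as RFC 4291 specifies; the /64 prefix and the `OBSERVED` list are constructed sample values.

```python
import ipaddress

def mac_to_iid(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC (slide steps 1-4)."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # RFC 4291 inverts the 7th bit (universal/local); for a vendor-assigned
    # MAC such as the slide's, that is the same as setting it to 1.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return net.network_address + int.from_bytes(mac_to_iid(mac), "big")

def recover_mac(addr: str):
    """Return the MAC embedded in an EUI-64 address, or None if absent."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)

def audit(addresses):
    """Map each address that exposes a MAC to the MAC it exposes."""
    return {a: m for a in addresses if (m := recover_mac(a))}

# Constructed sample: addresses as they might appear in a neighbor table.
OBSERVED = [
    str(slaac_address("2001:db8:0:12::/64", "90-3A-2B-06-2C-D1")),
    "2001:db8:0:12:5c1e:93a7:41d0:8be2",   # randomized identifier
    "fe80::923a:2bff:fe06:2cd1",            # link-local, same interface
]

if __name__ == "__main__":
    for addr, mac in audit(OBSERVED).items():
        print(f"{addr} exposes MAC {mac}")
```

Running `audit` over a neighbor-table export shows which hosts still use EUI-64 identifiers and would benefit from the privacy options listed on the slide.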
IPv6 Security Controls Lagging
Hacking Arsenal/Tools
• Attackers already have many IPv6-capable tools:
THC-IPv6 Attack Suite
Alive6
Parasite6
Redir6
Fake_Router6
Detect-New-IPv6
DoS-New-IPv6
Smurf6
rSmurf6
TooBig6
Fake_MIPv6
Fake_mld6
Fake_Advertiser6
SendPees6
DNSDict6
Trace6
Flood_Router6
Flood_Advertise6
Fuzz_IP6
etc…
Unfortunately, IPv6 security controls and products seem to be a bit behind.
THC-IPv6 Attack Suite
Nmap
Wireshark
Multi-Generator (MGEN)
IPv6 Security Scanner (vscan6)
Halfscan6
Strobe
Netcat6
Imps6-tools
Relay6
6tunnel
NT6tunnel
VoodooNet
Scapy6
Metasploit (etc.)
Web Browsers (XSS & SQLi)
TCPDump
COLD
Spak6
Isic6
Hyenae
SendIP
Packit
4to6ddos
6tunneldos
IPv6 Tunnels Concerns
• Tunnels often interconnect networks over areas supporting the “wrong” version of the protocol.
• Tunnel traffic is often not anticipated by the security policies.
• It may pass through firewall systems due to their inability to check two protocols at the same time.
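A detection sketch for the tunnel concern above, added here as an example and not part of the original slides: it inspects raw IPv4 packets for IPv6 carried inside them, either directly (IP protocol 41) or over UDP port 3544 (Teredo), and reports the inner IPv6 endpoints. The packets in `SAMPLES` are constructed with documentation addresses.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_6IN4, TEREDO_PORT = 17, 41, 3544

def inner_ipv6(payload: bytes):
    """Return (src, dst) if payload starts with a full IPv6 header, else None."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv6Address(payload[8:24])),
            str(ipaddress.IPv6Address(payload[24:40])))

def classify(packet: bytes):
    """Return (tunnel_type, inner_src, inner_dst) for an IPv4 packet, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_6IN4:               # IPv6 carried directly in IPv4
        inner = inner_ipv6(payload)
        return ("6in4", *inner) if inner else None
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Simplification: Teredo packets with authentication or origin
        # indication headers before the IPv6 header are not matched.
        inner = inner_ipv6(payload[8:]) if TEREDO_PORT in (sport, dport) else None
        return ("teredo", *inner) if inner else None
    return None

def build_ipv6(src, dst):
    """Constructed 40-byte IPv6 header, next header 59 (no payload)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def build_ipv4(proto, payload):
    """Constructed IPv4 header (checksum left 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed) + payload

V6 = build_ipv6("2001:db8::1", "2001:db8::2")
SAMPLES = {
    "6in4": build_ipv4(PROTO_6IN4, V6),
    "teredo": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 48, 0) + V6),
    "dns": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, 53, 8, 0)),
}
```

A non-None result on a network whose policy was written only for IPv4 is exactly the unanticipated tunnel traffic the slide describes.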
Dual-stack (RFC 4213)
•Dual stack nodes interoperate directly with both IPv4 and IPv6 nodes.
•Must provide a DNS resolver library capable of dealing with the IPv4 A records as well as the IPv6 AAAA records.
Dual Stack
IPv6 Dual Stack Implementation
• The primary concerns are in hardware and software.
• Hardware must be evaluated in the network infrastructure to see if there is proper memory for route tables and the switch forwarding tables to handle IPv6 routes and packets.
• Software on the network infrastructure must support IPv6 configuration and routing protocols, while operating systems on the host side must also be IPv6 capable.
IPv6 Dual-Stack Implementation Requirements
• Maintaining the same service level and security posture for the dual-stack environment (IPv4 and IPv6) as for IPv4 alone.
• Keeping costs down.
• Scheduling equipment and software upgrades.
• Making sure that Internet service providers and software vendors (for monitoring, content distribution, and more) could work with IPv6.
IPv6 Dual-Stack Implementation
The
• Do we have the skill and knowledge?
• Do we need to build a non-production IPv6 network with dual-stack servers?
Risks of Dual-stack Configurations
• Device simultaneously supports IPv4 and IPv6.
• Network management tools designed for an IPv4 network may not work the same way in an IPv6 environment.
• Many existing host and network security and administration tools may not provide full-fledged support for IPv6.
• Firewall rule sets and other security controls that stop unwanted IPv4 traffic are unlikely to be effective at stopping any IPv6 traffic.
• Need parallel security rules to address IPv6 traffic.
IPv6 ACLs are different
• IPv6 supports only extended ACLs.
• No wildcard masking in IPv6 ACLs.
• To prevent subnet A from reaching subnet B over IPv4:
deny 192.168.12.0 0.0.0.255
• To prevent subnet A from reaching subnet B over IPv6:
deny ipv6 2001:db8:0:12::/64 any
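A parity check for the "parallel security rules" point, added here as an example and not part of the original slides: it reads ACL lines in the two forms shown on the slide, converts each IPv4 wildcard mask to a prefix, and reports IPv4 deny entries that have no matching IPv6 deny. The `SUBNET_MAP` addressing plan and the `ACL` sample lines are constructed assumptions.

```python
import ipaddress

# Constructed dual-stack addressing plan: IPv4 subnet -> IPv6 prefix on the same segment.
SUBNET_MAP = {
    "192.168.12.0/24": "2001:db8:0:12::/64",
    "192.168.13.0/24": "2001:db8:0:13::/64",
}

def wildcard_to_network(addr: str, wildcard: str):
    """Return the IPv4Network for addr + wildcard mask, or None if the
    wildcard bits are not contiguous (no prefix can express it)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                      # contiguous masks have the form 2**n - 1
        return None
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - wc.bit_length()))

def audit(acl_lines, subnet_map=SUBNET_MAP):
    """Return findings for IPv4 deny rules lacking an IPv6 counterpart."""
    v4_denied, v6_denied, findings = [], set(), []
    for line in acl_lines:
        tok = line.split()
        if tok[:2] == ["deny", "ipv6"] and len(tok) >= 3:
            v6_denied.add(ipaddress.IPv6Network(tok[2]))
        elif tok[:1] == ["deny"] and len(tok) == 3:
            net = wildcard_to_network(tok[1], tok[2])
            if net is None:
                findings.append(f"{line}: non-contiguous wildcard, no single IPv6 prefix equivalent")
            else:
                v4_denied.append((line, net))
    for line, net in v4_denied:
        v6 = subnet_map.get(str(net))
        if v6 is None:
            findings.append(f"{line}: no IPv6 prefix mapped for {net}")
        elif ipaddress.IPv6Network(v6) not in v6_denied:
            findings.append(f"{line}: missing 'deny ipv6 {v6} any'")
    return findings

# Constructed sample ACL: the first two lines are the pair from the slide.
ACL = [
    "deny 192.168.12.0 0.0.0.255",
    "deny ipv6 2001:db8:0:12::/64 any",
    "deny 192.168.13.0 0.0.0.255",
    "deny 10.0.0.1 0.0.255.0",
]

if __name__ == "__main__":
    for finding in audit(ACL):
        print(finding)
```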
Other Problems with Dual-stack
• Manage and monitor two Layer 3 stacks.
• Every interface requires both an IPv4 address and an IPv6 address.
• It does not make sense in environments where IPv6 is being implemented specifically because IPv4 addresses cannot be acquired.
• The router contains two independent routing tables.
• One for IPv4 addressing, the other for IPv6 addressing.
IPv6 Dual-Stack Implementation
• Most effective transition mechanism.
• Allows for migrating devices on a more gradual basis, rather than all at once.
The
What is good about Dual-stack?
• Implementation of IPv6 using dual stacks is the simplest approach.
• The change is driven by DNS.
• At the upper protocol layers, an application can use either IPv4 or IPv6 to communicate.
• Both IPv4-only and IPv6-only devices can communicate with a dual-stacked node.
• It is the simplest approach to adding IPv6 support to a group of interconnected routers.
• Integrated routing protocol (IS-IS and BGP).
• Version-specific routing protocols (OSPF).
What is good about Dual-stack? Cont..
• The approach is transparent to the end users.
• Fewer pieces of equipment need to be converted.
• In this approach, only the backbone or core routers need to be converted first.
• No tunneling mechanisms in the internal network are required, nor are the headaches that can occur when using them.
The Big IPv6 Security Question
Readiness Assessment
Implementation Strategy & Framework
Implementation Conformance
Audit
IPv6 Deployment
Pre-deployment Deployment Post-deployment
4 Steps for Proper Migration