©2005 Check Point Software Technologies Ltd. Proprietary & Confidential
IPv6 Security Topics
TAU Security Forum, February 2005
Yoni Appel
IPv6 Project Manager
Agenda
– Novelties in IPv6
  – A short overview
– IPv6 deployment today
  – Asia
  – Cellular industry
  – U.S. Department of Defense
  – Academia
– Security topics with IPv6
  – New network stacks and logic
  – Application security
  – End to end encryption
  – Transition and tunneling
Novelties in IPv6
Novelties in IPv6
– Address size is 128 bits
  – 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IP addresses
  – Efficient addressing
– Simpler header format, reduced number of fields
– Offload computation effort from the router to the end points
  – Fragmentation handled by the end points
  – Extension headers
– Built-in authentication and encryption
– Address auto-configuration
IPv6 deployment today
Asia
– Major investment in IPv6 infrastructure is made by governments and technology vendors
– This effort is driven mainly by the shortage of IPv4 addresses
Asia – Japan
– In Japan there is a strong collaborative effort to push IPv6 by government, vendors and service providers
– Such collaboration is the key for solving the “Chicken and Egg” problem, which is a main theme for IPv6
  – A native IPv6 link is already available for homes in Japan
  – NTT/Verio has built a worldwide IPv6 backbone
Asia – Japan cont.
– Webcam, VoIP and other end point equipment vendors are adding IPv6 support
– 18 M$ allocated by the Japanese government for IPv6 R&D
– IPv6 networks roll out during 2005
Asia – China
– CNGI – China Next Generation Internet rolls out during 2005
– The project will be the core of China’s infrastructure for 3G and other telecommunication services for the next decades
– 169 M$ will be invested in IPv6 infrastructure by 2010
Asia – additional countries
– Substantial government investment will also be made in the next few years in additional Asian countries
  – 72 M$ in South Korea
  – 78 M$ in Taiwan
Cellular industry
– The mobile phone – a killer application for IPv6
– Handsets supporting IPv6 are ready
– 3GPP release 5 introduces IMS – IP Multimedia Subsystem
– IMS is based on SIP and will enable advanced mobile services
  – Video streaming
  – Gaming
  – Chat
– IMS requires usage of IPv6
U.S. Department of Defense
– The DoD plans transition to IPv6 by 2008
– The DoD’s efforts are driven by the needs of the future battlefield
– Intensive industry-wide IPv6 testing is conducted in the Moonv6 interoperability events
– The transition will affect DoD partners and major contractors
Academia
– Universities worldwide are experimenting with IPv6
– Fully active deployments in many universities
Security topics with IPv6
New IP stacks
– More devices are connected to the web and are more widely accessible as there is no NAT
– Low end devices are less flexible and have little security awareness
– New IP logic and new IP stack implementations will result in new vulnerabilities, and tweaks in the old ones
New IP stacks – examples
– The Rose Attack – incomplete fragments causing resource exhaustion at the attacked node
– Denial of Service attacks – we have witnessed several attacks during the last year where a series of crafted packets caused a crash at the attacked node – both routers and hosts
– Many IPv6 stacks may be vulnerable to this kind of attack
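The defence against the incomplete-fragment exhaustion described above is to bound reassembly state. The following is an added example, not code from the deck or from Check Point: a toy reassembler that caps pending datagrams per source and in total and expires stale ones. Fragment records and addresses are constructed, and offsets are in bytes rather than the 8-octet units of a real IPv6 Fragment header.

```python
from collections import OrderedDict

class Reassembler:
    """Fragment reassembly with hard limits on pending (incomplete) datagrams."""

    def __init__(self, max_pending_per_src=4, max_pending_total=64, timeout=60.0):
        self.max_per_src = max_pending_per_src
        self.max_total = max_pending_total
        self.timeout = timeout
        self.pending = OrderedDict()   # (src, ident) -> {"first_seen", "chunks", "total"}
        self.dropped = 0               # datagrams refused or expired

    def _expire(self, now):
        """Drop datagrams that have waited longer than `timeout` for their missing pieces."""
        for key in [k for k, v in self.pending.items() if now - v["first_seen"] > self.timeout]:
            del self.pending[key]
            self.dropped += 1

    def fragment(self, now, src, ident, offset, more, data):
        """Feed one fragment; return the reassembled payload when complete, else None."""
        self._expire(now)
        key = (src, ident)
        if key not in self.pending:
            per_src = sum(1 for k in self.pending if k[0] == src)
            if per_src >= self.max_per_src or len(self.pending) >= self.max_total:
                # Refuse new state instead of letting one sender fill the table.
                self.dropped += 1
                return None
            self.pending[key] = {"first_seen": now, "chunks": {}, "total": None}
        entry = self.pending[key]
        entry["chunks"][offset] = data
        if not more:
            entry["total"] = offset + len(data)   # last fragment fixes the datagram size
        if entry["total"] is None:
            return None
        covered = 0
        for off in sorted(entry["chunks"]):
            if off != covered:
                return None                      # gap (or overlap): still incomplete
            covered += len(entry["chunks"][off])
        if covered != entry["total"]:
            return None
        del self.pending[key]
        return b"".join(entry["chunks"][o] for o in sorted(entry["chunks"]))
```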
Sweep Scan
– A worm scans a network to see which nodes are candidates for it to spread itself to, e.g. which nodes are listening on a specific port
– The Welchia worm used a ping-based sweep scan for its propagation
– With IPv6, sweep scans are less practical as there will be numerous IP addresses on the local network
– Sweep scans can be detected before locating a critical mass of possible propagation candidates
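One way to turn the last point into detection logic, as an added example that is not part of the deck: a scanner in a /64 cannot avoid probing addresses no live host uses, so counting echo requests to silent addresses per source and /64 flags it early. The log format, addresses (2001:db8::/32) and threshold are constructed.

```python
import ipaddress
from collections import defaultdict

SWEEP_THRESHOLD = 8   # distinct never-seen hosts probed in one /64 before flagging

# Constructed flow-log lines (hypothetical format): protocol, kind, then src=/dst= fields.
LOG_LINES = [
    "icmp6 echo-request src=2001:db8:1::10 dst=2001:db8:1::20",   # benign host, live peer
    "icmp6 echo-reply src=2001:db8:1::20 dst=2001:db8:1::10",
    "icmp6 echo-request src=2001:db8:1::10 dst=2001:db8:1::30",   # one probe to a silent address
] + [
    # constructed scanner walking consecutive low addresses in the same /64
    f"icmp6 echo-request src=2001:db8:1::bad dst=2001:db8:1::{i:x}" for i in range(0x100, 0x10c)
]

def parse(line):
    """Return (kind, src, dst) from one constructed log line."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[2:])
    return tokens[1], ipaddress.IPv6Address(fields["src"]), ipaddress.IPv6Address(fields["dst"])

def detect_sweeps(lines, threshold=SWEEP_THRESHOLD):
    """Map each sweeping source to the /64 it is probing.

    Any address that has sent a packet counts as a live host. A source whose
    echo requests reach >= threshold distinct silent addresses inside one /64
    is reported, long before it could have found many live targets.
    """
    records = [parse(line) for line in lines]
    live = {src for _, src, _ in records}
    probes = defaultdict(set)   # (src, /64) -> silent destinations probed
    for kind, src, dst in records:
        if kind == "echo-request" and dst not in live:
            net = ipaddress.IPv6Network((dst, 64), strict=False)
            probes[(src, net)].add(dst)
    return {str(src): str(net) for (src, net), dsts in probes.items() if len(dsts) >= threshold}
```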
Application security
– Applications that deal extensively with IP addresses may be vulnerable due to
  – fast application conversions of legacy code
  – incorrect buffer handling
  – incorrect address calculations
  – different applicative logic related to IPv6
– Servers are exposed to application level attacks even in an IPv6 experimentation environment
DNS – An Application Security example
– New resource record types have been added for IPv6 – AAAA, A6 and DNAME
– The A6 and DNAME resource records support a distributed database containing partial information regarding IPv6 addresses
– BitString labels – a new way of representing IPv6 addresses in DNS
– IPv6 resource records can pass in IPv4 DNS requests
End to End Encryption
– IPv6 mandates encryption as an integral part of an endpoint’s implementation
– This method has notable advantages
  – Prevents eavesdropping inside the LAN
  – Simplifies the security requirements at the application layer
  – Increases interoperability
End to End Encryption
– End to end encryption implies network and application security at the endpoints
– However the endpoint may lack the required abilities to address security at design and deployment phases
  – Awareness
  – Expertise
  – Responsiveness
  – Flexibility
  – Distribution mechanism
Transition Mechanisms
– There are several transition mechanisms between IPv6 and IPv4
  – NAT-PT – translates IPv6 to IPv4 and vice versa
  – SIT – Six in Tunnel (several methods)
  – Teredo – a NAT-friendly IPv4 tunnel (based on UDP encapsulation)
Transition and tunneling
– IPv6 in IPv4 may be used by malicious applications to bypass security inspections
– It is best practice to
  – Block all of these tunnels for IPv4 deployments, or
  – Be the endpoint of these tunnels and make sure that the encapsulated traffic gets inspected
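Either best practice starts with recognising the encapsulation. The following is an added example, not code from the deck or from Check Point: a classifier that spots 6in4 (IPv4 protocol 41) and Teredo (IPv6 inside UDP on IANA port 3544) in raw IPv4 packets and exposes the inner IPv6 flow so an IPv4-only inspection point can apply policy to it. Sample packets are constructed from documentation address ranges.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 6, 17, 41   # 41 = IPv6 encapsulated in IPv4
TEREDO_PORT = 3544                                   # IANA-assigned Teredo UDP port

def build_ipv4(proto, src, dst, payload):
    """Constructed 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                       0, 0, 64, proto, 0, src, dst) + payload

def build_ipv6(next_header, src, dst, payload):
    """Constructed 40-byte IPv6 header (version 6, hop limit 64) plus payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

def classify(pkt):
    """Return (kind, inner_ipv6_bytes) for a tunnelled IPv4 packet, else (None, None).

    Handles 6in4 (protocol 41) and plain Teredo (IPv6 directly after the UDP
    header); Teredo origin/authentication indications are not decoded here.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None, None
    ihl = (pkt[0] & 0x0F) * 4
    proto, inner = pkt[9], pkt[ihl:]
    if proto == IPPROTO_IPV6 and len(inner) >= 40 and inner[0] >> 4 == 6:
        return "6in4", inner
    if proto == IPPROTO_UDP and len(inner) >= 8:
        sport, dport = struct.unpack("!HH", inner[:4])
        data = inner[8:]
        if TEREDO_PORT in (sport, dport) and len(data) >= 40 and data[0] >> 4 == 6:
            return "teredo", data
    return None, None

def inner_flow(ipv6):
    """(next_header, src, dst) of the encapsulated packet: what the inspection policy keys on."""
    return ipv6[6], ipv6[8:24].hex(), ipv6[24:40].hex()

# Constructed samples using documentation ranges (2001:db8::/32, 192.0.2.0/24).
_V6_SRC = bytes.fromhex("20010db8000000000000000000000001")
_V6_DST = bytes.fromhex("20010db8000000000000000000000002")
_V4_A, _V4_B = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])
_INNER = build_ipv6(IPPROTO_TCP, _V6_SRC, _V6_DST, b"\x00" * 20)
SAMPLE_6IN4 = build_ipv4(IPPROTO_IPV6, _V4_A, _V4_B, _INNER)
SAMPLE_TEREDO = build_ipv4(IPPROTO_UDP, _V4_A, _V4_B,
                           struct.pack("!HHHH", 40000, TEREDO_PORT, 8 + len(_INNER), 0) + _INNER)
SAMPLE_PLAIN = build_ipv4(IPPROTO_TCP, _V4_A, _V4_B, b"\x00" * 20)   # ordinary IPv4 TCP, no tunnel
```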
Questions?