irish ipv6 task force

Irish IPv6 Task Force - Irish IPv6 Task Force - http://www.ipv6.ie/http://www.ipv6.ie/

Irish IPv6 Task Force

IPv6 and Security


Irish IPv6 Task ForceIrish IPv6 Task ForceIPv6 Training Slide-setsIPv6 Training Slide-sets

1. The Bigger Picture: Why is IPv6 so Important?

2. IPv6 Deployment & Strategy (technical)

3. Introduction to IPv6 Fundamentals (technical)

4. The Business Case for IPv6

5. Mobile IPv6 (technical)

6. IPv6 Quality of Service (technical)

7. IPv6 Security (technical) <- This slide set is seventh in a series


Presentation Presentation StructureStructure

• Introduction to Security Problems

• What's new with IPv6& IPv6 Overview

• Problem solved?

• IPv6 and the “Anatomy of a Hack”

• Final thoughts


Introduction to Security Problems


Introduction to Security Introduction to Security ProblemsProblems

• Security - isn’t it all solved?

• Conventional threats

• Wireless systems now

• A vision of the future

• Protection now

• Protection in the future


Whats the problem?Whats the problem?

• We have firewalls and Intrusion Detection Systems –so we’re safe from outside attack

− They never give false positives and are trivial to configure

• VPNs, RADIUS, SSH, etc. allow secure remote access− These are all user friendly and easy to use

• PKI can be used to determine identity− And DNSsec is in operation world-wide

• S/MIME or PGP protects mail− We all use secure email

• SSL/TLS protects web access − Phishing attacks don’t work

• Virus scanning is effective− So virii are a thing of the past

• Security patches can be applied centrally –SMS− The patches never break anything

• IPv6 has complete built-in security− Which is widely deployed

• And Pigs can fly!


Why is there a problem?Why is there a problem?

• Hostile environment (motivations for attack vary)−Industrial Espionage−Ddos threats/extortion

• Lack of security consciousness

• Lots of potential points of attack

• Policies are often seen as unacceptable

• No regulatory framework

• Legal aspects unclear


Pearls of wisdomPearls of wisdom

• If you believe that encryption (or firewalls or

Intrusion Detection Systems) are the answer to all

your security problems, then you probably asked

the wrong question.

• Security is about securing a system.

• Security is a process NOT a product.

• Over-concentration on technology is deeply naïve.

• However if you do major changes, like IPv4 to

IPv6,you must ensure you have not introduced new

problems.


Network ThreatsNetwork Threats

• Passive tap

• Active tap

• Denial of service

• Faking/replay

• Traffic analysis


Other ThreatsOther Threats

• Physical attack

• Trojan Horses, viruses, worms, logic bombs

• Passwords

• Loopholes

• Collusion

• Accidental access

• Tempest

• Social Engineering


Cost Effective SecurityCost Effective Security

• Absolute security?− It is fictional in network connected system.

• Security = delay = cost to an attacker.

• Security costs to implement.

• So it is a compromise− Evaluate risks− Evaluate cost of losses − Don’t spend more than this− This is difficult because

• don’t know motivation of attacker• don’t know value of information or goodwill


New ProblemsNew Problems

• Infrastructure doesn’t protect data

• Applications can’t be trusted to secure data

• New forms of virii?

• Security in mobile devices not standardised (many

OS)

• Devices easy to lose (or steal) or break

• Radio is a broadcast medium

• Most mobile devices come with security disabled

• Data loss is painful; the more so the more one

relies on it


What is new with IPv6 & IPv6 Overview


What is new with IPv6?What is new with IPv6?

• Security was considered from the beginning in IPv6 − One can rely on certain features existing

• When new services were considered, their security was part of IPv6 thinking

• Some of the areas where the thinking is obvious are: − Threats to Mobile access and Mobile IP − Cryptographically generated addresses − Protocols for Authentication and Network Access − IPsec

• Making intrusion harder


IPv6 OverviewIPv6 Overview • Expands addresses to 128 bits• Formalised address boundaries• IPSec (backported to IPv4 some time ago)• Quality of Service (QoS) typing• Stateless and stateful address autoconfiguration• Dynamic address renumbering

• Transition tunnels and translators

• Robust resistance to brute force scanning• No broadcast addresses

• It is NOT just IPv4 with bigger addresses!


IPv6 OverviewIPv6 Overview

• IPv6 has been around for many years

• IPv6 is still under development

• IPv6 will have new bugs that don't exist in IPv4

• Few bugs derive exclusively from the IP layer

• Few vulnerabilities derive exclusively from the IP

layer

• A lot of IPv6 is very similar to IPv4

• Lessons learned in IPv4 should give IPv6 a better

start


IPv6 and IPsecIPv6 and IPsec • General IP Security mechanisms

• provides − Authentication− Confidentiality − key management -requires a PKI infrastructure (IKEv2)

• applicable to use over LANs, across public & private WANs, & for the Internet

• IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.

• IPSec is mandated in IPv6 –you can rely on for end-to-end security


What is IPsec?What is IPsec? • Work done by the IETF IPsec Working Group

• Applies to both IPv4 and IPv6 and its implementation is: − Mandatory for IPv6− Optional for IPv4

• IPsec Architecture: RFC 2401

• IPsec services− Authentication − Integrity− Confidentiality − Replay protection

• IPsec modes: Transport Mode & Tunnel Mode

• IPsec protocols: AH (RFC 2402) & ESP (RFC 2406)


IPsec Architecture IPsec Architecture

(RFC2401)(RFC2401)

• Security Policies: Which traffic is treated?

• Security Associations: How is traffic

processed?

• Security Protocols: Which protocols

(extension headers) are used?

• Key Management: Internet Key Exchange

(IKEv2)

• Algorithms: Authentication and Encryption


IPsec IPsec ModesModes

• Transport− Above the IP level− Below the Transport Level− Only the IP datagram payload is protected− Usage

• Host to Host Service

• Tunnel Mode− IP within IP− Below the Transport Level− All the tunneled IP datagrams are protected− Usage

• Host to Host Service• Gateway to Gateway• Host to Gateway


IPsec ProtocolsIPsec Protocols

• Authentication Header (AH)− RFC 2402

− Provides• Connectionless Integrity • Data origin authentication• Replay protection

• Encapsulating Security Payload Header (ESP)− RFC 2406− Provides

• Connectionless Integrity • Data origin authentication• Replay protection• Confidentiality


IPsec Protocols, modes and IPsec Protocols, modes and combinationscombinations

Transport Mode Tunnel Mode

AH Authenticates IP payload

and selected portions of IP

header

Authenticates entire inner

IP datagram (header &

payload) and selected

portions of the outer IP

header

ESP Encrypts IP payload Encrypts inner IP datagram

ESP with

Authentication

Encrypts IP payload and

authenticates IP payload

but not IP header

Encrypts and authenticates

inner IP datagram


IPsec Key IPsec Key ManagementManagement

• Manual− Keys configured statically on each system

• Automatic: IKEv2 (RFC 4306 - Internet Key

Exchange (IKEv2) Protocol)− IKE performs mutual authentication between two

parties and establishes an IKE security association (SA) that includes shared secret information that can be used to efficiently establish Security Associations for Enciphering and or Authenticating purposes

− Also automatically establishes a common set of cryptographic algorithms to be used.


Problem

solved?


Problem Solved?Problem Solved?

• IPsec doesn’t solve all our problems

• Other Issues to consider−Transition Mechanisms

• All the ways you didn’t know of getting in and out of your network

−Scanning and Addresses−Broadcasts


Transition MechanismsTransition Mechanisms

• Intended to promote IPv6 adoption and interoperability

• Compatibility addresses aid IPv4 – IPv6

communications

• SIT (Six in Tunnel) / 6in4

• 6to4 Automatic SIT tunnels

• IPv6 over UDP in various encapsulations

• 6over4

• Proxy Services, Services, and Protocol Bouncers

• DSTM and 4in6 provides reverse transition support

• Translators (NAT-PT, TRT)


6to4/SIT6to4/SIT

• Simple Internet Transition / Six In Tunnel

• Protocol 41 (iPv6) in IPv4

• Basis for several IPv6 tunnel schemes− Static SIT tunnels use preconfigured endpoints− Tunneling at the heart of ISATAP routed addresses

• Can pass “many” IPv4 NAT devices (proto 41 forwarding)− Not reliable and not preferred over NAT

• Most tunnel brokers provide IPv6 through SIT tunnels− Some (OCCAID, Hurricane Electric) only provide 6in4 tunnels

• 6to4 provides autoconfigured 6in4 tunnels− 2002::/16 prefix− Assigns a /48 IPv6 network to every IPv4 address!− No tunnel brokers or static configuration required


IPv6 over IPv6 over UDPUDP

• IPv6 over UDP (default - port 3544/udp)

• Intended to provide IPv6 tunnels over IPv4 NAT devices

• Both endpoints may be NATed and/or firewalled!

• Can bypass most firewalls (uses outbound UDP sockets)

• Uses a robust NAT traversal similar to STUN (RFC 3489)

• Provides peer-to-peer IPv6 connectivity for clients over NAT devices

• Clients requires a Teredo server and relay on public IPv4

• Teredo servers carry no production traffic

• Teredo relays are currently advertized in BGP

• Miredo project provides Teredo support on Linux and FreeBSD

• IANA assigned address prefix 2001:0::/32

• IETF Standard RFC 4380


More IPv6 over More IPv6 over UDPUDP

• UDP based transports work well over IPv4 NAT− Also bypasses most firewalls – including stateful firewalls− Some may be “STUN” enabled

• TSP - Tunnel Setup Protocol (3653/udp)− Promoted by FreeNet6 / Hexago− Also used with 4in6 for DSTM− Still an IETF draft

• AICCU - Automatic IPv6 Connectivity Client Utility

(8374/udp)− SixXS in Europe (HEAnet host the SixXS pop in Ireland)

• OpenVPN (1194/udp v2 – 5100/udp v1)− Used by the German “Join” project as an IPv6 tunnel broker− Uses ESPinUDP (IPSec NAT-T) encapsulation− Directly tunnels IPv6 in IPv4 without additional tunneling layers


Other methodsOther methods

• IPv6 can be transported over anything that transports IPv4.

• PPP – Native or tunneled IPv4 using 6in4

• IPSec / IPSec NAT-T− Encrypted tunnel− Encapsulation and transport of IPv6 over IPv4 using 6in4− NAT-T provides a further UDP transport, but provides no

STUN support (yet)

• 6over4 - Uses IPv4 multicast

• ISATAP - Complex setup using 6in4 - Large enterprises

• Generic Routing Encapsulation (GRE)− IPv6/4 over IPv4− IPv4/6 over IPv6


Less known Less known methodsmethods

• Used to avoid detection.

• Ping Tunnel− Tunneling over ICMP Echo / Echo Reply

• Htunnel (tunnel over http, including proxies)

• TCPtunnel− Covert Channel in TCP header bits

• Covert Channel Tunneling Tool (CCTT)− Brings several covert tunneling encapsulations under

one roof− Tunneling over ICMP− Tunneling over HTTP− Tunneling over DNS− Tunneling over NTP


The IPv6 The IPv6 UndergroundUnderground

• Already active on IPv6

• IPv6 only IRC channels

• IPv6 only FTP sites

• IPv6 only Web sites

• Many IRC bots have IPv6 patches

• IPv6 has been used for communications tunnels

• IPv6 can be used to hide backdoors

• IPv6 can be used to bypass firewalls

• IPv6 can enable end to end peer to peer connectivity− Even when all clients are behind NAT− Using 3rd party STUN or Teredo servers− Public servers carry no “malicious traffic”


Scanning and Scanning and addressesaddresses

• Several orders of magnitude harder to scan 1 IPv6 subnet than all of IPv4

• “Efficient” (dense) allocations == Feature Rich Targets

• Sparse allocations make brute force scanning impractical− Scanning for backdoors impractical

• By attackers• By defenders

− Scanning for proxies impractical− Scan-based worms can not propagate

• No more slammer• No more blaster

• Cripples brute force scanning for open relays for Spam

• Reduces hacker “hijack wars” and “shelling matches”

• Use of trivial EUI-64 derived addresses can degrade this− EUI-64 derived from interface MAC addresses− Remains constant across subnets− Potential privacy issues


IPv6 and IPv6 and BroadcastsBroadcasts

• Mostly good news

• No broadcast addresses− No local broadcast− No directed broadcast− No global broadcast

• Broadcast functions handled by various multicast

addresses− Multicast addresses may never be source addresses− Some mutlicast addresses and functions can still have a

large scope

• No more broadcast scanning for nodes

• No more directed broadcast “food fights”

• No help with local broadcast DDoS Zombies


IPv6 and the

“Anatomy of a

Hack”


IPv6 and the Anatomy of a IPv6 and the Anatomy of a HackHack

• Basic layers in the Anatomy of a Hack−Identify targets

−Initial Compromise (Gain access)

−Acquire shell

−Elevate privilege

−Clean up traces

−Secure communications and future access

• IPv6 impacts some, but not all, layers of this model


Identify Identify TargetsTargets

• Brute force scanning is impractical− Targets have to be individually chosen

• Port probes are possible once system is identified

• Security access may be on alternate addresses

• Services may be dispersed across multiple

addresses− Security services, ssh, on unpublished addresses− Public services, web, smtp, ftp, on published

addresses− No substitute for firewalls

• Result, Advantage defender


Initial Initial CompromiseCompromise

• Access to other systems may be acquired from compromised systems secured by IPv6 tunnels

• Multiple systems may be accessed and routed out through single hosts anchoring IPv6 tunnels

• Additional global routing may contribute to accessing systems behind firewalls or on private IPv4 address space

• IPv6 traffic may be detected (if you know what to look for)

• Result, a Draw


Securing AccessSecuring Access

• IPv6 aids in hiding backdoors

• Many IDS systems do not detect IPv6 traffic

• Many IDS systems do not detect communications

tunnels

• Properly configured IDS systems can detect IPv6 traffic

• Security scanners may not scan for IPv6 backdoors

• IPv6 is easy to set up without interfering with IPv4

operations

• Bots and malware may connect back to multiple

addresses

• Result, Advantage Attacker


Final thoughts


FirewallsFirewalls

• Not all firewalls configured to block protocol 41 by default− (Most now are)

• IPv4 firewalls can not see TCP or UDP in tunnels (Toredo, SIT)

• IPv6 firewalls can not see protocol 41 (or UDP) on IPv4

• Teredo, TSP, AYIYA, and OpenVPN (UDP) can bypass firewalls

• All tunnels should terminate at the firewall or security perimeter

• Unroll all encapsulations and pass IPv6 traffic natively

• Tunnels should be prohibited from within corporate networks

• 6to4 auto tunnels should be limited to external sites / clients

• Provide an external gateway for supported tunneling protocols


Providing IPv6Providing IPv6

• To provide IPv6 to a network, you must support it

• Tunnels should be terminated security perimeters (firewalls)

• 6to4 / 6in4 should be prohibited within a corporate network

• Native IPv6 should be provided within the corporate network

• Router advertisements should be monitored for anomalies

• Prefixes should be monitored for unexpected changes

• Unusual router advertisements should be investigated

• IDS systems should detect rogue routers and prefixes

• EUI policy should be defined and enforced


Avoiding IPv6Avoiding IPv6

• To avoid having IPv6 on a network, you must support it

• Tunneling protocols and transports should be blocked− At all security perimeters− At routers and subnet boundaries− All tunneling protocols must be recognized

• IDS / IPS systems should monitor for IPv6 link protocols− Neighbor discovery− Router advertisements

• NIDS systems should detect IPv6 – native and tunneled− Unroll all encapsulated traffic to get at core protocols− Watch for encrypted encapsulations

• Host systems should be monitored for IPv6


Ignoring IPv6Ignoring IPv6

• If you don't provide or prevent IPv6, you will have IPv6− You won't control it− You won't recognize it− You won't be managing it− It will still be globally addressable− It will still be fully routable (independent of IPv4

routing)− Others will be providing IPv6 routes and routers,

not you

• Others providing IPv6 will not have your best interest at heart


SummarySummary

• IPv6 carries a number of advantages− Improved addressing− Improved security− Improved routing

• IPv6 advantages can be used against networks− Backdoors hidden− Communications channels hidden− Security mechanisms bypassed

• IPv6 is easier and cheaper to provide than prevent

• Time for ignoring IPv6 is past

• Time for understanding and using IPv6 is now


AcknowledgemAcknowledgementsents

This presentation includes some material from these other sources:

• The 6DISS project www.6diss.org

• “Security Implications of IPv6”, Micheal H. Warfield, Internet

Security Systems

http://www.6diss.org/


ContactContact

Mícheál Ó Foghlú

Research Director

Telecommunications Software & Systems Group

Waterford Institute of Technology

Cork Road

Waterford

Ireland

+353 51 302963 (w)

[email protected]

http://www.tssg.org

http://www.ofoghlu.net/log (Personal Blog)

mailto:[email protected]

http://www.tssg.org/

http://www.ofoghlu.net/log


Further Further InformationInformation

Web Sites:

• National Irish IPv6 Centre http://www.ipv6-ireland.org

• Irish IPv6 Task Force http://www.ipv6.ie

• IPv6 ePrints Server (Public Documents) http://www.6journal.org/

• IPv6 Dissemination (Public Training) http://www.6diss.org/tutorials/

Individual Documents/Presentations:

• http://arstechnica.com/articles/paedia/IPv6.ars/1 (Iljitsch van Beijnum, 7th March

2007)

• http://bgp.potaroo.net/ipv4/ (Geoff Huston APNIC, 2006)

• http://www.6journal.org/archive/00000261/02/WWC_IPv6_Forum_Roadmap__Vision_2010_v6.pdf

(IPv6 Forum Roadmap & Vision, 2006)

• http://colab.cim3.net/file/work/Expedition_Workshop/2005-12-06_Advancing_Information_Sharing_And_Data_Architecture/IPV6/NIST%20ipv6-doc-eai-v4%2012062005.ppt

(Doug Montgomery NIST, 2005)

http://www.ipv6-ireland.org/

http://www.ipv6.ie/

http://www.6journal.org/

http://www.6diss.org/tutorials/

http://arstechnica.com/articles/paedia/IPv6.ars/1

http://bgp.potaroo.net/ipv4/

http://www.6journal.org/archive/00000261/02/WWC_IPv6_Forum_Roadmap__Vision_2010_v6.pdf

http://www.6journal.org/archive/00000261/02/WWC_IPv6_Forum_Roadmap__Vision_2010_v6.pdf

http://colab.cim3.net/file/work/Expedition_Workshop/2005-12-06_Advancing_Information_Sharing_And_Data_Architecture/IPV6/NIST%20ipv6-doc-eai-v4%2012062005.ppt




Thank you!Thank you!

This presentation has been shared under the Creative Commons Attribution 2.0 UK:

England & Wales Licence (http://creativecommons.org/licenses/by/2.0/u

k)by the Irish IPv6 Task Force

(http://www.ipv6.ie)

Please acknowledge this source if you use it for free or for profit

http://www.ipv6.ie/

irish ipv6 task force - irish ipv6 task force ipv6 and security

Documents

ipv6 security technical

mobile ipv6 technical

ipv6 fundamentals technical

security slide

business case

bigger picture