Architectural Risks and Mitigations in IPv6 - PowerPoint PPT Presentation

Description: Information scope is limited, additional readings required. Presentation ... Prepend FF onto 3A:9E9A. Append the result to the SNMA Prefix FF02::1:FF3A:9E9A ...

Number of Views: 47
Avg rating: 3.0/5.0
Slides: 110
Provided by: jamesrl4

Transcript and Presenter's Notes


1
Architectural Risks and Mitigations in IPv6
  • James R Lindley
  • CISSP-ISSAP/ISSEP/ISSMP, CISA, CHS-III
  • Senior Computer Engineer
  • (Security Architectures)
  • IRS IT Security Architectures Engineering

2
Disclaimers
  • Information scope is limited, additional readings
    required
  • Presentation Organization
  • A SHORT review of the IPv6 Protocol Suite
  • Architectural Insecurities
  • Possible Mitigations

3
Features of Network Layer Protocols
  • Logical Addressing
  • Route Discovery
  • Quality of Service
  • Packet Header Structures
  • Fragmentation Methods
  • Supporting Protocols

4
How to Use 128 Bits
  • We really don't get 3.4 x 10^38 usable addresses;
    the 128 bits are split into a routing prefix and a
    64-bit host part (Interface ID)
  • 32 bits (all of IPv4): 4,294,967,295 addresses
  • 48-bit routing prefix: 65,535 subnets in the 16 bits
    between bit 48 and bit 64
  • 64-bit host part: 18,446,744,073,709,551,615
    potential hosts per subnet
  • A /16 allows 281,474,976,710,655 (2^48 - 1) networks
  • For comparison, 54 bits give 18,014,398,509,481,983

5
IPv6 Address Types
  • Unicast
  • Address of a single interface
  • One to one delivery to single interface
  • Multicast
  • Address of a set of interfaces
  • One to many - delivery to all interfaces in the
    set
  • Anycast
  • Address of a set of interfaces
  • One to one-of-many - delivery to the closest
    single interface in the set
  • No more broadcast addresses

6
Unicast IPv6 Addresses
  • Aggregatable Global Unicast Addresses (AGUA)
  • Link-local addresses
  • Site-local addresses (not SLA see later)
    (deprecated)
  • Unique Local Addresses (replaces Site-local)
  • Special addresses
  • Compatibility addresses
  • NSAP addresses (Network Service Access Point)

7
IPv6 Address Summary
  • Global
  • Typically begins with 2 or 3 (2000::/3; e.g., ARIN
    allocations under 2600::)
  • Unique for the entire IPv6 Internet
  • Link-local
  • Begins with FE80::
  • Unique for a single link
  • Site-local (deprecated)
  • Begins with FEC0::
  • Unique Local
  • Begins with FD00::
  • Multicast
  • Begins with FF00:: (first byte is always FF)

8
Multiple Addresses on a Node
  • Unlike IPv4, an IPv6 node always has multiple
    addresses
  • Link-local, unique local (formerly site-local),
    global, etc., plus the multicast groups it listens on
  • It is the job of the node's protocol stack to
    decide the most appropriate source address to use
    to reach the destination (default address selection)
  • Greatly simplifies routing

9
Assigning Interface Addresses
  • Two ways to assign addresses
  • Static assignment
  • Automatic assignment
  • via DHCP (stateful)
  • via autoconfiguration (stateless)
  • Static assignment will be challenging because of
    the address size
  • Automatic assignment will be much more common

10
Six Paths to an IPv6 Interface ID (Address)
  • Extended Unique Identifier (EUI-64) address
  • Randomly generated value (privacy extensions) or
    Cryptographically Generated Address (used by SeND)
  • A value assigned by a stateful address
    configuration protocol such as DHCPv6
  • Expanded IPv4 Address
  • A manually configured value
  • A value assigned during the establishment of a
    Point-to-Point Protocol connection

11
Extended Unique Identifier (EUI-64) address
  • Derived from IEEE MAC-48 address
  • Privacy considerations in host ID
  • MAC-48 structured address architecture makes
    range scanning easier

12
Randomly generated value (Privacy Extensions / CGA)
  • RGV: Randomly Generated Value (RFC 3041 privacy
    extensions)
  • Often lumped together with the Cryptographically
    Generated Address (CGA, RFC 3972), which SeND uses;
    a CGA is not random but a hash of the node's public
    key, yet both yield unstructured Interface IDs
  • Greater privacy (the RGV replaces the EUI-64 in
    the privacy extensions)
  • Maximum range scanning difficulty due to the
    unstructured address architecture
  • Loss of administrative address control

13
IPv6 Interface ID Configuration DHCPv6
  • Value assigned by a stateful address
    configuration protocol (i.e., DHCPv6)
  • Requires router Managed Address parameter
    configuration
  • Requires DHCPv6 server and administration
  • May result in address assignment patterns that
    make range scanning easier

14
IPv6 Interface ID Configuration eXIPv4
  • Expanded IPv4 Address (IPv4 address embedded in
    the Interface ID)
  • Used with 6to4, 6over4 and ISATAP tunneling
  • Reveals that IPv4 is in use, and which IPv4 address
  • May make U-Turn attacks easier

15
IPv6 Interface ID Configuration Manual/PPP
  • Manually configured value
  • More labor required
  • Pattern establishment possible
  • Does not make best use of dynamic and automatic
    IPv6 address assignment tools
  • Value assigned during the establishment of a
    Point-to-Point Protocol connection
  • Used only with PPP
  • Found mainly with MODEM dial-up connections

16
Stateless Autoconfiguration
  • Hosts generate IP address automatically by
    combining link information with Interface ID
  • EUI-64
  • Privacy Extensions
  • Link information is retrieved via Router
    Solicitations (RS) or Advertisements (RA)

17
Router Advertisements
  • RA/RSs are a subset of the Neighbor Discovery (ND)
    protocol (ICMPv6 types 134 and 133)
  • Routers send unsolicited RAs periodically (RFC 4861
    defaults between 200 and 600 seconds, i.e. roughly
    every 3 to 10 minutes) from each link-local address
    to FF02::1 (All-nodes-on-link), and in reply to RSs
  • If the Router Lifetime field is non-zero, the
    sender may be used as a default router
  • RAs carry a Managed Address (M) flag; if set, hosts
    must contact a DHCPv6 server to obtain Global
    Unicast Addresses (stateful configuration mandated)

18
Quality of Service
  • The IPv4 Type of Service header field has been
    renamed Traffic Class in IPv6, with identical bit
    assignment and processing (DSCP/ECN)
  • IPv4 has no mechanism for recognizing data
    streams; it relies on the TOS field and on
    upper-layer delivery guarantees
  • IPv6 adds a Flow Label header field that routers
    can use to prioritize processing of a data stream
  • Integrated Services (RFC 1633) prioritization
    without Transport Layer data inspection
  • Requires Resource Reservation Protocol (RSVP),
    RFC 2205
  • Eliminates redundant route resolution processing
  • No standard definition of Flow Label values
  • Introduces a potential DoS vulnerability

19
Packet Header Changes
  • IPv4 has a variable length packet header
  • Many fields unused
  • Use of options adds to variability
  • Variability, plus the decrementing TTL, means every
    router must recompute the header checksum
  • Options limited in complexity
  • IPv6 has a fixed length (40 byte) packet header
  • All fields used
  • Options are well-defined extension headers
  • No header checksum, so no integrity check
    processing at each hop (upper-layer checksums
    cover the addresses)
  • Multiple extension headers may be chained

20
IPv6 Header (Fixed length, 40 bytes) RFC 2460
21
IPv6 Header Detail Flow Label
  • Defined in RFC 3697 (field introduced in RFC 2460)
  • Size is 20 bits (2.5 bytes)
  • A pseudo-random value chosen by the sending host
    to label a particular flow of packets
  • Not fully defined yet, but has the potential to
    reduce processing latency for a flow of data,
    even if it comes from different applications
  • Routers that classify on the label can cache the
    forwarding decision for a flow and avoid
    reprocessing it for later packets in that flow

22
IPv6 Header Detail Next Header
  • Size is 1 byte
  • Was called Protocol Type field in v4
  • Specifies what type of header is coming next in
    the packet (TCP/UDP/ICMPv6, etc)
  • If extension headers are used, the type of
    extension header is listed here
  • Common values: 6 (TCP), 17 (UDP), 58 (ICMPv6)

23
IPv6 Extension Headers
24
Extension Headers Intermediate Nodes
  • Hop-by-Hop Options header (must come first; examined
    by every node on the path)
  • Jumbo Payload option
  • Router Alert option: router must process the
    datagram
  • Destination Options header
  • When placed before a Routing header, processed by
    the intermediate nodes listed in that Routing header
  • Routing header
  • Used for source routing (Type 0) and Mobile IPv6
    (Type 2)

25
Extension Headers Destination Node
  • Fragment header
  • Used only by the source and destination nodes
    (IPv6 routers never fragment)
  • IPsec specific headers
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP) header
  • Destination Options header
  • Processed only by the final destination when no
    Routing header is present (or when it follows one)
  • Used by Mobile IPv6 (Home Address option)

26
IPv4 Fragmentation Control
  • Maximum Transmission Unit (MTU) defines the
    largest amount of data in octets that a device
    can send or forward in a single datagram
  • Path MTU (PMTU) is the smallest MTU of all the
    links between a source and destination host
  • IPv4 PMTU discovery (RFC 1191, using the DF bit)
    is optional; a host that does not use it sends
    packets at the size defined in its own configuration
  • An IPv4 intermediate node receiving a packet
    (with DF clear) larger than the next link's MTU
    divides it into several smaller fragments before
    forwarding them
  • This introduces latency and increased traffic
    into the network

27
IPv6 Fragmentation Control
  • IPv6 routers never fragment; the source host must
    size packets to the PMTU (minimum link MTU is 1280)
  • The host starts by sending packets sized to its
    own link MTU
  • It listens for ICMPv6 Packet Too Big messages
    (type 2, which carry the next-hop MTU) and, if one
    is received, sends smaller packets until no Packet
    Too Big message is returned
  • IPv6 resizes the real packets to match the
    discovered PMTU (RFC 1981)
  • IPv6 therefore requires ICMPv6 Packet Too Big
    messages to pass through firewalls

28
IPsec for IPv6
  • Mandatory inclusion in implementations (RFC 4294;
    later relaxed to SHOULD by RFC 6434), but its use
    is optional
  • Three User Options
  • No Use
  • Gateway-Gateway (Available in IPv4)
  • Peer-Peer
  • Use Requires a Security Association
  • IKE (RFC 2409; IKEv2 in RFC 4306)
  • PKI/PKM (static keying is possible but
    problematic)
  • Two Modes
  • Transport (Peer-Peer)
  • Tunnel (VPN Gateway-Gateway)
  • Modes can be combined
  • Two Header Options
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Options can be combined

29
IPsec for IPv6
  • Authentication Header (AH)
  • RFC 2402 (updated by RFC 4302)
  • Whole packet integrity, including the outer IP
    header except fields that change in transit
    (e.g., hop limit)
  • Source authentication
  • Replay protection
  • Does NOT encrypt; uses a keyed integrity check
    value (e.g., HMAC), not a plain checksum
  • Does NOT provide confidentiality

30
IPsec for IPv6
  • Encapsulating Security Payload (ESP)
  • RFC 2406 (updated by RFC 4303)
  • Confidentiality
  • Integrity of the encapsulated data
  • Authentication of the source
  • Anti-replay protection
  • Encrypts
  • Has a more limited integrity check than AH: the
    outer (encapsulating) IP header is NOT protected

31
DHCPv6
  • RFC 3315
  • Totally rewritten protocol
  • Required for Managed Address systems
  • Stateful Configuration
  • Automatic Address Assignment

32
DHCPv6
  • Many benefits
  • Uses multicast instead of broadcast
  • Clients send from their link-local address, so the
    server (or relay) knows the client is on-link
  • Relay agent is simplified since it doesn't need a
    list of DHCPv6 servers; it just sends to the
    All-DHCP-servers address (FF05::1:3)
  • Server can push an update (Reconfigure) when
    changes occur
  • Address lease lifetime can be infinite; when
    changes occur they are pushed, so less traffic

33
Neighbor Discovery (ND) Protocol
  • Neighbor Discovery has two main subsets
  • Router Solicitation/Router Advertisement (RS/RA)
    to communicate with routers
  • Neighbor Solicitation/Neighbor Advertisement
    (NS/NA) to communicate with hosts on the link
  • The ultimate job of ND is to allow a node that
    knows an IPv6 address to determine the link-layer
    (MAC) address of the on-link recipient node
  • Very similar to ARP in IPv4, but uses multicast
    rather than broadcast (and runs over ICMPv6)

34
Why Neighbor Discovery?
  • Doesn't an IPv6 address advertise the MAC
    address?
  • Only when the Interface ID is an EUI-64, from
    which one can derive the MAC address
  • Even then the EUI-64 isn't guaranteed to be accurate
  • It could have been manually entered by the node
    owner
  • It could be randomly changing to protect privacy
  • The Layer 2 might not use MAC addresses
    (Frame Relay)
  • Therefore ND is always performed (unless the
    mapping is already cached)
  • Next slide explains IEEE EUI-64 / MAC-64

35
EUI-64 IEEE Extended Unique Identifier, 64 bits
  • To facilitate the creation of globally unique
    node addresses from the network adapter's Media
    Access Control (MAC) address, the IEEE defined the
    64-bit EUI-64 format and mappings from the 48-bit
    identifiers (EUI-64 and the so-called MAC-64)
  • Both mappings split the 48-bit EUI-48/MAC-48
    number into two 24-bit sections and insert either
    FFFF (MAC-64, for MAC-48) or FFFE (EUI-64, for
    EUI-48) between the two sections
  • MAC-64 is meant to be used with network adapters,
    but the IPv6 specification (RFC 4291) uses the
    FFFE insertion, plus inversion of the
    universal/local bit, for all IEEE 802 addresses

36
Solicited Node Multicast Address (SNMA)
  • SNMA is used for address resolution and to avoid
    duplicate IPv6 addresses without link-wide broadcast
  • Created by prepending FF to the last 24 bits of
    the Interface ID and appending the result to the
    prefix FF02::1:FF00::/104
  • Client's IPv6 address is 3001:B000::1212:6BFF:FE3A:9E9A
  • Take the last 24 bits: 3A:9E9A
  • Prepend FF onto 3A:9E9A: FF3A:9E9A
  • Append the result to the SNMA prefix:
    FF02::1:FF3A:9E9A
  • Host listens on the SNMA corresponding to each
    assigned IPv6 address

37
Duplicate Address Detection (DAD)
  • As a function of ND, when a node generates (or
    receives) an IPv6 address, it sends an NS for that
    address, from the unspecified source (::), to the
    address's SNMA before using it
  • If an NA (or another node's NS for the same
    target) is received, the node knows the address is
    in use and does not use it

38
Secure Neighbor Discovery (SeND) (RFC 3971)
  • Requires each node to hold a list of trust anchors
    (certificate authorities) for the routers it will
    accept; routers prove authorization with a
    certification path
  • The list may differ for each network segment
  • Uses Cryptographically Generated Addresses (CGA)
    (RFC 3972) to verify a neighbor's address ownership,
    with RSA signature options on ND messages
  • Solves the router trust and address spoofing
    problems in IPv6 Neighbor Discovery node address
    configuration
  • No automatic IPv6 method for creating or
    updating host and router trust anchor/certificate
    lists

39
ICMPv6
  • In IPv4, the Internet Control Message Protocol
    (ICMP) was used for some utilities such as ping
    and traceroute
  • Many organizations block in/out ICMP at the
    firewall
  • In IPv6, Neighbor Discovery utilizes ICMPv6, and
    ND is mandatory for delivering packets
  • Path MTU discovery is ICMPv6 based
  • Therefore ICMPv6 is mandatory in IPv6 and
    cannot be shut off completely at the firewall; it
    must be filtered by message type (RFC 4890 gives
    recommendations)

40
DNSv6
  • Same functionality as DNS in IPv4
  • IPv6 uses AAAA records, IPv4 uses A
  • Dual-stack resolvers query for AAAA and A, and
    default address selection (RFC 3484) prefers the
    IPv6 address
  • Some implementations will not fall back to the
    IPv4 address if an IPv6 address exists for the host
  • A DNS server with a faked AAAA record for an
    IPv4-only box will send all traffic for it to the
    attacker's IPv6 address (DNS spoofing still works)
  • DNS server discovery mechanisms (RA options,
    DHCPv6) still a work in progress

41
MobileIP
  • Present in IPv4 (RFC 3344), difficult to use
  • MobileIPv4
  • Mobile Node
  • Home Agent
  • Foreign Agent
  • UDP-based
  • Home Agent-(Server) centric

42
MobileIP
  • Visited networks must open their firewalls to
    special IPv6 packets
  • IPv6 Modes
  • Bi-directional Tunneling (Home Agent centric)
  • Route Optimization (Peer-to-Peer)
  • You can do Binding Updates with any correspondent
    to establish a direct path, but ONLY after
    establishing a security association with the home
    agent or correspondent.

43
MobileIP
  • Do not confuse MobileIP with Mobile
    Telephony, which concerns OSI Layer 1 and 2
    devices
  • MobileIP is OSI Layer 3
  • Requires a functioning Layer 1 and 2 network
    infrastructure
  • Requires a way to establish security associations
    (PKI?)

44
Key Risk Considerations
  • Each network layer has characteristic types of
    attacks
  • Internet Protocol is an address management and
    traffic delivery protocol suite
  • Characteristic attacks and activities at the IP
    level are Address Manipulation, Denials of
    Service, and supporting activities
    (reconnaissance, etc.)
  • Some attacks utilize upper layer protocols that
    support IP functionality (ICMP, TCP, UDP, etc.)
  • Almost all IPv6 security enhancements require a
    way to establish a security association (PKI?)
    (SeND, IPSec, etc.)

45
Key Considerations
  • IPv6 address management suite
  • Neighbor Discovery / Router Identification
  • Autoconfiguration
  • Domain Name System
  • Dynamic Host Configuration Protocol (DHCPv6)
  • ICMPv6
  • Packet Header Changes
  • Supporting Activities

46
Neighbor Discovery
  • Key concerns
  • Neighbor Solicitations / Advertisements
  • Router Solicitations / Advertisements
  • ICMPv6 messages
  • Secure ND requires trust lists
  • IPv6 vs. IPv4 (ND/autoconfiguration vs. ARP, etc.)
  • Attacks
  • DoS
  • Redirects
  • Configuration Attacks

47
Neighbor Discovery
  • Neighbor Solicitation and Advertisement (NS/NA)
    Spoofing
  • N3 sends an NS or NA with N1, N2, or R1 addresses
    and N3 link-layer address.
  • Traffic goes to N3 instead of valid neighbors.

48
Neighbor Discovery
  • Fake on-link Prefix
  • N3 executes NA/NS Spoofing
  • N3 sends RA with invalid prefix identified as
    on-link
  • Off-link traffic to the prefix is either denied
    or sent to N3

49
Neighbor Discovery
  • Neighbor Unreachability Detection (NUD) Denial of
    Service
  • N3 sends NAs in response to the NUD NS messages of
    all or some of the other nodes on the network
  • The probed nodes are now considered unreachable by
    the other nodes, which cease sending to them

50
Neighbor Discovery
  • Router Flood (neighbor cache exhaustion)
  • N3 sends packets addressed to random unused
    addresses in the on-link prefix
  • R1 creates cache entries and sends NS messages
    that are never answered

51
Neighbor Discovery
  • Default Router Disabling
  • N3 sends RA with R1 address and a lifetime of
    zero
  • R1 is dropped as the default router by other nodes

52
Neighbor Discovery
  • Router/DHCPv6 Masquerade
  • N3 sends RA with a DHCPv6 configuration that
    points to a DHCPv6 server running on N3
  • Nodes obtain addressing information from N3

53
Neighbor Discovery
  • Default Router Masquerade
  • N3 sends RA as Default Router
  • Other nodes start sending traffic to N3
  • N3 becomes Man in the middle.
  • N3 can also DoS net by sending RA with an invalid
    network renumbering scheme

54
Neighbor Discovery
  • Duplicate Address Detection (DAD) Denial of
    Service
  • N3 responds to every DAD NS message by claiming
    to already have that address
  • Nodes are never able to configure an address

55
Neighbor Discovery
  • Prefix Spoofing
  • N3 sends RA with invalid network prefix for
    autoconfiguration
  • Autoconfigured nodes send traffic with invalid
    prefix
  • Nodes never receive misdirected response traffic

56
Neighbor Discovery
  • Prefix Flooding
  • N3 sends an RA flood with randomly selected
    invalid prefixes
  • Nodes eventually drop valid prefixes

57
Neighbor Discovery
  • ICMP Redirect
  • N3 sends R1-spoofed ICMP redirect message
  • Nodes send traffic to N3
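
As an added example, not part of the original presentation, the following Python decodes Router Advertisements the way a receiving host must validate them (RFC 4861: hop limit 255, link-local source, valid ICMPv6 checksum) and then checks them against the link's expected routers and prefixes, which is the policy an RA-guard enforces. It serves the RA format of slide 17 and the Default Router Disabling, Default Router Masquerade and Prefix Spoofing attacks above. The router and attacker addresses, MACs and prefixes are constructed documentation values, not taken from the slides.

```python
import ipaddress
import struct

ICMPV6 = 58
ND_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO = 1, 3
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum: ones-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, next header 58) plus the ICMPv6 message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), ICMPV6) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src, dst, router_lifetime, mac, prefix, flags=0):
    """Build an RA (RFC 4861 section 4.2) with a Source Link-Layer Address
    option and a Prefix Information option (L and A bits set)."""
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERTISEMENT, 0, 0, 64, flags,
                       router_lifetime, 0, 0)
    body += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac
    body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix.prefixlen, 0xC0,
                        2592000, 604800, 0) + prefix.network_address.packed
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_ra(src, dst, hop_limit, icmp):
    """Apply the receiver checks of RFC 4861 section 6.1.2, then decode the RA."""
    if hop_limit != 255:
        raise ValueError("RA hop limit must be 255 (proves it was not forwarded)")
    if src not in LINK_LOCAL:
        raise ValueError("RA source address must be link-local")
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERTISEMENT or icmp[1] != 0:
        raise ValueError("not a well-formed Router Advertisement")
    zeroed = icmp[:2] + b"\x00\x00" + icmp[4:]
    if icmpv6_checksum(src, dst, zeroed) != struct.unpack("!H", icmp[2:4])[0]:
        raise ValueError("bad ICMPv6 checksum")
    flags = icmp[5]
    ra = {"src": src, "lifetime": struct.unpack("!H", icmp[6:8])[0],
          "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp):  # walk the TLV options (length in 8-octet units)
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            raise ValueError("malformed ND option")
        if otype == OPT_SOURCE_LLADDR and olen == 8:
            ra["mac"] = icmp[off + 2:off + 8]
        elif otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(ipaddress.IPv6Network(
                (icmp[off + 16:off + 32], icmp[off + 2]), strict=False))
        off += olen
    return ra


def check_ra(ra, trusted_routers, allowed_prefixes):
    """Policy check against the link's known routers {link-local: MAC} and prefixes."""
    findings = []
    if ra["mac"] not in trusted_routers.values():
        findings.append("RA from an untrusted link-layer address (default router masquerade)")
    if ra["src"] in trusted_routers and ra["mac"] != trusted_routers[ra["src"]]:
        findings.append("trusted router address sent from a different MAC (spoofed RA)")
    if ra["lifetime"] == 0 and ra["src"] in trusted_routers:
        findings.append("router lifetime 0 for a trusted router (default router disabling)")
    for prefix in ra["prefixes"]:
        if prefix not in allowed_prefixes:
            findings.append("unexpected autoconfiguration prefix %s (prefix spoofing)" % prefix)
    if ra["managed"]:
        findings.append("M flag set: hosts will query DHCPv6 (watch for a rogue server)")
    return findings


# Constructed sample link: RFC 3849 documentation prefix, RFC 7042 documentation MACs.
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ROUTER, ROUTER_MAC = ipaddress.IPv6Address("fe80::1"), bytes.fromhex("00005e005301")
ATTACKER, ATTACKER_MAC = ipaddress.IPv6Address("fe80::bad"), bytes.fromhex("00005e0053ff")
TRUSTED = {ROUTER: ROUTER_MAC}
ALLOWED = {ipaddress.IPv6Network("2001:db8:1::/64")}

LEGIT_RA = build_ra(ROUTER, ALL_NODES, 1800, ROUTER_MAC, ipaddress.IPv6Network("2001:db8:1::/64"))
ROGUE_RA = build_ra(ATTACKER, ALL_NODES, 1800, ATTACKER_MAC, ipaddress.IPv6Network("2001:db8:bad::/64"))
KILL_RA = build_ra(ROUTER, ALL_NODES, 0, ATTACKER_MAC, ipaddress.IPv6Network("2001:db8:1::/64"))


def audit(src, icmp, hop_limit=255):
    """Validate and policy-check one RA seen on the link; returns the findings."""
    return check_ra(parse_ra(src, ALL_NODES, hop_limit, icmp), TRUSTED, ALLOWED)


if __name__ == "__main__":
    for name, src, ra in (("legit", ROUTER, LEGIT_RA), ("rogue", ATTACKER, ROGUE_RA),
                          ("kill", ROUTER, KILL_RA)):
        print(name, audit(src, ra) or "ok")
```

The hop-limit and link-local checks are what keep an off-link attacker from injecting RAs through a router; the MAC and prefix allow-lists are what a switch-side RA guard or an IDS rule would carry. The same parser, pointed at live captures, turns slides 51 to 55 into detections.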

58
Neighbor Discovery
  • NDAC uses Multicast
  • IPSec uses IKE
  • IKE has no mechanism for a group key
  • IKE does not support Multicast Security
    Associations
  • IPSec does not easily support Multicast

59
Autoconfiguration
  • Well-known addresses
  • EUI-64 creation
  • Privacy extensions (Randomization)

60
Autoconfiguration
  • Well known multicast addresses
  • All routers at FF052
  • All DHCP servers at FF0513
  • All nodes at FF021
  • Human pattern issues remain (pattern in choice of
    key server addresses)

61
Autoconfiguration
  • EUI-64 address creation
  • Exposes Layer 2 address
  • Privacy Issues
  • Privacy extensions (Randomization)
  • Loss of tracking ability

62
Domain Name Service
  • Default Action with AAAA vs A records
  • Public servers still public
  • DNSv6 attacks still similar to IPv4 (Zone
    Transfers, dynamic DNS, etc.)

63
ICMP
  • ICMP message control requirements more granular
  • ICMP attacks can reach layers above IP
  • IPSec/IKE does not secure ICMP

64
Packet Header Changes
  • Fragmentation attacks still possible
  • Flow Label field manipulation can cause router
    overflow conditions
  • Header chaining can create overflow conditions
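
As an added example, not from the presentation, here is a Python walker for the IPv6 extension header chain (the Next Header values of slides 22 to 25). It reports the chain and flags the conditions a filtering device should reject: a Hop-by-Hop header that is not first, a Type 0 Routing header with segments left (the source-routing vector of slide 65, deprecated by RFC 5095), an over-long chain, and a first fragment or truncated packet that does not carry the upper-layer header (RFC 7112). The sample packets are constructed inline with RFC 3849 documentation addresses.

```python
import struct

HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, NONEXT = 0, 43, 44, 50, 51, 60, 59
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS}
NAMES = {HOPOPT: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment", ESP: "ESP",
         AH: "AH", DSTOPTS: "Destination Options", NONEXT: "No Next Header",
         TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6"}


def walk_headers(pkt, max_ext=8):
    """Follow the Next Header chain from the 40-byte fixed header (RFC 2460).
    Returns (chain, findings); chain lists the header names in order."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if struct.unpack("!H", pkt[4:6])[0] != len(pkt) - 40:
        raise ValueError("payload length does not match packet size")
    nh, off, chain, findings, first_fragment = pkt[6], 40, [], [], True
    while nh in EXT_HEADERS:
        if len(chain) >= max_ext:
            findings.append("more than %d extension headers" % max_ext)
            return chain, findings
        if nh == ESP:  # everything after ESP is encrypted; nothing more to inspect
            chain.append(NAMES[ESP])
            return chain, findings
        if off + 8 > len(pkt):
            findings.append("chain truncated inside %s" % NAMES[nh])
            return chain, findings
        if nh == HOPOPT and chain:
            findings.append("Hop-by-Hop Options header is not first in the chain")
        if nh == FRAGMENT:
            hlen = 8
            first_fragment = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 == 0
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4      # AH length is in 32-bit words, minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8      # HBH/DST/Routing: 8-octet units, not incl. first
        if nh == ROUTING and pkt[off + 2] == 0 and pkt[off + 3] > 0:
            findings.append("Type 0 Routing header with segments left (deprecated by RFC 5095)")
        chain.append(NAMES[nh])
        nh, off = pkt[off], off + hlen
    chain.append(NAMES.get(nh, "protocol %d" % nh))
    if nh != NONEXT and first_fragment and off + 8 > len(pkt):
        findings.append("upper-layer header missing from the first fragment or truncated (RFC 7112)")
    return chain, findings


def ipv6_packet(next_header, payload):
    """Constructed 40-byte fixed header (documentation addresses) plus payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


# Constructed samples: a minimal TCP SYN header and a PadN option filling 6 octets.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PADN6 = bytes([1, 4, 0, 0, 0, 0])
NORMAL = ipv6_packet(HOPOPT, bytes([DSTOPTS, 0]) + PADN6 + bytes([FRAGMENT, 0]) + PADN6
                     + struct.pack("!BBHI", TCP, 0, 0, 0x1234) + TCP_HDR)
RH0 = ipv6_packet(ROUTING, struct.pack("!BBBBI", TCP, 2, 0, 1, 0) + bytes(16) + TCP_HDR)
OUT_OF_ORDER = ipv6_packet(DSTOPTS, bytes([HOPOPT, 0]) + PADN6 + bytes([TCP, 0]) + PADN6 + TCP_HDR)
TINY_FRAG = ipv6_packet(FRAGMENT, struct.pack("!BBHI", TCP, 0, 1, 0x1234) + b"\x00\x00")

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("rh0", RH0), ("out_of_order", OUT_OF_ORDER),
                      ("tiny_fragment", TINY_FRAG)):
        print(name, walk_headers(pkt))
```

A firewall that only looks at the first Next Header value sees "Hop-by-Hop" or "Fragment" and never reaches the TCP port; walking the chain to the upper-layer header, bounded by a maximum count, is what lets the device apply port rules and reject the RH0 and tiny-fragment evasions.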

65
Supporting Activities
  • Reconnaissance
  • More difficult, not impossible
  • Minus for both attackers and vulnerability
    assessors
  • Source routing (Routing Header Type 0) still
    available for Man-in-the-Middle; RFC 5095 has since
    deprecated RH0, so it should be filtered
  • SYN floods and other DoS/DDoS still available for
    complex or Mitnick-type attacks
  • Smurf may still be possible using ICMPv6 Packet Too
    Big and Parameter Problem messages (the error types
    that may be sent in reply to a multicast packet)

66
Technology Support and Transition Strategy
  • There are three pieces to the IPv6 transition
  • Infrastructure transition
  • Host transition
  • Application transition
  • Coexistence during transition
  • The transition from IPv4 to IPv6 will take years
  • Some hosts will use IPv4 indefinitely
  • Transition is the long term goal, coexistence in
    the interim

67
Infrastructure Transition
  • There are two main ways of providing IPv6
    connectivity to your users
  • Upgrade all layer 3 devices to support IPv6 and
    ensure routing tables reflect new IPv6 routes;
    this is the ultimate goal
  • Use a transition technology to provide IPv6
    connectivity to users in the absence of the first
    option

68
ISATAP
  • Intra-Site Automatic Tunnel Addressing Protocol
    (RFC 4214)
  • Provides unicast IPv6 connectivity between IPv6
    hosts across an IPv4 intranet
  • Can use private IPv4 addresses
  • Link-local address FE80::5EFE:w.x.y.z, i.e. the
    Interface ID 0:5EFE followed by the IPv4 address
    in hex form
  • One dual stack ISATAP router per site relays data
  • Benefit: allows scoped deployment of IPv6
    services across the site without upgrading the
    infrastructure

69
6to4
  • Automat tunneling over IPv4 like ISATAP (RFC 3056),
    but for whole sites and requires a public IPv4
    address, which forms the 2002:WWXX:YYZZ::/48 prefix

70
Tunnel Broker
  • Both ISATAP and 6to4 provide access to IPv6
    resources based solely on the IPv4 address
  • An unauthorized user could change their IPv4
    address and gain access to IPv6 services
  • Tunnel Brokers (RFC 3053) add a layer of user
    authentication into the process, e.g. by
    leveraging a RADIUS server such as Microsoft IAS
  • This can be especially helpful for externally
    facing 6to4 relays

71
Teredo
  • ISATAP and 6to4 rely on an ISATAP router or 6to4
    relay reachable over IPv4, and 6to4 needs a public
    IPv4 address
  • Home users behind a NAT will not have this option
  • Teredo (RFC 4380) was designed to allow home users
    access to IPv6 services by tunneling IPv6 in UDP
    (port 3544) through an IPv4 NAT
  • Microsoft does not recommend the use of Teredo in
    the Enterprise

72
Routing Transition Technologies
  • ISATAP or 6to4 provides connectivity between dual
    stacked and native v6 clients within your
    network
  • IF you choose to install an ISATAP/6to4 router
    or enable BGP/OSPF IPv6 routing, then IPv6 will
    be routed into/out of your network
  • IPv6 PACKETS CANNOT LEAVE THE LOCAL SUBNET UNTIL
    THEY ARE ROUTED OUT!
  • This is nothing different from IPv4

73
Host Transition
  • Ideal Transition Stages
  • Native IPv4
  • Dual Stack or Dual IP
  • Native IPv6
  • Dual stack will be preferred for many years
  • Very few IPv6 application issues on
    dual-stack/dual IP machines
  • Dual stack gives you the advantages of IPv6
    without requiring that every application be fully
    tested
  • Microsoft Vista is NOT two separate stacks: its
    Next Generation TCP/IP stack is a single
    dual-IP-layer implementation with IPv6 enabled by
    default

74
Application Transition
  • Wouldnt be necessary in a perfect world.
  • Maintains operation for older software, leverages
    power of v6 for new software
  • Software with embedded IPv4 addresses can operate
    without alteration in a dual stack environment
  • New or upgraded software should rigorously
    enforce OSI layer separation no embedded
    addresses or URLs

75
Technical Transition Criteria
  • Existing IPv4 hosts can be upgraded at any time
    independent of the upgrade of other hosts or
    routers
  • New hosts using only IPv6 can be added at any
    time without dependencies on other hosts or
    routing infrastructure
  • Existing IPv4 hosts with IPv6 installed can
    continue to use their IPv4 address and do not
    need additional addresses
  • Little preparation is needed to upgrade existing
    IPv4 nodes to IPv6 or to deploy new IPv6 nodes

76
Regulatory Environment
  • Non-technical environment doesnt change
  • For federal government, FISMA, NIST SP 800-53,
    etc. dont go away
  • Legal system definitions and requirements will
    have a significant impact on IPv6 technical
    implementations

77
Some Security Practices Must Change
  • Protecting system boundaries becomes more
    difficult
  • Network Address Translation (NAT) may gradually
    disappear
  • IPv6 subnet size makes net scanning more
    difficult for both protector and attacker
  • Firewalls border and personal will flourish
  • Host IDS will become more important
  • Combination security devices may become more
    common
  • Firewalls must perform very granular control of
    ICMPv6

78
IPv6 Security
  • Ask a lot of people about security in IPv6 and
    youll hear one thing IPsec
  • IPsec is important, but there is more to Security
    than a single protocol
  • The most important thing to do is test
  • IRS IPv6 transition should be lab tested

79
Work, Work, Work!
  • Firewall rules will need to be redone from
    scratch
  • Broadcasts may be gone, but there are many new
    multicasts to be filtered
  • Protocol types are more important than ever
  • Implement Microsoft Active Directory based Server
    and Domain Isolation
  • Implement ingress filtering of packets with IPv6
    multicast source addresses
  • Many of the security recommendations of IPv4 are
    still in IPv6

80
Transition Security Recommendations
  • General Principles
  • Security Tools
  • Windows Domain Management
  • Tunneling
  • Flow Label
  • IPSec
  • MobileIP
  • Applications
  • Databases

81
General Considerations
  • IPv6 is a Work In Progress. Vulnerabilities,
    attack vectors, and security requirements will
    change as the protocol suite is further defined.
  • An IPv6 feature or improvement may not be
    relevant to your current or future business
    needs or in a federal environment.
  • As a general goal, IPv6 transition should not
    cause a redefinition of the logical security
    boundaries of previously certified and accredited
    (C&A) systems.
  • Any IPv6 capabilities that differ from IPv4
    should be used only in response to clearly stated
    business requirements.
  • Realizing the full benefits of IPSec and SEND
    will require a previous installation of both PKI
    and MS Active Directory.

82
General Considerations
  • Security costs will increase due to the need to
    secure two network access protocols and the
    interactions between them
  • Technology Refresh purchase schedules may
    result in IPv6-capable systems being procured
    out of phase with same-network IPv6-capable
    security devices. Interior IPv6 capabilities
    should not be implemented without adequate
    traffic control and security by IPv6-capable
    network and perimeter control and security
    devices.
  • The possibility of U-Turn attacks must be
    considered when opening internal to external
    channels

83
Security Tools
  • Routing devices (routers, firewalls, etc.) should
    deny passage of any externally-generated IPv6
    traffic tunneled in User Datagram Protocol (UDP),
    e.g. Teredo on UDP port 3544, which is designed to
    pass through NATs and bypass firewalls or other
    security tools.
  • Intrusion detection or prevention systems
    (IDS/IPS) should have the ability to perform
    analysis of tunneled IPv6 traffic without regard
    to the number of tunnel layers.
  • IDS/IPS should have the ability to analyze packet
    header chains that exceed 512 octets.
  • Firewalls should have the ability to analyze both
    IPv4 ICMP and ICMPv6 traffic and to permit or deny
    such traffic based on type, code and message
    content.

84
Windows Domain Management
  • Windows Active Directory should be implemented to
    support Domain and Server Isolation.
  • All Domains and Servers should be isolated IAW
    Microsoft recommendations.
  • Active Directory should be combined with PKI

85
Tunneling
  • No automatic tunnels.
  • No tunnels based on UDP (e.g., Teredo).

86
Flow Label
  • Devices that respond to the Flow Label in any
    fashion should be thoroughly tested for their
    response to out-of-bound conditions.
  • "Device" is meant to refer to hardware or
    software or any combination thereof that works as
    a logical machine.

87
IPsec
  • IPsec should be implemented in a gateway-to-gateway
    (G2G) mode that honors current C&A logical system
    boundaries, except (potentially) in the following
    cases:
  • Where considerations of data confidentiality on
    untrusted networks require end-to-end IPsec
    implementation.
  • Where IPsec communication is between member
    servers of the Trusted Computing Base (TCB).
  • IPsec Security Associations required for
    peer-to-peer (P2P) use need IKE. P2P mode is best
    served in a PKI environment.
  • Irrespective of the IPsec mode implemented, all
    MS-based systems should be placed in isolated
    domains.
  • Full use of IPsec requires implementation of
    PKM/PKI.

88
MobileIP
  • Visited networks must open their firewalls to
    special IPv6 packets
  • IPv6 in IPv6 packets
  • IPv6 packets with mobility headers
  • IPv6 packets with home address destination option
  • ICMPv6 mobility packets
  • IPv6 packets with routing headers

89
Applications
  • Ideally, applications should have no awareness of
    IP layer protocols.
  • Applications with a network layer component
    should be tested for compatibility with IPv4,
    IPv6, and/or whichever tunneling mechanisms
    (ISATAP, 6to4, etc.) are implemented.
  • Applications that capture IP addresses should
    correctly process input of the various legal
    address format permutations and store and display
    such addresses in an enterprise-wide standard
    format.
  • Applications with embedded IPv4 addresses may
    have to be recoded depending on any network
    renumbering during the transition.
  • Note There is no current standard data field
    description for IPvX addresses.

90
Databases
  • Databases containing network layer addresses
    should be capable of storing both IPv4 and IPv6
    addresses in an enterprise-wide standard format.
  • Network-capable database systems should be tested
    for compatibility with IPv4, IPv6, and/or whichever
    tunneling mechanisms (ISATAP, 6to4, etc.) are
    implemented by the IRS.

91
End of Presentation
  • Questions?
  • Thanx for your attention and time.
  • JamesRLindley_at_verizon.net

93
Extra Slides
  • Following slides are examples of some of the
    items covered in the main presentation.

94
Features of Network Layer Protocols
  • Logical Addressing
  • IPv6 Address Space and Syntax
  • IPv6 Address Types and Uses
  • IPv6 Interface Address Configuration
  • Route Discovery
  • Quality of Service
  • Packet Header Structures
  • Fragmentation Methods
  • Supporting Protocols

95
Aggregatable Global Unicast Addresses (RFC 3513)
  • Refers to the ability to collapse or aggregate
    these addresses in a routing table
  • The original format (RFC 2374) divided the address
    into
  • Top-Level Aggregation ID (TLA ID)
  • Next-Level Aggregation ID (NLA ID)
  • Site-Level Aggregation ID (SLA ID)
  • Interface ID
  • RFC 3587 deprecated the TLA/NLA/SLA structure;
    only the global routing prefix, subnet ID and
    64-bit Interface ID remain

96
Aggregating The /48
  • Address scope is the entire IPv6 Internet
  • Equivalent to public IPv4 addresses
  • Known as a /48 since 48 bits denote the routing
    prefix assigned to the site
  • This was the standard site allocation (RFC 3177)
    from a provider or RIR
  • Permits 65,536 (2^16) subnets, each a /64

97
Local-Use Unicast Addresses
  • Link-local Unicast
  • Used between on-link neighbors
  • Equivalent to IPv4 APIPA (169.254.0.0/16) addresses
  • Single subnet; routers will not forward
  • Neighbor Discovery Autoconfiguration (NDAC)
  • Link-Local Unicast Address Format
  • Prefix is 1111 1110 10 (FE80::/10); addresses are
    formed within FE80::/64
  • Site-local addresses (deprecated)
  • Used between nodes in the same site

98
Site-Local Unicast
  • Address scope is a single site
  • Equivalent to private IPv4 addresses (RFC 1918)
  • Prefix Format 1111 1110 11
  • FEC0::/10 prefix for the site
  • Used for the local site only
  • Deprecated, but may be seen

99
Unique Local Addresses (RFC 4193)
  • Private to an organization, yet unique across all
    of the sites of the organization (40-bit random
    Global ID)
  • Depends on router filtering to maintain locality
  • FD00::/8 prefix (the locally assigned half of
    FC00::/7)
  • Replacement for site-local addresses
  • Global scope within the site, no router zone ID
    required

100
Special IPv6 Addresses
  • Unspecified address (new thing!)
  • 0:0:0:0:0:0:0:0 or ::
  • Loopback address
  • 0:0:0:0:0:0:0:1 or ::1
  • Well-known site-local DNS server addresses (from
    an expired IETF draft, used by Windows; deprecated
    along with site-local addressing)
  • FEC0:0:0:FFFF::1
  • FEC0:0:0:FFFF::2, or
  • FEC0:0:0:FFFF::3

101
Compatibility Addresses
  • Used to create tunneling or IPv4-derived IPv6
    addresses (WWXX:YYZZ is the IPv4 address w.x.y.z
    written in hex)
  • IPv4-compatible address: 0:0:0:0:0:0:w.x.y.z or
    ::w.x.y.z (deprecated)
  • IPv4-mapped address: 0:0:0:0:0:FFFF:w.x.y.z or
    ::FFFF:w.x.y.z
  • 6over4 address: Interface ID of ::WWXX:YYZZ
  • 6to4 address: Prefix of 2002:WWXX:YYZZ::/48
  • ISATAP address: Interface ID of ::0:5EFE:w.x.y.z
    (0:5EFE for a private IPv4 address, 200:5EFE for
    a public one)

102
NSAP Addresses (RFC 1888)
  • NSAP or Network Service Access Point is an OSI IP
    (not IPv4) addressing scheme which may become
    popular in the future, so was made fully
    compatible with IPv6
  • Currently unused

103
Multicast Addresses
  • Replaces IPv4 broadcast addressing
  • First byte is always FF
  • Flags (4 bits): T flag is 0 if permanent
    (well-known), 1 if transient
  • Scope (4 bits): 1 interface, 2 link, 5 site, 8
    organization, E global
  • Some IANA defined multicast (group) addresses
  • FF02::1 (All nodes on the link)
  • FF02::2 (All routers on the link)
  • FF05::1:3 (All DHCP servers in the site)
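
The following Python is an added example, not from the presentation, that classifies an IPv6 address into the types of slides 7, 101 and 103: it decodes the multicast flag and scope nibbles, matches the unicast prefixes (link-local, site-local, ULA, 6to4, Teredo, global), and extracts any IPv4 address embedded by a transition mechanism, which is the information leak the eXIPv4 slide warns about. The sample addresses are constructed from documentation prefixes (RFC 3849, RFC 5737) and the private range.

```python
import ipaddress

MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
# Most specific prefixes first; 2000::/3 catches the rest of global unicast.
UNICAST_TYPES = [
    (ipaddress.IPv6Network("fe80::/10"), "link-local"),
    (ipaddress.IPv6Network("fec0::/10"), "site-local (deprecated)"),
    (ipaddress.IPv6Network("fc00::/7"), "unique-local"),
    (ipaddress.IPv6Network("2002::/16"), "6to4"),
    (ipaddress.IPv6Network("2001::/32"), "teredo"),
    (ipaddress.IPv6Network("2000::/3"), "global"),
]
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # private / public IPv4 forms


def embedded_ipv4(a):
    """Return (mechanism, IPv4Address) if the address embeds an IPv4 address, else None."""
    if a.ipv4_mapped:
        return "ipv4-mapped", a.ipv4_mapped
    if a.sixtofour:
        return "6to4", a.sixtofour                 # 2002:WWXX:YYZZ::/48
    if a.teredo:
        return "teredo-client", a.teredo[1]        # client IPv4 is stored inverted
    if a.packed[8:12] in ISATAP_IIDS:
        return "isatap", ipaddress.IPv4Address(a.packed[12:16])
    if a.packed[:12] == bytes(12) and int(a) > 1:  # ::w.x.y.z, but not :: or ::1
        return "ipv4-compatible (deprecated)", ipaddress.IPv4Address(a.packed[12:16])
    return None


def classify(addr):
    """Describe an IPv6 address: type, scope, multicast flags and embedded IPv4."""
    a = ipaddress.IPv6Address(addr)
    info = {"address": str(a), "type": None, "scope": "global", "embedded_ipv4": None}
    if a.is_multicast:
        flags, scope = a.packed[1] >> 4, a.packed[1] & 0xF   # second byte: flags|scope
        info.update(type="multicast", transient=bool(flags & 0x1),
                    scope=MCAST_SCOPES.get(scope, "scope %#x" % scope))
        return info
    if int(a) == 0:
        info["type"] = "unspecified"
    elif a.is_loopback:
        info.update(type="loopback", scope="node")
    else:
        info["type"] = next((name for net, name in UNICAST_TYPES if a in net),
                            "other/reserved")
    if info["type"] == "link-local":
        info["scope"] = "link"
    elif info["type"] in ("site-local (deprecated)", "unique-local"):
        info["scope"] = "site/organization (routers must filter at the boundary)"
    emb = embedded_ipv4(a)
    if emb:
        info["embedded_ipv4"] = (emb[0], str(emb[1]))
        if info["type"] == "other/reserved":
            info["type"] = emb[0]
    return info


if __name__ == "__main__":
    for sample in ("ff02::1", "ff05::1:3", "fe80::5efe:c0a8:101", "2002:c000:204::1",
                   "fd12:3456:789a::1", "2001:db8::1", "::ffff:192.0.2.7", "::1"):
        print(classify(sample))
```

The embedded-IPv4 branch is the reconnaissance angle: an ISATAP or 6to4 address seen in a log or a DNS record hands an attacker the internal or public IPv4 address behind it, which is why the transition slides recommend disabling automatic tunnels.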

104
Anycast Address
  • Used to send a packet to a group of hosts; the
    closest host (in routing terms) will respond
  • A unicast address assigned to more than one
    interface/host
  • Last hop routers are configured with a full
    128-bit host route
  • Routers must join the Subnet-Router anycast
    address (the subnet prefix with an all-zero
    Interface ID)
  • Now a host can send a packet to discover the
    closest available default gateway
  • Can also be used for clustering server solutions
  • Anycast still undergoing definition

105
EUI-64 Example
  • Host has a MAC-48 address of 00-AA-00-3F-2A-1C
  • 1. Convert the MAC address to EUI-64 format by
    inserting hex FF FE between the manufacturer's OUI
    (first 3 bytes) and the adapter serial number
    (last 3 bytes)
  • 00-AA-00-FF-FE-3F-2A-1C
  • 2. Complement the 7th bit of the first byte (the
    universal/local bit, value 0x02)
  • The first byte in binary form is 00000000. When
    the seventh bit is complemented, it becomes
    00000010 (0x02).
  • 02-AA-00-FF-FE-3F-2A-1C
  • 3. Convert to colon hexadecimal notation and
    suppress leading zeros
  • 2AA:FF:FE3F:2A1C
  • Link-local address for the node with the MAC
    address 00-AA-00-3F-2A-1C is FE80::2AA:FF:FE3F:2A1C
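
As an added example, not from the presentation, this Python performs the EUI-64 derivation of slides 35 and 105, builds the link-local and SLAAC global addresses, forms the Solicited-Node Multicast Address of slide 36, and does the reverse mapping that makes EUI-64 addresses a privacy and scanning concern (slides 11 and 61): recovering the MAC address from the IPv6 address. The inputs are the slides' own example values plus an RFC 3849 documentation prefix.

```python
import ipaddress

SNMA_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # FF02:0:0:0:0:1:FF00::/104
LINK_LOCAL_PREFIX = int(ipaddress.IPv6Address("fe80::"))


def mac_to_modified_eui64(mac):
    """RFC 4291 Appendix A: split the MAC-48, insert FF FE, invert the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # seventh bit of the first byte: universal/local
    return bytes(iid)


def link_local_from_mac(mac):
    """FE80::/64 + modified EUI-64, as stateless autoconfiguration does."""
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | iid)


def global_from_mac(prefix, mac):
    """Combine a /64 prefix advertised in an RA with the modified EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_multicast(addr):
    """RFC 4291 section 2.7.1: FF02::1:FFxx:xxxx from the low 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SNMA_PREFIX | low24)


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 Interface ID, or None if it is not one.
    This is the privacy leak the privacy extensions exist to close."""
    iid = ipaddress.IPv6Address(addr).packed[8:16]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return "-".join("%02X" % b for b in octets)


if __name__ == "__main__":
    mac = "00-AA-00-3F-2A-1C"                 # the slide's example MAC
    ll = link_local_from_mac(mac)
    print(ll, global_from_mac("2001:db8:1::/64", mac))
    print(solicited_node_multicast("3001:b000::1212:6bff:fe3a:9e9a"))
    print(mac_from_address(ll), mac_from_address("fe80::1"))
```

Because the OUI survives in the address, the reverse mapping also tells a scanner which vendor's adapters are on a link, narrowing the 64-bit host space to a few vendor-specific ranges; that is the structured-address scanning risk slide 11 refers to.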

106
EUI-64 Privacy Extensions
  • Since the EUI-64/MAC address doesn't change,
    there are privacy concerns
  • RFC 3041 Privacy Extensions (now RFC 4941) defines
    how the Interface ID can be randomly generated and
    changed often to protect privacy
  • Leverages preferred and valid lifetimes; the
    defaults are 1 day preferred, 7 days valid
  • Privacy Extensions make internal tracking and
    scanning more difficult

107
Router Solicitations
  • When a host boots, it cannot wait minutes for the
    next periodic RA to get configuration data
  • Host will send a Router Solicitation (RS) to
    FF02::2 (All-routers-on-link)

108
Boot Sequence Address Configuration
  • Host generates a link-local address using the
    link-local prefix (FE80::/64) + Interface ID
  • Host checks for address collision (Duplicate
    Address Detection)
  • Host sends a Router Solicitation to FF02::2
  • Router sends a Router Advertisement
  • If the RA Managed Address flag = 1, host contacts
    DHCPv6 for a Global Unicast address via FF02::1:2
    (All_DHCP_Relay_Agents_and_Servers), or the
    site-scope All_DHCP_Servers group if no response
  • If the RA Managed Address flag = 0, host combines
    the advertised link prefix with its Interface ID to
    create a Global Unicast Address

109
MobileIP
  • RFC 3775
  • Components
  • Mobile Node
  • Home Agent (Transfer agent)
  • Home Address (HA) (Permanent Address)
  • Care-of-Address (CoA) (Hosting Net Address)
  • uses Packet Extension Headers
  • Can be P2P with route optimization