CS 265 - PowerPoint PPT Presentation

Provided by: rpa21
Learn more at: http://www.cs.sjsu.edu
Transcript and Presenter's Notes

1
CS 265 Project: IPv6 Security Aspects
Surekha Shinde
2
IPv6 Security Aspects
  • Agenda
  • Introduction to IPv6
  • IPv4 and IPv6 Comparison
  • Current issues in IPv4
  • IPv6 solutions for IPv4 issues
  • New issues of new protocol
  • Hacking Tools
  • Conclusion

3
Introduction to IPv6
  • Why IPv6
  • IPv6 Important features Wish-list
  • Faster Packet Processing
  • Enhanced QOS
  • Improved Security
  • Greater protocol Flexibility
  • Dual-Stack approach

4
The IPv6 Header: 40 Octets, 8 fields
5
The IPv4 Header: 20 octets + options, 13 fields, including 3 flag bits
[Figure: IPv4 header layout, bit positions 0 to 31. Fields: Ver, IHL, Service Type, Total Length, Identifier, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, 32 bit Source Address, 32 bit Destination Address, Options and Padding.]
Shaded fields are absent from IPv6 header
6
IPv6 Addressing
  • IPv6 Addressing rules are covered by multiple
    RFCs
  • Architecture defined by RFC 2373
  • Address Types are
  • Unicast: One to One
  • Anycast: One to Nearest
  • Multicast: One to Many
  • Reserved
  • A single interface may be assigned multiple IPv6
    addresses of any type (unicast, anycast,
    multicast)
  • No Broadcast Address -> IPv6 uses Multicast

7
Notation Abbreviation
Unabbreviated: FDEC:BA98:0074:3210:000F:BBFF:0000:FFFF
Abbreviated: FDEC:BA98:74:3210:F:BBFF:0:FFFF
Abbreviated: FDEC:0:0:0:0:BBFF:0:FFFF
More Abbreviated: FDEC::BBFF:0:FFFF
8
IPv6 Addressing for IPv4
IPv4-Compatible IPv6 Address format: 96 bits of 0, then 32 bits of IPv4 Address
IPv4 Address: 192.168.10.10
IPv4-Compatible Address: 0:0:0:0:0:0:192.168.10.10 = ::192.168.10.10
IPv4-Mapped IPv6 Address format: 80 bits of 0, then 16 bits FFFF, then 32 bits of IPv4 Address
IPv4 Address: 192.168.10.10
IPv4-Mapped Address: 0:0:0:0:0:FFFF:192.168.10.10
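Added example (not part of the original slides): the notation rules from slide 7 and the IPv4-compatible and IPv4-mapped formats from slide 8, worked through with Python's standard `ipaddress` module. The helper names and the filtering use case (an IPv4 rule that must also match the IPv6 forms of the same host) are assumptions made for illustration.

```python
import ipaddress

def forms(text):
    """Return (unabbreviated, most abbreviated) notation for an IPv6 address."""
    addr = ipaddress.IPv6Address(text)
    return addr.exploded.upper(), addr.compressed.upper()

def embedded_ipv4(text):
    """Classify an IPv6 address and return any IPv4 address in its low 32 bits."""
    addr = ipaddress.IPv6Address(text)
    if addr.ipv4_mapped is not None:          # 80 zero bits, FFFF, IPv4
        return "ipv4-mapped", addr.ipv4_mapped
    value = int(addr)
    # 96 zero bits followed by an IPv4 address; :: and ::1 are excluded
    if 1 < value < 2**32:
        return "ipv4-compatible", ipaddress.IPv4Address(value)
    return "native", None

def matches_v4_rule(text, v4_network):
    """True if the address, in any of its forms, falls inside an IPv4 network."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6:
        _, addr = embedded_ipv4(text)
    return addr is not None and addr in ipaddress.ip_network(v4_network)

if __name__ == "__main__":
    # Addresses taken from the slides above
    for sample in ("FDEC:BA98:74:3210:F:BBFF:0:FFFF", "FDEC:0:0:0:0:BBFF:0:FFFF"):
        print(sample, "->", forms(sample))
    for sample in ("::192.168.10.10", "::FFFF:192.168.10.10", "FDEC::BBFF:0:FFFF"):
        print(sample, embedded_ipv4(sample),
              matches_v4_rule(sample, "192.168.10.0/24"))
```

A filter that compares address strings, or that only inspects the IPv4 form, treats these three spellings of 192.168.10.10 as different hosts; normalising first avoids that.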
9
IPv6 over IPv4 Tunnels
[Figure: IPv6 HostA, Dual-Stack RouterA, Tunnel (IPv6 in IPv4 packet), Dual-Stack RouterB, IPv6 HostB. Outside the tunnel the packet is IPv6 Header + Data; inside the tunnel it is IPv4 Header + IPv6 Header + Data.]
  • Tunneling is encapsulating the IPv6 packet in the
    IPv4 packet
  • Tunneling can be used by routers and hosts
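Added example (not part of the original slides): recognising an IPv6-in-IPv4 tunnel packet and reading the 8 fields of the 40-octet IPv6 header it carries. It assumes the encapsulation is marked by IPv4 protocol number 41; the function names and the sample packet (documentation addresses, checksum left at zero) are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 Protocol value for an encapsulated IPv6 packet

def parse_ipv6_header(data):
    """Decode the fixed 40-octet IPv6 header into its 8 fields."""
    if len(data) < 40:
        raise ValueError("truncated IPv6 header")
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", data[:8])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "version": word >> 28,
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "source": ipaddress.IPv6Address(data[8:24]),
        "destination": ipaddress.IPv6Address(data[24:40]),
    }

def inspect_ipv4_packet(packet):
    """Return the inner IPv6 header of a tunnel packet, or None if not a tunnel."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IHL counts 32-bit words; options may follow
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    if packet[9] != IPPROTO_IPV6:         # octet 9 is the Protocol field
        return None
    return parse_ipv6_header(packet[ihl:])

def build_sample():
    """Constructed tunnel packet: IPv4 header + IPv6 header, no data."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)   # 59 = no next header
    inner += ipaddress.IPv6Address("2001:db8::a").packed
    inner += ipaddress.IPv6Address("2001:db8::b").packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        IPPROTO_IPV6, 0,               # checksum not computed here
                        ipaddress.IPv4Address("192.0.2.1").packed,
                        ipaddress.IPv4Address("192.0.2.2").packed)
    return outer + inner

if __name__ == "__main__":
    print(inspect_ipv4_packet(build_sample()))
```

A monitoring point that only decodes the outer IPv4 header sees the two router addresses; the hosts that are actually talking appear only in the inner header.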

10
Dual Stack Approach DNS
[Figure: query "www.sjsu.com ?" sent to the DNS Server, with IPv4 and IPv6 (3ffeb001) answers.]
  • In a dual stack case, an application that
  • Is IPv4 and IPv6-enabled
  • Asks the DNS for all types of addresses
  • Chooses one address and, for example, connects
    to the IPv6 address

11
Security Advantages of IPv6 Over IPv4
IPv4 - NAT breaks end-to-end network security
IPv6 - Huge address range, no need of NAT
IPv4 - IPSEC is optional
IPv6 - Mandatory in v6
IPv4 - Security extension headers (AH, ESP) back-ported
IPv6 - Built-in security extension headers
IPv4 - External firewalls introduce performance bottlenecks
IPv6 - Confidentiality and data integrity without need for additional firewalls
12
Security Advantages of IPv6 Over IPv4 (2)
IPv4 - Security issues related to ICMPv4
IPv6 - ICMPv6 uses IPSEC authentication and encryption
IPv4 - No mechanism for resistance to scanning
IPv6 - RTS possible only in IPv6
IPv4 - Doesn't support auto configuration
IPv6 - Built-in auto configuration support
Ignorance of network administrators about IPv6. But, thanks to the transitional efforts of IETF
13
Important Security fields in IPv6
  • IPV4 - Security option field and Optional IPSEC
  • IPV6 - IPSEC part of protocol suite-mandatory
  • IPSEC provides network-level security
  • IPSEC uses-
  • AH ( Authentication Header)
  • ESP( Encapsulating Security Payload) Header

14
 Authentication Header(AH)
  • Data integrity
  • Data authentication
  • Anti-replay protection

  Fig.- Authentication Header(AH) Packet Format
15
Authentication Header fields
  • SPI - Security parameter index
  • Sequence number field - Anti-replay protection
  • Authentication data - ICV: authentication and
    data integrity
  • HMAC (Hash message authentication code) MD5
  • HMAC SHA-1
  • AH supports several authentication algorithms
  • Prevents IP spoofing attacks
  • Prevents DoS attacks
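Added example (not part of the original slides): how a receiver can use the three AH fields listed above, with the SPI selecting the key, the ICV checked as a truncated HMAC-SHA-1, and the sequence number run through a sliding anti-replay window. It is a simplified model: the ICV here covers only the AH fields and the payload, and the class name, window size and return strings are assumptions.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA-1-96: HMAC-SHA-1 output truncated to 96 bits

def _icv(key, fixed, payload):
    # The ICV is computed with the Authentication Data field zeroed.
    # Simplification: a real AH ICV also covers immutable IP header fields.
    return hmac.new(key, fixed + bytes(ICV_LEN) + payload, hashlib.sha1).digest()[:ICV_LEN]

def build_ah(key, spi, seq, next_header, payload):
    # Payload Len = AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    return fixed + _icv(key, fixed, payload) + payload

class AhReceiver:
    def __init__(self, key, spi, window=32):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0  # highest sequence number authenticated so far
        self.bitmap = 0   # bit i set: sequence number (highest - i) already seen

    def accept(self, packet):
        if len(packet) < 12 + ICV_LEN:
            return "malformed"
        fixed = packet[:12]
        _, _, _, spi, seq = struct.unpack("!BBHII", fixed)
        if spi != self.spi:
            return "unknown-spi"
        if seq == 0 or seq + self.window <= self.highest:
            return "replay"  # left of the window: too old to track
        offset = self.highest - seq
        if offset >= 0 and (self.bitmap >> offset) & 1:
            return "replay"  # duplicate inside the window
        icv, payload = packet[12:12 + ICV_LEN], packet[12 + ICV_LEN:]
        if not hmac.compare_digest(icv, _icv(self.key, fixed, payload)):
            return "bad-icv"
        # Slide the window only after the ICV verifies, so forged
        # packets cannot advance it and shut out genuine traffic.
        if offset < 0:
            mask = (1 << self.window) - 1
            self.bitmap = ((self.bitmap << -offset) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << offset
        return "accepted"
```

ESP carries the same SPI and sequence number fields, so the window logic applies to it unchanged.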

16
Encapsulating Security Payload (ESP)
  • Data confidentiality
  • Data integrity
  • Data authentication
  • Anti-replay protection
  • Authentication applied only to data being
    encrypted
  • Optional services-select at least one

17
ESP Packet Header Format
18
ESP Packet Header
ESP Header Fields
  • SPI - Security parameter index
  • Sequence number field - Anti-replay protection
  • ESP header with confidentiality service
  • prevents sniffing (e.g. TCP dump, Windump)
  • ESP - symmetric key algorithms like DES, 3DES
    and AES

19
But ??????
Security issues in IPV6
  • IPSEC relies on PKI, not yet fully standardized
  • Scanning possible if poorly designed
  • No protection against all denial of service
    attacks
  • (DoS attacks difficult to prevent in most
    cases)
  • Not many V6-capable firewalls in the market

20
By The Way IPv6 Hacking Tools
  • Sniffer/packet capture
  • Analyzer
  • Snort
  • TCP dump
  • Ethereal
  • Windump
  • WinPcap
  • Scanners
  • IPV6 security scanner
  • Halfscan6
  • Nmap
  • DOS Tools
  • 6tunneldos
  • 4to6DDOS
  • Imps6-tools
  • Packet forgers
  • SendIP
  • Packit
  • Spak6
  • Worms
  • Slapper

RealSecure Proventia Tools
21
Conclusion
Black Hats Vs White Hats
Time for ignoring IPv6 .. PAST
Time for understanding, recognizing and deploying it .. NOW
22
References
  • http://www.ipv6.org
  • http://www.cisco.com/ipv6/
  • http://netscreen.com
  • http://www.sans.org
  • Computer Networks, by Larry Peterson
    and Bruce Davie

23
Questions ?
24
Thank You...