
IPv6 Security Topics

IPv6 Security Topics. TAU Security Forum, February 2005. Yoni Appel, IPv6 Project Manager, yonia@checkpoint.com. Agenda: Novelties in IPv6 (a short overview); IPv6 deployment today (Asia, cellular industry, U.S. Department of Defense, academia); Security topics with IPv6.


Presentation Transcript


  1. IPv6 Security Topics TAU Security Forum February 2005 Yoni Appel IPv6 Project Manager yonia@checkpoint.com

  2. Agenda • Novelties in IPv6 • A short overview • IPv6 deployment today • Asia • Cellular industry • U.S. Department of Defense • Academia • Security topics with IPv6 • New network stacks and logic • Application security • End to end encryption • Transition and tunneling

  3. Novelties in IPv6

  4. Novelties in IPv6 • Address size is 128 bits • 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IP addresses • Efficient addressing • Simpler header format, reduced number of fields • Offload computation effort from the router to the end points • Fragmentation handled by the end points • Extension headers • Built in authentication and encryption • Address auto configuration

  5. IPv6 deployment today

  6. Security topics with IPv6 Asia • Major investment in IPv6 infrastructure is made by governments and technology vendors • This effort is driven mainly by the shortage of IPv4 addresses

  7. Security topics with IPv6 Asia – Japan • In Japan there is a strong collaborative effort to push IPv6 by government, vendors and service providers. Such collaboration is the key to solving the “Chicken and Egg” problem, which is a main theme for IPv6 • A native IPv6 link is already available for homes in Japan • NTT/Verio has built a worldwide IPv6 backbone

  8. Security topics with IPv6 Asia – Japan cont.

  9. Security topics with IPv6 Asia – Japan cont. • Webcam, VoIP and other end point equipment vendors are adding IPv6 support • 18 M$ allocated by the Japanese government for IPv6 R&D • IPv6 networks roll out during 2005

  10. Security topics with IPv6 Asia - China • CNGI – China Next Generation Internet rolls out during 2005 • The project will be the core of China’s infrastructure for 3G and other telecommunication services for the next decades • 169 M$ will be invested in IPv6 infrastructure by 2010

  11. Security topics with IPv6 Asia – additional countries • Substantial government investment will also be made in the next few years in additional Asian countries • 72 M$ in South Korea • 78 M$ in Taiwan

  12. Security topics with IPv6 Cellular industry • The mobile phone – a killer application for IPv6 • Handsets supporting IPv6 are ready • 3GPP release 5 introduces IMS – IP Multimedia Subsystem • IMS is based on SIP and will enable advanced mobile services • Video Streaming • Gaming • Chat • IMS requires usage of IPv6

  13. Security topics with IPv6 U.S. Department of Defense • The DoD plans transition to IPv6 by 2008 • The DoD’s efforts are driven by the needs of the future battlefield • Intensive industry-wide IPv6 testing is conducted in the Moonv6 interoperability events • The transition will affect DoD partners and major contractors

  14. Security topics with IPv6 Academia • Universities worldwide are experimenting with IPv6 • Fully active deployments in many universities

  15. Security topics with IPv6

  16. Security topics with IPv6 New IP stacks • More devices are connected to the web and are more widely accessible as there is no NAT • Low end devices are less flexible and with little security awareness • New IP logic and new IP stack implementation will result in new vulnerabilities, and tweaks in the old ones

  17. Security topics with IPv6 New IP stacks - examples • The Rose Attack - incomplete fragments causing resource exhaustion at the attacked node • Denial of Service attacks – we have witnessed several attacks during the last year where a series of crafted packets caused a crash at the attacked node – both routers and hosts • Many IPv6 stacks may be vulnerable to these kinds of attacks

  18. Security topics with IPv6 Sweep Scan • A worm scans a network to see which nodes are candidates for it to spread to, e.g. which nodes are listening on a specific port • The Welchia worm used a ping-based sweep scan for its propagation • With IPv6, sweep scans are less practical as there will be numerous IP addresses on the local network • A sweep scan can be detected before it locates a critical mass of possible propagation candidates

  19. Security topics with IPv6 Application security • Applications that deal extensively with IP addresses may be vulnerable due to • fast application conversions of legacy code • incorrect buffer handling • incorrect address calculations • different applicative logic related to IPv6 • Servers are exposed to application level attacks even in an IPv6 experimentation environment

  20. Security topics with IPv6 DNS – An Application Security example • New resource record types have been added for IPv6 – AAAA, A6 and DNAME • The A6 and DNAME resource records support a distributed database containing partial information regarding IPv6 addresses • BitString labels – a new way of representing IPv6 addresses in DNS • IPv6 resource records can pass in IPv4 DNS requests

  21. Security topics with IPv6 End to End Encryption • IPv6 mandates encryption as an integral part of an endpoint’s implementation • This method has notable advantages • Prevents eavesdropping inside the LAN • Simplifies the security requirements at the application layer • Increases interoperability

  22. Security topics with IPv6 End to End Encryption • End to end encryption implies network and application security at the endpoints • However the endpoint may lack the required abilities to address security at design and deployment phases • Awareness • Expertise • Responsiveness • Flexibility • Distribution mechanism

  23. Security topics with IPv6 Transition Mechanisms • There are several transition mechanisms between IPv6 and IPv4 • NAT-PT – translates IPv6 to IPv4 and vice versa • SIT – Six in Tunnel (several methods) • Teredo – a NAT-friendly IPv4 tunnel (based on UDP encapsulation)

  24. Security topics with IPv6 Transition and tunneling • IPv6 in IPv4 may be used by malicious applications to bypass security inspections • It is best practice to • Block all of these tunnels for IPv4 deployments or • Be the endpoint of these tunnels and make sure that the encapsulated traffic gets inspected

  25. Questions ?
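
The inspection point from slide 24, as an added example that is not part of the original presentation: a classifier that labels raw IPv4 packets carrying IPv6 either directly (IP protocol 41) or inside UDP on the Teredo port, so a gateway can block them or pass the inner traffic to inspection. The protocol number 41 and UDP port 3544 are standard values not stated on the slides; the function names and sample packets are constructed for illustration.

```python
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number: IPv6 carried directly in IPv4
PROTO_UDP = 17
TEREDO_PORT = 3544       # UDP port used by Teredo servers

def classify_ipv4(packet: bytes) -> str:
    """Label a raw IPv4 packet: 'proto41', 'teredo', 'other' or 'malformed'."""
    ihl = (packet[0] & 0x0F) * 4 if packet else 0  # header bytes incl. options
    if len(packet) < 20 or packet[0] >> 4 != 4 or not 20 <= ihl <= len(packet):
        return "malformed"
    proto = packet[9]
    if proto == PROTO_IPV6_IN_IPV4:
        return "proto41"
    # Only the first fragment carries the UDP header, so check the offset.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    l4 = packet[ihl:ihl + 8]  # UDP header starts after any IPv4 options
    if proto == PROTO_UDP and frag_offset == 0 and len(l4) == 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        if TEREDO_PORT in (sport, dport):  # port-based check only
            return "teredo"
    return "other"

def build_ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the samples."""
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0,
                         ihl_words * 4 + len(payload), 0, 0, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return header + options + payload

def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample traffic (documentation addresses, not a real capture).
INNER_IPV6 = bytes([0x60]) + bytes(39)  # minimal 40-byte IPv6 header
SAMPLES = {
    "6in4": build_ipv4(41, INNER_IPV6),
    "teredo behind IPv4 options": build_ipv4(17, udp(51000, 3544, INNER_IPV6),
                                             options=bytes(4)),
    "dns": build_ipv4(17, udp(51000, 53, bytes(12))),
    "truncated": b"\x45\x00",
}

def scan(samples=SAMPLES):
    return {name: classify_ipv4(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:28} {verdict}")
```

A port match alone does not cover IPv6 tunnelled over other UDP ports, so this check complements, rather than replaces, being the tunnel endpoint as the slide recommends.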
