1 / 30

E n a b l i n g N e w e 2 e S e c u r i t y M o d e l s

IP v 6 The T w o - W a y I n t e r n e t. E n a b l i n g N e w e 2 e S e c u r i t y M o d e l s. Security History (Network). None (we are all friends) Early Internet users were researchers Personal Computing revolution had yet to start. 1988: Uh Oh!

gaius
Télécharger la présentation

E n a b l i n g N e w e 2 e S e c u r i t y M o d e l s

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IP v 6 The T w o - W a y I n t e r n e t E n a b l i n g N e w e 2 e S e c u r i t y M o d e l s

  2. Security History (Network) • None (we are all friends) • Early Internet users were researchers • Personal Computing revolution had yet to start • 1988: Uh Oh! • Internet Worm, first time Internet made television... in a bad way • Today • Security threats abound, but security technology is an add-on

  3. Security is not Deployed • Internet is “edge” centric • Hard to add security in the middle • Firewalls attempt to add security “quasi” edge • Security is Hard • It is a “negative deliverable” • You don’t know when you have it, only when you have lost it! • Users don’t ask for it, so the market doesn’t demand it

  4. You are here Some Internet Security Protocols Political Application - e-mail + PGP, S/MIME Transport - Primarily Web + SSL/TLS + Secure Shell (SSH) Network+ IPsec - MIPv6 Routing security Infrastructure+ DNSsec - PKI + SNMPv3 security Economic Application Presentation Session Transport Network Link Physical

  5. IPv4 Address Space is Melting! So, is Security!

  6. The End of The End-2-End model Distribution of IPv4 addresses by /8 21.1% remaining Study done by Tony hain @ Cisco

  7. The End of The End-2-End model The v4 Address Space Is Melting! Just 25% left See November issue of the Cisco Internet Protocol Journal www.cisco.com/ipj

  8. Oops! AnAccident email WWW phone... SMTP HTTP RTP... TCP UDP… IP ethernet PPP… CSMA async sonet... copper fiber radio... • NATs & ALGsused to glue the broken pieces • lots of kinds of new glue being invented—ruins predictability • some apps remain broken, since repairs are incomplete

  9. Large-Scale End-to-End Security Easy to setup IP-VPN between end-to-end terminals with IPv6 Global Address Private Address Private Address NAT NAT Secure Transmission IPv4-NAT The Internet IPsec Terminal IPsec terminal R R Office A Office B Site-to-Site Secure Communication Low security on the LAN Low interoperability between different vendors Global Address Secure Transmission IPv6 The Internet R R Office A Office B R End-to-End Secure Communications Secure Transmission Business Partner End-to-end secure communication Easy to partner with new customer

  10. Can you do 3 things in ONE GO? It‘s Acrobatic! e2e Communication e2e Security The Road Warrier Is A Clown! Mobility

  11. v6 - IPsec Roadmap Scenaria IPv6 Deployment Address Transparency IPsec FOG Issues Scenario 1 Scenario 2 Successful Restored e-2-e e-2-e works Clears! Intranet, Proxies & Firewalls may remain Complete Failure Recycling IP Addresses Limited Noticeable Fog Generalised use of NAPT, RSIP? Exhaustion NAT-over-NAT Broken Permanet Thick Fog NATs between even ISPs

  12. INTERNETLargest Man-Made Digital FOG!

  13. IPsec • Protects all upper-layer protocols. • Requires no modifications to applications. • But smart applications can take advantage of it. • Useful for host-to-host, host to gateway, and gateway-to-gateway. • Latter two used to build VPNs.

  14. Doesn’t IPsec work with IPv4? • Yes, but… • It isn’t standard with v4. • Few implementations support host-to-host mode. • Even fewer applications can take advantage of it.

  15. No NATs • NATs break IPsec, especially in host-to-host (P2P) mode. • With no NATs needed, fewer obstacles to use of IPsec. • Note carefully: NATs provide no more security than an application-level firewall.

  16. Richard Clarke, Special Advisor to the President for Cyberspace Security, Critical Infrastructure Assurance Office (CIAO) Recommendations of ISOC/IAB/IETFINET 2002 June 19 Vint CerfScott Bradner Fred BakerLynn St. AmourLeslie Daigle Harald Alvestrand Brian Carpenter • - the proliferation of NATs makes end to end encryption orauthentication difficult,meaning we need to actively deploy IPv6 in routers and end nodes to eliminatethat issue. Please specify IPv6 support on all future procurements (shades of GOSIP)

  17. Richard Clarke Recommendations of ISOC/IAB/IETFINET 2002 June 19 • - while export controls have loosened, Cisco and others are still forcedtodistinguish between US and non-US versions of code, around crypto. • It was suggestedthat USG simply drop all export restrictions on crypto code using thenewAdvanced Encryption Standard • - we still don't know how to deploy a global Public Key Infrastructure,makingglobal IPSEC privacy/authentication difficult (research funding) • - ditto secure/scalable/quickly-converging global and local routing • - ditto on intrusion detection as a service provider service (detectingandmitigating attacks of various kinds)

  18. Identify First Then Authenticate !!! • Identify in order to Authenticate • Before authentification the source has to be identified • Node Identification is still done based on the IP Address • The IP address should be unique and global – Only IPv6 can provide such a critical resource. • IPsec doesn‘t really work with NATs • With IPv6, NATs are no longer needed. • The ability to get rid of NATs will remove a major current difficultyin deploying secure (encrypted) VPNs. We see many customer scenarios inwhich NAT traversal by IPSEC is a big issue today.

  19. Distinct Security Enhancements on IPv6 • IPsec Mandated in IPv6, meaning ... • Yes, my peer supports IPsec • OS, Routers, Hosts have to support IPsec • New Security Models can be built • Large Address Space for new models • Assign multiple addresses to a single host • Local address for local access and global addresse for Internet access. • Enhanced Filtering: One Application = One IPv6 Address

  20. Distinct Security Enhancements on IPv6 • More Robust IP Datagram • No more Fragmentation as in IPv4 • More rigorous chaining of datagrams • Will better resist to DOS at IP/ICMP/TCP/UDP levels • No change at application layer • Large Addresses, no doubt more routed addresses • Search for valid addresses and open services will take longer and will be more complex for the attacker to find.

  21. IPv6 New Security Benefits • End-2-end Security Model: • Simple security (VPN Plug & Play@ low cost ) • Reachability/Tracability/Predictability of addressable devices • Large-scale VPNs • More flexibility due to end-2-end network Mandated Deployment (vendors) • New cherries: • CGA, Scanning made difficult, … • Could help with spam

  22. Cryptographically Generated Address Subnet prefix (64 bit) CGA specific ID (64 bit) Hash of sender public key Cryptographically Generated Addresses • IPv6 addresses, which carry hashed information about public key in the identifier part • Benefits • Certificate functionality without requiring a key management infrastructure • Solution for securing IPv6 Neighbor Discovery (resolve chicken-egg problem of IPsec)

  23. Cryptographic Generated Addresses (CGA) • This is a key differentiator – • it is not possible to retrofit this • functionality to IPv4

  24. Privacy IssuesConfiguring Interface IDs Several choices for configuring the interface ID of an address: • manual configuration (of interface ID or whole addr) • DHCPv6 (configures whole address) • automatic derivation from 48-bit IEEE 802 addressor 64-bit IEEE EUI-64 address • pseudo-random generation (for client privacy) the latter two choices enable “serverless” or “stateless” autoconfiguration, when combined with high-order part of the address learned via Router Advertisements

  25. Addressing Privacy • In IPv4, privacy is a by-product of • dynamic addressing and/or NAT • For users with static, public • addresses, there is NO technical • privacy solution in IPv4

  26. IPv6 Addressing Privacy • IPv6 privacy addresses: • - Huge number range available for host addressing • - Choose random numbers and • check for potential duplicates • Provides anonymity to mobile nodes, and • fixed nodes over time • This functionality is enabled by default

  27. Random or static identifier (64 bit) Subnet prefix (64 bit) Tracability of (mobile) users • In stateless IPv6 address autoconfiguration identifiers can be derived from HW (static part in address) • Does this mean that I‘m trackable (location, sites visited, …)? • IPv6 supports also random identifiers for privacy reasons • These random identifiers are default setting in some operating systems

  28. SCANNING 128 bits • At 100M pings / second (40 Gbps fdx), it takes 5,800 years to scan the address range for just one subnet. Worm and virus propagation will fail or will have to find an alternative search path. So will scanning based network management products… Routing Interface ID 64 bits 64 bits

  29. Distributed Security with IPv6 Folks, Just Surfing with Random Address for Privacy IPv6 Firewall IPv6 Firewall Steel Pipe IPsec-o-IPv6

  30. SEINIT‘s principle of virtualization User Virtualisation TCP / UDP TCP / UDP TCP / UDP IPv6 IPv6 IPv6 DSL 3G WLAN Security Domain B: Home Network Security Domain C: Car Network Security Domain A: Hotel Network

More Related