Security Implications of IPv6 on IPv4 Networks

Slides:



Advertisements
Similar presentations
73rd IETF meeting, November 16-21, 2008
Advertisements

Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont project carried out on behalf of the UK CPNI LACNOG 2010 Sao Paulo,
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv4 to IPv6 Migration strategies. What is IPv4  Second revision in development of internet protocol  First version to be widely implied.  Connection.
IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.
Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced.
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
IPv6 at CERN Update on Network status David Gutiérrez Co-autor: Edoardo MartelliEdoardo Martelli Communication Services / Engineering
1 Navaneethan C. Arjuman Phd Candidate and MyBrain Fellow National Advanced IPv6 Centre February 2012.
An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.
Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, Beijing, China.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing and Switching Essentials.
Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont DEEPSEC 2011 Conference Viena, Austria, November 15-18, 2011.
Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.
Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg.
Draft-vandevelde-v6ops-ra-guard-01.txt1 IPv6 RA-Guard G. Van de Velde, E. Levy- Abegnoli, C. Popoviciu, J. Mohacsi IETF 71, March 11/14th 2008 Philadelphia.
IPv6 Home Networking Architecture - update IETF homenet WG Interim meeting Philadelphia, 6 th Oct 2011 draft-chown-homenet-arch-00.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing and Switching Essentials.
1 AutoconfBOF2.PPT / Aug / Singh,Perkins,Clausen IETF Not Confidential Ad hoc network autoconfiguration: definition and problem statement (draft-singh-autoconf-adp-00.txt)
1 IPv6 Deployment Scenarios in (e) Networks draft-ietf-v6ops deployment-scenarios-01 Myung-Ki Shin, ETRI Youn-Hee Han, KUT Sang-Eon Kim, KT.
1 Behcet Sarikaya Frank Xia Ted Lemon July 2011 DHCPv6 Prefix Delegation as IPv6 Migration Tool in Mobile Networks IETF 81
Ch 6: IPv6 Deployment Last modified Topics 6.3 Transition Mechanisms 6.4 Dual Stack IPv4/IPv6 Environments 6.5 Tunneling.
1 NCM _05_2001_c1 © 2001, Cisco Systems, Inc. All rights reserved. How would you prepare for the technology you need.
An Analysis of IPv6 Security CmpE-209: Team Research Paper Presentation CmpE-209 / Spring Presented by: Dedicated Instructor: Hiteshkumar Thakker.
IPv6 Site-Local Discussion Bob Hinden & Margaret Wasserman IETF 56 San Francisco March 2003.
Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://
1 Extreme Networking at Home Jari Arkko, Ericsson.
IPv6 - The Way Ahead Christian Huitema Architect Windows Networking & Communications
IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.
Balanced Security for IPv6 CPE draft-ietf-v6ops-balanced-ipv6-security-01 IETF89 London M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen.
Multicast Considerations for Gateway Initiated Dual-Stack lite (draft-brockners-softwire-mcast-gi-ds-lite-00) Authors: Frank Brockners
Security “Automatic Border Detection” is essential – For service discovery scope – For prefix assignment and routing – For security Default filters (ULAs?)
GOOD MORNING TO ONE AND ALL. OUR TEAM VENKATESH THARUN SADIK FROM AVANTHI ENGG. COLLEGE.
Slide title minimum 48 pt Slide subtitle minimum 30 pt Tunnel Security Concerns draft-ietf-v6ops-tunnel-security-concerns-02 James Hoagland Suresh Krishnan.
IPv6 Neighbor Discovery over Syam Madanapalli Samsung ISO IETF 64 – Vancouver, Canada November 8 th 2005.
PANA in DSL networks draft-morand-pana-panaoverdsl-00.txt Lionel Morand Roberta Maglione John Kaippallimalil Alper Yegin IETF-67, San Diego.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
IPv6 Transition Mechanisms - 6DISS Workshop - 5 March 2006 IPv6 Transition Mechanisms, their Security and Management Georgios Koutepas National Technical.
Routing Loop Attack Using IPv6 Automatic Tunnels: Problem Statement and Proposed Mitigations (RFC 6324) Po-Kang Chen Oct 19,
6MoN plus geographically distributed dual stack network monitoring #TNC16 | #IIT-CNR | #6MoN Speaker: Abraham Gebrehiwot.
03 Jun 2011There's no place like ::1 Introduction to IPv6 Protocol part 2 George Kargiotakis oss-unipi: Event #27.
Results of a Security Assesment of the Internet Protocol version 6 (IPv6) Hack In Paris 2012 Paris, France. June 18-22, 2012.
Security Implications of Predictable Fragment Identification Values
Host Scanning in IPv6 Networks (draft-gont-opsec-ipv6-host-scanning) IETF 84 Vancouver, Canada. July 29-August 3, 2012.
V4 traversal for IPv6 mobility protocols - Scenarios Mip6trans Design Team MIP6 and NEMO WGs, IETF 63.
أمن المعلومات لـ أ. عبدالرحمن محجوب حمد mtc.edu.sd أمن المعلومات Information Security أمن المعلومات Information Security  أ. عبدالرحمن محجوب  Lec (5)
Instructor Materials Chapter 5: Network Security and Monitoring
IPv6 Overview Address space Address types IPv6 and Tunneling.
FIREWALL configuration in linux
Chapter 6 Exploring IPv6.
draft-baker-opsawg-firewalls
Gunter Van de Velde Kiran Kumar Chitimaneni Warren Kumari
Current Issues with DNS Configuration Options for SLAAC
Chapter 10: DHCP Routing & Switching Chapter 10: DHCP
Introducing To Networking
DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
ND-Shield: Protecting against Neighbor Discovery Attacks
Chapter 5: Network Security and Monitoring
* Essential Network Security Book Slides.
NT2640 Unit 9 Activity 1 Handout
Firewalls Routers, Switches, Hubs VPNs
Static and Default Routing
IP-Spoofing and Source Routing Connections
IP Addresses & Ports IP Addresses – identify a device on a network
Requirements for IPv6 Routers draft-ietf-v6ops-ipv6rtr-reqs-00
M. Boucadair, J. Touch, P. Levis and R. Penno
Presentation transcript:

Security Implications of IPv6 on IPv4 Networks (draft-gont-opsec-ipv6-implications-on-ipv4-nets) IETF 84 Vancouver, Canada. July 29-August 3, 2012

Overview Common claim/assumption: “I don't need to worry about IPv6 security – my network is IPv4 only!” Truth is: Most networks have at least partial deployment of IPv6 Hence, one does need to worry about IPv6 security for “IPv4-only” networks

Common/general issues IPv6-specific vulnerabilities might be exploited IPv6 could be leveraged to circumvent security controls Transition technologies might increase host exposure

*-opsec-ipv6-implications-on-ipv4-nets Raises awareness about the security implications of IPv6 on “IPv4-only” networks Provides concrete advice to mitigate them

Security Implications of Native IPv6 Support

Overview Even with no infrastructure support, local hosts may communicate with IPv6 link-local addresses This may allow attackers to circumvent controls May enable exploitation of IPv6-specific vulnerabilities Global connectivity might be enabled with rogue routers And then leveraged for the same purpose

Possible mitigations Filter IPv6 packets at layer-2 (Ethernet Protocol 0x86dd) Mitigate SLAAC, DCHPv6, and ND attacks with: RA-Guard DHCPv6-Shield ND-Shield Enforce IPv6 controls on your “IPv4” network In specific environments (e.g. military) you may want to completely disable IPv6 support in communicating devices

Security Implications of Tunneling Mechanisms

Overview They might introduce tunnel-specific vulnerabiities e.g. think about Nakibly et al's “automatic-tunnel loops” They might be leveraged to circumvent security controls Some (notably Teredo) might inadvertently increase host exposure e.g. allow incoming connections through a NAT-PT

Mitigations Enforce a “default deny” policy for tunnels Most can be blocked by filtering IP Proto 41 Others can be trickier (e.g. TSP and Teredo) Enforce tunnel-aware security controls (NIDS, firewalling, etc.)

Moving forward Adopt as wg item?

Thanks! Fernando Gont fgont@si6networks.com www.si6networks.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.