Security Implications of IPv6 Tim Helming Director of Product Management Corey, Nachreiner, CISSP, Sr. Network Security Strategist,

Slides:



Advertisements
Similar presentations
Security Assessment of Neighbor Discovery for IPv6
Advertisements

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
IPv6 Transition Roque Gagliano What is transition? IPv4 only.IPv4 Only Bone is borned IPv4 Only Experimental IPv6. Majority:
IPv6 Addressing Details LAC NIC VII October 26, 2004 Wilfried
Internet Protocol Security (IP Sec)
IP security over ATM CS 329 Hwajung Lee Computer and Communications Security The George Washington University.
Christophe Jelger – CS221 Network and Security - Universität Basel Christophe Jelger Post-doctoral researcher IP Multicasting.
Ch. 23, 25 Q and A (NAT and UDP) Victor Norman IS333 Spring 2014.
ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.
Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.
IPv6 The New Internet Protocol Integrated Network Services Almerindo Graziano.
CS 265 – Project IPv6 Security Aspects Surekha Shinde.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv6: The Next Generation Internet Protocol CEOS WGISS 18: Beijing, China September 2004 Dave Hartzell Computer Sciences Corp, NASA Ames
December 5, 2007 CS-622 IPv6: The Next Generation 1 IPv6 The Next Generation Saroj Patil Nadine Sundquist Chuck Short CS622-F2007 University of Colorado,
IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.
EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced.
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.
IPv6 Network Security.
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College
1 Navaneethan C. Arjuman Phd Candidate and MyBrain Fellow National Advanced IPv6 Centre February 2012.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
Internet Protocol Security (IPSec)
K. Salah1 Security Protocols in the Internet IPSec.
1 IPv6 Address Management Rajiv Kumar. 2 Lecture Overview Introduction to IP Address Management Rationale for IPv6 IPv6 Addressing IPv6 Policies & Procedures.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
7 IPv6: transition and security challenges Selected Topics in Information Security – Bazara Barry.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
CIT 384: Network AdministrationSlide #1 CIT 384: Network Administration IPv6.
Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.
UNIT IP Datagram Fragmentation Figure 20.7 IP datagram.
Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di.
Module 4 Quiz. 1. Which of the following statements about Network Address Translation (NAT) are true? Each correct answer represents a complete solution.
Universal, Ubiquitous, Unfettered Internet © ui.com Pte Ltd Mobile Internet Protocol under IPv6 Amlan Saha 3UI.COM Global IPv6 Summit,
CCNP Network Route IPV-6 Part-I IPV6 Addressing: IPV-4 is 32-BIT, IPV-6 is 128-BIT IPV-6 are divided into 8 groups. Each is 4 Hex characters. Each group.
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
An Analysis of IPv6 Security CmpE-209: Team Research Paper Presentation CmpE-209 / Spring Presented by: Dedicated Instructor: Hiteshkumar Thakker.
Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://
Bjorn Landfeldt, The University of Sydney 1 NETS 3303 IPv6 and migration methods.
Chapter 27 IPv6 Protocol.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
K. Salah1 Security Protocols in the Internet IPSec.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
IPv6 101 pre-GDB - IPv6 workshop 7th of June 2016 edoardo
Next Generation: Internet Protocol, Version 6 (IPv6) RFC 2460
IT443 – Network Security Administration Instructor: Bo Sheng
IPv6 / IP Next Generation
Internet Protocol version 6 (IPv6)
Presentation transcript:

Security Implications of IPv6 Tim Helming Director of Product Management Corey, Nachreiner, CISSP, Sr. Network Security Strategist,

Welcome to WatchGuards IPv6 Webinar Series! Security Implications of IPv6 v6 in a v4 world v6 security advantages/disadvantages

Youre here because v6 matters to you Were here to help!Things well answer: What are the security implications of IPv6 in my IPv4 network (Transition)? What are the inherent security advantages and disadvantages of IPv6?

Part 1: Security Implications of IPv6 in a (mostly) IPv4 World

Im Running IPv4…Does This Affect Me? Your network may be IPv4… …but your devices may be another story!

Remember This?

Tunnels In My v4? Holy Teredo! Teredo: IPv6 Tunneling Protocol ISATAP: Windows v6 Transition Tool 6in4 6over4 Freenet6 Others Abound…

Talking Behind My Back? Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!

Remember... Visibility is Security Invisibility is Insecurity! …Which means...

Spotting and Controlling Rogue IPv6 Spotting: ipconfig and ifconfig Firewall logs SEIM Controlling: Egress Filtering Application Control

Part 2: Security Implications of IPv6

The Big IPv6 Security Question

IPv6 Offers: Security Benefits (The Good) Security Drawbacks (The Bad) Differences of Concern (The Ugl... Uh, Different)

IPv6 Security: The Good

Built-In IPSec Offers Better Security… Right? IPSec is a mandatory part of the IPv6 Protocol

Whats IPSec Again? Among other things, IPSec consists of: Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks) Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, antireply, and encryption (confidentiality) to IP packets, thus providing secure and private communications.

What are IPv6 Extension Headers? Remember IPv6 header simplification? VersionIHL Type of Service Total Length Identification Flags Fragment Offset Time to Live ProtocolHeader Checksum Source Address Destination Address OptionsPadding IPv4 Header (20 bytes) Version Traffic Class Flow Label Payload Length Next Header Hop Limit Source Address Destination Address IPv6 Header (40 bytes) Dropped Dropped options need to go somewhere… IPv6 Header Payload IPv6 Header Extension Header Payload IPv6 Header Extension Header Payload Ext. headers may include: Hop-by-hop options Destination Options Routing Fragmentation AH Header ESP Header Etc…

Built-In IPSec Offers Better Security… Right? IPSec is a mandatory part of the IPv6 Protocol What does this really mean? Part of IPv6 protocol stack, not an optional add-on Implemented with AH and ESP Extension Headers Follows one standard (less interop issues) Every IPv6 device can do IPSec However, IPSec usage is still OPTIONAL!

Wait! Doesnt IPv4 Offer IPSec too? Some truths about IPv6s additional IPSec Security: IPv4 has it too (though, not natively) You dont have to use it, and most dont Still complex May require PKI Infrastructure So is this really a security benefit? Short term – probably no measureable advantage over IPv4 IPSec Long term – More applications will leverage it now that its mandatory!

So Long NAT! Hello, End-2-End Addressing NAT does NOT provide security! End-2-End (public) addressing increases accountability

Vast Address Space Naturally Thwarts Certain Attacks (340 unidecillion) Too big for automated reconnaissance and attack: Average network port scans would take decadesAutomated worm propagation would slow to a crawl

IPv6 Security: The Bad

Immature Protocols = Increased Vulnerability & Risk During the creation life-cycle of new standards and protocols: Security is often an after-thought Unexpected problems happen due to complex interactions Many issues dont surface until the tech receives wider usage These concepts have proven themselves with many new network protocols in the past. Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.

Unfamiliarity Causes Misconfigurations Many network administrators and IT practitioners are still relatively unfamiliar with all IPV6s ins and outs Common issues: Not realizing IPv6 is already in their network Ignorance of Tunneling Mechanisms Lack of ACL policy for IPv6 multi-homing Unawareness of potential privacy issues Over permissiveness, just to get it to work

Automatic Addressing May Pose Privacy Concerns In the first webinar, we showed one way SLAAC could automatically created a EUI-64 address. However, this makes your MAC public, which you may consider a privacy issue. Privacy Enhanced Addresses [RFC 3041] Cryptographically Generated Addresses (CGA) [RFC 3972] There are options to rectify this issue: 1.MAC Address: 90-3A-2B-06-2C-D1 2.Split in half: 90-3A-2B 06-2C-D1 3.Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1 4.Change 7 th bit to 1: 92:3A:2B:FF:FE:06:2C:D1

I also have A Look Back at IPv4 ARP Poisoning Who has ? Who has ? I Do. Heres my MAC Hey Everyone. I have And , And ….. And , And ….. No authentication or security

I Do. Send traffic to me I Do. Send traffic to me Neighborhood Discovery Suffers from Similar Issues Who has 2001::3/64? Who has 2001::3/64? I Do. Heres my Layer 2 address Who has 2001::3/64? Who has 2001::3/64? Neighbor Solicitation Neighbor Advertisement ND Spoofing No authentication or security

Many Other Neighbor and Router Discovery Issues Solution: SEcure Neighbor Discovery (SEND) – RFC 3971 Essentially adds IPSec to ND communications Requires PKI Infrastructure Not available in all OSs yet X also an option Other ND related attacks: Duplicate Address Detection (DAD) DoS attack ND spoofing attack for router (allows for MitM) Neighbor Unreachability Detection (NAD) DoS attack Last Hop Router spoofing (malicious router advertisements) And many more… (

New Multicast Protocol Helps with Reconnaissance In the first webinar, we introduced IPv6 multicast addresses:IPv6 multicast includes a ton of reserved addresses. Heres a few: Multicast AddressReservation FF02::1All Host Address FF02::2All Router Address (LL) FF02::9RIP Routers FF02::AEIGRP Routers FF02::BMobile-Agents FF02::1:2All DHCP Agents FF05::2All Router Address (SL) FF05::1:3All DHCP Servers FF05::1:4ALL DHCP Relays FF0X::101NTP FF0X::106Name Service Server Attackers can use these multicast addresses to enumerate your network. Note: RFC 2375

IPv6 Security Controls Lagging Hacking Arsenal/Tools Attackeralready have many IPv6 capable tools: THC-IPv6 Attack SuiteUnfortunately, IPv6 security controls and products seems to be a bit behind.

IPv6 Security: The Different

Neutral IPv6 Differences of Concern Some of IPv6s differences have security connotations that you should know about. However, they arent necessarily inherently good or bad

Typical IPv6 Devices Have Multiple Addresses At least a Link-Local Address (FE80::/10) Likely a Unique Global Address (2000::/3) Possibly a Site-Local Address (FC00::/7) You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization

Extra Security Can Cause Insecurity Internet

DHCPv6

Firewalls (and Admins) Must Learn New Tricks How to filter ICMPv6? Handling new extension headers Filtering Multicast and Anycast Hosts w/multiple addresses

EXTRA: The Same There are some security issues that IPv6 has little effect on: Application-layer attacks Sniffing Rogue Devices Man-in-the-Middle Attacks Flooding/DoS Attacks

IPv6 Security: Conclusion

So… Does/Will IPv6 Provide More Security? Probably Not. Few will adopt/use the IPv6 related security additions early on. Furthermore, the protocols newness and administrators unfamiliarity may result in more vulnerabilities at first. That said, IPv6 security is NOT worse than IPv4. Short Term Yes. If leveraged, some IPv6 additions can increase our overall network security. As we become more familiar with it, and more network services begin to leverage advanced options, IPv6 should prove slightly more security than IPv4. Long Term

Wrapping It Up

Coming Up Next…(1 month from now) What To Expect from IPv6 ISP activities Connecting the Islands

Major References IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation IPv6 Security Challenges IPv6 Security Challenges by Samuel Sotillo IPv6 Security Best Practices IPv6 Security Considerations and Recommendations NIST: Guidelines for the Secure Deployment of IPv6 IPv6 Transition/Coexistence Security Considerations (RFC 4942) And many more….

Thank You!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.