©2005 Check Point Software Technologies Ltd. Proprietary & Confidential IPv6 Security Topics TAU Security Forum February 2005 Yoni Appel IPv6 Project Manager.



Agenda
• Novelties in IPv6
  – A short overview
• IPv6 deployment today
  – Asia
  – Cellular industry
  – U.S. Department of Defense
  – Academia
• Security topics with IPv6
  – New network stacks and logic
  – Application security
  – End to end encryption
  – Transition and tunneling

Novelties in IPv6
• Address size is 128 bits
  – 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IP addresses
  – Efficient addressing
• Simpler header format, reduced number of fields
• Offload computation effort from the router to the end points
  – Fragmentation handled by the end points
  – Extension headers
• Built-in authentication and encryption
• Address autoconfiguration

IPv6 deployment today

Security topics with IPv6: Asia
• Major investment in IPv6 infrastructure is made by governments and technology vendors
• This effort is driven mainly by the shortage of IPv4 addresses

Security topics with IPv6: Asia – Japan
• In Japan there is a strong collaborative effort to push IPv6 by government, vendors and service providers
• Such collaboration is the key for solving the "Chicken and Egg" problem, which is a main theme for IPv6
  – A native IPv6 link is already available for homes in Japan
  – NTT/Verio has built a worldwide IPv6 backbone

Security topics with IPv6: Asia – Japan (cont.)
  – Webcam, VoIP and other end point equipment vendors are adding IPv6 support
  – 18 M$ allocated by the Japanese government for IPv6 R&D
  – IPv6 networks roll out during 2005

Security topics with IPv6: Asia – China
  – CNGI (China Next Generation Internet) rolls out during 2005
  – The project will be the core of China's infrastructure for 3G and other telecommunication services for the next decades
  – 169 M$ will be invested in IPv6 infrastructure by 2010

Security topics with IPv6: Asia – additional countries
• Substantial government investment will also be made in the next few years in additional Asian countries
  – 72 M$ in South Korea
  – 78 M$ in Taiwan

Security topics with IPv6: Cellular industry
• The mobile phone – a killer application for IPv6
• Handsets supporting IPv6 are ready
• 3GPP release 5 introduces IMS – IP Multimedia Subsystem
• IMS is based on SIP and will enable advanced mobile services
  – Video Streaming
  – Gaming
  – Chat
• IMS requires usage of IPv6

Security topics with IPv6: U.S. Department of Defense
• The DoD plans transition to IPv6 by 2008
• The DoD's efforts are driven by the needs of the future battlefield
• Intensive industry-wide IPv6 testing is conducted in the Moonv6 interoperability events
• The transition will affect DoD partners and major contractors

Security topics with IPv6: Academia
• Universities worldwide are experimenting with IPv6
• Fully active deployments in many universities

Security topics with IPv6

Security topics with IPv6: New IP stacks
• More devices are connected to the web and are more widely accessible as there is no NAT
• Low-end devices are less flexible and have little security awareness
• New IP logic and new IP stack implementations will result in new vulnerabilities, and tweaks in the old ones

Security topics with IPv6: New IP stacks – examples
• The Rose Attack – incomplete fragments causing resource exhaustion at the attacked node
• Denial of Service attacks – we have witnessed several attacks during the last year where a series of crafted packets caused a crash at the attacked node – both routers and hosts
• Many IPv6 stacks may be vulnerable to these kinds of attacks

Security topics with IPv6: Sweep Scan
• A worm scans a network to see which nodes are candidates for it to spread itself to, e.g. which nodes are listening on a specific port
• The Welchia worm used a ping-based sweep scan for its propagation
• With IPv6, sweep scans are less practical as there will be numerous IP addresses on the local network
• A sweep scan can be detected before it locates a critical mass of possible propagation candidates
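The detection point above can be made concrete with a small added example (not part of the original slides): it computes how sparse a /64 is and flags a source that probes many distinct unanswered addresses in one /64. The event tuple format, the threshold of 20 and the 60-second window are assumptions, and the events are constructed sample data.

```python
import ipaddress
from collections import defaultdict


def expected_probes_per_hit(live_hosts: int, prefix_len: int = 64) -> float:
    """Average number of random probes needed to hit one live host in a subnet."""
    return 2 ** (128 - prefix_len) / live_hosts


def detect_sweeps(events, threshold=20, window=60.0):
    """Return {source: alert_time} for sources that probe `threshold` distinct
    unanswered addresses inside one /64 within `window` seconds.

    events: (timestamp, src, dst, answered) tuples in time order (assumed format).
    """
    recent = defaultdict(list)          # (src, /64) -> [(timestamp, dst), ...]
    alerts = {}
    for ts, src, dst, answered in events:
        if answered or src in alerts:
            continue                    # answered traffic is not sweep evidence
        subnet = ipaddress.ip_network(f"{dst}/64", strict=False)
        key = (src, subnet)
        # Drop probes that fell out of the sliding window, then add this one.
        recent[key] = [(t, d) for t, d in recent[key] if ts - t <= window]
        recent[key].append((ts, dst))
        if len({d for _, d in recent[key]}) >= threshold:
            alerts[src] = ts
    return alerts


def sample_events():
    """Constructed events: one scanning host and one ordinary client."""
    scanner, client = "2001:db8:1::bad", "2001:db8:1::10"
    events = [(i * 0.5, scanner, f"2001:db8:1::{0x1000 + i:x}", False)
              for i in range(30)]
    events += [(t, client, "2001:db8:2::53", True) for t in (1.0, 4.0, 9.0)]
    events.append((5.0, client, "2001:db8:2::99", False))  # one ordinary miss
    return sorted(events)
```

With 1,000 live hosts in a /64, `expected_probes_per_hit` is about 1.8e16, so a threshold of a few dozen unanswered probes trips long before a random sweep is likely to find even one host.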

Security topics with IPv6: Application security
• Applications that deal extensively with IP addresses may be vulnerable due to
  – fast application conversions of legacy code
  – incorrect buffer handling
  – incorrect address calculations
  – different applicative logic related to IPv6
• Servers are exposed to application level attacks even in an IPv6 experimentation environment

Security topics with IPv6: DNS – An Application Security example
• New resource record types have been added for IPv6 – AAAA, A6 and DNAME
• The A6 and DNAME resource records support a distributed database containing partial information regarding IPv6 addresses
• BitString labels – a new way of representing IPv6 addresses in DNS
• IPv6 resource records can pass in IPv4 DNS requests

Security topics with IPv6: End to End Encryption
• IPv6 mandates encryption as an integral part of an endpoint's implementation
• This method has notable advantages
  – Prevents eavesdropping inside the LAN
  – Simplifies the security requirements at the application layer
  – Increases interoperability

Security topics with IPv6: End to End Encryption
• End to end encryption implies network and application security at the endpoints
• However, the endpoint may lack the required abilities to address security at design and deployment phases
  – Awareness
  – Expertise
  – Responsiveness
  – Flexibility
  – Distribution mechanism

Security topics with IPv6: Transition Mechanisms
• There are several transition mechanisms between IPv6 and IPv4
  – NAT-PT – translates IPv6 to IPv4 and vice versa
  – SIT – Six in Tunnel (several methods)
  – Teredo – a NAT-friendly IPv4 tunnel (based on UDP encapsulation)

Security topics with IPv6: Transition and tunneling
• IPv6 in IPv4 may be used by malicious applications to bypass security inspections
• It is best practice to
  – Block all of these tunnels for IPv4 deployments, or
  – Be the endpoint of these tunnels and make sure that the encapsulated traffic gets inspected
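To enforce either policy, an IPv4 inspection point first has to recognise the tunnels. The following added example (not from the original slides) labels raw IPv4 packets that carry IPv6 directly (IP protocol 41) or inside Teredo's UDP encapsulation. The port and prefix are those assigned in RFC 4380, which was published after this talk; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41    # IANA protocol number: IPv6 carried directly in IPv4
TEREDO_PORT = 3544         # UDP port of Teredo servers and relays (RFC 4380)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo prefix (RFC 4380)


def inner_is_teredo_ipv6(data: bytes) -> bool:
    """True if data starts with an IPv6 header that uses a Teredo address."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return False
    src = ipaddress.IPv6Address(data[8:24])
    dst = ipaddress.IPv6Address(data[24:40])
    return src in TEREDO_PREFIX or dst in TEREDO_PREFIX


def classify(pkt: bytes) -> str:
    """Label a raw IPv4 packet as 'proto41', 'teredo' or 'plain'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "plain"
    ihl = (pkt[0] & 0x0F) * 4                  # header length incl. options
    if ihl < 20 or len(pkt) < ihl:
        return "plain"
    if pkt[9] == PROTO_IPV6_IN_IPV4:
        return "proto41"
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    # Only the first fragment carries the UDP header.
    if pkt[9] == PROTO_UDP and frag_offset == 0 and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport) or inner_is_teredo_ipv6(pkt[ihl + 8:]):
            return "teredo"
    return "plain"


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum zero) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed inner IPv6 header: Teredo source, documentation-prefix destination.
INNER_V6 = (b"\x60" + bytes(7) + ipaddress.IPv6Address("2001:0:1::1").packed
            + ipaddress.IPv6Address("2001:db8::1").packed)
```

The payload check matters because Teredo clients that talk to each other directly do not use port 3544, so a port-only rule misses that traffic.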

Questions?