Draft-chown-v6ops-port-scanning-implications-02 IPv6 Implications for TCP/UDP Port Scanning Tim Chown IETF 65, March 23rd 2006 Dallas,

Slides:



Advertisements
Similar presentations
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Advertisements

IPv6. Key Aspects Increased address space SLAAC Security Simplified router processing.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
Draft-ietf-dhc-stateless-dhcpv6- renumbering-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.
Port randomization (draft-ietf-tsvwg-port-randomization) Michael Larsen & Fernando Gont 73rd IETF Meeting, November 16-21, 2008 Minneapolis, MN, USA.
By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.
A Taxonomy of Computer Worms Ashish Gupta Network Security April 2004.
1IETF59 DNSOP WG IPv6 DNS Discovery Issues Jaehoon Paul Jeong ETRI 1st March th IETF – Seoul,
DHCPv6 and other IPv6 docs Ralph Droms IETF 55, Atlanta.
CSIS 4823 Data Communications Networking – IPv6
DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.
IPv6 Renumbering Tim Chown Alan Ford Mark Thompson Stig Venaas University of Southampton (UK)
Dean Cheng Jouni Korhonen Mehamed Boucadair
Draft-ietf-v6ops-scanning-implications-00 IPv6 Implications for Network Scanning Tim Chown University of Southampton (UK) IETF 66,
Draft-chown-v6ops-campus-transition-00 Tim Chown v6ops WG, IETF 60, San Diego, August 2, 2004.
Using DHCPv6 for DNS Configuration in Hosts draft-ietf-droms-dnsconfig-dhcpv6-00.txt Ralph Droms.
Draft-chown-v6ops-renumber-thinkabout-05 Things to think about when Renumbering an IPv6 network Tim Chown IETF 67, November 6th, 2006.
A SAVI Solution for DHCP Draf-ietf-savi-dhcp-06 J. Bi, J. Wu, G. Yao, F. Baker IETF79, Beijing Nov. 9, 2010.
Recommendations of Unique Local Addresses Usages draft-ietf-v6ops-ula-usage-recommendations-02 draft-ietf-v6ops-ula-usage-recommendations-02 Bing Liu(speaker),
BGP operations and security draft-jdurand-bgp-security-02.txt Jerome Durand Gert Doering Ivan Pepelnjak.
IPv6 WORKING GROUP December 2001 Salt Lake City IETF Bob Hinden / Nokia Steve Deering / Cisco Systems Co-Chairs.
Draft-vandevelde-v6ops-addcon-00.txt IPv6 Unicast Address Assignment Considerations Gunter Van de Velde (editor) Tim Chown Ciprian Popoviciu IETF 65, March.
IPv6 Address Accountability Considerations draft-chown-v6ops-address-accountability-01 IETF81, Quebec Tim Chown, July 28 th, 2011.
Draft-ietf-v6ops-addcon-02.txt IPv6 Unicast Address Assignment Considerations Olaf Bonness, Tim Chown, Christian Hahn, Ciprian Popoviciu, Gunter Van de.
Draft-chown-v6ops-campus-transition-03 IPv6 Campus Transition Scenario Description and Analysis Tim Chown University of Southampton (UK)
Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91
Network Architecture Protection (draft-vandevelde-v6ops-nap-01.txt) Brian Carpenter, Ralph Droms, Tony Hain, Eric L Klein, Gunter Van de Velde.
RFC 4477 DHCP: Dual-Stack Issues Speaker: Ching-Chen Chang Date:
V6OPS WG – IETF #85 IPv6 for 3GPP Cellular Hosts draft-korhonen-v6ops-rfc3316bis-00 Jouni Korhonen, Jari Arkko, Teemu Savolainen, Suresh Krishnan.
NAT64-CPE Mode Operation for Opening Residential Service Gang Chen Hui
Magnus Westerlund 1 The RTSP Core specification draft-ietf-mmusic-rfc2326bis-06.txt Magnus Westerlund Aravind Narasimhan Rob Lanphier Anup Rao Henning.
1 ipv6-node-02.PPT/ 18 November 2002 / John Loughney IETF 55 IPv6 Working Group IPv6 Node Requirements draft-ietf-ipv6-node-requirements-02.txt John Loughney.
IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.
Slide title In CAPITALS 50 pt Slide subtitle 32 pt Guidelines for Firewall Administrators Mobile IPv6 Suresh Krishnan, Niklas Steinleitner, Ying Qiu, Gabor.
APAN 24, August 28, 2007, Xi’an IPv6Deployment in European Academic Networks Tim Chown School of Electronics and Computer Science University of Southampton.
Defending against Hitlist Worms using NASR Khanh Nguyen.
1 ipv6-node-02.PPT/ 18 November 2002 / John Loughney IETF 55 IPv6 Working Group IPv6 Node Requirements draft-ietf-ipv6-node-requirements-02.txt John Loughney.
IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: IETF Liaison Report Date Submitted: January 17, 2013 Presented at IEEE session.
Behcet Sarikaya Frank Xia July 2009 Dual-stack Lite Mobility Solutions IETF-75
Slide title minimum 48 pt Slide subtitle minimum 30 pt Tunnel Security Concerns draft-ietf-v6ops-tunnel-security-concerns-02 James Hoagland Suresh Krishnan.
59th IETF Seoul, Korea Quarantine Model Overview “Quarantine model overview for ipv6 network security” draft-kondo-quarantine-overview-00.txt Satoshi kondo.
Draft-chown-v6ops-vlan-usage-01 Tim Chown v6ops WG, IETF 60, San Diego, August 2, 2004.
IPFIX Requirements: Document Changes and New Issues Raised Jürgen Quittek, NEC Benoit Claise, Cisco Tanja Zseby, Sebstian Zander, FhG FOKUS.
Draft-ietf-v6ops-addcon-01.txt IPv6 Unicast Address Assignment Considerations Gunter Van de Velde (editor), Tim Chown, Ciprian Popoviciu, Olaf Bonness,
DHCP Privacy Considerations Tomek Mrugalski IETF90, Toronto IETF-90 DHC WG1.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
1 Link Scoped IPv6 Multicast Addresses Jung-Soo Park, Myung-Ki Shin ETRI 54th IETF – Yokohama, Japan draft-ietf-ipv6-link-scoped-mcast-01.txt.
DOTS Requirements Andrew Mortensen November 2015 IETF 94 1.
Host Scanning in IPv6 Networks (draft-gont-opsec-ipv6-host-scanning) IETF 84 Vancouver, Canada. July 29-August 3, 2012.
BGP extensions for Path Computation Element (PCE) Discovery in a BGP/MPLS IP-VPN draft-kumaki-pce-bgp-disco-attribute-03.txt Kenji Kumaki KDDI R&D Labs,
IPv6 Benchmarking Methodology
IPv6 101 pre-GDB - IPv6 workshop 7th of June 2016 edoardo
GRE-in-UDP Encapsulation
IETF 55 IPv6 Working Group IPv6 Node Requirements
6lo Privacy Considerations
Gunter Van de Velde Kiran Kumar Chitimaneni Warren Kumari
Link Model Analysis for based Networks
Current Issues with DNS Configuration Options for SLAAC
DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
ND-Shield: Protecting against Neighbor Discovery Attacks
Scaling up DNS-based service discovery
November 7-12, Beijing,China.
draft-ipdvb-sec-01.txt ULE Security Requirements
Daniel Kaiser, Christian Huitema IETF 98 March 28, 2017
Bing Liu, Sheng Jiang IETF July 2017
Computer Networks Protocols
Dayong GUO Sheng JIANG (Speaker) Remi Despres
Agenda Wednesday, March 30, :00 – 11:30 AM
Requirements for IPv6 Routers draft-ietf-v6ops-ipv6rtr-reqs-00
Requirements for IPv6 Routers draft-ali-ipv6rtr-reqs-02
Presentation transcript:

draft-chown-v6ops-port-scanning-implications-02 IPv6 Implications for TCP/UDP Port Scanning Tim Chown IETF 65, March 23rd 2006 Dallas, TX

draft-chown-v6ops-port-scanning-implications-02 Rationale The goals of the document are currently to Note the properties of the vastly increased host address space in an IPv6 subnet (/64) or site (/48) With respect to traditional port scanning probes Describe new methods that attackers may use to identify target nodes Given the target host address space is so large Make recommendations to administrators to mitigate against new attack vectors Publish document as Informational in the first instance

draft-chown-v6ops-port-scanning-implications-02 Traditional port scanning To scan one port per node in a /64 IPv6 subnet per second would require 500 billion years Can reduce search space from 64 to 24 bits If SLAAC used, knowing :fffe: padding & vendor codes Not practical; unlikely to be used by attackers Scans also used by worms Active propagation intra- or inter-subnet Address space used much more densely in IPv4 site Need to identify target nodes Used by local admins for ‘defensive’ scanning Market for IPv4 ‘penetration testing’ - what’s IPv6 market?

draft-chown-v6ops-port-scanning-implications-02 Recommendations For administrators Consider subnet/host numbering plans Potential for rolling server addresses Consider where addresses/prefixes may be gleaned Passive or active gathering Mail headers, application access logs, etc Possible site-scope multicast operations Use of RFC3041 to reduce useful lifetime of exposed address information to an attacker Contradicts ease of management Considerations for ‘defensive’ scanning

draft-chown-v6ops-port-scanning-implications-02 Comments received on -02 Title should be about ‘address’ not ‘port’ scanning Or perhaps ‘host address discovery’ Look at Bellovin paper Attackers will find a way; don’t suggest IPv6 offers protection; document new attack vectors and offer recommendations RFC3041 is a good thing Exposed to weakest of protocols in dual-stack network

draft-chown-v6ops-port-scanning-implications-02 Next steps? Various edits Need to expand Section 3 on attack vectors Add conclusions Is direction of document useful? WG adoption? Referenced in two mature v6ops drafts NAP and ICMP filtering Comments?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.