Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Implications of IPv6 on IPv4 Networks

Published byBetty McGee Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Implications of IPv6 on IPv4 Networks"— Presentation transcript:

1 Security Implications of IPv6 on IPv4 Networks
(draft-gont-opsec-ipv6-implications-on-ipv4-nets) IETF 84 Vancouver, Canada. July 29-August 3, 2012

2 Overview Common claim/assumption:
“I don't need to worry about IPv6 security – my network is IPv4 only!” Truth is: Most networks have at least partial deployment of IPv6 Hence, one does need to worry about IPv6 security for “IPv4-only” networks

3 Common/general issues
IPv6-specific vulnerabilities might be exploited IPv6 could be leveraged to circumvent security controls Transition technologies might increase host exposure

4 *-opsec-ipv6-implications-on-ipv4-nets
Raises awareness about the security implications of IPv6 on “IPv4-only” networks Provides concrete advice to mitigate them

5 Security Implications of Native IPv6 Support

6 Overview Even with no infrastructure support, local hosts may communicate with IPv6 link-local addresses This may allow attackers to circumvent controls May enable exploitation of IPv6-specific vulnerabilities Global connectivity might be enabled with rogue routers And then leveraged for the same purpose

7 Possible mitigations Filter IPv6 packets at layer-2 (Ethernet Protocol 0x86dd) Mitigate SLAAC, DCHPv6, and ND attacks with: RA-Guard DHCPv6-Shield ND-Shield Enforce IPv6 controls on your “IPv4” network In specific environments (e.g. military) you may want to completely disable IPv6 support in communicating devices

8 Security Implications of Tunneling Mechanisms

9 Overview They might introduce tunnel-specific vulnerabiities
e.g. think about Nakibly et al's “automatic-tunnel loops” They might be leveraged to circumvent security controls Some (notably Teredo) might inadvertently increase host exposure e.g. allow incoming connections through a NAT-PT

10 Mitigations Enforce a “default deny” policy for tunnels
Most can be blocked by filtering IP Proto 41 Others can be trickier (e.g. TSP and Teredo) Enforce tunnel-aware security controls (NIDS, firewalling, etc.)

11 Moving forward Adopt as wg item?

12 Thanks! Fernando Gont

Download ppt "Security Implications of IPv6 on IPv4 Networks"

Similar presentations

73rd IETF meeting, November 16-21, 2008

73rd IETF meeting, November 16-21, 2008
Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont project carried out on behalf of the UK CPNI LACNOG 2010 Sao Paulo,

Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont project carried out on behalf of the UK CPNI LACNOG 2010 Sao Paulo,
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv4 to IPv6 Migration strategies. What is IPv4  Second revision in development of internet protocol  First version to be widely implied.  Connection.

IPv4 to IPv6 Migration strategies. What is IPv4  Second revision in development of internet protocol  First version to be widely implied.  Connection.
IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.

IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.
Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced.

Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced.
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
IPv6 at CERN Update on Network status David Gutiérrez Co-autor: Edoardo MartelliEdoardo Martelli Communication Services / Engineering

IPv6 at CERN Update on Network status David Gutiérrez Co-autor: Edoardo MartelliEdoardo Martelli Communication Services / Engineering
1 Navaneethan C. Arjuman Phd Candidate and MyBrain Fellow National Advanced IPv6 Centre February 2012.

1 Navaneethan C. Arjuman Phd Candidate and MyBrain Fellow National Advanced IPv6 Centre February 2012.
An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.

An Overview of IPv6 Transition/Co-existence Technologies Fernando Gont UTN/FRH LACNOG 2010 Sao Paulo, Brazil, October 19-22, 2010.
Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, 2010. Beijing, China.

Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, Beijing, China.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.

Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing and Switching Essentials.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 10: DHCP Routing and Switching Essentials.
Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont DEEPSEC 2011 Conference Viena, Austria, November 15-18, 2011.

Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont DEEPSEC 2011 Conference Viena, Austria, November 15-18, 2011.
Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.

Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.

Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.
Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, 2009. Luxembourg.

Ongoing work at the IETF on TCP and IP security Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg.
Draft-vandevelde-v6ops-ra-guard-01.txt1 IPv6 RA-Guard G. Van de Velde, E. Levy- Abegnoli, C. Popoviciu, J. Mohacsi IETF 71, March 11/14th 2008 Philadelphia.

Draft-vandevelde-v6ops-ra-guard-01.txt1 IPv6 RA-Guard G. Van de Velde, E. Levy- Abegnoli, C. Popoviciu, J. Mohacsi IETF 71, March 11/14th 2008 Philadelphia.

Similar presentations

Ads by Google