Presenter: Patrick N. zwane Advisor: Dr. Kai-Wei Kea Date: 25/01/2016


1 Security Consideration of Migration to IPv6 with NAT (Network Address Translation) Methods
Presenter: Patrick N. zwane Advisor: Dr. Kai-Wei Kea Date: 25/01/2016

2 Outline
Introduction
Network Address Translation (NAT)
Attack Categories, Threats and Vulnerabilities
Special vulnerability NAT64 and solution
Conclusion
Reference

3 Introduction
IPv4 has been in use for almost 30 years.
Around the 1980s IPv4 was declared to be in the final stages of exhausting its unallocated address space.
IPv6 dates from the 1990s, but the move towards it has proceeded slowly.
In December 2008 the leaders in IPv6 adoption were Russia (0.76%), France (0.65%), Ukraine (0.64%), Norway (0.49%), and the United States (0.45%).

4 Introduction (cont.)
In March 2014, of all networks in the global Border Gateway Protocol (BGP) routing table, 17.4% had IPv6 protocol support.
These companies are isolated from the IPv4 domain; three methods are used to create the link:
A. NAT

5 Introduction (cont.)
B. Dual stack: provides complete IPv4 and IPv6 protocol stacks in the same network node, which allows native communication between nodes using either protocol.

6 Introduction (cont.)
C. Tunnelling: uses the IPv4 infrastructure to carry IPv6 packets by encapsulating IPv6 packets within IPv4, in effect using IPv4 as a link layer for IPv6.

7 Introduction (cont.)
IPv6 comes with:
- an increase in address space and a new header structure
- more security
- ease of mobility and renumbering
- end-to-end connectivity

8 Network Address Translation
Allows translation of IPv4 addresses to IPv6 and vice versa.
Allows IPv6 services to interact with IPv4 systems.

9 NAT64/DNS64
NAT64 works together with DNS64 so that IPv6-only nodes can connect with IPv4-only nodes.

10 NAT64/DNS64 (cont.)
e.g. DNS64 algorithmically synthesizes an AAAA record for the IPv4 server; NAT64 uses the same algorithmic mapping to translate the packets towards the IPv4 server.
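The AAAA synthesis and the NAT64 reverse mapping described on this slide, as an added example that is not part of the original presentation. It assumes the deployment uses the RFC 6052 well-known prefix 64:ff9b::/96 (a deployment choice; many sites use their own /96 instead), and the zone data is constructed for the demo.

```python
# Added example (not from the slides): DNS64 AAAA synthesis and the NAT64
# reverse mapping. The prefix is assumed; a real deployment may use another /96.
import ipaddress

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # assumed prefix


def synthesize_aaaa(ipv4: str) -> str:
    """DNS64: embed an A record's IPv4 address in the low 32 bits of the prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    v6 = ipaddress.IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))
    return str(v6)


def extract_ipv4(ipv6: str) -> str:
    """NAT64: recover the IPv4 server address from a synthesized destination.
    Packets whose destination is outside the prefix are not ours to translate."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT64_PREFIX:
        raise ValueError("destination is not inside the NAT64 prefix")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(zone: dict, name: str) -> list[str]:
    """Return the AAAA answer for name. DNS64 only synthesizes when the name
    has no real AAAA record; otherwise the native IPv6 address is returned."""
    aaaa = zone.get((name, "AAAA"), [])
    if aaaa:
        return aaaa
    return [synthesize_aaaa(a) for a in zone.get((name, "A"), [])]


# Constructed zone data for the demo (documentation addresses only).
ZONE = {
    ("v4only.example", "A"): ["192.0.2.10"],
    ("dual.example", "A"): ["198.51.100.5"],
    ("dual.example", "AAAA"): ["2001:db8::5"],
}
```

Because the mapping is purely algorithmic, the translator needs no per-name state: the IPv4 destination is recovered from the packet's own destination address.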

11 Bump In The API (BIA) (Application Layer)
IPv4 and IPv6 hosts connect to application programs without changing the program. Works by translating calls to the IPv4 socket API into calls to the IPv6 socket API, and vice versa.

12 Bump In The Stack (BIS) (Network Layer)
Lets an IPv4 application program on a BIS host connect with an IPv6 program on the destination host.

13 Transport Relay Translator (TRT)
Functions in the Transport Layer.
Relays traffic (TCP/UDP) between IPv4 and IPv6 hosts.
Uses one protocol to establish the connection with the client and another protocol to establish the connection with the server.
Keeps a record of the connection and deletes it as soon as the connection is terminated.

14 Attack Categories, Threats And Vulnerabilities
Vulnerability: a weakness or exposure to certain damage or danger that can be exploited by many threats.
Threat: an unwanted action that causes loss to a system's or organisation's valued property.
Attack: an abuse of the security system by an intelligent threat to inflict harm on the system.

15 Attack Categories, Threats And Vulnerabilities (cont.)
Impossibility of using IPsec (except Tunnel Encapsulating Security Payload (ESP) Mode)
- each layer 3 protocol differs from the other, with a different signature
- IPsec works with the Authentication Header (AH), while NAT changes the IP address in the source or destination field
Solution:
- use SSL for encryption and authentication in the upper layer
- use UDP encapsulation of packets

16 Attack Categories, Threats And Vulnerabilities (cont.)
Incompatibility with Domain Name System Security (DNSSEC)
- DNSSEC provides a building block for additional data security in applications
- modifying A records into AAAA records breaks DNSSEC
Solution: use DNS64/NAT64 support for signatures

17 Attack Categories, Threats And Vulnerabilities (cont.)
No limit on the number of open sessions
- an attacker can stimulate the host into sending a lot of requests
- the NAT binding list fills up with SYN (synchronize) requests that live forever
Solution: NAT must not refresh bindings when receiving a packet; it refreshes them only when sending.

18 Special Vulnerability NAT64 And Solution (cont.)
Hole in NAT
- an open hole in the NAT, reached through an open port, lets NAT64 be used to get into the internal network
- open sessions allow access between the internal network and the public internet
Solution: firewall and port restriction

19 Special Vulnerability NAT64 And Solution (cont.)
Fragmented packets
- an attacker may send fragmented packets to NAT64 to consume its resources
Solutions:
- limit the number of fragmented packets per user
- limit the time to wait for the next fragment
- limit the number of special fragmented packets

20 Special Vulnerability NAT64 And Solution
Hairpinning loops (sending packets with the NAT as destination)
- an attacker ties an IPv4 address of the NAT64 to an IPv6 address and sends a fake packet from that fake address to create a loop
Solutions:
- use an Access Control List (ACL)
- drop IPv6-destined packets whose source (departure) address carries the NAT64 IPv6 prefix
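An IPv6-side ingress filter in front of the translator that applies the ACL from this slide and the per-user fragment limits from the previous one, as an added example that is not part of the original presentation. The prefix, the limits and the packet fields are constructed demo values; a real NAT64 would apply the same checks to parsed headers.

```python
# Added example (not from the slides): ingress checks applied to packets
# arriving on the IPv6 side of NAT64. Prefix and limits are assumed values.
import ipaddress
from collections import defaultdict

NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")  # assumed prefix


class IngressFilter:
    def __init__(self, max_frags_per_src: int = 16, frag_timeout: float = 2.0):
        self.max_frags = max_frags_per_src   # assumed per-user fragment cap
        self.frag_timeout = frag_timeout     # assumed wait for the next fragment
        self.frags = defaultdict(list)       # src -> arrival times of pending fragments

    def hairpin(self, src: str) -> bool:
        """A packet from the IPv6 side whose SOURCE lies in the NAT64 prefix can
        only be spoofed or looping: no legitimate IPv6 host owns such an address."""
        return ipaddress.IPv6Address(src) in NAT64_PREFIX

    def accept(self, src: str, dst: str, fragment: bool, now: float) -> str:
        """Return 'forward' or a drop reason for one IPv6-side packet."""
        if self.hairpin(src):
            return "drop:hairpin-source"
        if ipaddress.IPv6Address(dst) not in NAT64_PREFIX:
            return "drop:not-for-nat64"  # the translator only serves its prefix
        if fragment:
            # Forget fragments older than the reassembly wait, then apply the cap.
            pending = [t for t in self.frags[src] if now - t <= self.frag_timeout]
            if len(pending) >= self.max_frags:
                self.frags[src] = pending
                return "drop:fragment-limit"
            pending.append(now)
            self.frags[src] = pending
        return "forward"
```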

21 Conclusion

| Vulnerability | Attacks | Solutions |
|---|---|---|
| Impossibility of using IPsec (except Tunnel ESP Mode) | Source spoofing | UDP encapsulation or upper-layer protocols (SSL) |
| Incompatibility with Domain Name System Security (DNSSEC) | DoS, Man in the Middle (MITM) | DNS64/NAT64 support for the signature verification mechanism and re-signing |
| No limit on the number of open sessions | DoS | Set a limit on idle sessions |
| Hole in NAT | Scanning; node-initiated sessions through the NAT | Static firewall, or port and address restriction by the NAT |
| Fragmented packets | Resource allocation by re-assembly | |
| Hairpinning loops (sending packets with the NAT as destination) | | Ingress filtering to prevent source spoofing |

22 Reference:
Huai-Jen Liu and Pang-Shih Liu, "Hierarchical Routing Architecture for Integrating IPv4 and IPv6 Networks", Asia-Pacific Services Computing Conference (APSCC '08), IEEE.
S. Hogg, IPv6 Security, Cisco Press, 2008.
M. Bagnulo, P. Matthews and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation", RFC 6146, 2011.
B. Huang, H. Deng and T. Savolainen, "Dual-Stack Hosts Using Bump-in-the-Host (BIH)", RFC 6535, February 2012.

23 THANKS IPv6 is certainly no 'instant on' -- it's a long hard road to get it done. ~ Ed Moyle

