Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2005 Check Point Software Technologies Ltd. Proprietary & Confidential IPv6 Security Topics TAU Security Forum February 2005 Yoni Appel IPv6 Project Manager.

Published byBenjamin Moreno Modified over 9 years ago

Similar presentations

Presentation on theme: "©2005 Check Point Software Technologies Ltd. Proprietary & Confidential IPv6 Security Topics TAU Security Forum February 2005 Yoni Appel IPv6 Project Manager."— Presentation transcript:

1 ©2005 Check Point Software Technologies Ltd. Proprietary & Confidential IPv6 Security Topics TAU Security Forum February 2005 Yoni Appel IPv6 Project Manager yonia@checkpoint.com

2 ©2005 Check Point Software Technologies Ltd. 2 Agenda  Novelties in IPv6 –A short overview  IPv6 deployment today –Asia –Cellular industry –U.S Department of Defense –Academia  Security topics with IPv6 –New network stacks and logic –Application security –End to end encryption –Transition and tunneling

3 ©2005 Check Point Software Technologies Ltd. Proprietary & Confidential Novelties in IPv6

4 ©2005 Check Point Software Technologies Ltd. 4 Novelties in IPv6  Address size is 128 bits –340,282,366,920,938,463,463,374,607,431,768,211,456 possible IP addresses –Efficient addressing  Simpler header format, reduced number of fields  Offload computation effort from the router to the end points –Fragmentation handled by the end points –Extension headers  Built in authentication and encryption  Address auto configuration

5 ©2005 Check Point Software Technologies Ltd. Proprietary & Confidential IPv6 deployment today

6 ©2005 Check Point Software Technologies Ltd. 6 Security topics with IPv6 Asia  Major investment in IPv6 infrastructure is made by governments and technology vendors  This effort is driven mainly by the shortage of IPv4 addresses

7 ©2005 Check Point Software Technologies Ltd. 7 Security topics with IPv6 Asia – Japan In Japan there is a strong collaborative effort to push IPv6 by government, vendors and service providers Such collaboration is the key for solving the “Chicken and Egg” problem, which is a main theme for IPv6 –A native IPv6 link is already available for homes in Japan –NTT/Verio has built a worldwide IPv6 backbone

8 ©2005 Check Point Software Technologies Ltd. 8 Security topics with IPv6 Asia – Japan cont.

9 ©2005 Check Point Software Technologies Ltd. 9 Security topics with IPv6 Asia – Japan cont. –Webcam, VoIP and other end point equipment vendors are adding IPv6 support –18 M$ allocated by the Japanese government for IPv6 R&D –IPv6 networks role out during 2005

10 ©2005 Check Point Software Technologies Ltd. 10 Security topics with IPv6 Asia - China –CNGI – China Next Generation Internet roles out during 2005 –The project will be the core of China’s infrastructure for 3G and other telecommunication services for the next decades –169 M$ will be invested in IPv6 infrastructure by 2010

11 ©2005 Check Point Software Technologies Ltd. 11 Security topics with IPv6 Asia – additional countries  Substantial government investment will also be done in the next few years in additional Asian countries –72 M$ in South Korea –78 M$ in Taiwan

12 ©2005 Check Point Software Technologies Ltd. 12 Security topics with IPv6 Cellular industry  The mobile phone – a killer application for IPv6  Handsets supporting IPv6 are ready  3GPP release 5 introduces IMS – IP Multimedia Subsystem  IMS is based on SIP and will enable advanced mobile services –Video Streaming –Gaming –Chat  IMS requires usage of IPv6

13 ©2005 Check Point Software Technologies Ltd. 13 Security topics with IPv6 U.S Department of Defense  The DoD plans transition to IPv6 by 2008  The DoD’s efforts are driven by the needs of the future battle field  Intensive industry wide IPv6 testing is conducted in the Moonv6 interoperability events  The transition will effect DoD partners and major contractors

14 ©2005 Check Point Software Technologies Ltd. 14 Security topics with IPv6 Academia  Universities worldwide are experimenting with IPv6  Fully active deployments in many universities

15 ©2005 Check Point Software Technologies Ltd. Proprietary & Confidential Security topics with IPv6

16 ©2005 Check Point Software Technologies Ltd. 16 Security topics with IPv6 New IP stacks  More devices are connected to the web and are more widely accessible as there is no NAT  Low end devices are less flexible and with little security awareness  New IP logic and new IP stack implementation will result in new vulnerabilities, and tweaks in the old ones

17 ©2005 Check Point Software Technologies Ltd. 17 Security topics with IPv6 New IP stacks - examples  The Rose Attack - incomplete fragments causing resource exhaustion at the attacked node  Denial of Service attacks – we have witnessed several attacks during the last year where a series of crafted packets caused a crash at the attacked node – both routers and hosts  Many IPv6 stacks may be vulnerable to these kind of attacks

18 ©2005 Check Point Software Technologies Ltd. 18 Security topics with IPv6 Sweep Scan  A worm scans a network to see which nodes are candidates for it to spread itself to e.g. which nodes are listening to a specific port  The Welchia worm used a ping based sweep scan for its propagation  With IPv6, Sweep scans are less practical as there will be numerous IP addresses on the local network  Sweep scan can be detected before locating a critical mass of possible propagation candidates

19 ©2005 Check Point Software Technologies Ltd. 19 Security topics with IPv6 Application security  Applications that deal extensively with IP addresses may be vulnerable due to –fast application conversions of legacy code –incorrect buffer handling –incorrect address calculations –different applicative logic related to IPv6  Servers are exposed to application level attacks even in an IPv6 experimentation environment

20 ©2005 Check Point Software Technologies Ltd. 20 Security topics with IPv6 DNS – An Application Security example  New resource record types have been added for IPv6 – AAAA, A6 and DNAME  The A6 and DNAME resource records support a distributed database containing partial information regarding IPv6 addresses  BitString labels – a new way of representing IPv6 addresses in DNS  IPv6 resource records can pass in IPv4 DNS requests

21 ©2005 Check Point Software Technologies Ltd. 21 Security topics with IPv6 End to End Encryption  IPv6 mandates encryption as an integral part of an endpoint’s implementation  This method has notable advantages –Prevents eavesdropping inside the LAN –Simplifies the security requirements at the application layer –Increases interoperability

22 ©2005 Check Point Software Technologies Ltd. 22 Security topics with IPv6 End to End Encryption  End to end encryption implies network and application security at the endpoints  However the endpoint may lack the required abilities to address security at design and deployment phases –Awareness –Expertise –Responsiveness –Flexibility –Distribution mechanism

23 ©2005 Check Point Software Technologies Ltd. 23 Security topics with IPv6 Transition Mechanisms  There are several transition mechanisms between IPv6 and IPv4 –NAT-PT – translates IPv6 to IPv4 and vice versa –SIT – Six in Tunnel (several methods) –Teredo – a NAT-friendly IPv4 tunnel (based on UDP encapsulation)

24 ©2005 Check Point Software Technologies Ltd. 24 Security topics with IPv6 Transition and tunneling  IPv6 in IPv4 may be used by malicious applications to bypass security inspections  It is best practice to –Block all of these tunnels for IPv4 deployments or –Be the endpoint of these tunnels and make sure that the encapsulated traffic gets inspected

25 ©2005 Check Point Software Technologies Ltd. 25 Questions ?

Download ppt "©2005 Check Point Software Technologies Ltd. Proprietary & Confidential IPv6 Security Topics TAU Security Forum February 2005 Yoni Appel IPv6 Project Manager."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Saif Bin Ghelaita Director of Technologies & Standards TRA UAE

Saif Bin Ghelaita Director of Technologies & Standards TRA UAE
NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.

IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -

EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.

Project by: Palak Baid (pb2358) Gaurav Pandey (gip2103) Guided by: Jong Yul Kim.
Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced.

Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced.
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
IPv4 vs. IPv6 Anne-Marie Ethier Andrei Iotici This report was prepared for Professor L. Orozco- Barbosa in partial fulfillment of the requirements for.

IPv4 vs. IPv6 Anne-Marie Ethier Andrei Iotici "This report was prepared for Professor L. Orozco- Barbosa in partial fulfillment of the requirements for.
IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.

IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.
Understanding IPv6 Slide: 1 Lesson 1 Introduction to IPv6.

Understanding IPv6 Slide: 1 Lesson 1 Introduction to IPv6.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.

6 The IP Multimedia Subsystem Selected Topics in Information Security – Bazara Barry.

Similar presentations

Ads by Google