Published by Madelyn Kenderdine. Modified over 9 years ago.
IPv6 Security: Firewall Considerations

Prof. Dr. Sureswaran Ramadass
Director, National Advanced IPv6 Centre (NAv6)
Universiti Sains Malaysia
Why IPv6?
1. Exhaustion of the IANA IPv4 free pool.
2. Awareness activities such as the IPv6 Forum and “World IPv6 Day”.
3. Imminent exhaustion of the free pool of IPv4 addresses at the different RIRs.
4. All operating systems have IPv6 support, so part of your network is already running IPv6!
5. IPv6 is the only way moving forward!
How about NAT???
NAT Causes Problems
– Breaks the globally unique address model
– Breaks address stability
– Breaks the always-on model
– Breaks the peer-to-peer model
– Breaks some applications
– Breaks some security protocols
– Breaks some QoS functions
– Introduces a false sense of security
– Introduces hidden costs
Drivers for IPv6
– An explosion of Internet applications, games, information sources, and financial transactions.
– The movement of traditional services such as voice and video from legacy circuit-based infrastructures to IP networks.
– Millions of new IP-enabled mobile devices, with millions more projected in the near future.
– Expanding economies in populous countries such as China and India, and developing economies throughout the world.
– Burgeoning consumer electronics industries finding new ways to exploit IP capabilities.
– Emerging IP-enabled sensor networks for industrial, medical, and military applications.
IPv6 Migration / Deployment (diagram)
IPv6 Deployment has begun
IPv4 & IPv6 Coexistence
Is IPv6 more secure than IPv4? ... or less?
The Big IPv6 Security Question
Types of IPv6 Security Issues
– Issues due to the IPv6 protocol itself
– Issues due to the transition mechanisms used in IPv6 deployment
– Issues due to how IPv6 is deployed
Co-existence Security Concerns
– Dual-stacking increases the complexity of the network, and thus the number of potential vulnerabilities.
– Co-existence traffic usually results in complex traffic (with multiple encapsulations). This increases the difficulty of performing Deep Packet Inspection (DPI).
– Increase in the complexity of firewall filtering or detection policies.
IPv6 Deployment Security Concerns
– There is much less experience with IPv6 than with IPv4.
– IPv6 implementations are less mature than their IPv4 counterparts.
– Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4.
– The complexity of the resulting network will increase during the transition/co-existence period:
  – Two internetworking protocols (IPv4 and IPv6)
  – Increased use of NATs
  – Increased use of tunnels
  – Use of other transition/co-existence technologies
– Lack of well-trained IPv6 engineers.
System Security (diagram): Security Training & Experience, Application Security, Network Security, Hackers
Attackers already have many IPv6-capable tools, for example the THC-IPv6 Attack Suite. Unfortunately, IPv6 security controls and products seem to be a bit behind.
Host-based firewalls
– On Windows, many third-party host-based firewalls have only limited support for IPv6.
  – Some have none at all.
  – Others may even block some mechanisms such as DHCPv6 or SLAAC.
  – In Windows 7 and above, the built-in firewall has excellent support for IPv6.
– On *BSD, the pf kernel-based packet filter can easily be deployed as an excellent host-based dual-stack firewall. You can even build a full gateway firewall using it. The pfSense open source project has built a good GUI around pf, but has very limited support for IPv6.
– On Linux, netfilter/iptables is roughly equivalent to *BSD’s pf; it is not as complete, but it does have support for IPv6.
In addition to all the typical gateway firewall mechanisms and controls for IPv4 (including port forwarding and NAT), true dual-stack gateway firewalls should include the following new features:
– Support for native dual-stack service, plus tunnel endpoint support for one or more mechanisms including 6in4, TSP, 6rd, and even 4in6.
– A configurable Router Advertisement daemon.
– Support for multiple internal subnets, with a different /64 prefix for each internal subnet.
– Packet filtering controls for IPv6 traffic independent of the controls for IPv4.
– Independent control over all ICMPv6 messages.
– Dual-stack application layer proxies for the most common protocols (HTTP, SMTP, SIP, etc.).
Every IPv6 host has:
– At least a Link-Local Address (FE80::/10)
– Likely a Unique Global Address (2000::/3)
– Possibly a Site-Local Address (FC00::/7)
You will probably need MULTIPLE firewall or ACL policies for these extra networks within your organization.
Open questions for IPv6 filtering:
– How to filter ICMPv6?
– Handling new extension headers
– Filtering multicast and anycast
– Hosts with multiple addresses
ICMPv6: more powerful than ICMPv4
ICMPv6 is carried as IPv6 Next Header value 58 (RFC 2463).

Type  Description
1     Destination Unreachable
2     Packet Too Big
3     Time Exceeded
4     Parameter Problem
128   Echo Request
129   Echo Reply
130   Multicast Listener Query (sent to ff02::1, all nodes)
131   Multicast Listener Report
132   Multicast Listener Done (sent to ff02::2, all routers)
133   Router Solicitation (RS) (sent to ff01::2, all routers)
134   Router Advertisement (RA) (sent to ff01::1, all nodes)
135   Neighbor Solicitation (NS) (sent to ff02:0:0:0:0:1:ff00::/104)
136   Neighbor Advertisement (NA)
137   Redirect
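The two filtering questions raised above, handling extension headers and deciding per ICMPv6 type, worked through as an added Python example that is not from the presentation: it walks the Next Header chain to reach ICMPv6, then applies one defensive baseline (error and echo messages accepted, Neighbor Discovery only with hop limit 255 and a link-local source, MLD only from a link-local source, everything else dropped). The packet builder, the verdict strings, the policy itself and the sample addresses are all constructed here, not the author's.

```python
import struct
import ipaddress

ICMPV6 = 58                              # Next Header value that identifies ICMPv6
EXT_HEADERS = {0, 43, 44, 60}            # Hop-by-Hop, Routing, Fragment, Destination Options
ALWAYS_OK = {1, 2, 3, 4, 128, 129}       # error messages (incl. Packet Too Big) and echo
MLD_TYPES = {130, 131, 132}              # Multicast Listener Query / Report / Done
NDP_TYPES = {133, 134, 135, 136, 137}    # RS, RA, NS, NA, Redirect

def parse_ipv6(pkt):
    """Walk the Next Header chain past extension headers; return (src, hop_limit, proto, payload)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, hop_limit, src, off = pkt[6], pkt[7], ipaddress.IPv6Address(pkt[8:24]), 40
    while next_hdr in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 bytes; the others are (Hdr Ext Len + 1) * 8 bytes.
        ext_len = 8 if next_hdr == 44 else (pkt[off + 1] + 1) * 8
        next_hdr, off = pkt[off], off + ext_len
    return src, hop_limit, next_hdr, pkt[off:]

def icmpv6_verdict(pkt):
    """Baseline ICMPv6 policy for a dual-stack host or gateway filter (constructed here)."""
    src, hop_limit, proto, payload = parse_ipv6(pkt)
    if proto != ICMPV6:
        return "not-icmpv6"
    if len(payload) < 8:
        return "drop:short"
    t = payload[0]
    if t in ALWAYS_OK:
        return "accept"                   # keeps PMTU discovery and diagnostics working
    if t in NDP_TYPES:
        # NDP is link-scoped: hop limit 255 (never forwarded) and a link-local source,
        # or the unspecified source only for a DAD Neighbor Solicitation (type 135).
        ok_src = src.is_link_local or (t == 135 and src.is_unspecified)
        return "accept" if hop_limit == 255 and ok_src else "drop:ndp-off-link"
    if t in MLD_TYPES:
        # MLD is sent with a link-local source and hop limit 1 (RFC 2710 / RFC 3810).
        return "accept" if hop_limit == 1 and src.is_link_local else "drop:mld-off-link"
    return "drop:default"                 # anything else needs an explicit rule

def build_packet(src, dst, icmp_type, hop_limit=255, with_hbh=False):
    """Constructed sample packet: IPv6 header [+ Hop-by-Hop header] + minimal ICMPv6 message."""
    icmp = bytes([icmp_type, 0, 0, 0]) + b"\x00" * 4   # checksum left zero; not verified here
    hbh = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])        # Hop-by-Hop: next=58, Hdr Ext Len=0, PadN(4)
    payload, first = (hbh + icmp, 0) if with_hbh else (icmp, ICMPV6)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), first, hop_limit,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload
```

A Router Advertisement arriving with a global source or a hop limit below 255 has crossed a router and is dropped, which is the check a real filter needs regardless of which multicast group the RA was sent to.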
THANK YOU

Prof. Dr. Sureswaran Ramadass
sures@nav6.usm.my
www.nav6.usm.my