Presentation is loading. Please wait.

Presentation is loading. Please wait.

2006 Double Shot Security, Inc. All rights reserved 1 IPv6 What Works…What Doesn’t APNIC22 - Kaohsiung, Taiwan Merike Kaeo

Published bySydney Trevor Shaw Modified over 9 years ago

Similar presentations

Presentation on theme: "2006 Double Shot Security, Inc. All rights reserved 1 IPv6 What Works…What Doesn’t APNIC22 - Kaohsiung, Taiwan Merike Kaeo"— Presentation transcript:

1 2006 Double Shot Security, Inc. All rights reserved 1 IPv6 What Works…What Doesn’t APNIC22 - Kaohsiung, Taiwan Merike Kaeo merike@doubleshotsecurity.com Author: Designing Network Security (ISBN# 1587051176)

2 2006 Double Shot Security, Inc. All rights reserved 2 Agenda Architecture Considerations…….I have an IPv6 address block…..now what? Functional Considerations My Deployment Experience Where Do I Go From Here….

3 2006 Double Shot Security, Inc. All rights reserved 3 Architecture Considerations Addressing / Naming –What subnet boundaries make sense your own network infrastructure –No universal BCP for pt-pt addressing rfc3627 offers guidelines but who follows it? –Endpoint Identifier management address automation vs obscurity vs auditability –DNS Naming Considerations Native Routing vs Tunnels Management Security [what does ‘built-in’ really mean]

4 2006 Double Shot Security, Inc. All rights reserved 4 Infrastructure Components Peer Customer NOC Syslog, TFTP, AAA, DNS, SMTP NetFlow, SNMP

5 2006 Double Shot Security, Inc. All rights reserved 5 Functional Considerations Routing Control Plane Data Path Device Management –In-Band / OOB Software Upgrade Configuration Integrity Network Services –DNS, Syslog, NTP, SNMP, Netflow Logging Filtering DoS Tracking /Tracing –Sink Hole Routing –Black-Hole Triggered Routing –Unicast Reverse Path Forwarding (uRPF) –Rate Limiting

6 2006 Double Shot Security, Inc. All rights reserved 6 Routing Control Plane Easy to configure and it just works –Route filters limit what routes are believed from a valid peer –Packet filters limit which systems can appear as a valid peer –Limiting propagation of invalid routing information Prefix filters AS-PATH filters MD-5 authentication vs IPsec –IPsec is not always available….. Not yet possible to validate whether legitimate peer has authority to send routing update (v4 or v6)

7 2006 Double Shot Security, Inc. All rights reserved 7 BGP Routing Example router bgp AS 555 bgp router-id 10.10.66.9 no bgp default ipv4-unicast neighbor 10.10.66.65 remote-as 555 neighbor 10.10.66.65 update-source Loopback0 neighbor 2001:DB8:ACD7:FEE::65 remote-as 555 neighbor 2001:DB8:ACD7:FEE::65 update-source Loopback0 neighbor 192.168.66.100 remote-as 777 neighbor 192.168.66.100 password 7 AA2F787A599D551243050B neighbor 2001:DB8:CCC:F000::97 remote-as 777 neighbor 2001:DB8:CCC:F000::97 password 7 C919268878067A2E752634 ! Note: Imagine using IPsec with neighbor 2001:db8:ccc:f000::97 pre-share ‘secret’ Peer AS 555 AS 777

8 2006 Double Shot Security, Inc. All rights reserved 8 BGP Routing Example Cont. address-family ipv6 neighbor 2001:DB8:CCC:F000::97 activate neighbor 2001:DB8:CCC:F000::97 prefix-list Public6_Only out neighbor 2001:DB8:CCC:F000::97 filter-list 1 out neighbor 2001:DB8:ACD7:FEE::65 activate neighbor 2001:DB8:ACD7:FEE::65 next-hop-self neighbor 2001:DB8:ACD7:FEE::65 filter-list 1 out network 2001:DB8:ACD7::/48 no synchronization exit-address-family ! ip as-path access-list 1 permit ^$ ! ipv6 prefix-list Public6_Only seq 10 permit 2001:DB8:ACD7::/48

9 2006 Double Shot Security, Inc. All rights reserved 9 What Needs Improvement in IPv6 Routing Not all products that support IPv4 routing will support all IPv6 routing protocols the same way –Firewalls that support OSPF but not OSPFv3 –Static IPv6 routing is NOT fun….. A product supports OSPFv3 - is lack of IPsec support a problem? (I think so….)

10 2006 Double Shot Security, Inc. All rights reserved 10 Data Path Filtering and rate limiting are primary security risk mitigation techniques in IPv4 –Configurable for v6 –Logging needs improvement (!!) Netflow is primary method used for tracking traffic flows in IPv6 (mostly v4 transport) uRPF is usually available for IPv6 What if customers start using more end-to-end encryption?

11 2006 Double Shot Security, Inc. All rights reserved 11 Device In-Band/OOB Management SSH / Telnet available using v6 transport SNMP, NTP, RADIUS, TACACS+, SYSLOG uses mostly v4 transport

12 2006 Double Shot Security, Inc. All rights reserved 12 Software Upgrade / Integrity IPv4 transport is used –All access to the systems storing images and configs are authenticated and audited –Configuration files are polled and compared on an hourly basis –Filters limit uploading / downloading of files to specific systems –Many system binaries use MD-5 checks for integrity

13 2006 Double Shot Security, Inc. All rights reserved 13 General Observations IPv6 is being used and deployed in many ISPs and the plumbing pieces work fairly well (routing, tunnels) Majority of the issues come from network services, management and security –NOT a reason to avoid IPv6 DNS worked fine although need better automation Management works OK over v4 transport Security is no worse than with v4 Monitoring / auditing tools need improvement –NEED to get vendors to make appropriate priority decisions for their roadmaps

14 2006 Double Shot Security, Inc. All rights reserved 14 General Observations (Cont.) New products need clue –“Why is NTP useful?” –Basic filtering configurable but cannot log –No IPsec support (is this IPv6 standards compliant?) –Lack of debugging tools…. –Basic security principles No clear-text passwords in configurations SSHv2 device access for both v4 and v6 Log access-list violations (v4 and v6) Timestamps must use NTP IPsec for authentication and integrity using IKEv2 Provide secure download of OS and config files

15 2006 Double Shot Security, Inc. All rights reserved 15 Operator Issue(s) I want commands to have same look and feel as in v4…..but is this really a problem? –Examples: “access-list foo” vs “ipv6 filter-list foo” “ip access-group v4_list in” vs “ipv6 traffic-filter v4_list in” ipv6 vty access-lists that cannot simply specify allowable src addresses –Scripts need to be modified anyhow so it’s just annoying because I am used to the ‘old’ way How many IOS-like CLI’s have you used?!? IPv6 is just another iteration…….

16 2006 Double Shot Security, Inc. All rights reserved 16 IPv6 Standards Fun OSPFv3 - all vendors ‘IF’ they implemented IPsec used AH….latest standard to describe how to use IPsec says MUST use ESP w/null encryption and MAY use AH Why did NAT-PT ever become a standard? IPsec IKE vs IKEv2…..require implementation of IKEv2 for IPv6 and avoid future issues…. NTP for v6 is not yet a standard…..

17 2006 Double Shot Security, Inc. All rights reserved 17 Regarding IPv6 Security Design security into IPv6 networks that do not blindly mimic the current IPv4 architectures –Don’t break working v4 infrastructure –Don’t re-architect current mess Requires some thought to policy –Where are you vulnerable today ? –*IF* IPsec was easy to configure and worked without performance hit, would you use it ? think authentication and integrity, not encryption (Syslog, TFTP, SNMP, NTP)

18 2006 Double Shot Security, Inc. All rights reserved 18 Minimal IPv6 Security IPsec ESP w/ null encryption…..products need to support operational IPsec –Data origin authentication –Data integrity Filters at edges for sanity checks….products need to support IPv6 filtering Auditing tools to see what traffic is traversing the net….products need to support logging of IPv6 traffic

19 2006 Double Shot Security, Inc. All rights reserved 19 IPsec vs MD-5 Authentication IPsec Peer Authenticate each other Peers Authenticate using: - Pre-shared key (thisisapassword) - Digital Certificate Diffie-Hellman Exchange Now Have A Shared Key (K) K is used to derive authentication key Authentication Keys get periodically re-created !!

20 2006 Double Shot Security, Inc. All rights reserved 20 IPsec Issues We Need To FIX This Vendors still have complex configurations –Consistent defaults will go a long way –Customers need to ask/push/plead for this!! Too many hypothetical problems –Doesn’t work for routing protocols –Too difficult to configure –Why do I need encryption? IPsec does NOT have to use encryption

21 2006 Double Shot Security, Inc. All rights reserved 21 Imagine ‘SIMPLE’ IPsec Commands Sample future configurations (maybe?): Syslog server authenticate esp-null sha1 pre-share ‘secret4syslog’ TFTP server authenticate esp-null aes128 pre-share ‘secret4tftp’ BGP peer 2001:db8:3:66::2 authenticate esp-null aes128 pre-share ‘secret4AS#XXX’ (default lifetimes, DH groups, PFS, etc can be modified if needed)

22 2006 Double Shot Security, Inc. All rights reserved 22 Realistic Deployment Now Provide IPv6 capability that will have appropriate cost/operational impact for you –Tunneling solution OK for minimal support but recognize lack of management and greater security risk Incremental transition to more native functionality as cost opportunities become better defined –Newest sw usually requires hw upgrade –Operational costs to run dual-stack environment Note that lack of tools and some lack of functionality in vendor products (management & security) adds to the cost –Training costs to understand IPv6

23 2006 Double Shot Security, Inc. All rights reserved 23 Critical For IPv6 Deployments (Stuff That Needs Improvement) Monitoring filtering violations Configuring NTP (v4 or v6) IPv6 tunnel broker devices need to be more operationally aware instead of just providing quick fix to get an IPv6 address Auditing tools to specifically understand and see IPv6 traffic patterns Address management tools Where is easily configurable IPsec? [if you don’t require it, vendors won’t spend resources on it]

24 2006 Double Shot Security, Inc. All rights reserved 24 The Catch-22 Vendor Customer ISP Standards Body Waiting for input……… (requirement/solution) Waiting for feature requirements with promise of purchase Waiting for useful product Waiting for service requirement that customer is willing to pay for Waiting for useful service Who makes the first move?

25 2006 Double Shot Security, Inc. All rights reserved 25 Questions ?

Download ppt "2006 Double Shot Security, Inc. All rights reserved 1 IPv6 What Works…What Doesn’t APNIC22 - Kaohsiung, Taiwan Merike Kaeo"

Similar presentations

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.
Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo

2006 Double Shot Security, Inc. All rights reserved 1 Operational Security Current Practices APNIC22 - Kaohsiung, Taiwan Merike Kaeo
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.

Unleashing the Power of Ubiquitous Connectivity with IPv6 Sandeep K. Singhal, Ph.D Director of Program Management Windows Networking.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.

By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.

TCP/IP Addressing Design. Objectives Choose an appropriate IP addressing scheme based on business and technical requirements Identify IP addressing problems.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 2 – Securing Network Devices.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 2 – Securing Network Devices.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

Similar presentations

Ads by Google