Securing an IPv6 Network

Spring 2005 Internet2 Members Meeting
Arlington, VA
Ron Broersma
DREN Chief Engineer
High Performance Computing Modernization Program
[email protected]
3-May-05
IPv6 Security
Context
• Historical
– 2001 – DREN IPv6 testbed
• Wide area
• Dedicated hardware – 10 “core” nodes.
• Native IPv6 over partial ATM mesh
– 2003 – DoD and IPv6
• DoD CIO issues memorandum to transition by 2008
• DREN chosen as the DoD “pilot implementation”
– 2003/2004 – DoD “pilot” on DREN production network
• dual stack, native, running on production DREN network
– 2004/2005 – additional efforts
• site deployment, multicast, DHCP/DNS, mobility
• Within DoD…
– Each of the services (Army, Navy, Air Force) developing their own transition plans for the “operational networks”.
• Most will not begin implementation for a year or more
• Most will not be complete until after 2008
– DREN is DoD’s “research network”, and is transitioning now.
• Chartered to support the DoD HPC community, and other R&D organizations.
DREN Today
• 10 “core nodes” on OC-192 backbone (CONUS), with OC-12 extensions to Hawaii and Alaska.
• About 100 sites (“Service Delivery Points”), connected at DS-3 to OC-48 rates.
• IPv4 unicast and multicast, IPv6 unicast, and ATM services now.
• Dual IPv6 networks (“testbed”, and “production”)
• “jumbo-clean” (i.e. 9K MTU everywhere)
• Multiple security levels.
– Both unclassified and classified networks
DREN “production” network
[slide: map of the DREN production network]

DRENv6 “testbed” Logical Topology
[slide: topology diagram. Legend: IXP; Core Router; ISP or BGP Neighbor; “site”; ATM PVC (OC-3); tunnel. Labels shown: Cisco, AIX-v6, C&W, Global Crossing, Abilene, FIX-West, Hurricane Electric, LAVAnet, TIC, NTTCom, Verio, 6TAP, WPAFB Dayton, ARL, JITC, HP, San Diego, WCISD, SD-NAP, SDSC, SSC San Diego, Aberdeen, Tunnel broker, AOL, Wash D.C., HICv6, NRL, Vicksburg, (Hawaii), SSAPAC, SPRINT, Albuquerque, AFRL Kirtland AFB, SSC Charleston, ERDC, Stennis, NAVO, vBNS+.]
DREN IPv6 philosophy
• Push the “I believe” button, and turn on IPv6 everywhere to see what works (and what doesn’t)
• Do it in a production environment
– can get away with this in an R&D environment, but not on operational networks.
• Go native. (no tunnels)
• Even if the world doesn’t convert for years, R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of DoD in the future.
Unique Security Challenges
• DoD networks are a big target
• DoD has mandatory security requirements
– Certification and Accreditation (DITSCAP)
– DoD ports & protocols
– Navy UTN Protect Policy
– etc.
• Defense in Depth model
Goal: Try to achieve equivalent security to IPv4, so we can deploy IPv6 within DoD policy.
DoD Security Model
• “Defense in Depth”
– Protections at multiple levels
• Problem: How to securely deploy IPv6 in DoD without these components.
[diagram of the layers between the Internet and the LAN: Internet, IDS, ACL, WAN, ACL, IDS, Firewall, LAN, with scanners on the LAN]
Lack of Security Features (Examples)
• Router Access Control Lists (ACLs)
– Juniper doesn’t support “tcp established” (the IPv4 ACL idiom that admits inbound TCP segments with ACK or RST set, i.e. replies to connections opened from inside)
• Vulnerability Assessment (Scanners)
– ISS doesn’t support IPv6 and has no published plans to do so.
– NESSUS doesn’t support IPv6 (yet)
• Intrusion Detection Systems
– If we want IPv6 support, we have to add it ourselves.
– Juniper port mirroring doesn’t support IPv6
• IPSEC
– Missing in most IPv6 implementations
• Firewalls
– Juniper ASPIC doesn’t support IPv6 (until much later)
– Until recently, no production quality IPv6 support
– Netscreen (Juniper):
• no OSPFv3, only RIP
• IPv6 support only available in certain products
• “transparent mode” doesn’t work for IPv6
It is crucial that IPv6 products have equivalent functionality to the IPv4 world.
Overcoming the security issue (workaround)
• Use the DRENv6 testbed for transit to the Internet
– use it to peer with the rest of the IPv6-enabled Internet and other testbeds
– continue to operate it as an “untrusted” IPv6 network
• Enable IPv6 on the new DREN2 (MCI) production network.
– Dual stack everywhere.
• Establish trusted gateways between the v6-enabled DREN2 and the DRENv6 testbed
– Upgrade HPC Network Intrusion Detection Systems (NIDS) to be v6-compliant, monitored by the HPC Computer Emergency Response Team (CERT), and install them at the trusted gateways.
– Install a v6 version of the standard DREN v4 Access Control Lists (ACLs) to protect the pilot network to the same level as the IPv4 production network.
• DREN customers receive “safe” native IPv6 service via the existing service delivery point (SDP), in parallel with IPv4 service.
DREN IPv6 transition architecture – FY04
[diagram. DRENv6 (Testbed): native IPv6 backbone, with links to 6bone, Abilene, and other IPv6-enabled ISPs and to IPv6 demonstrations (Moonv6); those links run native IPv6 where possible, otherwise tunnelled in IPv4; testbeds at DREN sites hang off it. DREN2 (Production / Pilot): dual-stack IPv4 and IPv6 wide-area infrastructure delivering Type “A” (IP) production service to DREN sites, with IPv4 and IPv6 provided over the same interface at each sdp. The two networks meet at three gateways, sdp.sandiego (SSCSD), sdp.arlapg (ARL-APG) and sdp.erdc (ERDC), each with a v6 ACL and a NIDSv6. Goal: as secure as the IPv4 backbone.]
Site Security Solution (Example – SPAWAR)
• SPAWAR Intrusion Detection System (IDS) modified to support IPv6
• Netscreen Firewall with IPv6 support in parallel with production firewall.
[diagram: the DREN2 (Pilot) WAN delivers IPv4 unicast and multicast services + IPv6 unicast to the SPAWAR border router (Juniper M20), with the IDS at the border; IPv4 goes to the production firewall (Netscreen 2000) and IPv6 to the parallel IPv6 firewall (Netscreen 208); both feed a switch to the LAN]
Other Security Issues
• IPv6 tunnels crossing security domains
• TCP and UDP port numbers aren’t in a fixed location, so how do you filter on them?
• Privacy concerns of non-changing interface identifier (IID)
• What issues haven’t we discovered yet?
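A worked example for the port-filtering bullet above, added here and not part of the original slides (the packets, addresses and port allow-list are constructed for illustration). It walks the extension-header chain to find the transport header, applies an allow-list plus the IPv4-style “tcp established” (ACK or RST set) rule, refuses non-first fragments that carry no transport header, and shows what a filter that assumes the ports sit at byte 40 reads instead:

```python
"""Find TCP/UDP ports behind an IPv6 extension-header chain (added example).

Unlike IPv4, the transport header need not start at a fixed offset: any number
of extension headers may precede it, and a non-first fragment carries none.
Sample packets are constructed inline (no checksums) from 2001:db8::/32."""
import struct

HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60   # IANA protocol numbers
TCP, UDP, NONEXT = 6, 17, 59
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, AH, DSTOPTS}
TCP_RST, TCP_ACK = 0x04, 0x10

def walk_chain(pkt):
    """Follow Next Header fields to the upper-layer protocol.

    Returns {"proto", "offset", "chain", "reason"}; proto is None when nothing
    filterable is present (non-first fragment, No Next Header, truncated chain).
    ESP (50) is reported as the upper layer: what follows it is encrypted."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < 40 + struct.unpack_from("!H", pkt, 4)[0]:
        raise ValueError("packet shorter than its Payload Length")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            return {"proto": None, "offset": off, "chain": chain, "reason": "chain truncated"}
        chain.append(nh)
        next_nh = pkt[off]
        if nh == FRAGMENT:
            # Fragment Offset = top 13 bits of bytes 2-3; only offset 0 holds the transport header
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return {"proto": None, "offset": off, "chain": chain, "reason": "non-first fragment"}
            hdr_len = 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4    # AH: Payload Len in 32-bit words, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8    # HBH/Routing/DstOpts: 8-octet units, minus 1
        nh, off = next_nh, off + hdr_len
    if nh == NONEXT:
        return {"proto": None, "offset": off, "chain": chain, "reason": "No Next Header"}
    return {"proto": nh, "offset": off, "chain": chain, "reason": None}

def transport_info(pkt):
    """Return (proto, sport, dport, tcp_flags) for TCP/UDP, else None."""
    r = walk_chain(pkt)
    if r["proto"] not in (TCP, UDP):
        return None
    off, need = r["offset"], 20 if r["proto"] == TCP else 8
    if off + need > len(pkt):
        return None                                  # header split across fragments
    sport, dport = struct.unpack_from("!HH", pkt, off)
    return r["proto"], sport, dport, (pkt[off + 13] if r["proto"] == TCP else None)

def permit(pkt, allowed=frozenset({(TCP, 22)})):
    """Stateless inbound filter: allow-listed (proto, dport) plus the IPv4-style
    'tcp established' rule (ACK or RST set). Unclassifiable packets are dropped."""
    info = transport_info(pkt)
    if info is None:
        return False
    proto, _sport, dport, flags = info
    if proto == TCP and flags & (TCP_ACK | TCP_RST):
        return True
    return (proto, dport) in allowed

def naive_dport(pkt):
    """What a filter that assumes the ports start at byte 40 reads as the port."""
    return struct.unpack_from("!H", pkt, 42)[0]

# Constructed sample packets (documentation prefix, no checksums)
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")

def ipv6(next_header, payload):
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload

def tcp(sport, dport, flags):      # 20-byte TCP header, no options, checksum zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def dstopts(next_header):          # 8-byte Destination Options header with one PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

def fragment(next_header, offset_units, more, ident):
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | more, ident)

SAMPLES = {
    "syn_ssh": ipv6(TCP, tcp(40000, 22, 0x02)),
    "syn_ssh_dstopts": ipv6(DSTOPTS, dstopts(TCP) + tcp(40000, 22, 0x02)),
    "syn_telnet_dstopts": ipv6(DSTOPTS, dstopts(TCP) + tcp(40000, 23, 0x02)),
    "ack_reply": ipv6(TCP, tcp(40000, 23, TCP_ACK)),
    "second_fragment": ipv6(FRAGMENT, fragment(TCP, 1, 0, 0x1234) + bytes(8)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20} naive dport={naive_dport(pkt):5}  {transport_info(pkt)}  permit={permit(pkt)}")
```

The telnet SYN hidden behind a Destination Options header is the point: the naive filter reads the PadN option bytes as port 260 and would let it through, while the chain-walking filter sees port 23 and drops it. The non-first fragment is dropped outright because there is nothing to match on; a stateless ACL that instead permits such fragments hands the attacker a bypass, so that decision belongs with the fragment-reassembly policy of the firewall or IDS.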
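A second added example, also not from the original slides, for the interface-identifier bullet: with stateless autoconfiguration the 64-bit IID is the modified EUI-64 of the MAC, so it is identical on every prefix the host visits and the MAC (and its vendor OUI) can be read back out of any address. The MAC and prefixes below are constructed. RFC 3041 (2001) temporary addresses with random IIDs were the available mitigation at the time.

```python
"""EUI-64 interface identifiers: stable and derived from the hardware address.

Added example, not from the original slides. The MAC addresses and prefixes
used here are constructed (documentation prefix 2001:db8::/32)."""
import ipaddress

def iid_from_mac(mac):
    """Modified EUI-64 IID from a 48-bit MAC (RFC 4291 appendix A): insert
    ff:fe in the middle and flip the universal/local bit (0x02 of octet 0)."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]

def address_in(prefix, iid):
    """Combine a /64 prefix with an 8-byte IID into an address string."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def mac_from_address(addr):
    """Recover the MAC if the IID looks EUI-64 derived (ff:fe in IID octets
    3-4), else None. A hit is a strong hint, not proof: a random IID contains
    ff:fe there by chance about once in 65536."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)

def same_interface(addr_a, addr_b):
    """What a tracking observer does: two addresses seen on different networks
    with the same EUI-64 IID belong to the same interface."""
    a, b = (ipaddress.IPv6Address(x).packed for x in (addr_a, addr_b))
    return a[8:] == b[8:] and a[11:13] == b"\xff\xfe"

if __name__ == "__main__":
    mac = "00:0c:29:3e:1a:5b"                     # constructed sample MAC
    home = address_in("2001:db8:1::/64", iid_from_mac(mac))
    away = address_in("2001:db8:2::/64", iid_from_mac(mac))
    print(home, away, same_interface(home, away), mac_from_address(away))
```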
Summary
• With some work, it is possible to secure an IPv6 network.
• There are still some missing pieces, but it is getting better.
• IPv6 capability in products is good, but we cannot be satisfied unless all the security functions and features work just as well in IPv6 as they do in IPv4.