Security Consideration of Migration to IPv6 with NAT (Network Address Translation) Methods
PRESENTER: PATRICK N. ZWANE
ADVISOR: DR. KAI-WEI KEA
DATE: 25/01/2016
Outline
• Introduction
• Network Address Translation (NAT)
• Attack Categories, Threats and Vulnerabilities
• Special vulnerability NAT64 and solution
• Conclusion
• References
Introduction
• IPv4 has been in use for more than 30 years.
• Exhaustion of the unallocated IPv4 address space was predicted as early as the 1980s; IANA handed out its last free /8 blocks in February 2011.
• IPv6 dates from the 1990s, but migration towards it has proceeded slowly.
• In December 2008 the leading countries by IPv6 adoption were Russia (0.76%), France (0.65%), Ukraine (0.64%), Norway (0.49%), and the United States (0.45%).
Introduction (cont.)
• In March 2014, 17.4% of all networks in the global Border Gateway Protocol (BGP) routing table had IPv6 protocol support.
• Networks that are IPv6-only are isolated from the IPv4 domain; three methods are used to create the link between the two:
A. NAT (address and protocol translation)
Introduction (cont.)
B. Dual stack:
provides complete IPv4 and IPv6 protocol stacks in the same network node, so that it can communicate natively with nodes using either protocol
Introduction (cont.)
C. Tunnelling:
uses the IPv4 infrastructure to carry IPv6 packets by encapsulating them inside IPv4 packets, in effect using IPv4 as a link layer for IPv6
Introduction (cont.)
• IPv6 comes with:
A. a much larger address space and a simplified, fixed-length base header
B. IPsec support specified as part of the protocol (this does not make IPv6 traffic secure by itself; IPsec still has to be configured, and the translators discussed below break it)
C. easier mobility and renumbering
D. end-to-end connectivity (no address translation needed between IPv6 hosts)
Network Address Translation
• In the IPv6 transition context, NAT means translation of IPv4 addresses to IPv6 addresses and vice versa, together with translation of the packet headers.
• It allows IPv6-only services and clients to interact with IPv4-only systems.
NAT64/DNS64
• NAT64 lets IPv6-only hosts reach IPv4-only servers; DNS64 supplies the IPv6 addresses those hosts connect to.
NAT64/DNS64 (cont.)
• e.g. the DNS64 resolver receives only an A record for an IPv4-only server and algorithmically synthesises an AAAA record by embedding the IPv4 address in the NAT64 prefix (RFC 6052; the well-known prefix is 64:ff9b::/96); when the client sends a packet to that synthesised address, the NAT64 extracts the IPv4 address from it and translates the packet to the IPv4 server.
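The following is an added example (not code from the presentation or from any DNS64/NAT64 product) showing the two algorithmic steps just described for the well-known /96 prefix: DNS64 synthesising an AAAA record from an A record, and NAT64 recovering the IPv4 destination from the synthesised address. The zone data and the exclusion list are constructed for the demonstration; RFC 6147 recommends configuring such an exclusion set, but the exact ranges here are this example's choice.

```python
"""DNS64 AAAA synthesis and NAT64 address extraction for a /96 prefix.

Added example; not code from the presentation or from any DNS64/NAT64 product.
The well-known prefix 64:ff9b::/96 is from RFC 6052; the zone data and the
exclusion set below are constructed for the demonstration."""
import ipaddress
from typing import List, Optional

PREF64 = ipaddress.IPv6Network("64:ff9b::/96")  # well-known NAT64 prefix (RFC 6052)

# Constructed IPv4-only zone: these names have A records but no AAAA records.
A_RECORDS = {
    "legacy.example.net.": "192.0.2.10",   # reachable through the NAT64
    "intranet.example.net.": "10.0.0.5",   # RFC 1918, a public NAT64 could never reach it
}

# Exclusion set for this example (RFC 6147 recommends one; the list is our choice):
# A records in these ranges get no synthesised AAAA, since NAT64 cannot reach them.
EXCLUDE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def embed(ipv4: str, prefix: ipaddress.IPv6Network = PREF64) -> ipaddress.IPv6Address:
    """RFC 6052 embedding for a /96 prefix: the IPv4 address fills the low 32 bits.
    Shorter prefixes interleave the address around the 'u' octet (bits 64-71);
    this example only handles /96, which is what the well-known prefix uses."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract(ipv6: str, prefix: ipaddress.IPv6Network = PREF64) -> Optional[ipaddress.IPv4Address]:
    """NAT64's decision on a packet's destination: if it lies inside Pref64::/96,
    recover the embedded IPv4 address; otherwise the packet is native IPv6 and is
    routed rather than translated."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def dns64_answer(qname: str, zone=A_RECORDS, prefix: ipaddress.IPv6Network = PREF64) -> List[str]:
    """DNS64 behaviour (RFC 6147) for a name that has no AAAA record: synthesise
    one AAAA per A record, skipping addresses in the exclusion set."""
    ipv4 = zone.get(qname)
    if ipv4 is None:
        return []
    v4 = ipaddress.IPv4Address(ipv4)
    if any(v4 in net for net in EXCLUDE):
        return []
    return [str(embed(ipv4, prefix))]


if __name__ == "__main__":
    for name in A_RECORDS:
        print(name, "->", dns64_answer(name) or "no AAAA synthesised")
    for dst in ("64:ff9b::c000:20a", "2001:db8::1"):
        v4 = extract(dst)
        print(dst, "->", f"translate to IPv4 {v4}" if v4 else "native IPv6, forward unchanged")
```

The exclusion check is the part practitioners most often forget: without it, a DNS64 in front of a split-horizon zone happily synthesises AAAA records for RFC 1918 addresses that the NAT64 will then fail to reach.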
Bump In The API (BIA) (Application Layer)
• Lets IPv4 applications on a host communicate with IPv6 hosts without changing the application program.
• Works by intercepting the application's IPv4 socket API calls and mapping them to IPv6 socket API calls, and vice versa (the technique is standardised as Bump-in-the-Host in RFC 6535).
Bump In The Stack (BIS) (Network Layer)
• Lets an IPv4 application program on a BIS host communicate with an IPv6 application on the destination host, by translating packets between the application's IPv4 stack and the host's IPv6 network layer.
Transport Relay Translator (TRT)
• Functions at the Transport Layer
• Relays traffic (TCP/UDP) between IPv4 and IPv6 hosts
• Uses one IP protocol to establish the connection with the client and the other IP protocol to establish the connection with the server
• Keeps a record of each connection and deletes it as soon as the connection is terminated
Attack Categories, Threats And Vulnerabilities
• Vulnerability: a weakness or exposure that can be exploited by one or more threats to cause damage.
• Threat: an unwanted action that causes loss to a system or to an organisation's valued assets.
• Attack: a deliberate abuse of a security system by an intelligent threat in order to inflict harm on the system.
Attack Categories, Threats And Vulnerabilities (cont.)
• IPsec cannot be used across the translator (except Encapsulating Security Payload (ESP) in tunnel mode)
- the two layer-3 protocols differ, so the packet headers and the integrity signatures computed over them differ on each side of the translator
- the IPsec Authentication Header (AH) covers the IP addresses, while the NAT rewrites the source or destination address, so AH verification always fails; ESP does not cover the outer IP header, but in transport mode the encrypted TCP/UDP checksum still depends on the original addresses and cannot be fixed up by the NAT
• solution:
- use an upper-layer protocol such as SSL/TLS for encryption and authentication
- use UDP encapsulation of ESP packets (IPsec NAT traversal, RFC 3948)
Attack Categories, Threats And Vulnerabilities (cont.)
• Incompatibility with Domain Name System Security Extensions (DNSSEC)
- DNSSEC provides a building block for additional data security in applications by signing DNS records
- DNS64 synthesises AAAA records from A records; the synthesised records carry no valid signature, so a client that validates DNSSEC itself rejects them
• solution:
- perform DNS64 in the validating recursive resolver, so that the A record is validated before the AAAA record is synthesised; hosts that validate locally must do their own DNS64 synthesis (RFC 6147)
Attack Categories, Threats And Vulnerabilities (cont.)
• No limit on the number of open sessions
- an attacker can make a host send a large number of requests
- the NAT binding table fills up with entries, e.g. from a stream of TCP SYN packets that never complete and are never removed
• solution:
- refresh a binding only when the internal host sends traffic, never when a packet arrives from outside, so that an external attacker cannot keep bindings alive (the approach taken by RFC 6146); combine this with idle timeouts and a per-source limit on bindings
Special Vulnerability NAT64 And Solution
• Hole in the NAT
- an attacker uses an open NAT64 port (an existing binding) to get into the internal network from the IPv4 side
- open sessions allow anyone on the public Internet to reach the internal host through the mapping if the NAT does not filter inbound packets by remote address
• Solution:
- a firewall in front of the NAT64, and address/port-dependent filtering of inbound packets so that only the peer the internal host contacted can use the binding
Special Vulnerability NAT64 And Solution (cont.)
• Fragmented packets
- an attacker sends incomplete fragment trains to the NAT64 so that reassembly state consumes its memory and CPU
• Solutions:
- limit the number of fragmented packets held per user (source address)
- limit the time to wait for the next fragment before discarding the partial packet
- limit the number of fragments accepted per packet
Special Vulnerability NAT64 And Solution (cont.)
• Hairpinning loops (sending packets whose destination is the NAT itself)
- an attacker binds an IPv4 address of the NAT64 to an IPv6 address and sends a packet with a forged source address inside the NAT64 prefix, so that the translator keeps forwarding the packet back to itself
• Solutions:
- use an Access Control List (ACL) with ingress filtering
- drop IPv6 packets whose source address lies inside the NAT64 prefix, since no legitimate IPv6 host has such an address
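The following is an added example (not code from the presentation or from any NAT64 implementation) of a stateful NAT64 binding table that applies the mitigations from the last three slides and from the open-session slide: a per-source cap on bindings, an idle timer that only outbound traffic refreshes, address-dependent filtering of inbound packets to close the hole in the NAT, and the hairpin-loop drop for IPv6 sources inside the NAT64 prefix. It is simplified (one entry per internal address/port, without RFC 6146's separate session table), and the pool address, ports and timings are constructed.

```python
"""Stateful NAT64 binding table with the mitigations from the slides.

Added example; not code from the presentation or from any NAT64 implementation.
Simplified: one entry per IPv6 source address/port, no separate session table as
in RFC 6146.  Pool address, ports and timings are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PREF64 = ipaddress.IPv6Network("64:ff9b::/96")


@dataclass
class Binding:
    src6: str                 # internal IPv6 address
    sport: int                # internal source port
    expires: float            # absolute time at which the binding is dropped
    peers: Set[str] = field(default_factory=set)   # IPv4 peers the internal host contacted


class Nat64:
    def __init__(self, pool_v4: str, prefix=PREF64, max_per_src: int = 2, idle: float = 300.0):
        self.pool_v4 = pool_v4
        self.prefix = prefix
        self.max_per_src = max_per_src        # mitigates binding-table exhaustion
        self.idle = idle
        self.table: Dict[Tuple[str, int], Binding] = {}   # (public v4, public port) -> Binding
        self.next_port = 1024

    def expire(self, now: float) -> None:
        """Drop bindings whose idle timer has run out."""
        for key in [k for k, b in self.table.items() if b.expires <= now]:
            del self.table[key]

    def outbound(self, src6: str, sport: int, dst6: str, now: float):
        """IPv6 -> IPv4 direction.  Returns ('forward', (pub4, pub_port, dst4)) or ('drop', why)."""
        if ipaddress.IPv6Address(src6) in self.prefix:
            # Loop prevention from the slide: no real IPv6 host lives inside Pref64.
            return ("drop", "hairpin loop: IPv6 source inside NAT64 prefix")
        dst = ipaddress.IPv6Address(dst6)
        if dst not in self.prefix:
            return ("drop", "destination not in NAT64 prefix; route natively")
        dst4 = str(ipaddress.IPv4Address(int(dst) & 0xFFFF_FFFF))
        self.expire(now)
        for key, b in self.table.items():
            if b.src6 == src6 and b.sport == sport:
                b.expires = now + self.idle     # only outbound traffic refreshes the timer
                b.peers.add(dst4)
                return ("forward", (key[0], key[1], dst4))
        if sum(1 for b in self.table.values() if b.src6 == src6) >= self.max_per_src:
            return ("drop", "per-source binding limit reached")
        key = (self.pool_v4, self.next_port)
        self.next_port += 1
        self.table[key] = Binding(src6, sport, now + self.idle, {dst4})
        return ("forward", (key[0], key[1], dst4))

    def inbound(self, src4: str, pub4: str, pub_port: int, now: float):
        """IPv4 -> IPv6 direction.  Inbound packets never refresh the timer (an external
        attacker cannot keep a binding alive), and address-dependent filtering admits
        only peers the internal host has already sent to (closes the hole in the NAT)."""
        self.expire(now)
        b = self.table.get((pub4, pub_port))
        if b is None:
            return ("drop", "no binding")
        if src4 not in b.peers:
            return ("drop", "address-dependent filtering: unsolicited peer")
        return ("forward", (b.src6, b.sport))


if __name__ == "__main__":
    nat = Nat64("198.51.100.1", idle=60.0)
    print(nat.outbound("2001:db8::1", 5000, "64:ff9b::c000:20a", now=0.0))
    print(nat.inbound("192.0.2.10", "198.51.100.1", 1024, now=10.0))     # solicited peer
    print(nat.inbound("203.0.113.9", "198.51.100.1", 1024, now=10.0))    # scanner, dropped
    print(nat.inbound("192.0.2.10", "198.51.100.1", 1024, now=61.0))     # binding expired
    print(nat.outbound("64:ff9b::1", 9, "64:ff9b::c000:20a", now=0.0))    # hairpin loop
```

Address-dependent filtering is a trade-off: it closes the scanning hole, but it also breaks peer-to-peer applications that rely on endpoint-independent mappings, so a production NAT64 usually makes the filtering mode configurable.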
Conclusion

Vulnerability                                    | Attacks                                   | Solutions
-------------------------------------------------|-------------------------------------------|-----------------------------------------------------------
IPsec cannot be used (except tunnel ESP mode)    | Source spoofing                           | UDP encapsulation or upper-layer protocols (SSL/TLS)
Incompatibility with DNSSEC                      | DoS, Man in the Middle (MITM)             | DNS64/NAT64 support signature verification and re-signing
No limit on the number of open sessions          | DoS                                       | Set a time limit for idle sessions
Hole in the NAT                                  | Scanning, node-initiated session via NAT  | Static firewall or port/address restriction by the NAT
Fragmented packets                               | DoS                                       | Resource allocation for reassembly
Hairpinning loops (packets with NAT destination) | DoS                                       | Ingress filtering and prevention of source spoofing
References:
• Huai-Jen Liu and Pang-Shih Liu, "Hierarchical Routing Architecture for Integrating IPv4 and IPv6 Networks", Asia-Pacific Services Computing Conference (APSCC '08), IEEE, 2008, pp. 703-706.
• S. Hogg and E. Vyncke, IPv6 Security, Cisco Press, 2008.
• B. Huang, H. Deng and T. Savolainen, "Dual-Stack Hosts Using 'Bump-in-the-Host' (BIH)", RFC 6535, February 2012.
• M. Bagnulo, P. Matthews and I. van Beijnum, "Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers", RFC 6146, April 2011.
THANKS
IPv6 is certainly no 'instant on' -- it's a long hard road to get it done.
~ Ed Moyle