IPv6-security

IPv6 Security Topics
TAU Security Forum
February 2005
Yoni Appel
IPv6 Project Manager
[email protected]
©2005 Check Point Software Technologies Ltd. Proprietary & Confidential
Agenda
• Novelties in IPv6
– A short overview
• IPv6 deployment today
– Asia
– Cellular industry
– U.S. Department of Defense
– Academia
• Security topics with IPv6
– New network stacks and logic
– Application security
– End to end encryption
– Transition and tunneling
Novelties in IPv6
Novelties in IPv6
• Address size is 128 bits
– 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IP addresses
– Hierarchical, aggregatable addressing: a standard subnet is a /64, so address scarcity (and NAT as a workaround for it) is no longer a design constraint
• Simpler header format: a fixed 40-byte base header with fewer fields (no header checksum, no options field)
• Computation effort is offloaded from the routers to the end points
– Fragmentation is done only by the sending host, using path MTU discovery; routers never fragment
– Options are carried in a chain of extension headers between the base header and the transport header; routers look only at the Hop-by-Hop header
• Built-in authentication and encryption: IPsec (AH and ESP) is part of the IPv6 node requirements
• Stateless address autoconfiguration: a host forms its own address from the router-advertised prefix and its interface identifier, with no DHCP server
IPv6 deployment today
IPv6 deployment today
Asia
• Major investment in IPv6 infrastructure is being made by governments and technology vendors
• This effort is driven mainly by the shortage of IPv4 addresses
IPv6 deployment today
Asia – Japan
• In Japan there is a strong collaborative effort by government, vendors and service providers to push IPv6
• Such collaboration is the key to solving the "chicken and egg" problem (no users without IPv6 services, no services without IPv6 users), which is a main theme for IPv6
– Native IPv6 links are already available to homes in Japan
– NTT/Verio has built a worldwide IPv6 backbone
IPv6 deployment today
Asia – Japan cont.
– Webcam, VoIP and other end-point equipment vendors are adding IPv6 support
– US$18 million allocated by the Japanese government for IPv6 R&D
– IPv6 networks roll out during 2005
IPv6 deployment today
Asia – China
– CNGI (China Next Generation Internet) rolls out during 2005
– The project will be the core of China's infrastructure for 3G and other telecommunication services for the next decades
– US$169 million will be invested in IPv6 infrastructure by 2010
IPv6 deployment today
Asia – additional countries
• Substantial government investment will also be made in the next few years in additional Asian countries
– US$72 million in South Korea
– US$78 million in Taiwan
IPv6 deployment today
Cellular industry
• The mobile phone is a killer application for IPv6
• Handsets supporting IPv6 are ready
• 3GPP Release 5 introduces IMS, the IP Multimedia Subsystem
• IMS is based on SIP and will enable advanced mobile services
– Video streaming
– Gaming
– Chat
• IMS requires the use of IPv6
IPv6 deployment today
U.S. Department of Defense
• The DoD plans to transition to IPv6 by 2008
• The DoD's efforts are driven by the needs of the future battlefield
• Intensive industry-wide IPv6 testing is conducted in the Moonv6 interoperability events
• The transition will affect DoD partners and major contractors
IPv6 deployment today
Academia
• Universities worldwide are experimenting with IPv6
• Fully active deployments exist in many universities
Security topics with IPv6
Security topics with IPv6
New IP stacks
• Every device gets a globally routable address; with no NAT in the way, more devices are connected to the Internet and are directly reachable unless a firewall is deployed in front of them
• Low-end devices (embedded and consumer equipment) are less flexible to patch and are built with little security awareness
• New IP logic and new IP stack implementations will result in new vulnerabilities, and in variants of the old ones
Security topics with IPv6
New IP stacks - examples
• The Rose Attack: a flood of incomplete fragment sets (for example only the first and last fragment of each datagram) that the victim holds for reassembly, exhausting memory at the attacked node
• Denial of Service attacks – we have witnessed several attacks during the last year where a series of crafted packets caused a crash at the attacked node, both routers and hosts
• Many IPv6 stacks may be vulnerable to these kinds of attacks, since the fragment-reassembly and extension-header code paths are new and less exercised than their IPv4 counterparts
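The following is an added example, not code from the original slides: it covers both the extension-header chain described under "Novelties in IPv6" and the Rose-style fragment flood above. It parses a raw IPv6 packet, walks the Hop-by-Hop, Routing, Destination Options and Fragment headers, and feeds fragments into a reassembly table that has the two defences a stack needs against incomplete fragment sets: a cap on open sets and a timeout. All packets and addresses (2001:db8::/32 documentation space) are constructed in the block; the defaults of 64 sets and 60 seconds are assumptions for illustration, not values from the slides.

```python
import struct
from collections import OrderedDict

# IANA next-header values for the extension headers this walker understands.
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
EXT_WITH_LEN = {HOPOPT, ROUTING, DSTOPTS}   # Hdr Ext Len is in 8-octet units, excluding the first 8


def parse_ipv6(pkt):
    """Parse the fixed 40-byte header and walk the extension-header chain.

    Returns (src, dst, next_header, frag, rest). When a Fragment header is present, frag is
    (ident, offset_bytes, more) and rest is the fragmentable part after it; the walk stops
    there because in a non-first fragment the bytes after it are a slice of data, not headers.
    AH/ESP use a different length encoding and are left to the caller as upper-layer protocols.
    """
    if len(pkt) < 40:
        raise ValueError("short packet")
    first, plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not IPv6")
    if len(pkt) - 40 < plen:
        raise ValueError("payload length exceeds buffer")   # the lie that crashes careless stacks
    src, dst, off, frag = pkt[8:24], pkt[24:40], 40, None
    while nh in EXT_WITH_LEN or nh == FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            nh, _res, fo_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            frag = (ident, (fo_flags >> 3) * 8, bool(fo_flags & 1))
            off += 8
            break
        nh, hdr_len = pkt[off], pkt[off + 1]
        off += (hdr_len + 1) * 8
    return src, dst, nh, frag, pkt[off:]


def is_well_formed(pkt):
    """True if parse_ipv6 accepts the packet, False if it raises (used for the truncation check)."""
    try:
        parse_ipv6(pkt)
        return True
    except ValueError:
        return False


class ReassemblyTable:
    """Fragment reassembly with the two defences a stack needs against a Rose-style
    flood: a cap on the number of open fragment sets and a per-set timeout (assumed values)."""

    def __init__(self, max_sets=64, timeout=60.0):
        self.max_sets, self.timeout = max_sets, timeout
        self.sets = OrderedDict()   # (src, dst, ident) -> {"t0": first seen, "frags": {offset: (data, more)}}
        self.dropped = 0            # sets evicted or timed out before completing

    def add(self, pkt, now):
        """Feed one packet; returns the reassembled payload when a set completes, else None."""
        src, dst, _nh, frag, data = parse_ipv6(pkt)
        if frag is None:
            return data                          # unfragmented: nothing to hold
        ident, offset, more = frag
        self.expire(now)
        key = (src, dst, ident)
        if key not in self.sets:
            if len(self.sets) >= self.max_sets:  # evict the oldest set instead of growing without bound
                self.sets.popitem(last=False)
                self.dropped += 1
            self.sets[key] = {"t0": now, "frags": {}}
        self.sets[key]["frags"][offset] = (data, more)
        return self._complete(key)

    def expire(self, now):
        for key in [k for k, v in self.sets.items() if now - v["t0"] > self.timeout]:
            del self.sets[key]
            self.dropped += 1

    def _complete(self, key):
        frags, out, expected = self.sets[key]["frags"], b"", 0
        for off in sorted(frags):
            chunk, more = frags[off]
            if off != expected:
                return None                      # hole: keep waiting
            out += chunk
            expected += len(chunk)
            if not more:
                del self.sets[key]
                return out
        return None


SRC = bytes.fromhex("20010db8000000000000000000000bad")   # constructed addresses, not real hosts
DST = bytes.fromhex("20010db8000000000000000000000001")


def build_fragment(ident, offset, more, data, proto=17):
    """Constructed IPv6 packet: base header + Fragment header + data (offset in bytes, multiple of 8)."""
    fo_flags = ((offset // 8) << 3) | (1 if more else 0)
    base = struct.pack("!IHBB", 6 << 28, 8 + len(data), FRAGMENT, 64) + SRC + DST
    return base + struct.pack("!BBHI", proto, 0, fo_flags, ident) + data


def benign_reassembly(table, now=0.0):
    """Two fragments of one datagram arrive in order: the second add returns the whole payload."""
    first = table.add(build_fragment(7, 0, True, b"A" * 16), now)
    second = table.add(build_fragment(7, 16, False, b"B" * 8), now)
    return first, second


def rose_flood(table, n, now=0.0):
    """Rose-style traffic: n datagrams, each sending only its first and last fragment, so every
    set stays open waiting for the middle piece. Returns (open sets, evicted sets)."""
    for ident in range(n):
        table.add(build_fragment(ident, 0, True, b"A" * 8), now)
        table.add(build_fragment(ident, 1024, False, b"B" * 8), now)
    return len(table.sets), table.dropped
```

With the cap in place a flood of 1000 half-complete datagrams leaves 64 sets open and evicts the rest; without it (or with an unbounded timeout) every set would be held in memory, which is exactly the exhaustion the slide describes. The length check in parse_ipv6 is the other classic crash trigger: a Payload Length larger than the buffer must be rejected, not used to index memory.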
Security topics with IPv6
Sweep Scan
• A worm scans a network to find the nodes it can spread to, e.g. nodes listening on a specific port
• The Welchia worm used a ping (ICMP echo) based sweep scan for its propagation
• With IPv6, sweep scans are far less practical: even a single local subnet is a /64 with 2^64 addresses, so the neighbours cannot be enumerated by brute force
• A sweep scan can therefore be detected (by the volume of probes to unused addresses) before the worm locates a critical mass of propagation candidates
Security topics with IPv6
Application security
• Applications that deal extensively with IP addresses may be vulnerable due to
– fast conversions of legacy IPv4 code
– incorrect buffer handling (an IPv6 address needs 16 bytes in binary and up to 45 characters as text, against 4 bytes and 15 characters for IPv4)
– incorrect address calculations (for example splitting "host:port" on the last colon)
– different application logic related to IPv6 (address scopes, IPv4-mapped addresses on dual-stack sockets)
• Servers are exposed to application level attacks even in an IPv6 experimentation environment
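Two of the bullets above as an added example (not code from the slides): legacy address logic beside its hardened form. The first pair splits "host:port" strings, where splitting on the last colon silently mangles any IPv6 literal; the second pair is an "internal network" access check written as a string-prefix test, which a dual-stack server fails for the same client when it arrives as an IPv4-mapped IPv6 address. The 10.0.0.0/8 trust range and all addresses are assumptions for illustration.

```python
import ipaddress


def split_hostport_legacy(s):
    """IPv4-era code: split on the last ':'. Works for 'host:port', silently wrong for IPv6
    literals: '2001:db8::1' becomes host '2001:db8:' with port 1."""
    host, port = s.rsplit(":", 1)
    return host, int(port)


def _port(p):
    n = int(p)
    if not 0 < n < 65536:
        raise ValueError("port out of range")
    return n


def split_hostport(s):
    """Hardened: accept the RFC 3986 bracket form '[v6]:port' and validate the literal; a bare
    string with more than one colon is rejected instead of guessed."""
    if s.startswith("["):
        end = s.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, rest = s[1:end], s[end + 1:]
        ipaddress.IPv6Address(host)             # raises on anything that is not an IPv6 address
        if not rest.startswith(":"):
            raise ValueError("missing port")
        return host, _port(rest[1:])
    if s.count(":") != 1:
        raise ValueError("ambiguous: IPv6 literal must be bracketed")
    host, port = s.split(":")
    return host, _port(port)


def safe_split(s):
    """split_hostport wrapped so callers get None instead of an exception."""
    try:
        return split_hostport(s)
    except ValueError:
        return None


TRUSTED = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range for the example


def is_internal_legacy(addr):
    """String-prefix check from IPv4 days; never true for '::ffff:10.1.2.3' or any IPv6 client."""
    return addr.startswith("10.")


def is_internal(addr):
    """Parse first, then unwrap IPv4-mapped addresses a dual-stack socket reports for IPv4 peers."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.version == 4 and ip in TRUSTED
```

The failure direction depends on how the check is used: an allow-list written this way locks legitimate IPv6 or mapped clients out, while a deny-list written this way lets them straight through, which is the bypass an attacker is looking for.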
Security topics with IPv6
DNS – An Application Security example
• New resource record types were added for IPv6: AAAA, A6 and DNAME (A6 and the bit-string labels were later moved to experimental status by RFC 3363; AAAA is the record in actual use)
• The A6 and DNAME resource records support a distributed database in which an address is assembled from partial records held in different zones, so a resolver has to chase chains of records
• Bit-string labels are a new way of representing IPv6 addresses in (reverse) DNS, and a new label type that every DNS parser has to handle correctly
• IPv6 resource records are carried in ordinary DNS messages, including over IPv4 transport, so an IPv4-only inspection point still receives, and must parse, IPv6 data
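Added example, not from the original slides: a minimal parser for AAAA answers in a DNS response, with the checks a resolver or inspection engine needs and a legacy one may lack. It follows compression pointers only backwards, rejects bit-string and other extended label types explicitly instead of misreading them, and treats an AAAA RDLENGTH other than 16 as an error rather than copying it into a 16-byte buffer. The messages are constructed in the block (example.com name, documentation address); nothing is captured.

```python
import struct
import ipaddress

TYPE_AAAA, CLASS_IN = 28, 1


def _name(n):
    """Wire-encode a domain name as ordinary labels (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in n.rstrip(".").split(".")) + b"\x00"


def build_response(qname, address, rdlength=None, txid=0x1234):
    """Constructed DNS response with one AAAA answer (not a captured packet). `rdlength` may be
    forced to a wrong value to exercise the parser's length checks."""
    rdata = ipaddress.IPv6Address(address).packed
    rdlength = len(rdata) if rdlength is None else rdlength
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)        # QR RD RA; 1 question, 1 answer
    question = _name(qname) + struct.pack("!HH", TYPE_AAAA, CLASS_IN)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, 300, rdlength) + rdata
    return header + question + answer


def read_name(msg, off, depth=0):
    """Decode a name at `off`; returns (name, offset after it). Follows compression pointers
    (backwards only, bounded depth) and rejects bit-string labels (RFC 2673 type 0x41) and
    every other extended or reserved label type instead of guessing their length."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        b = msg[off]
        if b == 0:
            return ".".join(labels) + ".", off + 1
        kind = b & 0xC0
        if kind == 0xC0:                                  # compression pointer
            if depth > 8 or off + 2 > len(msg):
                raise ValueError("bad pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("pointer does not point backwards")
            tail, _ = read_name(msg, ptr, depth + 1)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        if kind == 0x40:                                  # extended label; 0x41 is a bit-string label
            raise ValueError("extended/bit-string label not supported")
        if kind != 0x00:
            raise ValueError("reserved label type")
        if off + 1 + b > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off + 1:off + 1 + b].decode("ascii"))
        off += 1 + b


def parse_aaaa(msg):
    """Return [(owner name, address string)] for the AAAA answers in a response."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                          # QTYPE, QCLASS
    results = []
    for _ in range(an):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlength > len(msg):
            raise ValueError("rdlength exceeds message")
        rdata = msg[off:off + rdlength]
        off += rdlength
        if rtype == TYPE_AAAA:
            if rdlength != 16:                            # the buffer-handling check a port of IPv4 code forgets
                raise ValueError(f"AAAA rdlength {rdlength} != 16")
            results.append((name, str(ipaddress.IPv6Address(rdata))))
    return results


def rejects(msg):
    """True if parse_aaaa refuses the message."""
    try:
        parse_aaaa(msg)
        return False
    except ValueError:
        return True


# Constructed test messages: one valid answer and three malformed ones.
GOOD = build_response("www.example.com", "2001:db8::1")
SHORT_RDATA = build_response("www.example.com", "2001:db8::1", rdlength=4)
OVERLONG = build_response("www.example.com", "2001:db8::1", rdlength=64)
BITSTRING = struct.pack("!HHHHHH", 1, 0x8180, 1, 0, 0, 0) + b"\x41\x20" + bytes(4) + b"\x00" + struct.pack("!HH", TYPE_AAAA, CLASS_IN)
SELF_POINTER = struct.pack("!HHHHHH", 1, 0x8180, 1, 0, 0, 0) + b"\xc0\x0c"
```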
Security topics with IPv6
End to End Encryption
• IPv6 makes IPsec (AH and ESP) a mandatory part of every node's implementation; note that this mandates the capability, not its use, and key management (IKE) still has to be deployed and configured
• End-to-end IPsec has notable advantages
– Prevents eavesdropping inside the LAN, since traffic is encrypted before it leaves the host
– Simplifies the security requirements at the application layer
– Increases interoperability, because every node is expected to speak the same protocol
Security topics with IPv6
End to End Encryption
• End-to-end encryption means the network can no longer inspect the traffic, so network and application security have to be enforced at the endpoints
• However, the endpoint may lack the abilities required to address security at the design and deployment phases
– Awareness
– Expertise
– Responsiveness
– Flexibility
– Distribution mechanism (getting a fix out to the devices)
Security topics with IPv6
Transition Mechanisms
• There are several transition mechanisms between IPv6 and IPv4
– NAT-PT: translates IPv6 packets to IPv4 and vice versa at a gateway
– SIT (Simple Internet Transition, the Linux sit device): IPv6 encapsulated directly in IPv4 as IP protocol 41, the basis of configured 6in4 tunnels, 6to4 and ISATAP
– Teredo: a NAT-friendly tunnel that encapsulates IPv6 in UDP over IPv4 (server port 3544)
Security topics with IPv6
Transition and tunneling
• IPv6-in-IPv4 tunnels may be used by malicious applications to bypass security inspection: an IPv4-only firewall or IDS sees IP protocol 41 or a UDP flow, not the IPv6 traffic inside it
• It is best practice to either
– Block all of these tunnels (IP protocol 41 and Teredo UDP traffic) on IPv4-only deployments, or
– Be the endpoint of these tunnels and make sure that the encapsulated traffic gets inspected
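Added example, not from the original slides: a classifier that recognises the tunnels listed on the previous slide inside raw IPv4 packets (protocol 41 for 6in4/ISATAP, a 2002::/16 inner address for 6to4, and UDP on port 3544 carrying an IPv6 header for Teredo) and applies the slide's two policies: drop on an IPv4-only network, or hand the inner packet to IPv6 inspection where the tunnel is terminated. The sample packets are constructed in the block from documentation addresses; the port-3544 test is a heuristic, since Teredo peers talk to each other on arbitrary ports once the server has introduced them.

```python
import struct
import ipaddress

PROTO_IPV6, PROTO_UDP, TEREDO_PORT = 41, 17, 3544
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")


def _inner_ipv6(b):
    """(src, dst) as strings if `b` starts with an IPv6 header, else None."""
    if len(b) < 40 or b[0] >> 4 != 6:
        return None
    return str(ipaddress.IPv6Address(b[8:24])), str(ipaddress.IPv6Address(b[24:40]))


def classify_ipv4_packet(pkt):
    """Return (tunnel kind, inner src, inner dst) for a tunnelled IPv6 packet, or None.
    Kinds: 'proto41' (6in4, ISATAP), '6to4' (proto 41 with a 2002::/16 inner address),
    'teredo' (UDP on 3544 whose payload is an IPv6 header), 'proto41-malformed'."""
    if len(pkt) < 20:
        return None
    vihl, _tos, total, _id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if vihl >> 4 != 4:
        return None
    payload = pkt[(vihl & 0xF) * 4:total]
    if proto == PROTO_IPV6:
        inner = _inner_ipv6(payload)
        if inner is None:
            return ("proto41-malformed", None, None)   # still tunnel traffic: drop, do not ignore
        src, dst = inner
        kind = "6to4" if any(ipaddress.IPv6Address(a) in SIX_TO_FOUR for a in (src, dst)) else "proto41"
        return (kind, src, dst)
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport, _ulen, _csum = struct.unpack("!HHHH", payload[:8])
        if TEREDO_PORT in (sport, dport):                # heuristic: client<->client Teredo uses other ports
            inner = _inner_ipv6(payload[8:])
            if inner is not None:
                return ("teredo", inner[0], inner[1])
    return None


def policy(pkt, mode="block"):
    """'block': drop every tunnel on an IPv4-only network. 'terminate': this host ends the
    tunnel, so the inner packet goes to IPv6 inspection. Plain IPv4 passes either way."""
    if classify_ipv4_packet(pkt) is None:
        return "pass"
    return "drop" if mode == "block" else "inspect-inner"


# Constructed packets (documentation addresses), not captures.
def ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def ipv6(src, dst, nh=59):   # 59 = No Next Header; an empty IPv6 packet is enough for the header check
    return struct.pack("!IHBB", 6 << 28, 0, nh, 64) + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


SAMPLES = {
    "6in4": ipv4(41, "192.0.2.1", "198.51.100.1", ipv6("2001:db8::1", "2001:db8::2")),
    "6to4": ipv4(41, "192.0.2.1", "192.88.99.1", ipv6("2002:c000:201::1", "2001:db8::2")),
    "teredo": ipv4(17, "192.0.2.1", "198.51.100.2", udp(40000, 3544, ipv6("2001::1", "2001:db8::2"))),
    "junk41": ipv4(41, "192.0.2.1", "198.51.100.1", b"\x00" * 8),
    "plain": ipv4(6, "192.0.2.1", "198.51.100.3", b"\x00" * 20),
}
```

On a real firewall the 'block' policy is simply a deny for IP protocol 41 and for UDP port 3544 in both directions; the classifier above is what the 'terminate and inspect' option needs, because the inner source and destination, not the outer IPv4 pair, are what the IPv6 rulebase must be applied to.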
Questions ?