IPv6Security - Personal.kent.edu
Download
Report
Transcript IPv6Security - Personal.kent.edu
IPv6 Has built in security via IPsec (Internet
Protocol Security).
◦ IPsec Operates at OSI layer 3 or internet layer of the
Internet Protocol Suite.
IPsec
◦
◦
◦
◦
Internet Engineering Task Force (IETF)
Encrypts the IP connection between computers
Data is encrypted at the packet level
The standard for IP encryption
IPSec provides four major functions:
Confidentiality – The sender can encrypt the
packets before transmitting them across the
network. If the communication is intercepted, it
cannot be read by anybody.
Data Integrity – The receiver can verify whether
the data was changed while travelling the
internet.
Origin authentication – The receiver can
authenticate the source of the packet.
Anti replay protection – The receiver can verify
that each packet is unique and not duplicated.
◦ IPsec is a framework of open standards which uses
the following three protocols:
Security association
Authentication Header
Encapsulating Security Payload
Security Association: Handles protocols and
algorithms used to generate the encryption
and authentication keys used by Ipsec.
Authentication Header provides
connectionless integrity and data origin
authentication for IP datagrams.
Encapsulating Security Payload provides
confidentiality, data origin authentication and
connectionless integrity.
IPsec was developed in conjunction with IPv6
and it is required in all implementations of
IPv6.
Although IPsec was designed for IPv6 it can
be and has been used to secure IPv4 traffic
for some time now.
Although IPv6 itself has built in security, the
coming change to IPv6 and away from IPv4
has raised security concerns over how the
change from one protocol to another may be
exploited.
The main catalyst for IPv6 is the soon to be
depleted number of IPv4 addresses. Some
estimates say it may take more than a decade
for IPv6 capabilities to spread throughout the
network community.
During this transition time and even
afterwards there will be servers available over
IPv4 only, some will only be available to IPv6
and some available to both protocols.
Support and security for both of these
protocols will be needed for an extended
period.
The security concerns at this early stage deal
with the minimal but growing amount of IPv6
traffic running across IPv4 networks that are
not secure against threats arriving via this
IPv6 traffic.
Most U.S. organizations have hidden IPv6
traffic running across their networks. They
can have IPv6 running on their networks and
not know it.
Windows 7, Vista, Windows Server 2008, MAC
OS X, Linux And Solaris all ship with IPv6
enable by default.
The main concern lies with security meant to
monitor IPv4 traffic. This security needs to be
updated to include IPv6.
Firewalls need to be able to distinguish
between IPv4 and IPv6. If you only have an
IPv4 firewall you can have IPv6 running
between you and the threat.
Tunneling is another area of concern. IPv6
traffic can be tunneled over IPv4 using
programs such as Teredo, 6to4, or ISATAP.
Typical IPV4 security devices are not tuned to
look for tunneled traffic. Tunneled traffic can
be hard to discern and decipher in any case
as the following example suggests >> you
can tunnel IPv6 over HTTP over IPv4.
Rogue IPv6 traffic can include attacks such as
botnet commands and controls.
One example of an botnet attack using IPv6
had the IPv6 protocol hiding itself as IPv4
through the router. It was then attacking and
issuing command and controls to a botnet in
the far east. Another type of threat has seen
illegal file sharing that leverages IPv6 for peer
to peer communications.
The type 0 routing header is another
potential security problem with IPv6. This
feature of IPv6 allows you to specify in the
header what route is used to forward traffic.
A hacker could use this to overwhelm a part
of the network generating denial-of-service
traffic.
RFC 5095 dated December 2007 called for
measures to confront this problem.
Implemented yet?
The number of attacks via IPv6 has been low
but this can be attributed to the low amount
of IPv6 traffic and the fact that the vast
majority of the prime targets are still using
IPv4.
Organizations will have to mirror what they
have done for IPv4 security with IPv6. Until
recently IPv4 was the only protocol used and
the only one that network security needed to
be concerned with. Now there is IPv4, IPv6
and IPv6 tunneled over IPv4.
Companies are now coming out with products
to deal with these issues.
Command Information Assure 6 and McAfee
Network Security Platform both provide full
IPv6 and tunnel inspection.
Cisco and Juniper offer IPv6 enabled routers
and firewalls.