
IPv4 to IPv6
Migration & Security
Nir Shahaf
February 2007
17 July 2015
©2005 Check Point Software Technologies Ltd. Proprietary & Confidential
Agenda
 Introduction
 Transition Techniques
 Security Aspects
Business Drivers – Address Space
 The most obvious
reason
 Increasing number of
internet enabled
devices
 At the current rate,
address space
exhaustion is
expected in less than
5 years
Created by Randall Munroe
Business Drivers – Regulations
 In many countries regulations require new
network equipment to support IPv6
 In some places, such as several sub agencies
of the US DoD, a target date was set for
transition
Business Drivers – Software
Requirements
 All recent Microsoft operating systems have
extensive IPv6 support, including many
transition mechanisms
 IPv6 is the preferred network protocol in
Windows Vista
 IPv6 exposure in the private market will be
increased
Business Drivers – The Mobile
World
 VoIP on handheld
devices
 IPv6-based IMS is the
goal for new mobile-to-mobile services
Transition Techniques – Scenario 1
[Diagram: host – router – router – host, every node labelled 4/6]
 All the components in the
network are dual stack:
support both IPv4 and IPv6
Transition Techniques – Scenario 2
[Diagram: dual-stack host (4/6) – IPv4-only routers (4) – dual-stack host (4/6)]
 The endpoint is dual stack. The
equipment on the way is not
 Tunneling is required for IPv6
Tunneling Protocols
 Isolated IPv6 nodes tunnel their traffic to the
IPv6 internet in IPv4 packets (protocol 41)
 Configured tunneling: requires explicit
configuration (tunnel broker services, “IPv6
ISP”)
 Automatic tunneling: tunnel endpoints are
automatically determined by the infrastructure.
Examples: 6to4, 6over4, Teredo, ISATAP
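The automatic tunnelling mechanisms listed above each embed IPv4 information inside the IPv6 address, which is what a firewall or log analyser can use to recognise them. The following decoder is an added example, not code from the original presentation or from Check Point: it classifies an IPv6 address as 6to4 (2002::/16, IPv4 of the 6to4 router in bits 16-47), Teredo (2001::/32, with server IPv4, flags, and the client's external port and IPv4 stored in ones' complement) or ISATAP (interface identifier 0000:5EFE or 0200:5EFE followed by the host's IPv4). The sample addresses are constructed from documentation ranges; the Teredo one is the example address given in RFC 4380.

```python
import ipaddress
import struct

# Well-known prefixes: 6to4 (RFC 3056) and Teredo (RFC 4380).
SIXTOFOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")


def classify_transition_address(addr_text):
    """Return (mechanism, details) for an IPv6 address, or (None, {}) for a native address."""
    addr = ipaddress.IPv6Address(addr_text)
    raw = addr.packed  # 16 bytes, network order

    if addr in SIXTOFOUR:
        # 2002:WWXX:YYZZ::/48 -> the 6to4 router (the IPv4 tunnel endpoint) is W.X.Y.Z
        router_v4 = ipaddress.IPv4Address(raw[2:6])
        return "6to4", {"router_v4": str(router_v4)}

    if addr in TEREDO:
        # 2001:0000 | server IPv4 (32) | flags (16) | ~port (16) | ~client IPv4 (32)
        server_v4 = ipaddress.IPv4Address(raw[4:8])
        flags = struct.unpack("!H", raw[8:10])[0]
        client_port = struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF
        client_v4 = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        return "Teredo", {
            "server_v4": str(server_v4),
            "cone_flag": bool(flags & 0x8000),
            "client_port": client_port,
            "client_v4": str(client_v4),
        }

    # ISATAP (RFC 5214): interface ID is 0000:5EFE:w.x.y.z, or 0200:5EFE:w.x.y.z when
    # the "u" (universal/local) bit is set for a globally unique IPv4 address.
    iid = raw[8:16]
    if iid[0] in (0x00, 0x02) and iid[1] == 0x00 and iid[2:4] == b"\x5e\xfe":
        host_v4 = ipaddress.IPv4Address(iid[4:8])
        return "ISATAP", {"host_v4": str(host_v4)}

    return None, {}


if __name__ == "__main__":
    # Constructed sample addresses (documentation prefixes; Teredo example from RFC 4380).
    for a in ("2002:c000:204::1",
              "2001:0000:4136:e378:8000:63bf:3fff:fdd2",
              "fe80::5efe:c000:201",
              "2001:db8::1"):
        print(a, "->", classify_transition_address(a))
```

The Teredo decode is the interesting one for a firewall: the client's external IPv4 address and UDP port are recoverable from the IPv6 address alone, so an IPv6 log entry can be correlated back to the IPv4 NAT binding that carried it, and an address that claims a Teredo server the organisation never deployed is a strong hint of an unmanaged tunnel.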
Transition Techniques – Scenario 3
[Diagram: IPv6 host (6) – IPv6/IPv4 translator (6|4) – IPv4 host (4)]
 A host on an IPv6 site is trying
to connect to the IPv4 internet
 Translation is required
Scenario 3 - NAT-PT
 Network address translation – protocol
translation
 Translation between IPv4 and IPv6
 Includes ICMP messages translation
 Application level translation (FTP, DNS)
Transition Techniques – Scenario 4
[Diagram: IPv6 site (6) – IPv4 network (4) – IPv6 site (6)]
 A secure connection between
two IPv6 sites is needed
Transition Techniques – IPSec over
Tunneling
[Diagram: IPv6 site (6) – IPv4 network (4) – IPv6 site (6); IPv6 IPsec runs end to end between the sites and is carried inside the IPv4 tunnel]
Transition Techniques – Tunneling
over IPSec
[Diagram: IPv6 site (6) – IPv4 network (4) – IPv6 site (6); the IPv6-in-IPv4 tunnel is carried inside an IPv4 IPsec connection between the tunnel endpoints]
IPv6 Security
 All old security issues are still there
 The perimeter firewall model is still relevant,
with some adaptation to support IPv6
addressing and the new challenges posed by
the new protocol
– Mobility
– Integrated IPsec support
– MTU discovery
Challenges for Firewalls – Routing
Extension Header
 Extension headers replace the IP options in
IPv4
 The standard defines six extension headers:
– AH (Authentication Header)
– ESP (Encapsulating Security Payload)
– Routing
– Hop-by-hop options
– Destination options
– Fragment
Challenges for Firewalls – Routing
Extension Header
 Routing extension header
– specifies a list of routers that should be visited
– The destination of the packet is the next hop
– The real destination is specified in the extension
header
 Can be used to override access control lists
 Solution
– Firewalls should inspect all the hops and not only
the “destination” of packets
– Filter/block routing extension headers
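A firewall that looks only at the destination field of the IPv6 header will permit a packet addressed to an allowed host even when a Type 0 Routing Header lists a forbidden internal host as the real final destination. The following is an added example (not code from the presentation or from any Check Point product) of the inspection described above: it walks the extension-header chain, collects every address in a Type 0 segment list as an additional destination, and checks all of them against the permitted networks. The packet builder, the addresses (documentation prefixes) and the policy are constructed for the demonstration. Note that Type 0 routing headers were later deprecated by RFC 5095 precisely because of this problem, so blocking them outright, as the slide also suggests, is the usual policy today.

```python
import ipaddress
import struct

IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_ROUTING = 0, 6, 43
IPPROTO_FRAGMENT, IPPROTO_AH, IPPROTO_DSTOPTS = 44, 51, 60
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_AH, IPPROTO_DSTOPTS}


def build_ipv6_with_rh0(src, dst, hops, payload, payload_proto=IPPROTO_TCP):
    """Constructed test packet: IPv6 header + Type 0 Routing Header listing `hops` (RFC 2460)."""
    # Hdr Ext Len is in 8-octet units not counting the first 8 octets: 2 per 16-byte address.
    rh = struct.pack("!BBBBI", payload_proto, 2 * len(hops), 0, len(hops), 0)
    rh += b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    hdr = struct.pack("!IHBB", 0x60000000, len(rh) + len(payload), IPPROTO_ROUTING, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + rh + payload


def all_destinations(pkt):
    """Walk the extension-header chain; return every address the packet may end up delivered to."""
    if pkt[0] >> 4 != 6 or len(pkt) < 40:
        raise ValueError("not an IPv6 packet")
    dsts = [str(ipaddress.IPv6Address(pkt[24:40]))]  # the 'destination' a naive filter sees
    next_hdr, off = pkt[6], 40
    while next_hdr in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nh, ext_len = pkt[off], pkt[off + 1]
        if next_hdr == IPPROTO_FRAGMENT:
            hdr_len = 8                      # fixed size
        elif next_hdr == IPPROTO_AH:
            hdr_len = (ext_len + 2) * 4      # AH length is in 4-octet units minus 2
        else:
            hdr_len = (ext_len + 1) * 8      # hop-by-hop, destination, routing
        if next_hdr == IPPROTO_ROUTING and pkt[off + 2] == 0:   # Routing Type 0
            for i in range(ext_len // 2):
                a = off + 8 + 16 * i
                dsts.append(str(ipaddress.IPv6Address(pkt[a:a + 16])))
        off += hdr_len
        next_hdr = nh
    return dsts


def naive_permits(pkt, allowed_nets):
    """The weak check: only the IPv6 header's destination field is consulted."""
    dst = ipaddress.IPv6Address(pkt[24:40])
    return any(dst in ipaddress.ip_network(n) for n in allowed_nets)


def firewall_permits(pkt, allowed_nets):
    """The corrected check: every hop in the routing header must be permitted."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return all(any(ipaddress.IPv6Address(d) in n for n in nets) for d in all_destinations(pkt))


if __name__ == "__main__":
    # Constructed scenario: only the DMZ 2001:db8:2::/64 is reachable from outside,
    # but the routing header asks the DMZ host to forward to an internal server.
    pkt = build_ipv6_with_rh0("2001:db8:1::1", "2001:db8:2::10", ["2001:db8:ffff::5"], b"\x00" * 20)
    print(all_destinations(pkt))
    print("naive:", naive_permits(pkt, ["2001:db8:2::/64"]), "inspecting:", firewall_permits(pkt, ["2001:db8:2::/64"]))
```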
Challenges for Firewalls –
Tunneling
 Tunneling protocols can be used in order to
“smuggle” packets into the network
 Can be used to override access control lists
 Several tunneling protocols (e.g. Teredo) use
mechanisms of “hole punching” through
firewalls.
 Solution:
– Firewalls should inspect the traffic running through
the tunnel
– Block tunneling protocols
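To inspect the traffic running through a tunnel, the firewall first has to find the inner IPv6 packet. The following is an added example, not code from the presentation or from Check Point, of the two decapsulations a perimeter device most often needs: IPv4 protocol 41 (used by configured tunnels, 6to4 and ISATAP) and Teredo, where the IPv6 packet sits in UDP, possibly behind Teredo authentication and origin-indication headers. The inner destination is then checked against the permitted networks. The packet builders and addresses are constructed; matching Teredo by UDP port 3544 is an assumption that only catches traffic to or from a Teredo server, since client-to-relay traffic uses the client's mapped port.

```python
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 6, 17, 41
TEREDO_SERVER_PORT = 3544


# --- constructed packet builders (test fixtures, not captured traffic) ---
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_hdr, payload):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def teredo_origin_indication(port, v4):
    # RFC 4380 origin indication: 0x0000, then port and IPv4 in ones' complement.
    obf_ip = bytes(b ^ 0xFF for b in ipaddress.IPv4Address(v4).packed)
    return struct.pack("!HH", 0, port ^ 0xFFFF) + obf_ip


# --- decapsulation ---
def strip_teredo_headers(data):
    """Skip Teredo authentication (0x0001) and origin indication (0x0000) headers."""
    while len(data) >= 4:
        ind = struct.unpack("!H", data[:2])[0]
        if ind == 0x0001:
            id_len, au_len = data[2], data[3]
            data = data[4 + id_len + au_len + 8 + 1:]   # ids, auth value, nonce, confirmation
        elif ind == 0x0000:
            data = data[8:]
        else:
            break
    return data


def extract_inner_ipv6(ipv4_pkt):
    """Return (mechanism, inner IPv6 packet) for tunnelled traffic, or (None, None)."""
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    proto = ipv4_pkt[9]
    payload = ipv4_pkt[ihl:]
    if proto == IPPROTO_IPV6 and len(payload) >= 40 and payload[0] >> 4 == 6:
        return "protocol-41", payload
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        inner = strip_teredo_headers(payload[8:])
        # Assumption: a 3544 port plus an IPv6 version nibble marks Teredo server traffic.
        if TEREDO_SERVER_PORT in (sport, dport) and len(inner) >= 40 and inner[0] >> 4 == 6:
            return "teredo", inner
    return None, None


def tunnel_verdict(ipv4_pkt, allowed_inner_nets):
    """Policy: inner IPv6 destination of any tunnel must be in an allowed network."""
    mech, inner = extract_inner_ipv6(ipv4_pkt)
    if mech is None:
        return ("native", "pass")
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    ok = any(inner_dst in ipaddress.ip_network(n) for n in allowed_inner_nets)
    return (mech, "pass" if ok else "drop")


if __name__ == "__main__":
    allowed = ["2001:db8:2::/64"]
    hidden = build_ipv6("2001:db8:dead::1", "2001:db8:ffff::5", IPPROTO_TCP, b"\x00" * 20)
    p41 = build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_IPV6, hidden)
    print(tunnel_verdict(p41, allowed))
```

The IPv4 outer header of the first packet looks entirely legitimate (a public source, an allowed destination); only decapsulating shows that the IPv6 payload is addressed to an internal host the IPv4 policy would never have allowed. If the site has no business need for tunnels, the simpler policy from the slide, dropping protocol 41 and UDP/3544 at the perimeter, avoids having to get this parsing right under adversarial input.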
Challenges for Firewalls – Neighbor
Discovery
 Neighbor solicitation/advertisement
– Replacement for ARP
– Also used for duplicate address detection
 Router solicitation/advertisement
– Used to automatically configure nodes on the
network
– Routers advertise their network ID, nodes should
allocate interface ID for themselves
Challenges for Firewalls – Neighbor
Discovery
 DAD – duplicate address detection
 Can be used for DoS attacks: a node on the link that
answers every DAD neighbor solicitation with an
advertisement for the tentative address prevents
other nodes from ever configuring an address
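A DAD exchange is easy to recognise on the wire: the solicitation comes from the unspecified source `::` with the tentative address as its target, and an honest answer is a neighbor advertisement for that one target from the node that really owns it. An attacker running the denial-of-service described above answers for every target, so one link-layer address ends up claiming many different tentative addresses. The following detector is an added example (not code from the presentation or from Check Point): it parses neighbor solicitation and advertisement messages, remembers which targets are under DAD, and flags a link-layer address that advertises ownership of more tentative addresses than a threshold. ICMPv6 messages, addresses and the threshold are constructed for the demonstration; checksums are left zero because nothing here transmits.

```python
import ipaddress
import struct
from collections import defaultdict

ICMPV6_NS, ICMPV6_NA = 135, 136
OPT_TARGET_LLADDR = 2


# --- constructed ND message builders (RFC 4861 layouts) ---
def build_ns(target):
    # type, code, checksum, reserved(32), target address
    return struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed


def build_na(target, mac, override=True):
    flags = 0x20000000 if override else 0          # R/S/O bits in the top of the 32-bit field
    opt = struct.pack("!BB6s", OPT_TARGET_LLADDR, 1, bytes.fromhex(mac.replace(":", "")))
    return struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed + opt


def parse_nd(icmp):
    """Return (type, target address, target link-layer address or None)."""
    if len(icmp) < 24 or icmp[0] not in (ICMPV6_NS, ICMPV6_NA):
        raise ValueError("not a neighbor solicitation/advertisement")
    target = str(ipaddress.IPv6Address(icmp[8:24]))
    lladdr, off = None, 24
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")    # RFC 4861 requires discarding these
        if otype == OPT_TARGET_LLADDR and olen == 1:
            lladdr = ":".join(f"{b:02x}" for b in icmp[off + 2:off + 8])
        off += olen * 8
    return icmp[0], target, lladdr


class DadMonitor:
    """Flags a link-layer address that 'wins' DAD for too many different tentative addresses."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.tentative = set()                      # targets currently under DAD
        self.claims = defaultdict(set)              # link-layer address -> claimed DAD targets

    def observe(self, src_ip, icmp):
        """Feed one ND message; return the suspect link-layer address, or None."""
        msg_type, target, lladdr = parse_nd(icmp)
        if msg_type == ICMPV6_NS and src_ip == "::":
            self.tentative.add(target)               # DAD probe: unspecified source
        elif msg_type == ICMPV6_NA and target in self.tentative and lladdr is not None:
            self.claims[lladdr].add(target)
            if len(self.claims[lladdr]) >= self.threshold:
                return lladdr
        return None


def run_sample():
    """Constructed trace: three hosts start DAD, one node answers for all of them."""
    mon = DadMonitor(threshold=3)
    attacker_mac = "02:00:5e:00:53:01"            # constructed, not a real device
    suspects = []
    for tentative in ("fe80::1", "fe80::2", "fe80::3"):
        suspects.append(mon.observe("::", build_ns(tentative)))
        suspects.append(mon.observe("fe80::bad", build_na(tentative, attacker_mac)))
    return [s for s in suspects if s]


if __name__ == "__main__":
    print(run_sample())
```

A single advertisement for a single target is normal, so the monitor stays quiet on the legitimate case; the threshold trades speed of detection against false positives from a host that genuinely owns several addresses. On a switched network the same link-layer address should also be compared against what the switch port learnt, which this example does not do.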
Summary
 IPv6 is starting to happen and is expected to
spread quickly in the next few years
 Transition mechanisms are required for
coexistence
 Transition techniques pose new security risks
and new challenges