Securing an IPv6 Network
Download
Report
Transcript Securing an IPv6 Network
Securing an IPv6 Network
Spring 2005 Internet2 Members Meeting
Arlington, VA
Ron Broersma
DREN Chief Engineer
High Performance Computing Modernization Program
[email protected]
3-May-05
IPv6 Security
1
Context
•
Historical
– 2001 – DREN IPv6 testbed
• Wide area
• Dedicated hardware – 10 “core” nodes.
• Native IPv6 over partial ATM mesh
– 2003 – DoD and IPv6
• DoD CIO issues memorandum to transition by 2008
• DREN chosen as the DoD “pilot implementation”
– 2003/2004 – DoD “pilot” on DREN production network
• dual stack, native, running on production DREN network
– 2004/2005 – additional efforts
• site deployment, multicast, DHCP/DNS, mobility
•
Within DoD…
– Each of the services (Army, Navy, Air Force) developing their own transition
plans for the “operational networks”.
• Most will not begin implementation for a year or more
• Most will not be complete until after 2008
– DREN is DoD’s “research network”, and is transitioning now.
• Chartered to support the DoD HPC community, and other R&D organizations.
3-May-05
IPv6 Security
2
DREN Today
• 10 “core nodes” on OC-192 backbone (CONUS), with
OC-12 extensions to Hawaii and Alaska.
• About 100 sites (“Service Delivery Points”),
connected at DS-3 to OC-48 rates.
• IPv4 unicast and multicast, IPv6 unicast, and ATM
services now.
• Dual IPv6 networks (“testbed”, and “production”)
• “jumbo-clean” (i.e. 9K MTU everywhere)
• Multiple security levels.
– Both unclassified and classified networks
3-May-05
IPv6 Security
3
DREN “production” network
3-May-05
IPv6 Security
4
DRENv6 “testbed”
Logical Topology
Cisco
AIX-v6
C&W
Global
Crossing
Abilene
FIX-West
Hurricane
Electric
LAVAnet
TIC
NTTCom
Verio
6TAP
Abilene
WPAFB
Dayton
ARL
JITC
HP
San Diego
WCISD
SD-NAP
SDSC
SSC San Diego
Aberdeen
Tunnel broker
AOL
Wash D.C.
HICv
6
NRL
Vicksburg
(Hawaii)
SSAPAC
SPRINT
Albuquerque
AFRL
Kirtland AFB
ATM PVC (OC-3)
tunnel
3-May-05
SSC Charleston
ERDC
Stennis
NAVO
IPv6 Security
vBNS+
IXP
Core Router
ISP or
BGP Neighbor
“site”
5
DREN IPv6 philosophy
• Push the “I believe” button, and turn on IPv6
everywhere to see what works (and what
doesn’t)
• Do it in a production environment
– can get away with this in an R&D environment,
but not on operational networks.
• Go native. (no tunnels)
• Even if the world doesn’t convert for years,
R&D environments need it now.
• Figure out how to deploy IPv6 to the rest of
DoD in the future.
3-May-05
IPv6 Security
6
Unique Security Challenges
• DoD networks are a big target
• DoD has mandatory security requirements
–
–
–
–
Certification and Accreditation (DITSCAP)
DoD ports&protocols
Navy UTN Protect Policy
etc.
• Defense in Depth model
Goal: Try to achieve equivalent security to IPv4,
so we can deploy IPv6 within DoD policy.
3-May-05
IPv6 Security
7
DoD Security Model
• “Defense in Depth”
– Protections at multiple
levels
• Problem: How to
securely deploy IPv6
in DoD without these
components.
S
Scanners
LAN
Firewall
IDS
ACL
WAN
ACL
IDS
Internet
3-May-05
IPv6 Security
8
Lack of Security Features
(Examples)
•
Router Access Control Lists (ACLs)
•
Vulnerability Assessment (Scanners)
•
Intrusion Detection Systems
•
IPSEC
•
Firewalls
– Juniper doesn’t support “tcp established”
– ISS doesn’t support IPv6 and has no published plans to do so.
– NESSUS doesn’t support IPv6 (yet)
– If we want IPv6 support, we have to add it ourselves.
– Juniper port mirroring doesn’t support IPv6
– Missing in most IPv6 implementations
– Juniper ASPIC doesn’t support IPv6 (until much later)
– Until recently, no production quality IPv6 support
– Netscreen (Juniper):
• no OSPFv3, only RIP
• IPv6 support only available in certain products
• “transparent mode” doesn’t work for IPv6
It is crucial that IPv6 products have equivalent functionality to the IPv4 world
3-May-05
IPv6 Security
9
Overcoming the security issue
(workaround)
• Use DRENv6 testbed for transit to Internet
– use to peer with rest of IPv6 enable Internet and other testbeds
– continue to operate as an “untrusted” IPv6 network
• Enable IPv6 on new DREN2 (MCI) production network.
– Dual stack everywhere.
• Establish trusted gateways between v6 enabled DREN2 and the
DRENv6 testbed
– Upgrade HPC Network Intrusion Detection Systems (NIDS) to be
v6-compliant, monitored by the HPC Computer Emergency
Response Team (CERT), and install at the trusted gateways.
– Install v6 version of standard DREN v4 Access Control Lists (ACLs)
to protect pilot network to same level as IPv4 production network.
• DREN customers receive “safe” native IPv6 service via existing
service delivery point (SDP), in parallel with IPv4 service.
3-May-05
IPv6 Security
10
DREN IPv6 transition architecture – FY04
To 6bone, Abilene, and other IPv6 enabled ISPs
IPv6 demonstrations (Moonv6)
links run native IPv6 where
possible, otherwise
tunnelled in IPv4
DRENv6 (Testbed)
Native IPv6 backbone
SSCSD
ARL-APG
ERDC
Testbed at
DREN site
Testbed at
DREN site
v6 ACL
sdp.sandiego
NIDSv6
v6 ACL
NIDSv6
NIDSv6
v6 ACL
sdp.erdc
DREN2 (Production / Pilot)
sdp.arlapg
Dual stack IPv4 and IPv6 wide area infrastructure
sdp
Goal: As secure as
the IPv4 backbone
3-May-05
sdp
sdp
Type “A” (IP) production service to DREN sites
IPv4 and IPv6 provided over the same interface
IPv6 Security
11
Site Security Solution
(Example – SPAWAR)
• SPAWAR Intrusion
Detection System (IDS)
modified to support IPv6
• Netscreen Firewall with
IPv6 support in parallel
with production firewall.
WAN
DREN
2
(Pilot)
IPv4 unicast and
multicast services
+ IPv6 unicast
SPAWAR
Border router
(Juniper M20)
IDS
IPv6
IPv4
Netscreen 2000
Firewall
Production
Firewall
Netscreen 208
Firewall
switch
IPv6 Firewall
to LAN
3-May-05
IPv6 Security
12
Other Security Issues
• IPv6 tunnels crossing security domains
• TCP and UDP port numbers aren’t in a fixed
location, so how do you filter on them?
• Privacy concerns of non-changing interface
identifier (IID)
• What issues haven’t we discovered yet?
3-May-05
IPv6 Security
13
Summary
• With some work, it is possible to secure an
IPv6 network.
• There are still some missing pieces, but it is
getting better.
• IPv6 capability in products is good, but we
cannot be satisfied unless all the security
functions and features work just as well in
IPv6 as they do in IPv4.
3-May-05
IPv6 Security
14