IPv6 & IPv4 Deployment


Advanced IPv6 Residential Security
draft-vyncke-advanced-ipv6-security-00.txt
Mark Townsley
Eric Vyncke
November 2009
V6OPS Simple-Security for Residential Networks
Definition (e.g., from draft-v6ops-simple-security…)
1. Embedded (static) policy
2. Ports are either opened implicitly via outbound flows, or explicitly via policy switches. Otherwise, all inbound traffic is dropped.
3. Troubleshooting: typically, little to no feedback to the user on what traffic is dropped and why
4. User/application control: policy knobs via UI or protocols (NAT-PMP, UPnP) to interact with firewall settings
Most incoming flows are "guilty until proven innocent"
Mimics the current low-end IPv4 home gateways/routers
Basic Idea
Figure: a typical residential IPv6 network shown next to a "large enterprise" network with a large number of global IP addresses
• Observation: large global addressing in IPv6 allows any residential network to resemble an enterprise network with a large IPv4 global address block
Basic Idea
Figure: the same two networks, with the enterprise network's security features carried over to the residential IPv6 network
• V6ops is in the process of defining what residential IPv6 security should look like, so perhaps we should examine security features that are used in enterprise networks today and see how they might apply in a residential security setting
Basic Idea
Figure: the same two networks, with security features carried over to the residential IPv6 network
• These techniques are not IPv6-specific per se, but we were discussing them within the context of IPv6 in v6ops.
Overview
• 7 policies are identified in the -00. These are largely based on features which are commonly available in "advanced" security gear for enterprises today
• The home edge router is not something that is purchased and thrown away when obsolete. Instead, it is actively updated like many other consumer devices are today (PCs, iPods and iPhones, etc.)
• The business model may include a paid subscription service from the manufacturer, a participating service or content provider, a consortium, etc.
Advanced Security
Figure: building blocks of the advanced security home gateway
• On-line access to IP address reputation
• Dynamic policy & signatures update
• IPS
• User control
• User feedback
Why is this important to IPv6?
• Security policy can be adjusted to match the threat as attacks arrive
• We don't break end-to-end IPv6, unless we absolutely have to
• While providing arguably better security, troubleshooting, etc. than we would otherwise
Default Security Policy
1. RejectBogon:
• including uRPF checks
2. BlockBadReputation:
• for in/outbound traffic
3. AllowReturn:
• and apply IPS on in/outbound traffic
4. AllowToPublicDnsHost:
• Allow inbound traffic to an inside host with an AAAA & reverse-DNS record
5. ProtectLocalOnly:
• Block all inbound traffic to inside hosts which never transmitted to the outside (à la full-cone)
6. CryptoIntercept:
• Intercept all inbound SSL/TLS connections, present a (self-signed) cert, decrypt and re-encrypt
• Goal is to apply IPS
7. ParanoidOpenness:
• Allow ALL inbound traffic by default
• See more next slide
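Added example (not code from the draft or the slides): a small evaluator that applies policies 1 to 5 and 7 above to a constructed packet trace. With ParanoidOpenness switched off, its fallback is the simple-security behaviour of the V6OPS slide earlier (drop any inbound flow that was not opened from inside). The home prefix, bogon list, reputation entry, DNS records, IPS signature and packet trace are all assumptions constructed for the demo; CryptoIntercept (policy 6) is a TLS-proxy step and is not modelled.

```python
"""Policy evaluator for the seven default policies on the slide above.
Added example, not code from the draft.  All addresses, the reputation
list, the DNS records and the IPS signature are constructed for the demo."""
import ipaddress
from dataclasses import dataclass, field

# --- constructed data (assumptions, not from the draft) -----------------
HOME = ipaddress.ip_network("2001:db8:1::/64")            # the residential /64
BOGONS = [ipaddress.ip_network(p) for p in
          ("::/8", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8")]
BAD_REPUTATION = {"2001:db8:bad::1"}                       # stand-in for the on-line reputation feed
AAAA = {"www.example.net": "2001:db8:1::80"}                # published forward record
PTR = {"2001:db8:1::80": "www.example.net"}                 # matching reverse record
IPS_SIGNATURES = {("tcp", 445)}                            # toy IPS: flag SMB in either direction


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (WAN->LAN) or "out" (LAN->WAN)
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Gateway:
    paranoid_openness: bool = True                  # policy 7 is on by default per the slide
    talked_out: set = field(default_factory=set)    # inside hosts seen transmitting (policy 5)
    sessions: set = field(default_factory=set)      # 5-tuples we expect back (policy 3)

    def decide(self, p: Packet):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        # 1. RejectBogon, including uRPF: a packet arriving from the WAN with an
        #    inside source, or leaving with an outside source, is spoofed.
        if any(a in n for a in (src, dst) for n in BOGONS):
            return "deny", "RejectBogon"
        if (p.direction == "in") == (src in HOME):
            return "deny", "RejectBogon/uRPF"
        # 2. BlockBadReputation, applied to the outside peer in both directions
        outside = dst if p.direction == "out" else src
        if str(outside) in BAD_REPUTATION:
            return "deny", "BlockBadReputation"
        # IPS on in/outbound traffic (policies 3 and 7): a detected attack always wins
        if (p.proto, p.dport) in IPS_SIGNATURES:
            return "deny", "IPS"
        if p.direction == "out":
            self.talked_out.add(str(src))
            # store the tuple as the return packet will present it
            self.sessions.add((str(dst), str(src), p.proto, p.dport, p.sport))
            return "allow", "Outbound"
        # 3. AllowReturn: inbound packet matching a session opened from inside
        if (str(src), str(dst), p.proto, p.sport, p.dport) in self.sessions:
            return "allow", "AllowReturn"
        # 4. AllowToPublicDnsHost: inside host whose AAAA and reverse DNS agree
        name = PTR.get(str(dst))
        if name and AAAA.get(name) == str(dst):
            return "allow", "AllowToPublicDnsHost"
        # 5. ProtectLocalOnly: hosts that never transmitted outside stay unreachable
        if str(dst) not in self.talked_out:
            return "deny", "ProtectLocalOnly"
        # 6. CryptoIntercept is a TLS-proxy step and is not modelled here.
        # 7. ParanoidOpenness: everything left is allowed; without it we are back
        #    to the simple-security default drop.
        if self.paranoid_openness:
            return "allow", "ParanoidOpenness"
        return "deny", "SimpleSecurityDefaultDrop"


def demo():
    """Run a constructed trace through a fresh gateway; returns the matched policies."""
    gw = Gateway()
    lan_pc, lan_printer, web = "2001:db8:1::10", "2001:db8:1::20", "2001:db8:1::80"
    peer, evil = "2001:db8:ffff::1", "2001:db8:bad::1"
    trace = [
        Packet("in", "fe80::1", lan_pc, "tcp", 40000, 22),       # link-local source from the WAN
        Packet("in", lan_pc, lan_printer, "tcp", 40000, 22),     # spoofed inside source on the WAN
        Packet("in", evil, web, "tcp", 40000, 80),               # listed in the reputation feed
        Packet("out", lan_pc, peer, "tcp", 50000, 443),          # opens a session
        Packet("in", peer, lan_pc, "tcp", 443, 50000),           # its return traffic
        Packet("in", peer, web, "tcp", 40001, 80),               # host published in DNS
        Packet("in", peer, lan_printer, "tcp", 40002, 9100),     # host that never talked out
        Packet("in", peer, lan_pc, "tcp", 40003, 445),           # hits the IPS signature
        Packet("in", peer, lan_pc, "tcp", 40004, 8080),          # left over: openness decides
    ]
    return [gw.decide(p)[1] for p in trace]
```

The order of checks matters: bogon, reputation and IPS verdicts are applied before any allow rule so that an inside host which has "talked out" does not thereby whitelist an attacker, and the IPS runs on the outbound direction as well, as policy 3 requires.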
More on Paranoid Openness
• All other inbound flows are permitted
• Rate limit (SYN & plain data)
  - To protect low-bandwidth residential links
  - Basic protection against host scans
• If authenticated flow (e.g. HTTP)
  - Perform a dictionary attack on the credentials and reject too obvious ones (or default ones)
  - Goal is to force the user to select good credentials
• IPS must be applied
  - If the protocol is unknown, then the flow MAY be permitted
  - If an attack is detected, then the flow MUST be denied
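Added example (not from the draft): the admission logic of the Paranoid Openness mode described above: per-source SYN rate limiting with a token bucket, a host-scan check over distinct inside targets, unknown protocols permitted, and an IPS verdict that denies the flow and cuts off the source. All thresholds, the signature string and the packet trace are constructed assumptions; the credential-strength check on the slide is not modelled.

```python
"""Inbound admission for the Paranoid Openness mode on the slide above.
Added example, not code from the draft.  Thresholds, the IPS signature and
the trace are constructed; a real gateway would tune them to the link."""
from collections import defaultdict, deque

SYN_RATE = 5            # sustained inbound SYN/s per outside source (constructed)
SYN_BURST = 10          # token bucket depth
SCAN_WINDOW = 10.0      # seconds
SCAN_TARGETS = 4        # distinct inside addresses in the window counts as a host scan
KNOWN_PROTOCOLS = {22: "ssh", 80: "http", 443: "https"}
ATTACK_SIGNATURES = {"GET /../../etc/passwd"}   # toy IPS content match


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def take(self, now):
        # refill in proportion to elapsed time, never beyond the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ParanoidOpenness:
    def __init__(self):
        self.buckets = defaultdict(lambda: TokenBucket(SYN_RATE, SYN_BURST))
        self.targets = defaultdict(deque)   # outside src -> deque of (time, inside dst)
        self.blocked = set()

    def _is_scan(self, src, dst, now):
        q = self.targets[src]
        q.append((now, dst))
        while q and now - q[0][0] > SCAN_WINDOW:
            q.popleft()
        return len({d for _, d in q}) >= SCAN_TARGETS

    def admit_syn(self, src, dst, dport, now):
        """Decision for an inbound TCP SYN: allowed unless the source is already
        blocked, is sweeping inside hosts, or exceeds its SYN rate."""
        if src in self.blocked:
            return "deny", "blocked-source"
        if self._is_scan(src, dst, now):
            self.blocked.add(src)
            return "deny", "host-scan"
        if not self.buckets[src].take(now):
            return "deny", "syn-rate-limit"
        if dport not in KNOWN_PROTOCOLS:
            return "allow", "unknown-protocol-permitted"    # unknown protocol MAY be permitted
        return "allow", KNOWN_PROTOCOLS[dport]

    def inspect_payload(self, src, payload):
        """IPS on an admitted flow: a detected attack MUST deny the flow, and
        the source is cut off for its later connection attempts."""
        if any(sig in payload for sig in ATTACK_SIGNATURES):
            self.blocked.add(src)
            return "deny", "ips-attack"
        return "allow", "clean"


def demo():
    """Constructed trace: a normal client that turns hostile, a scanner, a SYN burst."""
    po = ParanoidOpenness()
    out = []
    client = "2001:db8:ffff::1"
    out.append(po.admit_syn(client, "2001:db8:1::80", 80, 0.0))
    out.append(po.inspect_payload(client, "GET /index.html HTTP/1.1"))
    out.append(po.inspect_payload(client, "GET /../../etc/passwd HTTP/1.1"))
    out.append(po.admit_syn(client, "2001:db8:1::80", 80, 1.0))
    scanner = "2001:db8:ffff::2"           # fourth distinct target trips the scan check
    for i in range(4):
        out.append(po.admit_syn(scanner, f"2001:db8:1::{i + 1:x}", 22, 2.0 + i * 0.1))
    burst = "2001:db8:ffff::3"             # 12 SYNs at once: bucket of 10 empties
    verdicts = [po.admit_syn(burst, "2001:db8:1::80", 8080, 5.0)[1] for _ in range(12)]
    out.append(verdicts.count("syn-rate-limit"))
    return out
```

The scan check runs before the rate limiter on purpose: a slow sweep of the /64 stays under any per-second SYN budget, so the distinct-target count is what catches it.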
Conclusion
• "simple-security" as is being defined now, is not the only possible residential gateway security model
• "Advanced" security methods can provide adaptable and robust security that can better track threats as attacks appear on IPv6…
  …giving us the chance for more open policies with respect to end-to-end connectivity
Our Ask to V6OPS as of Tuesday
Possible Next Steps…
• Nothing, continue with simple-security as is
• See what modern security methods we might be able to bring into simple-security, while keeping the "static" mode of operation it assumes now
• Define an "advanced security" mode that includes dynamic tracking of threats as attacks arrive, and adjusts policies accordingly
Consensus at V6OPS
• Very nice proposal
• Incorporation of some parts in the simple-security I-D
• Propose a BoF for Anaheim
  - Potentially move to HOMEGATE WG?
• Several other people interested in working on this