An Analysis of IPv6 Security
CmpE-209: Team Research Paper Presentation
CmpE-209 / Spring 2008
Presented by: Hiteshkumar Thakker, Jimish Shah, Krunal Soni, Kuldipsinh Rana, Nghia Nguyen, Sajjad Tabib
Dedicated Instructor: Prof. Richard Sinn, Network security, Department of CmpE Engg
04/08/2008


Agenda
Introduction to IPv6
◦ IPv6 vs IPv4
IPsec Protocol
IPv6 Deployment
IPv6 Security Issues
◦ Reconnaissance
◦ Redirect Attacks
◦ Spoofing Attacks in Tunneling
◦ Dual-Stack Attacks
◦ Teredo Attacks
Summary

Introduction to IPv6
What is IPv6?
◦ Network layer protocol used for the Internet, which is replacing IPv4
Why IPv6?
◦ Exhaustion of IPv4 address pool
◦ Larger address space (3.4 x 10^38 addresses) for global reachability and scalability
◦ Simplified header for routing efficiency and performance
◦ Server-less auto-configuration, easier renumbering, multi-homing, and improved plug and play support
◦ Security with mandatory IP Security (IPsec) support

Simplified IPv6 Header

IPsec
IPsec is a suite of protocols that provide network layer security.
What does it mean to provide network layer security?
◦ Network Layer Confidentiality
◦ Source Authentication
Main security goals
◦ Confidentiality
◦ Integrity
◦ Authentication

IPsec protocols
Two protocols in IPsec that provide security.
◦ AH: Authentication Header protocol
  Source authentication
  Data Integrity
  No confidentiality
◦ ESP: Encapsulating Security Payload
  Authentication
  Data Integrity
  Confidentiality

Authentication Header Protocol
Procedure
1. Host establishes Security Association (SA) with Destination.
◦ SA is a handshake which creates a logical connection between two machines and establishes a common secret key to be used for
2. Host sends secure datagrams to destination.
3. Destination determines the SA from SPI field of the datagram.
4. Destination authenticates datagram based on SA and Authentication data field.
◦ AH uses HMAC for authentication and integrity on Authentication data.
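The procedure above as an added Python example (not code from the presentation): the receiver selects the SA by SPI and checks the HMAC carried in the Authentication Data field. HMAC-SHA1-96, the SA table, the key and the addresses are assumptions chosen for illustration, and the sequence-number replay check is not modelled.

```python
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12                    # HMAC-SHA1-96 keeps the first 96 bits of the tag
AH_LEN = 12 + ICV_LEN           # fixed AH fields + Authentication Data
SAD = {0x1001: b"constructed-demo-key"}   # constructed SA table: SPI -> shared key

def icv(key, ip6, ah, payload):
    # Fields routers may change (traffic class, flow label, hop limit) are
    # zeroed before hashing, as is the Authentication Data field itself.
    ip6 = bytes([ip6[0] & 0xF0, 0, 0, 0]) + ip6[4:7] + b"\x00" + ip6[8:]
    data = ip6 + ah[:12] + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def send(spi, seq, src, dst, payload, next_header=6):
    """Step 2: build IPv6 header + AH + payload under the SA named by spi."""
    ip6 = struct.pack("!IHBB", 0x60000000, AH_LEN + len(payload), 51, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    ah = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return ip6 + ah + icv(SAD[spi], ip6, ah, payload) + payload

def receive(packet):
    """Steps 3 and 4: find the SA from the SPI, then check the HMAC."""
    ip6, ah, payload = packet[:40], packet[40:40 + AH_LEN], packet[40 + AH_LEN:]
    if len(ah) < AH_LEN or ip6[6] != 51:      # next header 51 = AH
        return False
    spi = struct.unpack("!I", ah[4:8])[0]
    key = SAD.get(spi)
    if key is None:                           # no SA for this SPI
        return False
    return hmac.compare_digest(icv(key, ip6, ah, payload), ah[12:])

# Constructed sample datagram using documentation addresses.
PACKET = send(0x1001, 1, "2001:db8::1", "2001:db8::2", b"constructed payload")
```

A hop-limit change in transit still verifies, while a modified payload, a rewritten source address or an unknown SPI is rejected; nothing here hides the payload, which matches the "No confidentiality" property of AH.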

AH Protocol Diagram

ESP: Encapsulating Security Payload
Authentication mechanism similar to AH – Establish SA, etc.
Provides confidentiality by encrypting the TCP/UDP segment using DES-CBC.

ESP – Diagram

IPv6 Deployment
Flag Day - x
Dual-Stack: to allow IPv4 and IPv6 to co-exist in the same networks
Tunneling: IPv6 node on sending side of tunnel puts its IPv6 datagram in data field of IPv4 datagram.
Now more than 15 methods available for transition.

IPv6 Security Issues
Reconnaissance in IPv6
Neighbor Discovery attacks
Anycast and Addressing Security
L3-L4 spoofing attacks in tunneling
Attacks through Teredo
Routing header type-0 attack
Attacks through header manipulation and fragmentation
Dual-Stack Attack

Reconnaissance in IPv6
An IPv6 subnet has 2^64 addresses, so it is harder to scan every address: even when scanning a million packets per second, it will take years to find the one host on the network.
It is possible in IPv4 through NMAP, but IPv6 does not support NMAP.
Pros and cons

Other Security Issues
Addressing Security
Effects of self-generated addresses
◦ Addresses can be “stolen” by others [DoS]
◦ Addresses cannot have pre-established IPsec
◦ IPsec hard to set up in advance as it requires SA and destination address
No authorization mechanism exists for anycast destination addresses
◦ Spoofing is possible
Attacks through Header manipulation and Fragmentation
◦ Routing Header Type-0 mechanism issue
◦ Fragmentation
◦ Flow label

Neighbor Discovery Attacks

Redirect Attacks: A malicious node redirects packets away from a legitimate receiver to another node on the link

Denial of Service Attacks (DoS): A malicious node prevents communication between the node under attack and other nodes

Flooding Attacks: A malicious node redirects other hosts’ traffic to a victim node creating a flood of bogus traffic at the victim host

MIPv6 Challenges

Redirect Attacks

Spoofing Attacks in Tunneling

Solution on the way…

IPv6 Dual-stack Attack

Prevention using Multiple addresses

Attack by Teredo (UDP Port-3544)

Precautions to stop attacks
Block protocol 41
Handle Teredo as a “dangerous UDP port” at IPv4 firewalls
Look for Router Advertisements and Neighbor Discovery Packets (SEND)
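The three precautions above expressed as packet checks, as an added Python example (not from the presentation). The Neighbor Discovery type numbers and the hop-limit-255 rule come from RFC 4861 rather than the slides; the sample packets are constructed, and ICMPv6 is only recognised directly after the IPv6 base header.

```python
import struct

TEREDO_PORT = 3544
ND_TYPES = {133: "router solicitation", 134: "router advertisement",
            135: "neighbor solicitation", 136: "neighbor advertisement",
            137: "redirect"}

def classify(pkt):
    """Label one raw IP packet according to the precautions listed above."""
    version = pkt[0] >> 4
    if version == 4 and len(pkt) >= 20:
        ihl = (pkt[0] & 0x0F) * 4              # IPv4 header length in bytes
        proto = pkt[9]
        if proto == 41:                        # IPv6 carried inside IPv4
            return "block: protocol 41"
        if proto == 17 and len(pkt) >= ihl + 4:
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            if TEREDO_PORT in (sport, dport):
                return "block: Teredo UDP 3544"
    elif version == 6 and len(pkt) > 40 and pkt[6] == 58:   # ICMPv6
        name = ND_TYPES.get(pkt[40])
        if name:
            # RFC 4861: ND messages must arrive with hop limit 255, which a
            # packet forwarded from off-link cannot have.
            if pkt[7] != 255:
                return "drop: " + name + " with hop limit != 255"
            return "inspect: " + name
    return "pass"

# Constructed sample packets (documentation and link-local addresses).
def ipv4(proto, payload=b""):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7])) + payload

def ipv6(next_header, hop_limit, payload=b""):
    addr = bytes.fromhex("fe80" + "00" * 13 + "01")
    return struct.pack("!IHBB", 0x60000000, len(payload),
                       next_header, hop_limit) + addr + addr + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)
```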

Security Threats similar to IPv4

Sniffing: without IPsec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

Application Layer Attack: Even with IPsec, the majority of vulnerabilities on the internet today are at the application layer, something that IPsec will do nothing to prevent.

Rogue Devices will be as easy to insert into an IPv6 network as in IPv4.

Man-in-the-middle attacks (MITM): without IPsec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4.

Flooding attacks


Summary
IPv6 makes some things better, other things worse, and most things are just different, but no more or less secure
Better: Automated scanning and worm propagation is harder due to huge subnets
Worse: Increased complexity in addressing and configuration
Lack of familiarity with IPv6 among operators
Vulnerabilities in transition techniques
Dual-stack infrastructures require both IPv4 and IPv6 security rules

Conclusion
Security in IPv6 is very much like in IPv4
IPsec is mandatory for the security of IPv6
IPv6 (IPsec) are still emerging technologies
IPv6 is a very complex protocol
Its code is new and untested, so there could also be attacks on the existing network during testing
Research by the IETF to overcome threats is ongoing
Secure Transition is a major goal of IPv6 now.


Thank You!

Questions?