CS 265 – Project
IPv6 Security Aspects
Surekha Shinde
IPv6 Security Aspects
Agenda
• Introduction to IPv6
• IPv4 and IPv6 Comparison
• Current issues in IPv4
• IPv6 solutions for IPv4 issues
• New issues of new protocol
• Hacking Tools
• Conclusion
Introduction to IPv6
• Why IPv6
• IPv6 Important features : Wish-list
• Faster Packet Processing
• Enhanced QOS
• Improved Security
• Greater protocol Flexibility
• Dual-Stack approach
The IPv6 Header: 40 octets, 8 fields
Bit positions: 0, 4, 12, 16, 24, 31
Version | Class | Flow Label
Payload Length | Next Header | Hop Limit
128 bit Source Address
128 bit Destination Address

The IPv4 Header: 20 octets + options, 13 fields, including 3 flag bits
Bit positions: 0, 4, 8, 16, 24, 31
Ver | IHL | Service Type | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
32 bit Source Address
32 bit Destination Address
Options and Padding
Shaded fields are absent from IPv6 header
IPv6 Addressing
IPv6 addressing rules are covered by multiple RFCs
Architecture defined by RFC 2373
Address types are:
• Unicast : One to One
• Anycast : One to Nearest
• Multicast : One to Many
• Reserved
A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)
No broadcast address -> IPv6 uses multicast
Notation & Abbreviation
Notation
128 bits = 16 bytes = 32 hex digits
1111110111101100 ... 1111111111111111
FDEC : BA98 : 7654 : 3210 : ADBF : BBFF : 2922 : FFFF
Abbreviation
Unabbreviated: FDEC : BA98 : 0074 : 3210 : 000F : BBFF : 0000 : FFFF
Abbreviated: FDEC : BA98 : 74 : 3210 : F : BBFF : 0 : FFFF
Abbreviated: FDEC : 0 : 0 : 0 : 0 : BBFF : 0 : FFFF
More abbreviated: FDEC :: BBFF : 0 : FFFF
IPv6 Addressing for IPv4
IPv4-Compatible IPv6 Address format
0 (96 bits) | IPv4 Address (32 bits)
0:0:0:0:0:0 | 192.168.10.10
IPv4-Compatible Address = 0:0:0:0:0:0:192.168.10.10 = ::192.168.10.10
IPv4-Mapped IPv6 Address format
0 (80 bits) | FFFF (16 bits) | IPv4 Address (32 bits)
0:0:0:0:0 | FFFF | 192.168.10.10
IPv4-Mapped Address = 0:0:0:0:0:FFFF:192.168.10.10
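Because one host can be written in abbreviated, unabbreviated, IPv4-compatible and IPv4-mapped form, a filter that compares address strings will miss some spellings. The sketch below is an added example, not part of the original slides: it normalizes the notation and extracts the embedded IPv4 address before applying an IPv4 rule. The blocked range and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample policy: an IPv4 range the filter is meant to block.
BLOCKED_V4 = [ipaddress.ip_network("192.168.10.0/24")]

def parse(text):
    """Parse an address, tolerating the slide's spaced 'FDEC : BA98' style."""
    return ipaddress.ip_address(text.replace(" ", ""))

def canonical(text):
    """Lower-case form, leading zeros dropped, longest zero run written '::'."""
    return parse(text).compressed

def embedded_ipv4(text):
    """Return the IPv4 address carried by the address, or None."""
    addr = parse(text)
    if addr.version == 4:
        return addr
    if addr.ipv4_mapped is not None:          # 80 zero bits + FFFF + IPv4
        return addr.ipv4_mapped
    value = int(addr)
    if value >> 32 == 0 and value > 1:        # 96 zero bits + IPv4, not :: or ::1
        return ipaddress.IPv4Address(value)
    return None

def is_blocked(text):
    """Apply the IPv4 policy to every spelling of the same host."""
    v4 = embedded_ipv4(text)
    return v4 is not None and any(v4 in net for net in BLOCKED_V4)

if __name__ == "__main__":
    for sample in ("FDEC : 0 : 0 : 0 : 0 : BBFF : 0 : FFFF",
                   "0:0:0:0:0:0:192.168.10.10",
                   "0:0:0:0:0:FFFF:192.168.10.10",
                   "192.168.10.10"):
        print(sample, "->", canonical(sample), "blocked:", is_blocked(sample))
```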
IPv6 over IPv4 Tunnels
• Tunneling is encapsulating the IPv6 packet in the IPv4 packet
• Tunneling can be used by routers and hosts
[Figure: IPv6 Host A (IPv6 network) -> Dual-Stack Router A -> IPv4 network (tunnel: IPv6 in IPv4 packet) -> Dual-Stack Router B -> IPv6 Host B (IPv6 network). Outside the tunnel the packet is IPv6 Header | Transport Header | Data; inside the tunnel it is IPv4 Header | IPv6 Header | Transport Header | Data.]
Dual Stack Approach & DNS
In a dual stack case, an application that:
• Is IPv4 and IPv6-enabled
• Asks the DNS for all types of addresses
• Chooses one address and, for example, connects to the IPv6 address
[Figure: the host asks the DNS server "www.sjsu.com = * ?" and receives 3ffe:b00::1 and 10.1.1.1; it then connects over IPv6 rather than IPv4.]
Security Advantages of IPv6 Over IPv4
IPv4 - NAT breaks end-to-end network security
IPv6 - Huge address range – No need of NAT
IPv4 – IPSEC is Optional
IPv6 - Mandatory in v6
IPv4 - Security extension headers(AH,ESP) – Back ported
IPv6 - Built-in Security extension headers
IPv4 - External Firewalls introduce performance bottlenecks
IPv6 - Confidentiality and data integrity without need for additional firewalls
Security Advantages of IPv6 Over IPv4 (2)
IPv4 - Security issues related to ICMPV4.
IPv6 - ICMPV6 uses IPSEC authentication and encryption.
IPv4 - No mechanism for resistance to scanning
IPv6 - RTS possible only in IPV6
IPV4 - Doesn’t support Auto configuration
IPv6 - Built in Auto configuration support
Ignorance of network administrator to IPV6 But, Thanks to the transitional efforts of IETF
• IPV4 - Security option field and Optional IPSEC
• IPV6 - IPSEC part of protocol suite-mandatory IPSEC provides network-level security
• IPSEC uses: AH (Authentication Header) and ESP (Encapsulating Security Payload) headers
Important Security fields in IPv6
Authentication Header(AH)
• Data integrity
• Data authentication
• Anti-replay protection
Next Header | Hdr Ext Len | Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data
Fig. - Authentication Header (AH) Packet Format
Authentication Header fields
• SPI: Security parameter index
• Sequence number field: Anti-replay protection
• Authentication data: ICV, authentication and data integrity
• HMAC (Hash message authentication code) + MD5 & HMAC + SHA-1
• AH supports several authentication algorithms
• Prevents IP spoofing attacks
• Prevents DOS attacks
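How the Sequence Number field gives anti-replay protection is easiest to see in code. The following is an added example, not part of the original slides: it parses the AH fields shown in the figure and runs the sequence number through a sliding-window replay check. The 64-packet window, the sample bytes and all names are assumptions for illustration, and a real receiver updates the window only after the ICV has verified.

```python
import struct

# Constructed sample AH: next header 6 (TCP), Hdr Ext Len 4, SPI 0x1000,
# sequence 1, followed by a 12-byte (96-bit) placeholder ICV of zeros.
SAMPLE_AH = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(12)

def parse_ah(data):
    """Split an Authentication Header into the fields from the figure."""
    if len(data) < 12:
        raise ValueError("AH shorter than its 12-byte fixed part")
    next_hdr, ext_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (ext_len + 2) * 4        # Hdr Ext Len is in 32-bit words, minus 2
    if len(data) < total:
        raise ValueError("truncated AH")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": data[12:total]}

class ReplayWindow:
    """Sliding-window check on the Sequence Number field, one per SPI."""
    SIZE = 64                         # assumed window size

    def __init__(self):
        self.top = 0                  # highest sequence number accepted
        self.bitmap = 0               # bit i set => (top - i) already seen

    def accept(self, seq):
        """Return True for a fresh number, False for a replay or stale one.
        Call only after the ICV has been verified."""
        if seq == 0:
            return False
        if seq > self.top:            # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.SIZE) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.SIZE or (self.bitmap >> offset) & 1:
            return False              # too old, or already seen
        self.bitmap |= 1 << offset
        return True

if __name__ == "__main__":
    window = ReplayWindow()
    header = parse_ah(SAMPLE_AH)
    print(header, window.accept(header["seq"]), window.accept(header["seq"]))
```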
Encapsulating Security Payload (ESP)
• Data confidentiality
• Data integrity
• Data authentication
• Anti-replay protection
• Authentication applied only to data being encrypted
• Optional services: select at least one
Security Parameters Index (SPI)
Sequence Number
Payload
Padding | Padding Length | Next Header
Authentication Data
Fig. - ESP Packet Header Format
ESP Packet Header
• ESP header with confidentiality service prevents sniffing, e.g. TCP dump & Windump
• ESP uses symmetric key algorithms like DES, 3DES and AES
ESP Header Fields:
• SPI: Security parameter index
• Sequence number field: Anti-replay protection
Security issues in IPV6:
• IPSEC relies on PKI, which is not yet fully standardized
• Scanning is possible if the network is poorly designed
• No protection against all denial of service attacks (DoS attacks are difficult to prevent in most cases)
• Not many V6-capable firewalls on the market
But ??????
By The Way… IPv6 Hacking Tools
• Sniffer/packet capture analyzers: Snort, TCP dump, Ethereal, Windump, WinPcap
• Scanners: IPV6 security scanner, Halfscan6, Nmap
• DOS tools: 6tunneldos, 4to6DDOS, Imps6-tools
• Packet forgers: SendIP, Packit, Spak6
• Worms: Slapper
RealSecure & Proventia Tools
Conclusion
‘Black Hats’ Vs ‘White Hats’
Time for ignoring IPV6 ….. PAST
Time for understanding, recognizing and deploying it …… NOW
Questions ?