An Analysis of IPv6 Security - PowerPoint PPT Presentation

1 / 28
About This Presentation
Title:

An Analysis of IPv6 Security

Description:

Simplified header for Routing efficiency and performance ... It is possible in IPv4 through NMAP, but IPv6 does not support NMAP. Pros and cons ... – PowerPoint PPT presentation

Number of Views:249
Avg rating:3.0/5.0
Slides: 29
Provided by: Hitu
Category:
Tags: analysis | ipv6 | nmap | security

less

Transcript and Presenter's Notes

Title: An Analysis of IPv6 Security


1
An Analysis of IPv6 Security
  • CmpE-209 Team Research Paper Presentation

Presented by Dedicated
Instructor Hiteshkumar Thakker
Prof. Richard Sinn Jimish Shah
Network security Krunal Soni
Department of CmpE Engg Kuldipsinh Rana Nghia
Nguyen Sajjad Tabib
04/08/2008
2
Agenda
  • Introduction to IPv6
  • IPv6 vs IPv4
  • IPsec Protocol
  • IPv6 Deployment
  • IPv6 Security Issues
  • Recconnaissance
  • Redirect Attacks
  • Spoofing Attacks in Tunneling
  • Dual-Stack Attacks
  • Teredo Attacks
  • Summary

3
Introduction to IPv6
  • What is IPv6 ???
  • Network layer protocol used for Internet which is
    replacing IPv4
  • Why IPv6 ???
  • Exhaustion of IPv4 Address Pool
  • Larger Address Space (3.4 x 1038 addresses) for
    global reachability and scalability
  • Simplified header for Routing efficiency and
    performance
  • Server-less auto-configuration, easier
    renumbering, multi-homing, and improved plug and
    play support
  • Security with mandatory IP Security (IPSec)
    support

4
Simplified IPv6 Header
5
IPsec
  • IPsec is a suite of protocols that provide
    network layer security.
  • What it means to provide network layer security?
  • Network Layer Confidentiality
  • Source Authentication
  • Main security goals
  • Confidentiality
  • Integrity
  • Authentication

6
IPsec protocols
  • Two protocols in IPsec that provide security.
  • AH Authentication Header protocol
  • Source authentication
  • Data Integrity
  • No confidentiality
  • ESP Encapsulation Security Payload
  • Authentication
  • Data Integrity
  • Confidentiality

7
Authentication Header Protocol
  • Procedure
  • Host establishes Security Association (SA) with
    Destination.
  • SA is a handshake which creates a logical
    connection between two machines and establishes a
    common secret key to be used for
  • Host send secure datagrams to desintation
  • Destination determines the SA from SPI field of
    the datagram.
  • Destination authenticates datagram based on SA
    and Authentication data field.
  • AH usews HMAC for authentication and integrity on
    Authentication data.

8
AH Protocol Diagram
9
ESP Encapsulation Security Payload
  • Authentication mechanism similar to AH
    Establish SA, etc.
  • Provides confidentiality by encrypting the
    TCP/UDP segment using DES-CBC.

10
ESP Diagram
11
IPv6 Deployment
  • Flag Day - x
  • Dual-Stack to allow IPv4 and IPv6 to co-exist in
    the same networks
  • Tunneling IPv6 node on sending side of tunnel
    puts its IPv6 datagram in data field of IPv4
    datagram.
  • Now more than 15 methods available for
    transition.

CmpE-209 / Spring 2008
11
12
IPv6 Security Issues
  • Reconnaissance in IPv6
  • Neighbor Discovery attacks
  • Anycast and Addressing Security
  • L3-L4 spoofing attacks in tunneling
  • Attacks through teredo
  • Routing header type-0 attack
  • Attacks through header manipulation and
    fragmentation
  • Dual-Stack Attack

CmpE-209 / Spring 2008
12
13
Recconnaissance in IPv6
  • 264 subnet addresses are in IPv6
  • So, harder to scan every address though scan
    million packets per second- It will take years to
    find the one host on the network.
  • It is possible in IPv4 through NMAP, but IPv6
    does not support NMAP.
  • Pros and cons

CmpE-209 / Spring 2008
13
14
Other Security Issues
  • Addressing Security
  • Effects of self-generated addresses
  • Addresses can be stolen by others DoS
  • Addresses cannot have pre-established IPsec
  • IPsec hard to set up in advance as It requires SA
    and destination address
  • No authorization mechanism exists for anycast
    destination addresses
  • Spoofing is possible
  • Attacks through Header manipulation and
    Fragmentation
  • Routing Header Type - 0 mechanism issue
  • Fragmentation
  • Flow label

CmpE-209 / Spring 2008
14
15
Neighbor Discovery Attacks
  • Redirect Attacks A malicious node redirects
    packets away from a legitimate receiver to
    another node on the link
  • Denial of Service Attacks(DoS) A malicious node
    prevents communication between the node under
    attack and other nodes
  • Flooding Attacks A malicious node redirects
    other hosts traffic to a victim node creating a
    flood of bogus traffic at the victim host
  • MIPv6 Challenges

CmpE-209 / Spring 2008
15
16
Redirect Attacks
CmpE-209 / Spring 2008
16
17
Spoofing Attacks in Tunneling
CmpE-209 / Spring 2008
17
18
Solution on the way
CmpE-209 / Spring 2008
18
19
IPv6 Dual-stack Attack
CmpE-209 / Spring 2008
19
20
Prevention using Multiple addresses
CmpE-209 / Spring 2008
20
21
Attack by Teredo(UDP Port-3544)
CmpE-209 / Spring 2008
21
22
Precautions to stop attacks
  • Block protocol 41
  • Handle Teredo as a dangerous UDP port at IPv4
    firewalls
  • Look for Router Advertisements and Neighbor
    Discovery Packets (SEND)

CmpE-209 / Spring 2008
22
23
Security Threats similar to IPv4
  • Sniffing without IPsec, IPv6 is no more or less
    likely to fall victim to a sniffing attack than
    IPv4
  • Application Layer Attack Even with IPsec, the
    majority of vulnerabilities on the internet today
    are at the application layer, something that
    IPsec will do nothing to prevent.
  • Rogue Devices will be as easy to insert into an
    IPv6 network as in IPv4.
  • Man-in-the-middle-attacks(MITM) without IPsec,
    any attacks utilizing MITM will have the same
    likelihood in IPv6 as in IPv4.
  • Flooding attacks

CmpE-209 / Spring 2008
23
24
Summary
  • IPv6 makes some things better, other things
    worse, and most things are just different, but no
    more or less secure
  • Better Automated scanning and worm propagation
    is harder due to huge subnets
  • Worse Increased complexity in addressing and
    configuration
  • Lack of familiarity with IPv6 among operators
  • Vulnerabilities in transition techniques
  • Dual-stack infrastructures require both IPv4 and
    IPv6 security rules

CmpE-209 / Spring 2008
24
25
Conclusion
  • Security in IPv6 is very much like in IPv4
  • IPsec is mandatory for the security of IPv6
  • IPv6(IP sec) are still emerging technologies
  • IPv6 is a very complex protocol
  • Its code is new and Untested, so while testing
    also there could be attack on existing network
  • Research is going on to overcome threats by IETF
  • Secure Transition is a major goal of IPv6 now.

CmpE-209 / Spring 2008
25
26
References
  • http//openloop.com/index.htm/education/classes/sj
    su_engr/engr_networksecurity/spring2008/index.htm
  • http//www.cs.rpi.edu/academics/courses/spring05/n
    etprog/ipsec.pdf
  • http//rfc.net/rfc2401.html
  • http//www.6net.org/events/workshop-2003/marin.pdf
  • http//technet.microsoft.com/en-us/library/bb72695
    6.aspx
  • http//www.secdev.org/conf/IPv6_RH_security-csw07.
    pdf
  • http//www.darkreading.com/document.asp?doc_id123
    506
  • http//www.seanconvery.com/ipv6.html
  • http//www.seanconvery.com/v6-v4-threats.pdf
  • http//www.seanconvery.com/SEC-2003.pdf
  • http//www.infosecwriters.com/text_resources/pdf/I
    Pv6_SSotillo.pdf
  • http//www.nav6tf.org/documents/nav6tf.security_re
    port.pdf
  • http//www.nav6tf.org/documents/arin-nav6tf-apr05/
    6.IPv6_Security_Update_JS.pdf
  • http//www.nanog.org/mtg-0405/pdf/miller.pdf
  • http//www.stindustries.net/IPv6/whitepapers.html
  • http//paintsquirrel.ucs.indiana.edu/pdf/IPv6_and_
    Security.pdf

CmpE-209 / Spring 2008
26
27
  • Thank You !!

CmpE-209 / Spring 2008
27
28
  • Questions ???

CmpE-209 / Spring 2008
28
Write a Comment
User Comments (0)
About PowerShow.com