IPv6 and Security - PowerPoint PPT Presentation

1 / 61
About This Presentation
Title:

IPv6 and Security

Description:

NATs do provide a layer of security, and they do completely break the end-to-end ... There will be IPv6 NATs (soon to be a major motion picture starring Daniel ... – PowerPoint PPT presentation

Number of Views:46
Avg rating:3.0/5.0
Slides: 62
Provided by: markm199
Category:
Tags: ipv6 | nats | security

less

Transcript and Presenter's Notes

Title: IPv6 and Security


1
IPv6 and Security
Gregory Travis Center for Applied Cybersecurity
Research (CACR) Advanced Network Management
Laboratory greg_at_iu.edu
2
A Bold Statement
  • our soldiers need better information in order
    to make better decisionswho to help and who to
    kill. The lack of security and flexibility in the
    current IPv4 protocol is a drag on our wing. This
    isn't about do you trust the Internet for your
    kid's homework, it's do you trust your kid's
    life. If we fail, people die.
  • Defense Department Will Require IPv6
    Compliance, Says DoD's John Osterholz. From
    Market Wire, June 26, 2003.

3
tempered by age
  • Good judgment comes from experience and
    experience comes from bad judgment. Fred Brooks

4
Why IPv6?
5
In the beginning
  • The Internet was infinitesimally small, and no
    one could comprehend its role in the future of
    society
  • Networks, as they grew, were built and run by
    benevolent lords
  • The security concern of the time was simply a
    nuclear war

6
In the beginning
  • Security was the concern of the government
  • Cryptography was within the realm of dark
    projects
  • Secure communications were defined by the NSA

7
The IETF said let there be Autonomous Systems
and routing protocols
  • and the Internet grew and grew
  • The NSF said let there be commercialization
  • and the Internet grew and grew and grew
  • Cisco said let there be e-commerce
  • and Cisco grew and grew

8
In 1993 the IETF said the sky is falling
  • Current state-of-the-art routers couldnt hold
    the entire routing table
  • It was projected that class-B addresses, and
    eventually all addresses, would be exhausted
  • Creative IETF members said we can fix things,
    but each had his own plan

9
If youre giving away ice-cream, make sure the
scoops are small
  • The IETF said let there be CIDR
  • and classless interdomain routing became the
    efficient way to dole out IP addresses
  • Others in the IETF said CIDR is nice, but were
    still going to run out of ice-cream
  • wouldnt it be nice to have an astronomical
    amount of ice-cream, they wondered
  • Two years later, the IETF invented the equivalent
    of an astronomical amount of ice-cream IPv6

10
What is IPv6?
11
Timeline
  • 1993, the sky started to fall
  • 1996 first alpha implementations of IPv6 (on
    Linux)
  • 1997 first commercial implementation of IPv6
    (IBM)
  • 2009 Less than 1 of Internet hosts actually
    using IPv6 (Google)
  • What happened to the falling sky?

12
Key differences in IPv6 itself
  • The addresses are longer (128bits vs. 32)
  • no need to use NATs to increase usable IP space
  • possible to preserve end-to-end model
  • more flexible support of IP option headers
  • use of multicast rather than broadcast in the
    LAN
  • no need for IP fragmentation in network devices
  • could lead to explosion in routing table size
  • addresses take more special memory in routing
    equipment (e.g., TCAMS)
  • more flexible support of IP option headers
  • harder to optimize for low bandwidth connections
    and resource limited devices (e.g., sensors,
    PDAs, cell phones)

13
What else?
  • Uniform header (40 bytes) vs. variable length
    header of IPv4 (more on this later)
  • No fragmentation
  • End to end MTU discovery
  • No such thing as a static IP
  • Pervasive multicast
  • The QoS (Quality of Service) Zombie
  • IPSEC required

14
More Addresses is a Big Deal
  • If the Internet is to preserve its end-to-end
    model, then eventually IPv6 will be needed
  • Even now, there is tangible evidence of a need
    for more addresses
  • COMCAST uses IPv6 to manage its network
    infrastructure because using the 10.0.0.0/8
    network (16 million IPs) wasnt big enough
  • However, increasingly security practices are
    leaning towards breaking the end-to-end model in
    favor of better security mechanisms
  • NATs do provide a layer of security, and they do
    completely break the end-to-end model
  • There will be IPv6 NATs (soon to be a major
    motion picture starring Daniel Day Lewis)

15
And IPv6 does have an astronomical number of
addresses
  • This does allow for the flexibility to build
    network topologies which support attribution at
    the network layer.
  • But you can make quite a mess with an
    astronomical amount of ice-cream.

16
Some example IPv6 Address Block Assignments
  • US DoD /13 (largest allocation so far)
  • 4.2E34 addresses. If each address was a dollar
    coin and they were stacked on top of each other,
    the stack would be 88 billion times the diameter
    of the Milky Way
  • Put another way 4.3 1034 8600 addresses for
    every bacterium on earth
  • Italian Telecom /20
  • Assumptions
  • 268 million customers (whats Italys
    population?)
  • Each customer gets a /48 has 65k local area
    networks

17
Thats some conspicuous consumption
  • Enough addresses that every cell in the body of
    every human alive could have its own allocation
    of IP addresses 200,000 times larger than the
    entire IPv4 space.
  • You wouldnt believe it, but some are now
    beginning to worry about IPv6 address exhaustion
    as a result
  • Ice Cream Scoops got big, again

18
Whos running IPv6 now
  • A few ISPs in the US offer IPv6 (Qwest is one)
  • There are numerous test beds in Japan
  • The US RE network infrastructure (I.e.
    Internet2), and its counterparts in Europe and
    the Pacific rim have a large, high-speed, dual
    stack inter-network of native IPv6

19
Now, what is this added security that the
gentleman mentioned?
  • (not much)

20
Around the same time they were solving the
ice-cream problem, the IETF also was dealing with
security
  • SSL was standardized - now TCP connections could
    be encrypted without the user messing around with
    keys or passphrases
  • Standards were emerging for securing the network
    at the IP layer (would later be called IPSEC)

21
IPsec Support
  • The major difference is that an IPv6 device must
    support IPsec
  • IPsec is available for both IPv4 and IPv6 but is
    not a requirement for IPv4
  • Configuration and use is functionally identical
    between IPv4 and IPv6
  • This still leaves the question of when to
    actually use IPsec

22
The difference between may and must
  • The IPv6 IETF standard (RFC) specifies that a
    full implementation of IPv6 MUST support certain
    components of IPSEC
  • IPv4, which was defined before IPSEC, MAY support
    IPSEC
  • In reality, some IPv6 stacks dont support IPSEC
    and many IPv4 stacks do.
  • There are no additional security features if
    IPv6! In fact, IPv4 does have additional
    required security features (but theyre not used)

23
Is it even necessary?
24
IPsec Support
  • IPsec is difficult to install and configure on
    most platforms
  • This is especially true with the retirement of
    the FreeS/WAN project
  • Biggest problem is key distribution
  • Requires infrastructure support (e.g., special
    DNS RRs) and dedicated professional staff
  • If you get this part wrong, you gain complexity
    without any additional security

25
IPsec Adoption
  • IPsec has been around since 1995, but still sees
    limited use outside of L2TP-based VPNs
  • Why?
  • Much more ubiquitous support for SSL
  • IPsec and NAT dont mix well at all

26
SSL vs. IPsec
  • IPsec is better than SSL because it provides much
    better protection for packet headers
  • Provides confidientiality, accountability, and
    authentication
  • No more spoofed headers, etc.
  • SSL is better than IPsec because you have it
    right now and it works pretty well for just about
    everything you want to do

27
Wont NATs Go Away?
  • Part of the purpose of IPv6 is to restore the
    end-to-end model by providing more addresses
  • But address depletion is not the only motivating
    force behind NATs
  • Security practices are at least as much to blame
  • NATs probably provide the best cost-to-benefit
    ratio of any simple security measure
  • A NAT box is dirt-cheap and easy to configure
  • It also completely breaks the end-to-end model
  • There will still be NATs in IPv6

28
Address Sparsity
  • Many IPv4 worms and cracking tools do scans of
    IPv4 address space to find hosts
  • IPv6 increases the size of the address space by
    over 79,000,000,000,000,000,000,000,000,000 times
  • Properties of the address structure can pare down
    the search space somewhat
  • Nevertheless, its true that a brute force search
    of IPv6 address space will be completely
    intractable

29
Does This Gain Us Security?
  • It does eliminate a primary technique of a great
    deal of malware (and some legitimate research
    efforts)
  • Lists of hosts to attack will be harvested from
    system configuration files, e-mail addresses, Web
    sites, server logs, etc.
  • This is exactly how the Morris worm worked back
    in the late 1980s

30
Does This Gain Us Security?
  • How well-known will a host need to be before its
    address leaks into this lists?
  • How much spam do you get?
  • There is a bright side to this
  • A long list of addresses takes up a lot of space
    and provides forensic evidence
  • You wont have packet-of-death attacks like SQL
    Slammer any more
  • Worms are more likely to report back to their
    source

31
Things That Stay the Same
  • IPv6 doesnt change TCP or UDP at all
  • IPv6 doesnt patch vulnerabilities in individual
    applications or OSes
  • IPv6 doesnt force network administrators to do
    egress filtering
  • IPv6 doesnt mandate use of any security features

32
IPv6 doesnt fix everything
  • A recent survey of CERTs top 100 vulnerabilities
    shows only 1 to be specific to IPv4, the rest are
    accessible via IPv6
  • True the exploits might requiring different host
    discovery strategies, but the host
    vulnerabilities exist for IPv6
  • A host vulnerable to the slammer worm, is also
    vulnerable to an IPv6 packet using the same bug
    to run arbitrary code on the target machine
  • Spyware, stack over flow vulnerabilities, e-mail
    worms, etc., are NOT fixed with IPv6!

33
Theres nothing about IPv6 thats security related
  • Theres nothing in the packet that adds to IPv6
    security relative to IPv4
  • IPsec exists and is functionally the same for
    both IPv4 and IPv6
  • IPv6 has no additional QoS features (although
    some would argue the that the unused flow label
    is such a feature)
  • IPv6 offers no performance improvements over IPv4
  • IPv6 is about more addresses and some mobility
    features

34
other than new security threats
35
Houston, we have a problem
  • Practical and operational considerations of
    making, building, and running a network conspire
    to leverage IPv6s additional richness into
    additional complexity
  • Complexity failure
  • KISS Keep It Simple, Stupid

36
  • Einstein argued that there must be simplified
    explanations of nature, because God is not
    capricious or arbitrary. No such faith comforts
    the software engineer. Fred Brooks

37
Key differences in todays IPv6 implementations
  • Over a decade ago, the industry starting putting
    IPv4 functions in ASICs, generally, this is not
    yet the case for IPv6. This translates to slower
    firewalls, encryption hardware, routers,
    switches, and end-systems (more later)
  • There are lots of layer 3 snooping functions in
    layer 2 equipment (more later)
  • IPv6 implementations mean newer, less tested,
    more complex code (more later)
  • Despite purchasing pressure from the DoD and
    Asia, IPv6 still treated as an extra feature, not
    a core requirement

38
IPv6 support needed where it shouldnt be (layer
2 devices)
  • IP is a network layer protocol that sits above a
    data link layer like Ethernet
  • In theory IP and Ethernet are separate, such that
    Ethernet-only devices like switches need not
    support IP
  • But vendors starting adding value to their
    Ethernet switches that included snooping IP
    information
  • This snooping allowed the switches to better
    support IP multicast, enforce security policies,
    enhance management, QoS, etc.

39
IPv6 non-support in layer 2 devices
  • Somehow this issue has slipped under the radar
    for vendors and IPv6-savvy customers
  • Increasingly important as strategies for network
    security evolve
  • Single mostly likely component to prevent
    migration away from IPv4
  • Very difficult to define what IPv6 compliant
    means in this space
  • Does not easily map to IETF standards
  • Often is the most expensive part of the network
    to replace

40
IPv6 non support in layer 2 devices (cont.)
  • Practices evolving to quarantine network devices
    until they are known to be patched/up to date,
    preventing IP spoofing, providing edge QoS,
    correctly forwarding IP multicast, and E911
    support for VoIP applications are some of the
    examples of layer 2 devices snooping layer 3
    information to perform critical functions
  • Support for IPv6 in this space is not currently a
    priority for vendors but technically their layer
    2 devices are IPv6 ready now (sans the added
    features)

41
ASIC Indigestion
  • In order to be able to forward packets at line
    speeds, network vendors use ASICs (Application
    Specific ICs)
  • These chips are simple and very inflexible
  • Work best when data bits are in predictable
    locations
  • When there is something in a packet that an ASIC
    cant handle, it gets sent to the routers CPU
  • Which is several orders of magnitude slower
  • An IPv6 header is like a game of baseball you
    dont know when its going to end
  • Multi-option headers are common in IPv6. Very
    hard to deal with practically w/ASICs

42
Supports IPv6
  • Means different things. Lets examine a real
    issue of IPv6 support in two different vendors
    core routers, Cisco and Juniper
  • The test scenario define and apply a filter to
    IPv6 TCP packets destine for port 139
  • Remember that IPv6 has support for option headers
    that are at different positions in the packet

43
Supports IPv6 (cont.)
  • The access list will cause the Cisco GSR,
    regardless of line card to send all IPv6 packets
    to which the filter applies to be processed by
    the central CPU, rather than being forwarded at
    high speed (because the ASICs cant handle it)
  • The Juniper will forward the filtered packets at
    line-speed.
  • The Juniper is better, right? Perhaps not

44
Supports IPv6 (cont.)
  • The Juniper can filter at line-speed in part
    because it assumes that the TCP header will be
    the first header in the IPv6 packet. If its
    not, if there is an option header before the TCP
    header, the Juniper filter will fail to match.
  • The Cisco will search through the headers until
    it finds the TCP header, then make the right
    forwarding decision.
  • Both strategies have their advantage, but they
    are both very different. Both vendors support
    IPv6 filtering, but in extremely different ways

45
A state of resources
  • Multicast was an afterthought in IPv4, in IPv6
    its a key architectural component
  • IPv6 doesnt work unless multicast works
  • IPv4 could care less
  • Multicast is another word for state
  • State kills
  • SQL Slammer worm

46
Exposure of MAC Addresses
  • Standard IPv6 addresses contain the MAC address
    in the lower 64 bits of the addresses
  • This is information that was usually confined to
    a single broadcast domain before
  • The manufacturer of your NIC is now public
    knowledge and may associate you with a known
    vulnerability
  • Heres how we start to get the IPs of vulnerable
    hosts!

47
Competing and Complex Standards
  • In some ways, IPv6 suffers from design by
    committee spread across multiple committees
  • The IPv6 Address Oracle has to draw from over a
    dozen different RFCs
  • Examples of multiple standards
  • DNS AAAA vs. A6
  • Tunnels At least four different approaches
  • Resolver getipnodebyaddr() vs. getaddrinfo()
  • The Second System Effect
  • Fred Brooks description of what happens when a
    triumph is followed by a second version
  • Kitchen Sink effect made possible by unlimited
    resources
  • IPv6 is a classic second system

48
Code Maturity
  • Most of the IPv6 code in the world is new and
    untested in comparison to IPv4
  • This code is certain to contain more flaws and
    vulnerabilities than its IPv4 equivalents
  • Its larger and much more complex
  • It has not yet stood the test of timeor attacks
  • This situation will slowly improve over time
  • IPv6 isnt low-hanging fruit yet, so theres
    little motivation to attack it

49
Code Maturity
  • Flaws will be opened in existing applications as
    they are ported from IPv4 to IPv6
  • IPv6 involves many more programming changes than
    just bigger addresses
  • Net increase in lines of line
  • New code will be written to deal with (or
    reinvent) third-party libraries that do not
    handle IPv6 and cannot be modified

50
Protocol Maturity
  • Not only is IPv6 code comparatively immature, but
    so are its standards
  • Example A6 vs. AAAA DNS records
  • A6 was clever, but raised concerns about DoS
    attacks using infinitely recursive delegated
    lookups
  • Now relegated to experimental status
  • Similar concerns have been expressed about
    protocols for tunneling IPv6 in IPv4 networks

51
Protocol Maturity
  • Many features are not fully specified yet
  • What do you do with the Priority field?
  • Whats the exact structure of the Flow Label?
  • Whats the format of Aggregatable Global Unicast
    Addresses this year?
  • When and how often do I do MTU discovery?
  • How do anycast addresses actually work?

52
Router Maturity
  • Issues with code and protocol maturity come
    together in the routers
  • A vulnerable host may result in the loss of a
    single system
  • A vulnerable router may result in the loss of a
    substantial piece of the network
  • Catch-22 Router vendors cant spend too much on
    testing IPv6 stacks until IPv6 gets more popular,
    and IPv6 has a hard time getting more popular
    until router vendors spend more time testing
    their IPv6 stacks

53
The security community
  • Completely unprepared/unequipped for IPv6
  • Most of the tools they use simply dont support
    IPv6
  • And many of the detection schemes cant
  • Impossible to hold even a bit-map of all possible
    IPv6 addresses in memory (trivial for IPv4),
    making a lot of attack detection methods really
    hard
  • Router firewall-based mitigation very
    hard/impossible (that ASIC Indigestion, again)
  • Reality is that network-level cybersecurity is
    flying blind in the IPv6 world and will
    continue to do so for the foreseeable future

54
Experience
  • Todays use of the Internet Protocol is the
    result of decades of experience and sometimes
    painful teeth cutting. IPv6 will set us back.
    Fortunately it will also set the hackers back
  • The DoD has a mixed track record for driving the
    adoption of standards in networking, history
    would suggest a bit of caution in assuming that
    DoD procurement incentive will accelerate the
    broader adoption of a new protocol (remember OSI)

55
Best Practices
  • Be prepared to devote considerable resources to
    development and maintenance of key infrastructure
    if you plan to use IPsec
  • Adopt new features of IPv6 sparingly until their
    standards processes are finalized
  • Allow for the existence of more undiscovered
    flaws in IPv6 code when assessing risks
  • Subject ported applications to the same level of
    review and testing as new ones

56
The argument for IPv6 is to maintain the
flexibility of supporting the end-to-end network
model. IMHO, it has nothing to do with security
57
In the near term, a transition to IPv6 will
  • Increase the challenge to provide network
    security
  • Increase the overall complexity of the network
    and its operations
  • Increase downtime and instability of the network
  • Require re-training of networking staff
  • Require re-writing of applications
  • Probably change network design strategy to
    accommodate limitations in current equipment

58
In the short term, a transition to IPv6 will
  • Increase the hype from equipment and software
    vendors
  • Make it more difficult to evaluate specifications
    to determine their IPv6 support
  • Reduce network security
  • Reduce the working life of new equipment
    purchased
  • Increase the risk of spectacular failures

59
Want to make a network less secure, migrate to
IPv6 early
60
Best Practices
  • Have clear definitions of IPv6 ready and IPv6
    aware when you compare vendors products
  • Pay close attention to new RFCs as they come
    outand changes in the status of old ones
  • Design new protocols in such a way that they will
    continue to operate through a NAT
  • Dont write IPv6-only applications make them
    dual-stack instead

61
Conclusion
  • IPv6 does not make for a completely different
    world of security
  • Expect a low level of incidents initially
    (obscurity), followed by a much higher level
    (exploitation), followed by a slow decline to the
    level we see now with IPv4 (stasis)
Write a Comment
User Comments (0)
About PowerShow.com