Post on 02-Jan-2016
CS 265 – Project: IPv6 Security Aspects
Surekha Shinde
IPv6 Security Aspects
Agenda
• Introduction to IPv6
• IPv4 and IPv6 Comparison
• Current issues in IPv4
• IPv6 solutions for IPv4 issues
• New issues of new protocol
• Hacking Tools
• Conclusion
Introduction to IPv6
• Why IPv6
• IPv6 Important features : Wish-list
• Faster Packet Processing
• Enhanced QOS
• Improved Security
• Greater protocol Flexibility
• Dual-Stack approach
Fig.- The IPv6 Header: 40 octets, 8 fields
Version | Class | Flow Label
Payload Length | Next Header | Hop Limit
128 bit Source Address
128 bit Destination Address
Fig.- The IPv4 Header: 20 octets + options, 13 fields including 3 flag bits
Ver | IHL | Service Type | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
32 bit Source Address
32 bit Destination Address
Options and Padding
Shaded fields are absent from the IPv6 header
IPv6 Addressing
IPv6 addressing rules are covered by multiple RFCs
Architecture defined by RFC 2373. Address types are:
Unicast : One to One
Anycast : One to Nearest
Multicast : One to Many
Reserved
A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)
No Broadcast Address -> IPv6 Use Multicast
Notation & Abbreviation
Notation
128 Bits = 16 bytes = 32 Hex digits, written as eight 16-bit groups separated by colons
(binary 1111110111101100 = FDEC, 1111111111111111 = FFFF)
Unabbreviated: FDEC : BA98 : 0074 : 3210 : 000F : BBFF : 0000 : FFFF
Abbreviated (leading zeros dropped): FDEC : BA98 : 74 : 3210 : F : BBFF : 0 : FFFF
Abbreviation
Abbreviated: FDEC : 0 : 0 : 0 : 0 : BBFF : 0 : FFFF
More Abbreviated (run of zero groups replaced by ::): FDEC :: BBFF : 0 : FFFF
IPv6 Addressing for IPv4
IPv4-Compatible IPv6 Address format: 96 bits of zeros followed by the 32 bit IPv4 address
IPv4 Compatible Address = 0:0:0:0:0:0:192.168.10.10
= ::192.168.10.10
IPv4-Mapped IPv6 Address format: 80 bits of zeros, 16 bits of FFFF, then the 32 bit IPv4 address
IPv4-Mapped Address = 0:0:0:0:0:FFFF:192.168.10.10
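As an added example (not part of the original slides), here is a small Python implementation of the notation rules above: expanding an address to its eight groups, compressing it again, and recognising the IPv4-compatible and IPv4-mapped forms. It also accepts the dotted-quad spelling of the embedded IPv4 address that the slides use; the hex output is lowercase as RFC 5952 prefers, where the slides use uppercase.

```python
# Added example, not from the slides: expand and compress IPv6 text addresses,
# including the IPv4-compatible (::a.b.c.d) and IPv4-mapped (::ffff:a.b.c.d)
# forms shown above. Text rules follow RFC 4291 and RFC 5952.

def expand(addr: str) -> list:
    """Return the eight 16-bit groups of an IPv6 text address."""
    if "." in addr:  # trailing dotted-quad IPv4 becomes the last two groups
        head, _, v4 = addr.rpartition(":")
        o = [int(x) for x in v4.split(".")]
        if len(o) != 4 or any(not 0 <= b <= 255 for b in o):
            raise ValueError(f"bad embedded IPv4 in {addr!r}")
        hi, lo = o[0] << 8 | o[1], o[2] << 8 | o[3]
        addr = f"{head}:{hi:x}:{lo:x}"
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:  # '::' stands for however many zero groups are missing
        left, right = addr.split("::")
        l = [int(g, 16) for g in left.split(":") if g]
        r = [int(g, 16) for g in right.split(":") if g]
        groups = l + [0] * (8 - len(l) - len(r)) + r
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return groups

def compress(groups: list) -> str:
    """RFC 5952 text form: lowercase hex, no leading zeros, and the longest run
    of two or more zero groups (the first on a tie) replaced by '::'."""
    best, best_len, i = -1, 1, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best, best_len = i, j - i
        i = j + 1 if j == i else j
    hexs = [f"{g:x}" for g in groups]
    if best < 0:
        return ":".join(hexs)
    return ":".join(hexs[:best]) + "::" + ":".join(hexs[best + best_len:])

def embedded_ipv4(groups: list):
    """('compatible', dotted) for ::a.b.c.d, ('mapped', dotted) for
    ::ffff:a.b.c.d, else None (:: and loopback ::1 are neither)."""
    if groups[:5] != [0] * 5 or groups[5] not in (0, 0xFFFF) or (
            groups[5] == groups[6] == 0 and groups[7] <= 1):
        return None
    hi, lo = groups[6], groups[7]
    return ("mapped" if groups[5] else "compatible",
            f"{hi >> 8}.{hi & 0xFF}.{lo >> 8}.{lo & 0xFF}")
```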
IPv6 over IPv4 Tunnels
Tunneling is encapsulating the IPv6 packet in the IPv4 packet. Tunneling can be used by routers and hosts.
Fig.- IPv6 Host A -> Dual-Stack Router A -> [IPv4 Network, tunnel: IPv6 in IPv4 packet] -> Dual-Stack Router B -> IPv6 Host B
On the IPv6 networks: IPv6 Header | Transport Header | Data
Inside the tunnel: IPv4 Header | IPv6 Header | Transport Header | Data
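As an added example, not from the slides, the packet layout drawn above in Python: Router A wraps an IPv6 packet in an IPv4 header whose Protocol field is 41, and Router B unwraps it only after the outer and inner headers check out. All addresses are constructed documentation-range values.

```python
# Added example, not from the slides: build and unwrap the "IPv6 in IPv4" tunnel
# packet drawn above. The outer IPv4 header carries protocol 41; the inner IPv6
# header, transport header and data ride unchanged as the IPv4 payload.
# All addresses are constructed documentation-range values.
import socket
import struct

IPPROTO_IPV6 = 41  # IPv4 Protocol field value for an encapsulated IPv6 packet

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the IPv4 header; 0 when a stored checksum is valid."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv6_packet(src: str, dst: str, next_header: int, payload: bytes, hop: int = 64) -> bytes:
    """40-octet IPv6 header (version 6, class and flow label 0) plus payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop)
    return (head + socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst) + payload)

def encapsulate(outer_src: str, outer_dst: str, inner: bytes, ttl: int = 64) -> bytes:
    """Dual-Stack Router A: prepend a 20-octet IPv4 header (DF set, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, ttl,
                      IPPROTO_IPV6, 0, socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner

def decapsulate(packet: bytes):
    """Dual-Stack Router B: return the inner IPv6 packet, or None unless the outer
    version, checksum and protocol and the inner version and length all check out."""
    if len(packet) < 60 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(packet[:ihl]) != 0 or packet[9] != IPPROTO_IPV6:
        return None
    inner = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    if len(inner) != 40 + struct.unpack("!H", inner[4:6])[0]:
        return None
    return inner
```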
Dual Stack Approach & DNS
In a dual stack case, an application that:
• Is IPv4 and IPv6-enabled
• Asks the DNS for all types of addresses
• Chooses one address and, for example, connects to the IPv6 address
Fig.- The host asks the DNS Server "www.sjsu.com = * ?" and receives both an IPv6 answer (3ffe:b00::1) and an IPv4 answer (10.1.1.1)
Security Advantages of IPv6 Over IPv4
IPv4 - NAT breaks end-to-end network security
IPv6 - Huge address range – No need of NAT
IPv4 – IPSEC is Optional
IPv6 - Mandatory in v6
IPv4 - Security extension headers (AH, ESP) are back-ported
IPv6 - Built-in Security extension headers
IPv4 - External Firewalls introduce performance bottlenecks
IPv6 - Confidentiality and data integrity without need for additional firewalls
Security Advantages of IPv6 Over IPv4 (2)
IPv4 - Security issues related to ICMPv4
IPv6 - ICMPv6 uses IPsec authentication and encryption
IPv4 - No mechanism for resistance to scanning
IPv6 - Resistance to scanning (RTS) possible only in IPv6
IPv4 - Doesn't support autoconfiguration
IPv6 - Built-in autoconfiguration support
Ignorance of IPv6 among network administrators. But, thanks to the transitional efforts of the IETF…
• IPv4 - Security option field and optional IPsec
• IPv6 - IPsec is part of the protocol suite (mandatory); IPsec provides network-level security
• IPsec uses: AH (Authentication Header) and ESP (Encapsulating Security Payload) header
Important Security fields in IPv6
Authentication Header(AH)
• Data integrity• Data authentication• Anti-replay protection
Fig.- Authentication Header (AH) Packet Format
Next Header | Hdr Ext Len | Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data
Authentication Header fields
• SPI :- Security parameter index
• Sequence number field :- Anti-replay protection
• Authentication data :- ICV, authentication and data integrity
• HMAC (Hash message authentication code) + MD5 and HMAC + SHA-1
• AH supports several authentication algorithms
• Prevents IP spoofing attacks
• Prevents DoS attacks
Encapsulating Security Payload (ESP)
• Data confidentiality
• Data integrity
• Data authentication
• Anti-replay protection
• Authentication applied only to data being encrypted
• Optional services - select at least one
Fig.- ESP Packet Header Format
Security Parameters Index (SPI)
Sequence Number
Payload
Padding | Padding Length | Next Header
Authentication Data
ESP Packet Header
• ESP header with confidentiality service prevents sniffing, e.g. by tcpdump and WinDump
• ESP uses symmetric key algorithms like DES, 3DES and AES
ESP Header Fields:
• SPI :- Security parameter index
• Sequence number field :- Anti-replay protection
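An added example, not from the slides: parsing the AH fields listed above and applying the anti-replay window that the Sequence Number field (in AH and ESP alike) exists for. The ICV here is HMAC-SHA1-96 computed only over the AH fixed fields and the payload with a constructed sample key, which simplifies real AH coverage (a real AH also covers the immutable IP header fields).

```python
# Added example, not from the slides: parse the AH fields listed above and run
# the anti-replay check behind the Sequence Number field (same window for ESP).
# ICV = HMAC-SHA1-96 over AH fixed fields + payload only; key is a constructed sample.
import hashlib
import hmac
import struct

AH_FIXED = 12  # Next Header(1) Payload Len(1) Reserved(2) SPI(4) Sequence Number(4)

def parse_ah(data: bytes) -> dict:
    """Split an AH into fields; Payload Len counts 32-bit words minus 2."""
    if len(data) < AH_FIXED:
        raise ValueError("truncated AH")
    nh, plen, _rsv, spi, seq = struct.unpack("!BBHII", data[:AH_FIXED])
    total = (plen + 2) * 4
    if len(data) < total:
        raise ValueError("AH length exceeds packet")
    return {"next_header": nh, "spi": spi, "seq": seq,
            "icv": data[AH_FIXED:total], "payload": data[total:]}

def build_ah(nh: int, spi: int, seq: int, key: bytes, payload: bytes) -> bytes:
    """Sender side: a 12-byte ICV makes the AH 24 bytes, so Payload Len = 4."""
    fixed = struct.pack("!BBHII", nh, 4, 0, spi, seq)
    icv = hmac.new(key, fixed + payload, hashlib.sha1).digest()[:12]
    return fixed + icv + payload

class ReplayWindow:
    """RFC 4302 style sliding window over received sequence numbers."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0
    def accept(self, seq: int) -> bool:
        if seq == 0:                     # 0 is never a valid AH sequence number
            return False
        if seq > self.top:               # new high water mark: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.top = seq
            return True
        off = self.top - seq
        if off >= self.size or (self.bitmap >> off) & 1:   # too old or duplicate
            return False
        self.bitmap |= 1 << off
        return True

def verify_ah(data: bytes, key: bytes, window: ReplayWindow) -> bool:
    """Receiver: authenticate first, then apply the anti-replay window."""
    ah = parse_ah(data)
    expected = hmac.new(key, data[:AH_FIXED] + ah["payload"], hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(expected, ah["icv"]):
        return False
    return window.accept(ah["seq"])
```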
Security issues in IPV6:
• IPsec relies on PKI, not yet fully standardized
• Scanning possible, if poorly designed
• No protection against all denial of service attacks (DoS attacks difficult to prevent in most cases)
• Not many IPv6-capable firewalls on the market
But ??????
By The Way… IPv6 Hacking Tools
• Sniffer/packet capture analyzers: Snort, tcpdump, Ethereal, WinDump, WinPcap
• Scanners: IPv6 security scanner, Halfscan6, Nmap
• DoS tools: 6tunneldos, 4to6DDoS, Imps6-tools
• Packet forgers: SendIP, Packit, Spak6
• Worms: Slapper
• RealSecure & Proventia tools
Conclusion
‘Black Hats’ Vs ‘White Hats’
Time for ignoring IPv6….. PAST
Time for understanding, recognizing and deploying it…… NOW
Questions ?