
IPV6 Security Consideration

Date post: 05-Apr-2018
Upload: ayazsrig

Transcript
  • 8/2/2019 IPV6 Security Consideration


    5/5/12


    IPv6 Security Considerations

    Authorization for automatically assigned addresses and configurations

    Protection of IPv6 packets

    Host protection from scanning and attacks


    Authorization for Automatically Assigned Addresses and Configurations

    IPv6 hosts can use the following methods to obtain an address configuration:

    1- Neighbor Discovery (ND) with an exchange of Router Solicitation and Router Advertisement messages.

    2- Dynamic Host Configuration Protocol for IPv6 (DHCPv6).


    For ND-based IPv6 configuration, SEcure Neighbor Discovery (SEND) (defined in RFC 3971) can provide protection for Router Solicitation and Router Advertisement messages. SEND can also provide protection for Neighbor Solicitation and Neighbor Advertisement message exchanges for address resolution or neighbor unreachability detection.

    IPv6 in Windows Server 2008 and Windows Vista does not support SEND.


    Recommendations

    To prevent unauthorized computers from communicating on intranets, the recommendation is that you use IEEE 802.1X authentication to authenticate all computers that are connecting to your network with wired or wireless connections.

    With IEEE 802.1X-based authentication at the link layer, computers cannot send any network traffic until they have authenticated themselves to a switch or wireless access point. Only after a successful IEEE 802.1X authentication can an IPv6 host use address autoconfiguration protocols such as ND or DHCPv6 to obtain an automatically assigned IPv6 address configuration.


    Protection of IPv6 Packets

    To help protect IPv6 packets from tampering (data modification) and interpretation (passive capturing) by intermediate or neighboring nodes, IPv6 packets can be protected with Internet Protocol security (IPsec).

    IPsec uses cryptographic security services to provide tampering protection, spoofing protection, and optional encryption for IP packets.


    Host Protection from Scanning and Attacks

    Address Scanning:

    With IPv6, the scanning of a subnet for valid unicast IPv6 addresses is made much more difficult by the large number of possible addresses.

    An attacker must theoretically scan up to 2^64 possible addresses.


    Port Scanning:

    To prevent a port scan, hosts should use a host-based stateful firewall.

    Host-based stateful firewalls silently discard all incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic).

    A host-based stateful firewall will not prevent an attacker from determining open ports on a host if those ports are being used for active communication or the ports correspond to a service being offered by the host.
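
The solicited/excepted distinction above, modeled as an added example (not part of the original slides): a toy inbound decision table for a host-based stateful firewall, plus an audit helper that lists which local ports still accept unsolicited traffic. The class and function names, the port numbers and the 2001:db8:: documentation addresses are assumptions made for illustration.

```python
class HostFirewall:
    """Toy model of the inbound decisions of a host-based stateful firewall."""

    def __init__(self, excepted=()):
        self.excepted = set(excepted)  # (proto, local_port) allowed unsolicited
        self.flows = set()             # state created by the host's own traffic

    def outbound(self, proto, local_port, remote_addr, remote_port):
        # Record the flow so the matching reply is treated as solicited.
        self.flows.add((proto, local_port, remote_addr, remote_port))

    def inbound(self, proto, local_port, remote_addr, remote_port):
        if (proto, local_port, remote_addr, remote_port) in self.flows:
            return "solicited"
        if (proto, local_port) in self.excepted:
            return "excepted"
        return "discard"  # silent: nothing is sent back to the sender


def reachable_ports(fw, proto, remote_addr, ports, remote_port=50000):
    """Audit helper: local ports that accept unsolicited traffic from remote_addr."""
    return [p for p in ports
            if fw.inbound(proto, p, remote_addr, remote_port) != "discard"]


def demo():
    # Constructed scenario using IPv6 documentation addresses (2001:db8::/32).
    fw = HostFirewall(excepted={("tcp", 443)})      # host offers a service on 443
    fw.outbound("tcp", 49200, "2001:db8::53", 853)  # host opens a connection
    return {
        "reply": fw.inbound("tcp", 49200, "2001:db8::53", 853),
        "same_port_other_peer": fw.inbound("tcp", 49200, "2001:db8::bad", 853),
        "visible_to_stranger": reachable_ports(
            fw, "tcp", "2001:db8::bad", [22, 443, 3389, 49200]),
    }


if __name__ == "__main__":
    print(demo())
```

Only the excepted service port stays reachable from an address with no existing flow, which is why the exception list should be kept as short as the host's role allows.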


    Control of What Traffic Is Exchanged with the Internet

    To prevent unwanted traffic from the Internet, organizations typically deploy edge firewalls, proxies, and intrusion detection systems (IDSs).

    These security devices attempt to ensure that an attacker's traffic from the Internet cannot penetrate to the intranet.


    Recommendations

    To prevent unwanted and unauthorized IPv6 traffic from the Internet, you can do the following:

    - Upgrade your edge firewall, proxy, and IDS to include IPv6 and tunneled IPv6 functionality.

    - If your intranet computers must communicate with hosts on the IPv6 Internet, upgrade your edge firewall between your intranet and the IPv6 Internet to support stateful IPv6 firewalling.


    - For IPv6-over-IPv4 tunneled traffic from Internet hosts to intranet hosts, configure your IPv4-based edge firewall to drop all IPv4 protocol 41 packets on its Internet interface. An exception is when you are using 6to4. The 6to4 router must be able to receive IPv6-over-IPv4 tunneled traffic from the Internet.

    - For Teredo traffic from intranet hosts to Internet hosts, configure your IPv4-based edge firewall to silently discard all IPv4 traffic with the source or


    - Deploy ISATAP correctly on your intranet so that default route traffic is never forwarded to the IPv4 Internet. Default route traffic from ISATAP hosts on the IPv4 portion of your network should be forwarded to an ISATAP router, which is connected to both the IPv4 and IPv6-capable portions of your intranet. The default route on the ISATAP router should point to the IPv6-capable portion of your intranet.

    - If your ISATAP router and edge firewall are the same device, ensure that the device's default route for IPv6 traffic points to the IPv6-capable portion of your network, not to the IPv4 Internet.


    - If the ISATAP hosts on your intranet must communicate with hosts on the IPv6 Internet, upgrade your edge firewall between your intranet and the IPv6 Internet to support stateful IPv6 firewalling.
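
The protocol 41 recommendation above, written out as an added example (not part of the original slides): a Python check that reads the IPv4 header of a packet arriving on the Internet interface and decides whether the rule drops it, including the 6to4 exception. The router address 192.0.2.1, the function names and all sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IPv4 protocol number carrying encapsulated IPv6
# Assumption: address of the site's 6to4 router (documentation range).
SIX_TO_FOUR_ROUTER = ipaddress.IPv4Address("192.0.2.1")


def build_ipv4_header(src, dst, proto):
    """Constructed sample data: minimal 20-byte IPv4 header, checksum left 0."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def should_drop(packet, six_to_four_router=None):
    """Protocol 41 rule for packets arriving on the Internet interface.

    Returns True when this rule drops the packet. False means the rule does
    not match and the rest of the firewall policy still applies.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return True  # not a well-formed IPv4 header
    if packet[9] != PROTO_IPV6_IN_IPV4:
        return False  # not IPv6-over-IPv4 tunneled traffic
    dst = ipaddress.IPv4Address(packet[16:20])
    # Exception from the slides: a 6to4 router must receive tunneled traffic.
    return not (six_to_four_router is not None and dst == six_to_four_router)


def demo():
    tunneled_to_host = build_ipv4_header("198.51.100.7", "203.0.113.10", 41)
    tunneled_to_router = build_ipv4_header("198.51.100.7", "192.0.2.1", 41)
    plain_tcp = build_ipv4_header("198.51.100.7", "203.0.113.10", 6)
    return [
        should_drop(tunneled_to_host, SIX_TO_FOUR_ROUTER),    # True
        should_drop(tunneled_to_router, SIX_TO_FOUR_ROUTER),  # False
        should_drop(tunneled_to_router),                      # True, 6to4 not in use
        should_drop(plain_tcp, SIX_TO_FOUR_ROUTER),           # False
    ]


if __name__ == "__main__":
    print(demo())
```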


    Understanding IPv6 2nd Edition - Microsoft Press

