Download Slide 1

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Extensible Authentication Protocol wikipedia , lookup

Wireless security wikipedia , lookup

Distributed firewall wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Computer security wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Transcript
An Analysis of IPv6 Security
CmpE-209: Team Research Paper Presentation
Presented by: Dedicated
Instructor:
Prof. Richard Sinn
Network security
Department of CmpE Engg
Hiteshkumar Thakker
Jimish Shah
Krunal Soni
Kuldipsinh Rana
Nghia Nguyen
Sajjad Tabib
04/08/2008
CmpE-209 / Spring 2008
1
Agenda

Introduction to IPv6
◦ IPv6 vs IPv4



IPsec Protocol
IPv6 Deployment
IPv6 Security Issues
◦
◦
◦
◦
◦

Recconnaissance
Redirect Attacks
Spoofing Attacks in Tunneling
Dual-Stack Attacks
Teredo Attacks
Summary
CmpE-209 / Spring 2008
2
Introduction to IPv6

What is IPv6 ???
◦ Network layer protocol used for Internet which is replacing IPv4






Why IPv6 ???
Exhaustion of IPv4 Address Pool
Larger Address Space (3.4 x 1038 addresses) for global
reachability and scalability
Simplified header for Routing efficiency and performance
Server-less auto-configuration, easier renumbering, multihoming, and improved plug and play support
Security with mandatory IP Security (IPSec) support
CmpE-209 / Spring 2008
3
Simplified IPv6 Header
CmpE-209 / Spring 2008
4
IPsec
IPsec is a suite of protocols that provide
network layer security.
 What it means to provide network layer
security?

◦ Network Layer Confidentiality
◦ Source Authentication

Main security goals
◦ Confidentiality
◦ Integrity
◦ Authentication
CmpE-209 / Spring 2008
5
IPsec protocols

Two protocols in IPsec that provide
security.
◦ AH: Authentication Header protocol
 Source authentication
 Data Integrity
 No confidentiality
◦ ESP: Encapsulation Security Payload
 Authentication
 Data Integrity
 Confidentiality
Authentication Header Protocol
Procedure
1.
Host establishes Security
Association (SA) with
Destination.
◦
SA is a handshake which
creates a logical connection
between two machines and
establishes a common secret
key to be used for
Host send secure datagrams
to desintation
Destination determines the
SA from SPI field of the
datagram.
Destination authenticates
datagram based on SA and
Authentication data field.
2.
3.
4.
1.
AH usews HMAC for
authentication and integrity on
Authentication data.
AH Protocol Diagram
ESP: Encapsulation Security Payload
Authentication mechanism similar to AH
– Establish SA, etc.
 Provides confidentiality by encrypting the
TCP/UDP segment using DES-CBC.

ESP – Diagram
IPv6 Deployment
Flag Day - x
 Dual-Stack: to allow IPv4 and IPv6 to coexist in the same networks
 Tunneling: IPv6 node on sending side of
tunnel puts its IPv6 datagram in data field
of IPv4 datagram.
 Now more than 15 methods available for
transition.

CmpE-209 / Spring 2008
11
IPv6 Security Issues
Reconnaissance in IPv6
 Neighbor Discovery attacks
 Anycast and Addressing Security
 L3-L4 spoofing attacks in tunneling
 Attacks through teredo
 Routing header type-0 attack
 Attacks through header manipulation and
fragmentation
 Dual-Stack Attack

CmpE-209 / Spring 2008
12
Recconnaissance in IPv6
 264
subnet addresses are in IPv6
 So, harder to scan every address though
scan million packets per second- It will take
years to find the one host on the network.
 It is possible in IPv4 through NMAP, but IPv6
does not support NMAP.
 Pros and cons
CmpE-209 / Spring 2008
13
Other Security Issues



Addressing Security
Effects of self-generated addresses
◦ Addresses can be “stolen” by others [DoS]
◦ Addresses cannot have pre-established IPsec
◦ IPsec hard to set up in advance as It requires SA and destination
address
No authorization mechanism exists for anycast destination addresses
◦ Spoofing is possible

Attacks through Header manipulation and Fragmentation
◦ Routing Header Type - 0 mechanism issue
◦ Fragmentation
◦ Flow label
CmpE-209 / Spring 2008
14
Neighbor Discovery Attacks
Redirect Attacks: A malicious node redirects
packets away from a legitimate receiver to another
node on the link
 Denial of Service Attacks(DoS): A malicious
node prevents communication between the node
under attack and other nodes
 Flooding Attacks: A malicious node redirects
other hosts’ traffic to a victim node creating a
flood of bogus traffic at the victim host
 MIPv6 Challenges

CmpE-209 / Spring 2008
15
Redirect Attacks
CmpE-209 / Spring 2008
16
Spoofing Attacks in Tunneling
CmpE-209 / Spring 2008
17
Solution on the way…
CmpE-209 / Spring 2008
18
IPv6 Dual-stack Attack
CmpE-209 / Spring 2008
19
Prevention using Multiple addresses
CmpE-209 / Spring 2008
20
Attack by Teredo(UDP Port-3544)
CmpE-209 / Spring 2008
21
Precautions to stop attacks
Block protocol 41
Handle Teredo as a “dangerous UDP port”
at IPv4 firewalls
 Look for Router Advertisements and
Neighbor Discovery Packets (SEND)


CmpE-209 / Spring 2008
22
Security Threats similar to IPv4





Sniffing: without IPsec, IPv6 is no more or less likely to fall
victim to a sniffing attack than IPv4
Application Layer Attack: Even with IPsec, the majority of
vulnerabilities on the internet today are at the application
layer, something that IPsec will do nothing to prevent.
Rogue Devices will be as easy to insert into an IPv6
network as in IPv4.
Man-in-the-middle-attacks(MITM): without IPsec, any
attacks utilizing MITM will have the same likelihood in IPv6
as in IPv4.
Flooding attacks
CmpE-209 / Spring 2008
23
Summary






IPv6 makes some things better, other things worse,
and most things are just different, but no more or less
secure
Better: Automated scanning and worm propagation is
harder due to huge subnets
Worse: Increased complexity in addressing and
configuration
Lack of familiarity with IPv6 among operators
Vulnerabilities in transition techniques
Dual-stack infrastructures require both IPv4 and IPv6
security rules
CmpE-209 / Spring 2008
24
Conclusion







Security in IPv6 is very much like in IPv4
IPsec is mandatory for the security of IPv6
IPv6(IP sec) are still emerging technologies
IPv6 is a very complex protocol
Its code is new and Untested, so while testing also
there could be attack on existing network
Research is going on to overcome threats by IETF
Secure Transition is a major goal of IPv6 now.
CmpE-209 / Spring 2008
25
References

http://openloop.com/index.htm/education/classes/sjsu_engr/engr_networksecurity/spring2008/index.
htm

http://www.cs.rpi.edu/academics/courses/spring05/netprog/ipsec.pdf

http://rfc.net/rfc2401.html

http://www.6net.org/events/workshop-2003/marin.pdf

http://technet.microsoft.com/en-us/library/bb726956.aspx

http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf

http://www.darkreading.com/document.asp?doc_id=123506

http://www.seanconvery.com/ipv6.html

http://www.seanconvery.com/v6-v4-threats.pdf

http://www.seanconvery.com/SEC-2003.pdf

http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf

http://www.nav6tf.org/documents/nav6tf.security_report.pdf

http://www.nav6tf.org/documents/arin-nav6tf-apr05/6.IPv6_Security_Update_JS.pdf

http://www.nanog.org/mtg-0405/pdf/miller.pdf

http://www.stindustries.net/IPv6/whitepapers.html

http://paintsquirrel.ucs.indiana.edu/pdf/IPv6_and_Security.pdf
CmpE-209 / Spring 2008
26
Thank You !!
CmpE-209 / Spring 2008
27
Questions ???
CmpE-209 / Spring 2008
28