IPv6 (cont.) · 2019-09-30 · hard for humans to remember regardless of representation ... Anycast...
Transcript of IPv6 (cont.) · 2019-09-30 · hard for humans to remember regardless of representation ... Anycast...
IPv6 (cont.)
Example: IPv6 Next Header
Extension Headers:
Example: IPv6 Next Header Codes
IPv6 (cont.)
Example: IPv6 Extension Headers (cont.)
IPv6 (cont.)
(e.g., router alert)
(and routers in Routing option)
IPv6 (cont.)
Example: IPv6 Extension Headers (cont.)
IPv6 Addressing• IPv4 address = 32 bit sequence
typically represented in dotted decimal notation, which iseasier for humans to remember
• IPv6 address = 128 bit sequence hard for humans to remember regardless of representation typically represented in colon hexadecimal notation (8 16-bit
blocks), which is easier to convert to binary than decimal
16-bit block
IPv6 Addressing (cont.)
Example: Converting between binary and hexadecimal
IPv6 Addressing (cont.)
• IPv6 Address Compression Rules Rule 1: Zero Suppression – leading zeros in any 16-bit
segment can be omitted
→ only a single contiguous string of all-zero segments can berepresented with a double colon!
Rule 2: Zero Compression – a contiguous sequence of 16-bit blocks set to 0 can be compressed to double-colon (::)
https://www.slideshare.net/NadiaBENCHIKHA/ipv6-foundations
IPv6 Addressing (cont.)
Example: Shortening in IPv6 address space
IPv6 Addressing (cont.)
Example: Shortening in IPv6 address space
https://www.slideshare.net/NadiaBENCHIKHA/ipv6-foundations
IPv6 Addressing (cont.)
Example: Shortening in IPv6 address space (cont.)
https://www.slideshare.net/NadiaBENCHIKHA/ipv6-foundations
IPv6 Addressing (cont.)
Example: Shortening in IPv6 space examples
IPv6 Addressing (cont.)
• IPv6 Address Structure
Can be a privacy problem!!!
IPv6 Addressing (cont.)
• IPv6 Address Categories
https://kasiviswanathanblog.wordpress.com/2017/03/18/ipv6-address-types-and-the-rest/
IPv6 Addressing (cont.)
http://www.steves-internet-guide.com/ipv6-guide/
IPv6 Addressing (cont.)
IPv6 Addressing (cont.)
Example: IPv6 anycast
https://www.netactuate.com/anycast/anycast-for-ipv6/
Anycast is a type of IPv6 network communication in which IPv6 datagrams from a source are routed to the nearest device (in terms of routing distance) from a group servers which provide the same service. Every nodes which provide the same service are configured with same Anycast destination address.
IPv6 Security Vulnerabilities• Vulnerability 1: Tracking Identity of IPv6 Users
when using IPv6 address auto-configuration, the MACaddress of a network card is used to make this card’sIPv6 address→ privacy concern for mobile devices
because when they access the Internet from different locations, their MAC based IPv6 identifier stays the same, so device can be tracked across different networks
→ SOLUTION: RFC 4941 – privacy extensions for Stateless Address Auto-configuration (SLAAC) interface identifier is derived from MAC initially, but then
passed through a 1-way hash algorithm, … cons: complicates network debugging, security/audit RFC 7217 offers further improvements
https://techglimpse.com/ipv6-stateless-autoconfiguration-in-packet-tracer-simulator/
IPv6 Security Vulnerabilities (cont.)
Example: IPv6 stateless configurationThe stateless mechanism allows a host to generate its own addresses using a combination of locally available information and information advertised by routers. This mechanism does not require the establishment of a server to delve out address space. The IPv6 stateless autoconfiguration mechanism requires no manual configuration of hosts, minimal (if any) configuration of routers, and no additional servers. This method uses the MAC address of the device to create an IPv6 address with the 2000:: prefix set in the router.
The stateless approach is used when a site is not particularly concerned with the exact addresses hosts use, so long as they are unique and properly routable. Stateful and Stateless Autoconfiguration may be used simultaneously.
Example: IPv6 privacy addressing
https://www.usenix.org/system/files/login/articles/105438-Barrera.pdf
IPv6 Security Vulnerabilities (cont.)
• Vulnerability 2: Easy Network Reconnaissance IPv6 has introduced some specialized site-local and
link-local multicast addresses
IPv6 Security Vulnerabilities (cont.)
→ reconnaissance is greatly simplified, as certain select groupsof devices can be probed/scanned at once
→ multicast addresses also enable simple blind attacks on groupsof critically important nodes (e.g., routers, DHCP servers, …)
→ SOLUTION: perform ingress filtering of multicast packets;though this will not work against ‘insider attacks’
Example: IPv6 fixed scope multicast addresses
https://www.edn.com/Home/PrintView?contentItemId=4014403
IPv6 Security Vulnerabilities (cont.)
IPv6 Security Vulnerabilities (cont.)
• Vulnerability 3: Packet Fragmentation Abuse in IPv6 packet fragmentation by intermediary nodes is NOT
allowed – only the end hosts are allowed to create andreassemble fragments
→ this can be used by attackers to hide their attacks (e.g.) by splitting‘attack payload’ over multiple smaller packets (routers/firewalls thatdo not correlate subsequent packets would not ‘catch’ the attack)
→ only node performing deep packet inspection would be able todetect such attacks
AT T A CK
AT T A CK
IPv6 Security Vulnerabilities (cont.)
• Vulnerability 4: Extension Headers Abuse an IPv6 can have an arbitrary (large) number of extension
headers combined with Hop-by-Hop & Routing EH→ someone could create an IPv6 packet that meets the protocol
specification and has an unlimited number of EHs→ packet like that could cause a DoS of intermediary systems along
the transmission path or the destination system
IPv6 Security MythsMyth 1:I’m not running IPv6 so I don’t have to worry about IPv6 security!
→ IPv6 is enabled by default in modern hosts, servers, devices.→ Thus, even in a network where no one has intentionally deployed
IPv6, it is quite likely that devices are sending IPv6 packets and have IPv6 sockets open.
Myth 2:IPv6 has security designed in so I do notneed to worry about security!
→ IPv6 was developed in the late 1990’s – many of today’s securitythreats were not known.
→ IPSec is what makes IPv6 secure – must be actively used!!!
IPv6 Security Myths (cont.)
Myth 3:IPv6 has no NAT; global addresses used.I am exposed to attacks from the Internet!
→ While the NAT may provide a bit of obfuscation, by hiding yourinternal addresses, it is really the statefull firewalls that protectyour network from unwanted intrusion (so you should use them).
Myth 4:IPv6 are too big to scan. Hackers will havehard time finding devices in my network!
→ IPv6 tend to clump up in certain IPv6 address ranges. Hence,scanning IPv6 networks is not impossible because there areshortcuts available ...
IPv6 Security Myths (cont.)
IPv6 Security Myths (cont.)
Myth 5:IPv6 is too new to be attacked!
→ IPv6 was designed 20 years ago.→ IPv6 hardware and software bugs and other vulnerabilities are well
known and widely published, and there are many available IPv6test/attack tools.
https://www.internetsociety.org/blog/2015/03/ipv6-security-myth-10-deploying-ipv6-is-too-risky/