IPv6 Transition : Why a new security mechanisms model is necessary? Abidah Hj Mat Taib...

Date posted: 18-Dec-2015

Page 1: IPv6 Transition : Why a new security mechanisms model is necessary? Abidah Hj Mat Taib abidah@perlis.uitm.edu.my abidah@nav6.org Universiti Teknologi Mara,

IPv6 Transition : Why a new security mechanisms model is necessary?

Abidah Hj Mat Taib
abidah@perlis.uitm.edu.my
abidah@nav6.org

Universiti Teknologi Mara, Perlis Malaysia


Outline

• Transition / coexistence
• Security Threats
• Threats due to Transition Mechanisms
• Current Security Mechanisms
• Current IPv4 Security Model
• New Security Model
• Conclusion


Transition .. coexistence?

[Diagram labels: IPv4, IPv6, IPv6 Specific Protocol, Security Considerations, IPv6 Deployment, Transition Mechanisms]


Threats due to Transition Mechanisms -- Dual stack

Applications on device can be subject to attack on both IPv4 and IPv6.

Need parallel filtering/detection rules for IPv4 and IPv6 packets.

[Diagram labels: Server, Server, Server, Internet, Internal network, IPv4, IPv6]
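One way to check the "parallel rules" requirement on a dual-stack host is to compare its IPv4 and IPv6 filter tables. The following is an added example, not part of the original slides; the rule sets are constructed samples in iptables-save / ip6tables-save format, and the function names are hypothetical.

```python
import re

# Constructed iptables-save / ip6tables-save output for one dual-stack server.
V4_RULES = """*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT"""
V6_RULES = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
COMMIT"""

def summarize(save_text, chain="INPUT"):
    """Return (default policy, {(proto, dport): source_restricted}) for ACCEPT rules."""
    policy, accepts = None, {}
    for line in save_text.splitlines():
        m = re.match(rf":{chain} (\w+)", line)
        if m:
            policy = m.group(1)
        if not (line.startswith(f"-A {chain} ") and line.endswith("-j ACCEPT")):
            continue
        proto = re.search(r" -p (\S+)", line)
        if not proto:
            continue  # stateful/generic rules are not tied to one service
        name = "icmp" if proto.group(1) in ("ipv6-icmp", "icmpv6") else proto.group(1)
        dport = re.search(r" --dport (\S+)", line)
        key = (name, dport.group(1) if dport else "*")
        restricted = re.search(r" -s \S+", line) is not None
        # A service counts as source-restricted only if every ACCEPT rule for it is.
        accepts[key] = accepts.get(key, True) and restricted
    return policy, accepts

def parity_gaps(v4_text, v6_text):
    """List differences between the IPv4 and IPv6 filter policy of one host."""
    (p4, a4), (p6, a6) = summarize(v4_text), summarize(v6_text)
    gaps = []
    if p4 != p6:
        gaps.append(f"default policy differs: IPv4={p4} IPv6={p6}")
    for key in sorted(set(a4) | set(a6)):
        svc = "/".join(key)
        if key not in a4 or key not in a6:
            gaps.append(f"{svc}: explicit rule only on {'IPv4' if key in a4 else 'IPv6'}")
        elif a4[key] != a6[key]:
            gaps.append(f"{svc}: source restriction differs between families")
    return gaps
```

On the constructed input, the IPv6 table defaults to ACCEPT while the IPv4 table defaults to DROP, so the SSH restriction that exists on IPv4 has no counterpart on IPv6.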


Security Threats

Similar threats in IPv4 & IPv6 networks.

• Reconnaissance - exploit the site scope multicast address – flooding -- DoS
• Misuse of routing headers – packets spoofed and attack packets redirected to initiate DoS
• Fragmentation related attacks
• Misuse of ICMPv6 and multicast
  - ICMPv6 Stateless Auto-Configuration
  - Route Implanting with ICMPv6 Redirects (use fake Echo Request)
  - Smurf IPv6 – source is target, destination is local multicast address (generates lots of local traffic that is sent to source)
• Autoconfiguration and Neighbor Discovery Vulnerabilities


Threats due to Transition Mechanisms -- Tunneling

• Packet injection
• Exploiting the tunnel interface
• Bypassing ingress filtering checks
• Complexity of configuring devices as well as logging and monitoring the traffic
• IPv4 firewall has to open for protocol 41 (IPv6) and protocol 58 (ICMPv6) at the remote end of the tunnel.


Tunneling Mechanisms Security Issues

Tunneling: Threats

• Configured Tunnel: Potential injection of IPv6-in-IPv4 packets to the tunnel decapsulator – must check the source of the tunnel.
• Tunnel Broker: If the administrator is unaware that a TB is used by the users, he may not apply any guard against potential security holes.
• 6to4:
  - Attacks with Neighbor Discovery message.
  - Spoofing traffic to 6to4 nodes.
  - Reflecting traffic from 6to4 nodes.
  - Local IPv4 broadcast attacks.
• ISATAP: Spoofing attack – bogus IP protocol 41 packets are injected into an ISATAP link from outside, or from within an ISATAP link by a node pretending to be a router.
• Teredo: Bypassing security controls, reducing defense in depth, allowing unsolicited traffic, laundering DoS attack from IPv4 to IPv4, IPv4 to IPv6, IPv6 to IPv4.
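The "must check the source of the tunnel" rule for configured tunnels, and the matching consistency check against spoofed 6to4 sources, can be expressed as a decapsulator-side filter. This is an added example, not part of the original slides; the function names, the peer list and the packets are constructed, and Teredo (which runs over UDP) is outside its scope.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
# IPv4 ranges that must never appear embedded in a 6to4 source address.
NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3")]

def check_proto41(packet, tunnel_peers):
    """Return reasons a decapsulator should drop this IPv4 packet ([] = accept)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not an IPv4 packet"]
    if packet[9] != 41:
        return ["not protocol 41"]
    ihl = (packet[0] & 0x0F) * 4
    inner = packet[ihl:]
    if ihl < 20 or len(inner) < 40 or inner[0] >> 4 != 6:
        return ["truncated or malformed inner IPv6 header"]
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    reasons = []
    if inner_src in SIX_TO_FOUR:
        # 6to4: the IPv4 address in bits 16..47 must be the real outer sender.
        embedded = ipaddress.IPv4Address(inner_src.packed[2:6])
        if embedded != outer_src:
            reasons.append("6to4 source does not embed the outer IPv4 source")
        if any(embedded in net for net in NON_ROUTABLE_V4):
            reasons.append("6to4 source embeds a non-routable IPv4 address")
    elif str(outer_src) not in tunnel_peers:
        # Configured tunnel: only the provisioned remote endpoint may send.
        reasons.append("outer source is not a configured tunnel endpoint")
    if inner_src.is_multicast or inner_src.is_unspecified or inner_src.is_loopback:
        reasons.append("invalid inner IPv6 source address")
    return reasons

def build(outer_src, inner_src):
    """Constructed sample: minimal IPv4 header (protocol 41) + bare IPv6 header."""
    v6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
          + ipaddress.IPv6Address(inner_src).packed
          + ipaddress.IPv6Address("2001:db8::1").packed)
    v4 = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0)
          + ipaddress.IPv4Address(outer_src).packed
          + ipaddress.IPv4Address("203.0.113.1").packed)
    return v4 + v6
```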


Current Security Mechanisms

Mitigation Techniques: Challenges

• Firewalls: Lots of different extension headers – hard for a firewall to filter correctly, and to do so without being exposed to buffer overflow or DoS.
• IPsec: Not always a valid security option due to the bootstrapping problem.
• Logging / Auditing: Most are implemented using IPv4 transport – need IPv6 transport to successfully log and audit dual stack network infrastructure.
• Intrusion Detection: Lack of signature database.
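The firewall challenge above, and the routing-header and fragmentation threats listed earlier, both come down to walking the IPv6 extension header chain safely before the upper-layer protocol can be filtered. This is an added example, not part of the original slides; the function names, the header-count limit and the sample packets are assumptions, and AH/ESP are returned as the upper layer rather than parsed.

```python
import struct

EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "destination-options"}
MAX_EXT_HEADERS = 8  # assumed local policy limit, not a value from the slides

def walk_ext_headers(packet):
    """Return (upper-layer protocol or None, findings) for a raw IPv6 packet."""
    findings = []
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None, ["not a complete IPv6 header"]
    nxt, off, seen = packet[6], 40, 0
    while nxt in EXT:
        seen += 1
        if seen > MAX_EXT_HEADERS:
            return None, findings + ["too many extension headers"]
        if off + 8 > len(packet):  # every extension header is at least 8 bytes
            return None, findings + ["truncated extension header"]
        if nxt == 44:
            hdr_len = 8  # the fragment header has a fixed size
            frag_off = struct.unpack_from("!H", packet, off + 2)[0] >> 3
            if frag_off:
                return None, findings + ["non-first fragment, upper layer not visible"]
            findings.append("fragment header")
        else:
            hdr_len = (packet[off + 1] + 1) * 8  # length field counts 8-byte units
            if nxt == 43 and packet[off + 2] == 0:
                findings.append("routing header type 0")
            if nxt == 0 and seen != 1:
                findings.append("hop-by-hop not first")
        if off + hdr_len > len(packet):  # never trust the declared length
            return None, findings + ["extension header overruns packet"]
        nxt, off = packet[off], off + hdr_len
    return nxt, findings

def ipv6(next_header, payload):
    """Constructed sample packet: fixed header with zeroed addresses + payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

# Constructed samples: RH0 in front of TCP, a lying length field, a later fragment.
RH0_TCP = ipv6(43, bytes([6, 2, 0, 1]) + bytes(4) + bytes(16) + bytes(20))
OVERRUN = ipv6(60, bytes([17, 255]) + bytes(6))
LATE_FRAGMENT = ipv6(44, bytes([17, 0]) + struct.pack("!H", 185 << 3) + bytes(4) + b"x" * 8)
```

A filter that returns `None` for the upper-layer protocol has nothing to match its port rules against, so the policy for that case (drop, or reassemble first) has to be decided explicitly.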


Current IPv4 Security Model : network-based

[Diagram labels: INTERNET, Edge Router, Stateful Firewall, IDS, Internal Network]


Current IPv4 Network-based Security Scheme

• Peer – firewall – Internet – firewall – peer
• Security policy enforced by firewalls
• Blocking attackers from outside BUT no firewall blocking attack coming from the same LAN segment
• Lack of secure end-to-end IDS – to find potential security problems and to detect unauthorized intrusion and misuse of network resources.


Current IPv4 Network-based Security Scheme .. cont…

• Perimeter defense: IP firewalls, HTTP/HTTPS firewalls, content analysis (antivirus, anti spam, etc.)
• Defense in depth and network segmentation: DMZ, layered architecture
• TLS/SSL based business application and VPNs for remote access


Revised Model - Host-based Security

[Diagram labels: INTERNET, Edge Router, Perimeter Firewall, Internal Network, LAN-1, LAN-2, LAN-3, IDS (multiple), Host-based firewalls / IDS]


New Security Model - Distributed mechanisms

[Diagram labels: INTERNET, Edge Router, Perimeter Firewall, Internal Network, LAN-1, LAN-2, LAN-3, IDS (multiple), Host-based firewalls / IDS, Centralized Security Policy Repositories]


New Security Model

• End-to-End IPsec
• Distributed security with the communicating hosts providing the policy enforcement for their own communication.
• Creating specific policies for securing communication based on currently running applications, rather than having a central enforcement point try to provide a single group-based policy.
• Possible to create more dynamic security policies which can vary over time based on changing trust relationships.


Distributed security endpoints

Consists of host-resident firewalls, intrusion detection, security patching, and security status monitoring – can be accomplished by kernel-mode processes within an OS.

A managed distributed host-based firewall system utilizing end-to-end IPsec can implement separate multi-level security policies with fine granularity.

Using the end-to-end model, it is possible to divide users and servers into various trust groups and interest communities to implement separate security rules.


Conclusion

To design a new security mechanisms model:

• In depth understanding of IPsec
• Define optimum security policies associated to network requirements
• Build a comprehensive distributed firewalls to counter security issues in IPv4 as well as IPv6
  - As well as IDS and IPS, logging/auditing
• Security test using available attacking tools



THANK YOU

Q & A
