William Lee 376232_IPv6 Security Features Not Present in IPv4


  • 8/2/2019 William Lee 376232_IPv6 Security Features Not Present in IPv4


    THE FOLLOWING PRESENTATION HAS BEEN APPROVED FOR TOURO COLLEGE BY THE I.T. ASSOCIATION OF AMERICA

    THIS POWERPOINT HAS NOT YET BEEN RATED


    June 1, 2011

    William C. Lee


    For more than three decades, this end-to-end model has sufficiently met the needs of its users.

    Since the 80s, IPv4 has supported internet growth by accommodating over 4 million unique internet addresses given by Internet Service Providers.


    However, the landscape is changing.

    Despite its dominance in the industry, it is anticipated that in the near future the usage of IPv4 will yield to the more current IPv6.

    Having satisfied the requirements of earlier generations, IPv4 is no longer considered sufficient for the needs of the users of today due to its limited capacity for addressing as well as its susceptibility to security threats. IPv6 presents certain advantages to those users and companies who know how to utilize this protocol.


    IPv4: History & Features

    IPv4 was the first major version of a standardized Internet Protocol.

    Initiative begun by ARPA in 1973 to advance functionality of existing protocols

    By 1981 a final version was published in RFC as a standardized Internet Protocol

    32-bit addressing - designers of IPv4 created a two-level structure for addressing that would utilize network number and host number each a 32 bit field. This would allow for the possibility of generating over 4 million unique addresses. Initially many considered that this level of opportunity for volume would suit the needs of internet users; however, it has proven to be a crippling limitation. Today the internet and its users have grown so large it has now run out of IP addresses. Network Administrators were able to take precautions to combat this difficulty by implementing NAT or Network Address Translation.

    Limited Security features


    Today, the internet has grown to be a million-network network, which is something with startling consequences.

    Security and addressing become more prevalent issues


    IPv6: History & Features

    IPv6 was developed in response to the evolving needs of users and businesses in a more current environment

    The Internet Engineering Task Force began work on the ENTIRELY NEW IPv6 in 1991

    In 1998 the basic standards were agreed upon and implemented.

    128-bit hierarchical addressing - IPv6, with its 128-bit addresses, provides globally unique and hierarchical addressing based on prefixes rather than address classes, which keeps routing tables small and backbone routing efficient.

    Built-in security features


    The importance of Security

    Today, it has become a very hostile environment. Although certain techniques have been introduced to overcome some of the Internet's best known security deficiencies (SSL, IPSec, etc.), they seem to be insufficient

    At the time of its design, and keeping up with the original end-to-end model, the Internet was thought of as a friendly environment. Therefore, no security was embedded in the original architecture


    IPv4: Potential Threats

    Denial of service attacks (DOS) - When there is an attempt to make a computer resource unavailable to users. A common method is flooding the target hosts with requests, thus preventing valid network traffic from reaching the host.

    Malicious code distribution - These can propagate themselves from one infected host to another.

    Man-in-the-middle attacks - An attacker is able to read, insert and modify at will messages between two hosts without either host knowing that their communication has been compromised.

    Fragmentation attacks - Different operating systems have their own method to handle large IPv4 packets and this attack exploits that method. For example the ping of death attacks. This attack uses many small fragmented ICMP packets which when reassembled at the destination exceed the maximum allowable size for an IP datagram, which can cause the victim host to crash, hang or even reboot.

    Port scanning and other reconnaissance attacks - this is used to scan for multiple listening ports on a single host, multiple hosts or an entire network. Open ports can be used to exploit the specific hosts further. Because of the small address space, port scanning is easy in IPv4 architecture

    ARP poisoning and ICMP redirect - ARP poison attack is to send fake, or spoofed, ARP messages to a network. The aim is to associate the attacker's MAC address with the IP address of another node. Any traffic meant for that IP address would be mistakenly sent to the attacker instead.
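Added example (not part of the original presentation): a defensive check for the fragmentation case described above, flagging any IPv4 fragment whose offset plus payload would push the reassembled datagram past 65535 bytes. The packets are constructed in memory with documentation addresses, and the function names are hypothetical.

```python
import struct

MAX_DATAGRAM = 65535  # largest value the 16-bit IPv4 Total Length field can hold

def make_fragment(ip_id, offset_units, payload_len, more):
    """Build a constructed IPv4/ICMP fragment (checksum left 0, documentation addresses)."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id,
                         flags_frag, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x00" * payload_len

def parse_fragment(packet):
    """Return (ip_id, header_len, byte_offset, payload_len, more_fragments)."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, total_len, ip_id, flags_frag = struct.unpack("!BBHHH", packet[:8])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20:
        raise ValueError("not a valid IPv4 header")
    if total_len < header_len or total_len > len(packet):
        raise ValueError("Total Length disagrees with captured bytes")
    offset = (flags_frag & 0x1FFF) * 8  # Fragment Offset counts 8-byte units
    return ip_id, header_len, offset, total_len - header_len, bool(flags_frag & 0x2000)

def oversized_on_reassembly(packet):
    """True if this fragment's data would end past the 65535-byte datagram limit."""
    _id, header_len, offset, payload_len, _more = parse_fragment(packet)
    return header_len + offset + payload_len > MAX_DATAGRAM

def flag_oversized(packets):
    """Return the IP IDs of datagrams that a reassembler should discard."""
    return sorted({parse_fragment(p)[0] for p in packets if oversized_on_reassembly(p)})

# Constructed sample: ID 0x1111 is an ordinary 1480-byte middle fragment;
# ID 0x2222 is a final fragment at byte offset 65512 carrying 64 bytes.
SAMPLE = [
    make_fragment(0x1111, 185, 1480, more=True),
    make_fragment(0x2222, 8189, 64, more=False),
]

if __name__ == "__main__":
    print(flag_oversized(SAMPLE))
```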


    IPv6: Security Improvements

    Large address space

    Built-in IPSec

    Authentication Header

    Encapsulating Security Payload

    Transport and Tunnel Modes

    Protocol Negotiation and Key Exchange Management

    Neighbor Discovery and Address Autoconfiguration


    IPv6: Security Improvements

    Large address space

    Port scanning is used today to look for specific services that could be linked to known weaknesses. Scanning ports on IPv4 is very simple because in most addresses only 8 bits are allocated for host addressing. Scanning a larger address such as the IPv6, 128 bit encryption becomes more difficult.


    IPv6: Security Improvements

    Built-in IPSec

    IPSec was an optional feature in IPv4. IPSec is required in the IPv6 protocol, mandated by RFC4301. IPsec consists of cryptographic protocols that provide safe communication and key exchange


    IPv6: Security Improvements

    Authentication Header

    Authentication header (AH) provides the authentication confidentiality and data integrity. Authentication header protocol prevents packets from being changed or tampered with.


    IPv6: Security Improvements

    Encapsulating Security Payload

    Encapsulating Security Payload does the same as Authentication header, however it also provides confidentiality. In this header there is a field that identifies what group of security parameters the sender is using to secure communications; this is called the security parameter index (SPI).
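Added example (not part of the original presentation): locating the SPI in the Authentication Header and Encapsulating Security Payload slides' headers, using the layouts from RFC 4302 and RFC 4303, and using it to look up the receiver's security association. The packets, the SPI values and the `SAD` table are constructed for illustration.

```python
import struct

AH, ESP = 51, 50  # IANA protocol numbers carried in the IPv6 Next Header field

# Hypothetical security association database keyed by SPI (constructed values).
SAD = {
    0x00001001: {"protocol": "AH", "integrity": "HMAC-SHA1-96", "encryption": None},
    0x00002002: {"protocol": "ESP", "integrity": "HMAC-SHA1-96", "encryption": "AES-CBC"},
}

def ipv6_header(next_header, payload):
    """Prefix payload with a constructed 40-byte IPv6 header (2001:db8::1 -> 2001:db8::2)."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, src, dst) + payload

def parse_ipsec(packet):
    """Return protocol, SPI, sequence number and the matching SA for an IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, body = packet[6], packet[40:]
    if next_header == AH:
        # AH: Next Header, Payload Len, Reserved, SPI, Sequence Number, then ICV
        if len(body) < 12:
            raise ValueError("truncated AH")
        _nh, plen, _rsv, spi, seq = struct.unpack("!BBHII", body[:12])
        if (plen + 2) * 4 > len(body):  # Payload Len is in 32-bit words, minus 2
            raise ValueError("AH Payload Len exceeds packet")
        name = "AH"
    elif next_header == ESP:
        # ESP: SPI, Sequence Number, then the encrypted payload and ICV
        if len(body) < 8:
            raise ValueError("truncated ESP")
        spi, seq = struct.unpack("!II", body[:8])
        name = "ESP"
    else:
        raise ValueError("no AH or ESP directly after the IPv6 header")
    sa = SAD.get(spi)
    if sa is None or sa["protocol"] != name:
        raise LookupError("no security association for SPI %#010x" % spi)
    return {"protocol": name, "spi": spi, "seq": seq, "sa": sa}

# Constructed samples: AH with a 12-byte zeroed ICV, ESP with 32 opaque payload bytes.
AH_PACKET = ipv6_header(AH, struct.pack("!BBHII", 6, 4, 0, 0x1001, 7) + b"\x00" * 12)
ESP_PACKET = ipv6_header(ESP, struct.pack("!II", 0x2002, 9) + b"\x00" * 32)

if __name__ == "__main__":
    print(parse_ipsec(AH_PACKET))
    print(parse_ipsec(ESP_PACKET))
```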


    IPv6: Security Improvements

    Transport and Tunnel Modes

    IPSec provides two modes of securing traffic: Transport and Tunnel Mode. Transport mode is intended to provide secure communication between endpoints by securing only the packet's payload. Tunnel mode is intended to protect the entire IPv4 packet. However, in IPv6 networks, there is no need for a tunnel mode


    IPv6: Security Improvements

    Protocol Negotiation and Key Exchange Management

    Key exchange management provides much functionality to communicate between parties. It negotiates protocols, encryption algorithms and keys with the other parties. It can simply exchange keys as well as change them. Additionally, it keeps track of all agreements.


    IPv6: Security Improvements

    Neighbor Discovery and Address Autoconfiguration

    IPv6 Neighbor Discovery is a way to give nodes the ability to discover other nodes' link-layer addresses on the local link. It can also find routers on the local link; this assists in detecting when a local node becomes unreachable, resolving duplicate IP addresses, and for routers to alert other nodes when another router is needed


    IPv6

    Though IPv6 addresses many of the deficiencies present in IPv4, it is by no means a perfected system.

    Source trouble through processing all stacks by extension header

    Potential for security breaches during transitioning between IPv4 and IPv6
