U of I CS 498 - IPv6 SECURITY

IPv6 SECURITY
SESSION SEC-2003
© 2004 Cisco Systems, Inc. All rights reserved. SEC-2003 9735_05_2004_c3

Introduction
• Discussions around IPv6 security have centered on IPsec
  Though IPsec is mandatory in IPv6, the same issues with IPsec deployment remain from IPv4:
    Configuration complexity
    Key management
  Many IPv6 stacks do not today support IPsec
  Therefore, IPv6 will be deployed largely without cryptographic protections of any kind
• Security in IPv6 is a much broader topic than just IPsec
  Even with IPsec, there are many threats which still remain issues in IP networking
• This presentation will cover the rest of the things you should understand to consider the security implications of v6 on your network

Considerations
• IPv6 security is a fairly new area; many of the best practices in this presentation could change as new realities with IPv6 security are uncovered by the community
  Best practices presented here should be viewed as candidates
• This presentation is focused on IPv6 as a technology, not Cisco's implementation of IPv6 security features (we're security geeks, not product managers)
• This presentation assumes that IPv4 security is very familiar to you
• MIPv6 security is not addressed specifically in this presentation

Agenda
• IPv4 Best Practices Summary and Attack Example
• IPv6 Protocol Summary (Quick, Promise!)
• Types of Threats
• IPv6 and IPv4 Threat Comparisons (The Meat)
• IPv6 Topology and BP Summary
• v6/v4 Dual-Stack Attack Example

Traditional IPv4 Edge Security Design
[Figure: Internet -> ISP Router -> Edge Router -> Stateful Firewall, with Public Servers and Internal Network on the firewall's other two interfaces]
• This design can be augmented with NIDS, application proxies, and a range of host security controls
• The 3-interface FW design as shown here is in use at thousands of locations worldwide
• Firewall policies are generally permissive outbound and restrictive inbound
• As organizations expand in size, the number of "edges" and the ability to clearly identify them becomes more difficult

IPv6 Attack Against IPv4
[Figure: IPv4 Internet and IPv6 Internet joined by a 6to4 Gateway; ISP Router -> Edge Router -> Stateful Firewall -> Public Servers and IPv4 Internal Network, which contains a Rogue Dual Stack Host]
  1. Rogue device establishes 6to4 tunnel to IPv6 Internet
  2. Firewall permits outbound IP protocol 41
  3. Attacker compromises rogue host over IPv6
  4. Compromised system attacks internal network over IPv4
Note that this tunneling can be benign in origin, whereas other tunnels (like GRE) tend to require an active participant inside and outside

Agenda
• IPv4 Best Practices Summary and Attack Example
• IPv6 Protocol Summary (Quick, Attend RST-1305 for More)
• Types of Threats
• IPv6 and IPv4 Threat Comparisons (The Meat)
• IPv6 Topology and BP Summary
• v6/v4 Dual-Stack Attack Example

IPv4 and IPv6 Header Comparison
IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
Legend (colour coding in the original figure):
  Field's name kept from IPv4 to IPv6: Version, Source Address, Destination Address
  Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding
  Name and position changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit
  New field in IPv6: Flow Label

Address Allocation Policy
• The allocation process is under review by the registries:
  IANA allocates 2001::/16 to registries
  Each registry gets a /23 prefix from IANA
  Formerly, all ISPs were getting a /35
  With the new policy, the registry allocates a /32 prefix to an IPv6 ISP
  Then the ISP allocates a /48 prefix to each customer (or potentially /64)
  ftp://ftp.cs.duke.edu/pub/narten/ietf/global-ipv6-assign-2002-06-26.txt
[Figure: example address 2001:0DB8::, split as Registry /23, ISP Prefix /32, Site Prefix /48, LAN Prefix /64, Interface ID]

Address Types
• Unicast
    Global
    Link-local
    Site-local (deprecated) / local unicast
    Compatible (IPv4, IPX, NSAP)
• Multicast (one to many)
• Anycast (one to nearest)
• Reserved

IPv6 Addressing per Device
• In IPv4, devices were restricted to one IPv4 address per interface
• In IPv6, devices have multiple addresses per interface
    Ethernet0/1 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::201:96FF:FE5B:E161
      Global unicast address(es):
        2001:0DB8:DEEE:19::1, subnet is 2001:0DB8:DEEE:19::/64
      Joined group address(es):
        FF02::1  "All nodes link local multicast"
        FF02::2  "All routers link local multicast"
        FF02::9  "All RIP routers link local multicast"

IPv6 Privacy Extensions (RFC 3041)
• Temporary addresses for IPv6 host client applications, e.g., web browser
  Inhibit device/user tracking, but many organizations want to do the tracking
  Random 64-bit interface ID; run DAD before using it
  Rate of change based on local policy
  Implemented on Microsoft Windows XP
  Recommendation: use privacy extensions for external communication but not for internal networks
[Figure: 2001:0DB8:: with /23, /32, /48, /64 boundaries; the randomised part is the Interface ID]

IPv6 Header Format: Next Header
[Figure: 40-octet fixed header, 32 bits wide: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address; followed by variable-length Extension Header info, then the Data Portion. The Next Header field of each header identifies the header that follows.]

Extension Headers
IPv6 Packet = IPv6 Basic Header (40 Octets) + Any Number of Extension Headers + Data (Ex. TCP or UDP)
Each extension header carries: Next Header, Ext Hdr Length, Ext Hdr Data

IPv6 Header Options (RFC 2460)
• Processed only by node identified in IPv6 destination address field => much lower overhead than
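The two points the slides above make, that a firewall permitting outbound IP protocol 41 lets a 6to4 tunnel through, and that the real transport protocol sits behind a variable-length Next Header chain, combined in one defender-side parser. This is an added example, not code from the Cisco deck: it flags protocol 41 in an IPv4 packet, decodes the tunnelled IPv6 header, walks the extension-header chain to the upper-layer protocol and marks 6to4 (2002::/16) sources. The packet it inspects is constructed inline; 192.88.99.1 is the 6to4 relay anycast address, the other addresses are documentation ranges.

```python
import ipaddress
import struct

IPV6_IN_IPV4 = 41              # IPv4 protocol number for 6to4 / IPv6-in-IPv4 tunnels
EXT_HEADERS = {0, 43, 44, 60}  # Hop-by-Hop, Routing, Fragment, Destination Options
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def walk_ipv6(pkt: bytes) -> dict:
    """Parse the 40-octet IPv6 header and follow the Next Header chain to the payload."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, hop_limit = pkt[6], pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    off, chain = 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        # Fragment header is always 8 octets; others are (Hdr Ext Len + 1) * 8 octets.
        hdr_len = 8 if nxt == 44 else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    return {"src": str(src), "dst": str(dst), "hop_limit": hop_limit,
            "ext_chain": chain, "upper_proto": nxt, "payload_offset": off,
            "is_6to4": src in SIX_TO_FOUR}


def inspect_ipv4(pkt: bytes):
    """Return details of the tunnelled IPv6 packet if this IPv4 packet is protocol 41."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPV6_IN_IPV4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    info = walk_ipv6(pkt[ihl:])
    info["outer_src"] = str(ipaddress.IPv4Address(pkt[12:16]))
    return info


def build_sample() -> bytes:
    """Constructed packet (not captured): IPv4 proto 41 carrying 6to4 IPv6, Dest Options then TCP."""
    inner_src = ipaddress.IPv6Address("2002:c000:201::1")   # 6to4 prefix for 192.0.2.1
    inner_dst = ipaddress.IPv6Address("2001:db8::10")
    dst_opts = bytes([6, 0, 1, 4, 0, 0, 0, 0])  # Next=TCP, Hdr Ext Len=0, one PadN option
    tcp = b"\x00" * 20                          # placeholder TCP header, not inspected here
    v6 = struct.pack("!IHBB", 6 << 28, len(dst_opts) + len(tcp), 60, 64)
    v6 += inner_src.packed + inner_dst.packed + dst_opts + tcp
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, IPV6_IN_IPV4, 0,
                     ipaddress.IPv4Address("192.0.2.1").packed,    # IPv4 checksum left 0
                     ipaddress.IPv4Address("192.88.99.1").packed)
    return v4 + v6
```

A filter that inspects only the outer IPv4 protocol field never sees the TCP inside; the chain walk is what makes the tunnelled transport visible.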