Advanced IPv6 Residential Security
draft-vyncke-advanced-ipv6-security-00.txt
Mark Townsley [email protected]
Eric Vyncke [email protected]
November 2009
draft-vyncke-advanced-ipv6-security-00.txt> 2
V6OPS Simple-Security for Residential Networks
1. Embedded (Static) Policy Definition (e.g., from draft-v6ops-simple-security.…)
2. Ports are either opened implicitly via outbound flows, or explicitly via policy switches.
Otherwise, all inbound traffic is dropped…
Most incoming flows are “guilty until proven innocent”
Mimics the current low-end IPv4 home gateways/routers
3. Troubleshooting: typically, little to no feedback to the user on what traffic is dropped and why
4. User/Application control: Policy knobs via UI or protocols (NAT-PMP, UPnP) to interact with FW settings
Basic Idea
[Diagram: a “Large Enterprise” network with a large number of global IP addresses, beside a Typical Residential IPv6 Network]
Observation: large global addressing in IPv6 allows any residential network to resemble an enterprise network with a large IPv4 global address block
Security Features
V6ops is in the process of defining what residential IPv6 security should look like, so perhaps we should examine security features that are used in enterprise networks today and see how they might apply in a residential security setting
Security Features
These techniques are not IPv6-specific per se, but we were discussing them within the context of IPv6 in v6ops.
Overview
7 policies are identified in the -00. These are largely based on features which are commonly available in “advanced” security gear for enterprises today
Home edge router is not something that is purchased and thrown away when obsolete. Instead, it is actively updated like many other consumer devices are today (PCs, iPods and iPhones, etc.)
Business model may include a paid subscription service from the manufacturer, a participating service or content provider, consortium, etc.
Advanced Security
User Feedback
User control
IPS
Dynamic Policy & Signatures
Update
On-line Access to IP Address Reputation
Why is this important to IPv6?
Security policy can be adjusted to match the threat as attacks arrive
We don’t break end-to-end IPv6, unless we absolutely have to
While providing arguably better security, troubleshooting, etc. than we would otherwise
Default Security Policy
1. RejectBogon: including uRPF checks
2. BlockBadReputation: for in/outbound traffic
3. AllowReturn: and apply IPS on in/outbound traffic
4. AllowToPublicDnsHost: allow inbound traffic to an inside host with a AAAA & reverse-DNS record
5. ProtectLocalOnly: block all inbound traffic to an inside host which never transmitted to the outside (à la full-cone)
6. CryptoIntercept: intercept all inbound SSL/TLS connections, present a (self-signed) cert, decrypt and re-encrypt; goal is to apply IPS
7. ParanoidOpenness: allow ALL inbound traffic by default (see more on next slide)
More on Paranoid Openness
All other inbound flow is permitted
Rate limit (SYN & plain data) to protect low-bandwidth residential links
Basic protection against host scan
If authenticated flow (e.g. HTTP): perform dictionary attack on credential and reject too obvious ones (or default ones)
Goal is to force user to select good credentials
IPS must be applied
If protocol unknown, then flow MAY be permitted
If attack is detected, then flow MUST be denied
Conclusion
“simple-security” as is being defined now, is not the only possible residential gateway security model
“Advanced” security methods can provide adaptable and robust security that can better track threats as attacks appear on IPv6…
….giving us the chance for more open policies with respect to end-to-end connectivity
Our Ask to V6OPS as of Tuesday
Possible Next Steps…
Nothing, continue with simple-security as is
See what modern security methods we might be able to bring into simple-security, while keeping the “static” mode of operation it assumes now
Define an “advanced security” mode that includes dynamic tracking of threats as attacks arrive, and adjusts policies accordingly
Consensus at V6OPS
Very nice proposal
Incorporation of some parts in simple-security I-D
Propose a BoF for Anaheim
Potentially move to HOMEGATE WG?
Several other people interested in working on this