02 ipv6-cpe-panel security
Post on 25-May-2015
371 Views
Preview:
TRANSCRIPT
1
IPv6 residential gateway security
Eric Vyncke Cisco Systems CTO/Consulting Engineering evyncke@cisco.com
draft-vyncke-advanced-ipv6-security-00.txt> 2
The Security Questions when adding IPv6 to a RG/CPE
Is IPv6 more or less secure than IPv4? Roughly equivalent (lack of knowledge makes IPv6 less secure for now)
Which security policy for IPv6? Same as for IPv4? (including the ‘NAT security’) Same as in 2000 when IPv4 CPE were designed?
How congruent must be the IPv* policies?
draft-vyncke-advanced-ipv6-security-00.txt> 3
Typical IPv4 Security
Apply spoofing anti-spoofing (and anti-bogons)
Allow all traffic inside to outside
Only allow traffic outside to inside if it matches an outbound flow
Drop the rest
Specific TCP/UDP ports could be blocked (such as 445/TCP) or opened
Often co-located with the NAT function (cfr iptables)
draft-vyncke-advanced-ipv6-security-00.txt> 4
IPv6 Changes a Few Things
Link-local / ULA are completely isolated from ‘bad’ Internet
Good for security
Home device are globally reachable Perhaps less good for security
draft-vyncke-advanced-ipv6-security-00.txt> 5
CPE to CPE Communication IPv4 vs. IPv6 SP want to see all user to user traffic
IPv4 WAN addresses must communicate Usually in the same layer 2 domain… tricks to force traffic to BNG
IPv6 WAN addresses have no reason to communicate IPv6 LAN addresses must communicate (easy: this is routed)
SP BNG
Ole’s CPE Eric’s CPE
2001:db8:café::/64 2001:db8:bad::/64
2001:db8:bad::/64
192.2.0.0/24
192.168.1.0/24 192.168.1.0/24
draft-vyncke-advanced-ipv6-security-00.txt> 6
IPv6 Simple Security
An IETF work item from James Woodyatt, Apple
Advices a security policy for IPv6 which is mostly congruent with the IPv4 one:
Basic anti-bogons/spoofing Outbound permitted Inbound permitted
Benefits: Guidelines for the CPE implementers Technically doable & easy Congruent with IPv4 (easier for user)
Cons: Break the open host to host promise of IPv6
draft-vyncke-advanced-ipv6-security-00.txt> 7
What has changed between v4 & v6?
IPv4 CPE designed pre-2000 Hosts were weak, vulnerable CPE were CPU and memory constraints NAT prevents any easy & direct host to host communication Security technique: mainly firewall
IPv6 CPE are designed in 2010 IPv6 hosts are much stronger and resistant CPE have more CPU and memory Host to host communication is possible New security techniques: Intrusion Prevention System, reputation of IP addresses, centralized & automatic updates
Humm… Wishful
thinking for sensors,
webcams and other small/
embedded OS
draft-vyncke-advanced-ipv6-security-00.txt> 8
Proposal: less simple security
Why not use modern techniques for IPv6 CPE? IPS Automated updates (policies & engines) Address reputation Cloud computing …
Individual I-D: draft-vyncke-advanced-ipv6-security
draft-vyncke-advanced-ipv6-security-00.txt> 9
Overview
7 policies are identified. These are largely based on features which are commonly available in “advanced” security gear for enterprises today
Home edge router is not something that is purchased and thrown away when obsolete. Instead, it is actively updated like many other consumer devices are today (PCs, iPods and iPhones, etc.)
Business model may include a paid subscription service from the manufacturer, a participating service or content provider, consortium, etc.
draft-vyncke-advanced-ipv6-security-00.txt> 10
Advanced Security
Feedback
User control
IPS
Dynamic Update
draft-vyncke-advanced-ipv6-security-00.txt> 11
Why is this important to IPv6?
Security policy can be adjusted to match the threat as IPv6 attacks arrive
We don’t break end-to-end IPv6, unless we absolutely have to
While providing arguably better security, troubleshooting, etc. than we would otherwise
draft-vyncke-advanced-ipv6-security-00.txt> 12
Conclusion
IPv6 is as (in)secure as IPv4
User education will be key
IPv6@2010 is different than IPv4@2000 More secure hosts More powerful CPE End-to-end connectivity could/should be restored
top related