CS 265 – Project IPv6 Security Aspects – Surekha Shinde

Post on 14-Dec-2015


Agenda

• Introduction to IPv6
• IPv4 and IPv6 Comparison
• Current issues in IPv4
• IPv6 solutions for IPv4 issues
• New issues of new protocol
• Hacking Tools
• Conclusion

Introduction to IPv6

• Why IPv6

• IPv6 Important features: Wish-list

• Faster Packet Processing

• Enhanced QOS

• Improved Security

• Greater protocol Flexibility

• Dual-Stack approach

The IPv6 Header: 40 octets, 8 fields

Bit positions 0 to 31 per row; field boundaries at bits 4, 12, 16 and 24.

Version | Class | Flow Label
Payload Length | Next Header | Hop Limit
128 bit Source Address
128 bit Destination Address

The IPv4 Header: 20 octets + options; 13 fields, including 3 flag bits

Bit positions 0 to 31 per row; field boundaries at bits 4, 8, 16 and 24.

Ver | IHL | Service Type | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
32 bit Source Address
32 bit Destination Address
Options and Padding

Shaded fields (in the original figure) are absent from the IPv6 header

IPv6 Addressing

IPv6 addressing rules are covered by multiple RFCs

Architecture defined by RFC 2373

Address types are:
• Unicast: One to One
• Anycast: One to Nearest
• Multicast: One to Many
• Reserved

A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)

No broadcast address -> IPv6 uses multicast

Notation & Abbreviation

Notation

128 bits = 16 bytes = 32 hex digits

Binary: 1111110111101100 ... 1111111111111111

Hexadecimal colon notation: FDEC:BA98:7654:3210:ADBF:BBFF:2922:FFFF

Abbreviation

Unabbreviated: FDEC:BA98:0074:3210:000F:BBFF:0000:FFFF

Abbreviated: FDEC:BA98:74:3210:F:BBFF:0:FFFF

Abbreviated: FDEC:0:0:0:0:BBFF:0:FFFF

More abbreviated: FDEC::BBFF:0:FFFF

IPv6 Addressing for IPv4

IPv4-Compatible IPv6 Address format

96 bits of zeros | 32 bit IPv4 address
0:0:0:0:0:0 | 192.168.10.10

IPv4-Compatible Address = 0:0:0:0:0:0:192.168.10.10 = ::192.168.10.10

IPv4-Mapped IPv6 Address format

80 bits of zeros | 16 bits FFFF | 32 bit IPv4 address
0:0:0:0:0 | FFFF | 192.168.10.10

IPv4-Mapped Address = 0:0:0:0:0:FFFF:192.168.10.10
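Added example (not part of the original slides): one IPv6 address has many textual forms, and the IPv4-compatible and IPv4-mapped formats both carry an IPv4 address, so a filter should compare parsed addresses rather than strings. The sketch uses Python's standard ipaddress module; the function names and the deny rule 192.168.10.0/24 are assumptions made for illustration.

```python
import ipaddress

def canonical(text: str) -> str:
    """Shortest lowercase form, so equal addresses give equal strings."""
    return ipaddress.IPv6Address(text).compressed

def embedded_ipv4(text: str):
    """Return (kind, IPv4Address) when the address carries an IPv4 address."""
    addr = ipaddress.IPv6Address(text)
    if addr.ipv4_mapped is not None:       # 80 zero bits + FFFF + IPv4
        return "ipv4-mapped", addr.ipv4_mapped
    value = int(addr)
    if 1 < value < 2**32:                  # 96 zero bits + IPv4 (not :: or ::1)
        return "ipv4-compatible", ipaddress.IPv4Address(value)
    return None, None

def denied(text: str, denied_v4_net: str) -> bool:
    """Apply an IPv4 deny rule to an IPv6 address that embeds an IPv4 one."""
    _kind, v4 = embedded_ipv4(text)
    return v4 is not None and v4 in ipaddress.ip_network(denied_v4_net)

if __name__ == "__main__":
    # Sample inputs are the addresses shown on the slides above.
    for form in ("FDEC:BA98:0074:3210:000F:BBFF:0000:FFFF",
                 "FDEC:0:0:0:0:BBFF:0:FFFF",
                 "0:0:0:0:0:0:192.168.10.10",
                 "0:0:0:0:0:FFFF:192.168.10.10"):
        kind, v4 = embedded_ipv4(form)
        print(canonical(form), kind, v4, denied(form, "192.168.10.0/24"))
```

Without the embedded-address check, a rule written only for 192.168.10.0/24 would not match the same host when it appears as 0:0:0:0:0:FFFF:192.168.10.10.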

IPv6 over IPv4 Tunnels

• Tunneling is encapsulating the IPv6 packet in the IPv4 packet
• Tunneling can be used by routers and hosts

[Figure: IPv6 Host A, IPv6 network, Dual-Stack Router A, IPv4 network (tunnel: IPv6 in IPv4 packet), Dual-Stack Router B, IPv6 network, IPv6 Host B]

Packet on the IPv6 networks: IPv6 Header | Transport Header | Data
Packet inside the tunnel: IPv4 Header | IPv6 Header | Transport Header | Data

Dual Stack Approach & DNS

In a dual stack case, an application that:
• Is IPv4 and IPv6-enabled
• Asks the DNS for all types of addresses
• Chooses one address and, for example, connects to the IPv6 address

[Figure: the application asks the DNS server "www.sjsu.com = * ?"; the answer holds an IPv6 address (3ffe:b00::1) and an IPv4 address (10.1.1.1)]

Security Advantages of IPv6 Over IPv4

IPv4 - NAT breaks end-to-end network security

IPv6 - Huge address range – No need of NAT

IPv4 – IPSEC is Optional

IPv6 - Mandatory in v6

IPv4 - Security extension headers(AH,ESP) – Back ported

IPv6 - Built-in Security extension headers

IPv4 - External Firewalls introduce performance bottlenecks

IPv6 - Confidentiality and data integrity without need for additional firewalls

Security Advantages of IPv6 Over IPv4 (2)

IPv4 - Security issues related to ICMPV4.

IPv6 - ICMPV6 uses IPSEC authentication and encryption.

IPv4 - No mechanism for resistance to scanning

IPv6 - RTS possible only in IPV6

IPV4 - Doesn’t support Auto configuration

IPv6 - Built in Auto configuration support

Ignorance of network administrators about IPv6

But, thanks to the transitional efforts of the IETF

• IPv4 - Security option field and optional IPSEC

• IPv6 - IPSEC is part of the protocol suite (mandatory); IPSEC provides network-level security

• IPSEC uses:
  - AH (Authentication Header)
  - ESP (Encapsulating Security Payload) Header

Important Security fields in IPv6

Authentication Header (AH)

• Data integrity
• Data authentication
• Anti-replay protection

Fig. - Authentication Header (AH) Packet Format (one 32-bit row per line)

Next Header | Hdr Ext Len | Reserved
Security Parameters Index (SPI)
Sequence Number
Authentication Data

Authentication Header fields

• SPI: Security parameter index
• Sequence number field: Anti-replay protection
• Authentication data: ICV - authentication and data integrity
• HMAC (Hash message authentication code) + MD5 & HMAC + SHA-1
• AH supports several authentication algorithms
• Prevents IP spoofing attacks
• Prevents DOS attacks
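Added example (not part of the original slides): a parser for the 40-octet IPv6 header and the Authentication Header laid out above, run on a constructed packet. Next Header value 51 identifies AH; the SPI, sequence number, zeroed Authentication Data and the address 3ffe:b00::2 are constructed sample values, and the function names are illustrative.

```python
import struct
import ipaddress

AH, ESP = 51, 50  # IANA protocol numbers carried in the Next Header field

def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the 40-octet fixed IPv6 header (8 fields)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "version": word0 >> 28,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }

def parse_ah(data: bytes) -> dict:
    """Decode an AH; the length field counts 32-bit words minus 2."""
    if len(data) < 12:
        raise ValueError("truncated AH")
    next_hdr, ext_len, _reserved, spi, seq = struct.unpack("!BBHII", data[:12])
    total = (ext_len + 2) * 4
    if total < 12 or len(data) < total:
        raise ValueError("AH length field does not fit the captured data")
    return {"next_header": next_hdr, "length": total, "spi": spi,
            "sequence": seq, "icv": data[12:total]}

def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 header + AH (12 zero ICV bytes) + 8 data bytes."""
    ah = struct.pack("!BBHII", 17, 4, 0, 0x1000, 7) + bytes(12)
    body = ah + bytes(8)
    src = ipaddress.IPv6Address("3ffe:b00::1").packed
    dst = ipaddress.IPv6Address("3ffe:b00::2").packed
    return struct.pack("!IHBB", 6 << 28, len(body), AH, 64) + src + dst + body

if __name__ == "__main__":
    pkt = build_sample_packet()
    ip6 = parse_ipv6_header(pkt)
    if ip6["next_header"] == AH:
        print(ip6["src"], "->", ip6["dst"], parse_ah(pkt[40:]))
```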

Encapsulating Security Payload (ESP)

• Data confidentiality
• Data integrity
• Data authentication
• Anti-replay protection
• Authentication applied only to data being encrypted
• Optional services - select at least one

ESP Packet Header Format (one row per line)

Security Parameters Index (SPI)
Sequence Number
Payload
Padding | Padding Length | Next Header
Authentication Data

ESP Packet Header

• ESP header with confidentiality service – prevents sniffing, e.g. TCP dump & Windump

• ESP - symmetric key algorithms like DES, 3DES and AES

ESP Header Fields:

• SPI: Security parameter index

• Sequence number field: Anti-replay protection

Security issues in IPV6:

• IPSEC relies on PKI, not yet fully standardized

• Scanning possible – if poorly designed

• No protection against all denial of service attacks (DoS attacks are difficult to prevent in most cases)

• Not many IPv6-capable firewalls on the market

But ??????

By The Way…IPv6 Hacking Tools

• Sniffer/packet capture analyzers: Snort, TCP dump, Ethereal, Windump, WinPcap

• Scanners: IPV6 security scanner, Halfscan6, Nmap

• DOS tools: 6tunneldos, 4to6DDOS, Imps6-tools

• Packet forgers: SendIP, Packit, Spak6

• Worms: Slapper

RealSecure & Proventia Tools

Conclusion

‘Black Hats’ Vs ‘White Hats’

Time for ignoring IPv6: PAST

Time for understanding, recognizing and deploying it: NOW


Questions ?
