Architectural Risks and Mitigations in IPv6


Page 1: Architectural Risks and Mitigations in IPv6

2006-05-10 (DRAFT)

Architectural Risks and Mitigations in IPv6

James R Lindley, CISSP-ISSAP/ISSEP/ISSMP, CISA, CHS-III
Senior Computer Engineer (Security Architectures)
IRS IT Security Architectures & Engineering

Page 2: Architectural Risks and Mitigations in IPv6

04/22/23 Features and Security Considerations for IPv6 2

Disclaimers

• Information scope is limited, additional readings required
• Presentation Organization:
  • A SHORT review of the IPv6 Protocol Suite
  • Architectural Insecurities
  • Possible Mitigations

Page 3: Architectural Risks and Mitigations in IPv6

Features of Network Layer Protocols

• Logical Addressing
• Route Discovery
• Quality of Service
• Packet Header Structures
• Fragmentation Methods
• Supporting Protocols

Page 4: Architectural Risks and Mitigations in IPv6

IPv6 Address Space

[Figure: IPv4 with Subnet Mask compared with the IPv6 address space; the counts below are the figure's labels]

IPv4 with Subnet Mask
• 32 bits - fixed
• 32 bits = 4,294,967,295
• Very few huge networks (255.0.0.0)
• Lots of small networks (255.255.255.0)
• Subnets and Hosts from the same 32 bit pool

How to Use 128 Bits
• We really don’t get 3.3 × 10^38
• Prefix boundaries marked in the figure: /8, /32, /48, /64 (Network | Subnet | 64 bits - Host)
• Counts from the figure: 65,535 @ 48; 4,294,967,295 @ 32; 18,014,398,509,481,983 @ 54; 18,446,744,073,709,551,615 potential hosts
• A /16 = 281,474,976,710,655 networks

Page 5: Architectural Risks and Mitigations in IPv6

IPv6 Address Types

• Unicast
  • Address of a single interface
  • One to one - delivery to a single interface
• Multicast
  • Address of a set of interfaces
  • One to many - delivery to all interfaces in the set
• Anycast
  • Address of a set of interfaces
  • One to one-of-many - delivery to the closest single interface in the set
• No more broadcast addresses

Page 6: Architectural Risks and Mitigations in IPv6


Unicast IPv6 Addresses

• Aggregatable Global Unicast Addresses (AGUA)

• Link-local addresses

• Site-local addresses (not SLA – see later) (deprecated)

• Unique Local Addresses (replaces Site-local)

• Special addresses

• Compatibility addresses

• NSAP addresses (Network Service Access Point)

Page 7: Architectural Risks and Mitigations in IPv6

IPv6 Address Summary

• Global
  • Typically begins with 2 or 3 (ARIN = 2600::0)
  • Unique for the entire IPv6 Internet
• Link-local
  • Begins with FE80
  • Unique for a single link
• Site-local (deprecated)
  • Begins with FEC0
• Local (Unique Local)
  • Begins with FD00
• Multicast
  • Begins with FF00

Page 8: Architectural Risks and Mitigations in IPv6

Multiple Addresses on a Node

• Unlike IPv4, an IPv6 node always has multiple addresses
  • Link-local, site-local, global, etc.
• It is the job of the node’s protocol stack to decide the most efficient address to use to reach the destination
• Greatly simplifies routing

Page 9: Architectural Risks and Mitigations in IPv6

Assigning Interface Addresses

• Two ways to assign addresses
  • Static assignment
  • Automatic assignment
    • via DHCP (stateful)
    • via autoconfiguration (stateless)
• Static assignment will be challenging because of the address size
• Automatic assignment will be much more common

Page 10: Architectural Risks and Mitigations in IPv6


Six Paths to an IPv6 Interface ID (Address)

• Extended Unique Identifier (EUI-64) address

• Randomly generated value (SeND)

• A value assigned by a stateful address configuration protocol such as DHCPv6

• Expanded IPv4 Address

• A manually configured value

• A value assigned during the establishment of a Point-to-Point Protocol connection

Page 11: Architectural Risks and Mitigations in IPv6

Extended Unique Identifier (EUI-64) address

• Derived from IEEE MAC-48 address
• Privacy considerations in host ID
• MAC-48 structured address architecture makes range scanning easier

Page 12: Architectural Risks and Mitigations in IPv6


Randomly generated value (SeND)

• RGV = Randomly Generated Value

• Sometimes AKA Cryptographically Generated Address (CGA)

• Greater privacy (RGV also used in EUI-64 privacy extensions)

• Maximum range scanning difficulty due to unstructured address architecture

• Loss of administrative address control

Page 13: Architectural Risks and Mitigations in IPv6

IPv6 Interface ID Configuration – DHCPv6

• Value assigned by a stateful address configuration protocol (i.e., DHCPv6)
• Requires router Managed Address parameter configuration
• Requires DHCPv6 server and administration
• May result in address assignment patterns that make range scanning easier

Page 14: Architectural Risks and Mitigations in IPv6

IPv6 Interface ID Configuration – eXIPv4

• Expanded IPv4 Address
• Used with 4to6 and 6over4 and ISATAP tunneling
• May reveal IPv4 use and address
• May make U-Turn Attacks easier

Page 15: Architectural Risks and Mitigations in IPv6

IPv6 Interface ID Configuration – Manual/PPP

• Manually configured value
  • More labor required
  • Pattern establishment possible
  • Does not make best use of dynamic and automatic IPv6 address assignment tools
• Value assigned during the establishment of a Point-to-Point Protocol connection
  • Used only with PPP
  • Found only with MODEM dialup connections

Page 16: Architectural Risks and Mitigations in IPv6

Stateless Autoconfiguration

• Hosts generate an IP address automatically by combining link information with the Interface ID
  • EUI-64
  • Privacy Extensions
• Link information is retrieved via Router Solicitations (RS) or Advertisements (RA)

Page 17: Architectural Risks and Mitigations in IPv6


Router Advertisements

• RA/RSs are a subset of Neighbor Discovery (ND) protocol

• All routers send RAs every 5 minutes from each defined link local address to FF02::1 (All-nodes-on-link)

• If the Default Router field has a non-zero time listed, it may be used as a default router

• RAs have a Managed Address flag – if set, it means host must contact DHCP server to generate Global Unicast Addresses (Stateful configuration mandated)

Page 18: Architectural Risks and Mitigations in IPv6

Quality of Service

• IPv4 Type of Service header field has been renamed Traffic Class in IPv6 with identical bit assignment and processing
• IPv4 has no mechanism for recognizing data streams; it focuses on “guarantees” of delivery and the TOS field
• IPv6 has a Flow Control header field that routers use to prioritize data stream processing
  • Integrated Services (RFC 1633) prioritization without Transport Layer data inspection
  • Requires Resource Reservation Protocol (RSVP) [RFC 2205]
  • Eliminates redundant route resolution processing
  • No standard definition of FC field values
  • Introduces a potential “DOS” vulnerability

Page 19: Architectural Risks and Mitigations in IPv6

Packet Header Changes

• IPv4 has a variable length packet header
  • Many fields unused
  • Use of options adds to variability
  • Variability led to an integrity check calculation processing requirement
  • Options limited in complexity
• IPv6 has a fixed length packet header
  • All fields used
  • Options are well-defined
  • No requirement for integrity check processing
  • Multiple options may be “stacked”

Page 20: Architectural Risks and Mitigations in IPv6

IPv6 Header (Fixed length, 40 bytes) RFC 2460

Field                 Size       Reference
Version               4 bits     RFC 2780
Traffic Class         1 byte     RFC 2474
Flow Label            20 bits    RFC 3697
Payload Length        2 bytes
Next Header           1 byte
Hop Limit             1 byte
Source Address        16 bytes   (drawn as four 4-byte rows in the figure)
Destination Address   16 bytes   (drawn as four 4-byte rows in the figure)

Page 21: Architectural Risks and Mitigations in IPv6


IPv6 Header Detail: Flow Control

• Defined in RFC 3697

• Size is 20 bits (2.5 bytes)

• A random number selected by the sending host used to specify a particular ‘flow’ of data

• Not fully defined yet, but has the potential to reduce processing latency for a ‘flow’ of data, even if it comes from different applications

• Routers keep track of flows and once received, do not have to reprocess routing information for additional packets in that flow

Page 22: Architectural Risks and Mitigations in IPv6


IPv6 Header Detail: Next Header

• Size is 1 byte

• Was called Protocol Type field in v4

• Specifies what type of header is coming next in the packet (TCP/UDP/ICMPv6, etc)

• If extension headers are used, the type of extension header is listed here

• Common values: 6 (TCP), 17 (UDP), 58 (ICMP6)

Page 23: Architectural Risks and Mitigations in IPv6

IPv6 Extension Headers

Three header chains from the figure:

• IPv6 Header (Next Header = 6 (TCP)) → TCP Segment
• IPv6 Header (Next Header = 43 (Routing)) → Routing Header (Next Header = 6 (TCP)) → TCP Segment
• IPv6 Header (Next Header = 43 (Routing)) → Routing Header (Next Header = 51 (AH)) → Authentication Header (Next Header = 6 (TCP)) → TCP Segment

Page 24: Architectural Risks and Mitigations in IPv6

Extension Headers – Intermediate Nodes

• Hop-by-Hop Options Header
  • Jumbo Payload option
  • Router Alert option – Router must process the datagram
• Destination Options header
  • Used by intermediate nodes when Routing header is present
• Routing header
  • Used for source routing and MobileIP

Page 25: Architectural Risks and Mitigations in IPv6

Extension Headers – Destination Node

• Fragment header
  • Used only by the source and destination nodes
• IPSec specific headers
  • Authentication header (AH)
  • Encapsulating Security Payload (ESP) header
• Destination Options header
  • Used only by destination node when Routing Header is not present
  • Used by MobileIP
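An added example, not from the deck: a walker for the Next Header chains drawn on page 23, covering the extension headers listed on pages 24 and 25 with their differing length units, and enforcing a cap on chain depth as one mitigation for the header-chaining overflow risk raised on page 64. The sample packets, the cap of 8 and the helper names are constructed for this example.

```python
import ipaddress
import struct

# Next Header values from the figure on page 23 plus the other extension
# headers a chain walker must know how to skip (IANA protocol numbers).
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DSTOPTS = (
    0, 6, 17, 43, 44, 50, 51, 58, 60)
NAMES = {0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 43: "Routing", 44: "Fragment",
         50: "ESP", 51: "AH", 58: "ICMPv6", 59: "No Next Header",
         60: "Destination Options"}
IPV6_HDR_LEN = 40
MAX_EXT_HEADERS = 8  # policy cap (assumed value): how deep a chain we accept


def walk_header_chain(packet: bytes, max_ext: int = MAX_EXT_HEADERS) -> list:
    """Return the header names from the fixed IPv6 header to the upper-layer
    protocol. Raises ValueError for a malformed or over-long chain.

    Length units differ per extension header, which is what makes chain
    parsing error-prone: Hop-by-Hop, Destination Options and Routing headers
    occupy (len + 1) * 8 octets, Fragment is fixed at 8, and AH occupies
    (len + 2) * 4 octets. ESP carries no length field because everything
    after it is encrypted, so the walk stops there.
    """
    if len(packet) < IPV6_HDR_LEN or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = IPV6_HDR_LEN + payload_len
    if len(packet) < end:
        raise ValueError("packet shorter than Payload Length")
    next_hdr, offset, chain, ext_count = packet[6], IPV6_HDR_LEN, ["IPv6"], 0
    while next_hdr in (HOPOPT, ROUTING, DSTOPTS, FRAGMENT, AH):
        ext_count += 1
        if ext_count > max_ext:
            raise ValueError("extension header chain exceeds policy limit")
        if offset + 2 > end:
            raise ValueError("extension header runs past Payload Length")
        if next_hdr == FRAGMENT:
            hdr_len = 8
        elif next_hdr == AH:
            hdr_len = (packet[offset + 1] + 2) * 4
        else:
            hdr_len = (packet[offset + 1] + 1) * 8
        if offset + hdr_len > end:
            raise ValueError(f"{NAMES[next_hdr]} header runs past Payload Length")
        chain.append(NAMES[next_hdr])
        next_hdr, offset = packet[offset], offset + hdr_len
    chain.append(NAMES.get(next_hdr, f"protocol {next_hdr}"))
    return chain


def describe(packet: bytes) -> str:
    """Chain as 'IPv6 -> Routing -> TCP', or 'REJECT: <reason>' for a bad packet."""
    try:
        return " -> ".join(walk_header_chain(packet))
    except ValueError as exc:
        return f"REJECT: {exc}"


# --- constructed sample packets (test fixtures, not captured traffic) ---

def ipv6_packet(next_hdr: int, payload: bytes) -> bytes:
    """Fixed 40-byte header: version 6, Traffic Class 0, Flow Label 0, hop limit 64."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return (fixed + ipaddress.IPv6Address("2001:db8::1").packed
            + ipaddress.IPv6Address("2001:db8::2").packed + payload)


def routing_header(next_hdr: int) -> bytes:
    """Routing header with one 16-byte segment: Hdr Ext Len = 2 -> 24 octets."""
    return (struct.pack("!BBBB", next_hdr, 2, 0, 1) + b"\x00" * 4
            + ipaddress.IPv6Address("2001:db8::ffff").packed)


def auth_header(next_hdr: int) -> bytes:
    """AH with a 12-byte ICV: Payload Len = 4 -> (4 + 2) * 4 = 24 octets."""
    return struct.pack("!BBHII", next_hdr, 4, 0, 0x1234, 1) + b"\x00" * 12


def dest_options_header(next_hdr: int) -> bytes:
    """Minimal 8-octet Destination Options header holding one PadN option."""
    return struct.pack("!BB", next_hdr, 0) + b"\x01\x04\x00\x00\x00\x00"


TCP_SEGMENT = b"\x00\x50\x04\xd2" + b"\x00" * 16  # 20-byte TCP header, ports 80 -> 1234


if __name__ == "__main__":
    for pkt in (ipv6_packet(TCP, TCP_SEGMENT),
                ipv6_packet(ROUTING, routing_header(TCP) + TCP_SEGMENT),
                ipv6_packet(ROUTING, routing_header(AH) + auth_header(TCP) + TCP_SEGMENT)):
        print(describe(pkt))
```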

Page 26: Architectural Risks and Mitigations in IPv6


IPv4 Fragmentation Control

• Maximum Transmission Unit (MTU) defines the largest amount of data in octets that a device can send or forward in a single datagram

• Path MTU (PMTU) is the smallest MTU of all the devices between a source and destination host

• IPv4 has no PMTU discovery mechanism and sends packets at the size defined in the source host configuration

• An IPv4 intermediate node receiving a packet larger than the node’s MTU divides a packet into several smaller packets before forwarding the new, smaller packets

• This introduces latency and increased traffic into the network

Page 27: Architectural Risks and Mitigations in IPv6

IPv6 Fragmentation Control

• Before sending a packet, IPv6 sends a test packet sized to the source host’s pre-defined MTU to the destination
• IPv6 listens for ICMP “Packet too large” messages and, if one is received, sends progressively smaller packets until a “Packet too large” message is not returned
• IPv6 resizes the “real” packets to match the discovered PMTU
• IPv6 requires ICMPv6 to pass through firewalls

Page 28: Architectural Risks and Mitigations in IPv6

IPSec for IPv6

• Mandatory inclusion in implementation
• Three User Options
  • No Use
  • Gateway-Gateway (Available in IPv4)
  • Peer-Peer
• Use Requires a Security Association
  • IKE – RFC 2409
  • PKI/PKM (static keying is possible but problematic)
• Two Modes
  • Transport (Peer-Peer)
  • Tunnel (VPN Gateway-Gateway)
  • Modes can be combined
• Two Header Options
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • Options can be combined

Page 29: Architectural Risks and Mitigations in IPv6

IPSec for IPv6

• Authentication Header (AH)
  • RFC 2402
  • Whole packet integrity
  • Source authentication
  • Replay protection
• Does NOT Encrypt, Uses Checksum
• Does NOT provide Confidentiality

Page 30: Architectural Risks and Mitigations in IPv6

IPSec for IPv6

• Encapsulating Security Payload (ESP)
  • RFC 2406
  • Confidentiality
  • Integrity of the Encapsulated Packet
  • Authentication of the source
  • Anti-replay protection
• Encrypts
• Has a more limited integrity check than AH
• Encapsulating Packet is NOT protected

Page 31: Architectural Risks and Mitigations in IPv6

DHCPv6

• RFC 3315
• Totally rewritten protocol
• Required for Managed Address systems
• “Stateful” Configuration
• Automatic Address Assignment

Page 32: Architectural Risks and Mitigations in IPv6

DHCPv6

• Many benefits:
  • Uses multicast instead of broadcast
  • Verifies that client is on-link (only supplies addresses from link-local addresses)
  • Relay agent is simplified since it doesn’t need a list of DHCPv6 servers – just sends to the All-DHCP-servers address
  • Server can ‘push’ an update when changes occur
  • Address “Lease” Lifetime is infinite – when changes occur, they are pushed – less traffic

Page 33: Architectural Risks and Mitigations in IPv6

Neighbor Discovery (ND) Protocol

• Neighbor Discovery has two main subsets
  • Router Solicitation/Router Advertisement (RS/RA) to communicate with Routers
  • Neighbor Solicitation/Neighbor Advertisement (NS/NA) to communicate with hosts on link
• The ultimate job of ND is to allow a node that knows an IPv6 address to determine the MAC address of the on-link recipient node
• Very similar to ARP in IPv4, but uses multicast rather than broadcast

Page 34: Architectural Risks and Mitigations in IPv6

Why Neighbor Discovery?

• Doesn’t an IPv6 address advertise the MAC address?
• No, it advertises the EUI-64 address, from which one can determine the MAC address
• The EUI-64 isn’t guaranteed to be accurate:
  • It could have been randomly entered by the node owner
  • It could be randomly changing to protect privacy
  • The Layer 2 might not require MAC addresses (Frame Relay)
• Therefore ND is always performed (unless already cached)
• Next slide explains IEEE EUI-64 & MAC-64

Page 35: Architectural Risks and Mitigations in IPv6

EUI-64: IEEE Extended Unique Identifier – 64 bits

• To facilitate the creation of globally unique node addresses using the network adapter’s Media Access Control (MAC) number, the IEEE established 2 new standards: EUI-64 and MAC-64.
• Both MAC-64 and EUI-64 split the current EUI-48 & MAC-48 bit numbers into two 24-bit sections and then insert either FFFF (MAC-64) or FFFE (EUI-64) between the two sections
• MAC-64 is meant to be used with network adapters, but the IPv6 specification writers used the EUI-64 standard instead

Page 36: Architectural Risks and Mitigations in IPv6

Solicited Node Multicast Address (SNMA)

• SNMA is used to avoid duplicate IPv6 addresses
• Created by adding FF + (last 24 bits of Interface ID) onto FF02::1
• Example:
  • Client’s IPv6 address is 3001:B00:0:1:212:6BFF:FE3A:9E9A
  • Take the last 24 bits: 3A:9E9A
  • Prepend FF onto 3A:9E9A, giving FF3A:9E9A
  • Append the result to the SNMA prefix: FF02::1:FF3A:9E9A
• Host listens on the SNMA corresponding to each assigned IPv6 address
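Worked in code, as an added example that is not part of the deck: the MAC-48 to EUI-64 construction from page 35 and the SNMA derivation from this page, using Python's standard ipaddress module. It also applies the universal/local bit flip that RFC 4291 adds to the FFFE insertion (the slide omits that step), which is why the constructed sample MAC below yields the deck's own address 3001:B00:0:1:212:6BFF:FE3A:9E9A.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface ID from a MAC-48 address.

    Follows the recipe on page 35: split the 48-bit MAC into two 24-bit
    halves and insert FFFE between them. The inversion of the
    universal/local bit (0x02 of the first octet) is the "modified" EUI-64
    form that IPv6 stateless autoconfiguration uses (RFC 4291, Appendix A).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC-48 address must be exactly 6 octets")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # flip the universal/local bit
    return bytes(eui64)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine an on-link /64 prefix with the MAC-derived interface ID, as a
    host doing stateless autoconfiguration would."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast
    address. The host joins this group for each of its addresses, and
    Duplicate Address Detection solicitations are sent to it."""
    low24 = int(ipaddress.IPv6Address(str(addr))) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


if __name__ == "__main__":
    # Constructed sample: the MAC that produces the deck's example address.
    mac = "00:12:6b:3a:9e:9a"
    addr = slaac_address("3001:b00:0:1::/64", mac)
    print("address:", addr)                           # 3001:b00:0:1:212:6bff:fe3a:9e9a
    print("SNMA   :", solicited_node_multicast(addr))  # ff02::1:ff3a:9e9a
```

Because only the low 24 bits feed the SNMA, unrelated addresses that share those bits listen on the same group, which is why DAD must compare the full target address in the solicitation rather than trusting the group alone.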

Page 37: Architectural Risks and Mitigations in IPv6

Duplicate Address Detection (DAD)

• As a function of ND, when a node generates (or receives) an IPv6 address, it automatically sends an NS packet to the SNMA that it is configuring
• If an NA is received, the node knows that address is in use, and the address is not used

Page 38: Architectural Risks and Mitigations in IPv6


Secure Neighbor Discovery (SeND)

• Requires each node to have a “trusted router certificate” list

• List different for each network segment

• Uses Cryptographically Generated Addresses (CGA) (RFC 3972) to verify neighbor’s address ownership

• Solves “router trust” security problems in IPv6 “Neighbor Discovery” node address configuration

• No IPv6 “automatic” method for creating or updating host and router certificate lists

Page 39: Architectural Risks and Mitigations in IPv6


ICMPv6

• In IPv4, the Internet Control Messaging Protocol (ICMP) was used for some utilities such as ping and tracert

• Many organizations block in/out ICMP at the firewall

• In IPv6, Neighbor Discovery utilizes ICMPv6, and ND is mandatory for delivering packets

• Path MTU discovery is ICMPv6 based

• Therefore, ICMPv6 is mandatory in IPv6 and *cannot* be shut off completely at the firewall

Page 40: Architectural Risks and Mitigations in IPv6

DNSv6

• Same functionality as DNS in IPv4

• IPv6 uses “AAAA” records, IPv4 uses “A”

• DNS queries return AAAA before A records

• Some implementations will not return an IPv4 address if an IPv6 address exists for the host

• DNS server with faked IPv6 record for IPv4-only box will refer all traffic to IPv6 site

• DNS Server discovery mechanisms still a work in progress

Page 41: Architectural Risks and Mitigations in IPv6

MobileIP

• Present in IPv4 (RFC 3344), difficult to use
• MobileIPv4:
  • Mobile Node
  • Home Agent
  • Foreign Agent
  • UDP-based
  • Home Agent (Server) centric

Page 42: Architectural Risks and Mitigations in IPv6

MobileIP

• “Visited” networks must open their firewalls to special IPv6 packets
• IPv6 Modes
  • Bi-directional Tunneling (Home Agent centric)
  • Route Optimization (Peer-to-Peer)
• You can do Binding Updates with any correspondent to establish a direct path, but ONLY after establishing a security association with the home agent or correspondent.

Page 43: Architectural Risks and Mitigations in IPv6

MobileIP

• Do not confuse “MobileIP” with “Mobile Telephony”, which concerns ISO Layers 1 & 2 devices.
• MobileIP is ISO Layer 3
  • Requires a functioning Layer 1 & 2 network infrastructure
  • Requires a way to establish security associations (PKI?)

Page 44: Architectural Risks and Mitigations in IPv6


Key Risk Considerations

• Each network layer has characteristic types of attacks

• Internet Protocol is an address management and traffic delivery protocol suite

• Characteristic attacks and activities at the IP level are Address Manipulation, Denials of Service, and supporting activities (reconnaissance, etc.)

• Some attacks utilize upper layer protocols that support IP functionality (ICMP, TCP, UDP, etc.)

• Almost all IPv6 security enhancements require a way to establish a security association (PKI?) (SeND, IPSec, etc.)

Page 45: Architectural Risks and Mitigations in IPv6

Key Considerations

• IPv6 address management suite
  • Neighbor Discovery / Router Identification
  • Autoconfiguration
  • Domain Name Service
  • Dynamic Host Control Protocol
  • ICMP
• Packet Header Changes
• Supporting Activities

Page 46: Architectural Risks and Mitigations in IPv6

Neighbor Discovery

• Key concerns
  • Neighbor Solicitations / Advisories
  • Router Solicitations / Advisories
  • ICMP messages
  • Secure ND requires trust lists
  • IPv6 = IPv4 (NDAC = ARP, etc.)
• Attacks
  • DoS
  • Redirects
  • Configuration Attacks

Page 47: Architectural Risks and Mitigations in IPv6


Neighbor Discovery

• Neighbor Solicitation and Advertisement (NS/NA) Spoofing

• N3 sends an NS or NA with N1, N2, or R1 addresses and N3 link-layer address.

• Traffic goes to N3 instead of valid neighbors.

Page 48: Architectural Risks and Mitigations in IPv6


Neighbor Discovery

• Fake on-link Prefix

• N3 executes NA/NS Spoofing

• N3 sends RA with invalid prefix identified as on-link

• Off-link traffic to the prefix is either denied or sent to N3

Page 49: Architectural Risks and Mitigations in IPv6


Neighbor Discovery

• Neighbor Unreachability Detection (NUD) Denial of Service

• N3 sends NA responding to NUD NS messages of all or some of others on network

• NUDed nodes are now considered unreachable by other nodes, who cease sending

Page 50: Architectural Risks and Mitigations in IPv6

Neighbor Discovery

• Router Flood
• N3 sends randomly addressed packets
• R1 sends NS messages that are never answered

Page 51: Architectural Risks and Mitigations in IPv6

Neighbor Discovery

• Default Router Disabling
• N3 sends RA with R1 address and a lifetime of zero
• R1 is dropped as the default router by other nodes

Page 52: Architectural Risks and Mitigations in IPv6


Neighbor Discovery

• Router/DHCPv6 Masquerade

• N3 sends RA with a DHCPv6 configuration that points to a DHCPv6 server running on N3

• Nodes obtain addressing information from N3

Page 53: Architectural Risks and Mitigations in IPv6


Neighbor Discovery

• Default Router Masquerade

• N3 sends RA as Default Router

• Other nodes start sending traffic to N3

• N3 becomes “Man in the middle.”

• N3 can also DoS net by sending RA with an invalid network renumbering scheme

Page 54: Architectural Risks and Mitigations in IPv6


Neighbor Discovery

• Duplicate Address Detection (DAD) Denial of Service

• N3 responds to every DAD NS message by claiming to already have that address

• Nodes are never able to configure an address

Page 55: Architectural Risks and Mitigations in IPv6


Neighbor Discovery

• Prefix Spoofing

• N3 sends RA with invalid network prefix for autoconfiguration

• Autoconfigured nodes send traffic with invalid prefix

• Nodes never receive misdirected response traffic

Page 56: Architectural Risks and Mitigations in IPv6

Neighbor Discovery

• Prefix Flooding
• N3 sends an RA flood with randomly selected invalid prefixes
• Nodes eventually drop valid prefixes

Page 57: Architectural Risks and Mitigations in IPv6

Neighbor Discovery

• ICMP Redirect
• N3 sends R1-spoofed ICMP redirect message
• Nodes send traffic to N3
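Added example (not part of the deck): a detector for the Router Advertisement patterns on pages 48, 51, 52, 53 and 55, parsing the ICMPv6 RA format (RFC 4861) and checking each message against a site policy of authorised routers, allowed prefixes and whether DHCPv6 is in use. The policy values, router addresses and sample RAs are constructed for this example; on a real link the input would come from a capture of ICMPv6 type 134 messages.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type
OPT_PREFIX_INFO = 3      # ND option type
FLAG_MANAGED = 0x80      # RA "M" flag: hosts must use DHCPv6 for addresses

# Site policy (assumed values): authorised router link-local addresses, the
# prefixes they may advertise, and whether the site uses stateful DHCPv6.
POLICY = {"routers": ["fe80::1"], "prefixes": ["2001:db8:1::/64"], "dhcpv6": False}


def parse_router_advertisement(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861 section 4.2) and its
    Prefix Information options. The ICMPv6 checksum is not verified here."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags, router_lifetime = struct.unpack("!BH", icmp[5:8])
    ra = {"managed": bool(flags & FLAG_MANAGED),
          "router_lifetime": router_lifetime, "prefixes": []}
    offset = 16
    while offset < len(icmp):
        if offset + 2 > len(icmp):
            raise ValueError("truncated option")
        opt_type, opt_len = icmp[offset], icmp[offset + 1] * 8  # length in 8-octet units
        if opt_len == 0 or offset + opt_len > len(icmp):
            raise ValueError("bad option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = icmp[offset + 2], icmp[offset + 3]
            prefix = ipaddress.IPv6Address(icmp[offset + 16:offset + 32])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((int(prefix), plen), strict=False),
                "on_link": bool(pflags & 0x80),      # L flag
                "autonomous": bool(pflags & 0x40)})  # A flag: hosts may autoconfigure from it
        offset += opt_len
    return ra


def check_router_advertisement(src: str, ra: dict, policy: dict) -> list:
    """Apply the site policy to one parsed RA and return a list of findings,
    each named after the ND attack pattern it corresponds to in the deck."""
    findings = []
    authorised = {str(ipaddress.IPv6Address(r)) for r in policy["routers"]}
    src = str(ipaddress.IPv6Address(src))
    if src not in authorised:
        findings.append(f"RA from unauthorised source {src} (default router masquerade)")
    elif ra["router_lifetime"] == 0:
        # Source addresses can be spoofed, so a lifetime-0 RA in the name of a real
        # router deserves an alert even though a genuine shutdown looks the same.
        findings.append(f"RA withdraws authorised router {src} (default router disabling)")
    if ra["managed"] and not policy["dhcpv6"]:
        findings.append("M flag set but site does not use DHCPv6 (router/DHCPv6 masquerade)")
    allowed = [ipaddress.IPv6Network(p) for p in policy["prefixes"]]
    for p in ra["prefixes"]:
        if p["prefix"] not in allowed:
            findings.append(f"unexpected prefix {p['prefix']} (prefix spoofing / fake on-link prefix)")
    return findings


def constructed_ra(lifetime: int, managed: bool, prefixes) -> bytes:
    """Test fixture only: an RA with hop limit 64, checksum left at 0, and one
    Prefix Information option (L and A set, standard lifetimes) per prefix."""
    flags = FLAG_MANAGED if managed else 0
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    return msg


def audit(samples, policy=POLICY) -> list:
    """Run the check over (source, raw RA) pairs; return [(source, findings), ...]."""
    return [(src, check_router_advertisement(src, parse_router_advertisement(raw), policy))
            for src, raw in samples]


if __name__ == "__main__":
    # Constructed samples: a legitimate RA, then the attack patterns from the deck.
    report = audit([
        ("fe80::1", constructed_ra(1800, False, ["2001:db8:1::/64"])),
        ("fe80::bad", constructed_ra(1800, False, ["2001:db8:1::/64"])),
        ("fe80::1", constructed_ra(0, True, ["2001:db8:bad::/64"])),
    ])
    for src, findings in report:
        print(src, findings or "OK")
```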

Page 58: Architectural Risks and Mitigations in IPv6

Neighbor Discovery

• NDAC uses Multicast
• IPSec uses IKE
• IKE has no mechanism for a “group” key
• IKE does not support Multicast Security Associations
• IPSec does not easily support Multicast

Page 59: Architectural Risks and Mitigations in IPv6

Autoconfiguration

• Well-known addresses
• EUI-64 creation
• “Privacy” extensions (Randomization)

Page 60: Architectural Risks and Mitigations in IPv6

Autoconfiguration

• Well known multicast addresses
  • All routers at FF05::2
  • All DHCP servers at FF05::1:3
  • All nodes at FF02::1
• Human pattern issues remain (pattern in choice of key server addresses)

Page 61: Architectural Risks and Mitigations in IPv6

Autoconfiguration

• EUI-64 address creation
  • Exposes Layer 2 address
  • Privacy Issues
• “Privacy” extensions (Randomization)
  • Loss of tracking ability

Page 62: Architectural Risks and Mitigations in IPv6

Domain Name Service

• Default Action with AAAA vs A records
• Public servers still public
• DNSv6 attacks still similar to IPv4 (Zone Transfers, dynamic DNS, etc.)

Page 63: Architectural Risks and Mitigations in IPv6

ICMP

• ICMP message control requirements are more granular
• ICMP attacks can reach layers above IP
• IPSec/IKE does not “secure” ICMP

Page 64: Architectural Risks and Mitigations in IPv6

Packet Header Changes

• Fragmentation attacks still possible
• Flow Control field manipulation can cause router overflow conditions
• Header chaining can create overflow conditions

Page 65: Architectural Risks and Mitigations in IPv6

Supporting Activities

• Reconnaissance
  • More difficult, not impossible
  • Minus for both attackers and vulnerability assessors
• Source routing still available for Man-in-Middle
• SYN floods and other DoS/DDoS still available for complex or “Mitnick”-type attacks
• Smurf may still be possible using ICMP Packet too large and Parameter problem messages

Page 66: Architectural Risks and Mitigations in IPv6

Technology Support and Transition Strategy

• There are three pieces to the IPv6 transition:
  • Infrastructure transition
  • Host transition
  • Application transition
• Coexistence during transition
• The transition from IPv4 to IPv6 will take years
• Some hosts will use IPv4 indefinitely
• Transition is the long term goal, coexistence in the interim

Page 67: Architectural Risks and Mitigations in IPv6

Infrastructure Transition

There are two main ways of providing IPv6 connectivity to your users:

A. Upgrade all layer 3 devices to support IPv6 and ensure routing tables reflect new IPv6 routes (this is the ultimate goal)

B. Use a transition technology to provide IPv6 connectivity to users in the absence of A.

Page 68: Architectural Risks and Mitigations in IPv6

ISATAP

• Intra-Site Automatic Tunnel Addressing Protocol
• Provides unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet
• Can use private IPv4 addresses
• Prefix FE80:0000:0000:0000:0000:5EFE ends with the IPv4 address in hex form
• One dual stack ISATAP router per site relays data
• Benefit: allows scoped deployment of IPv6 services across the site without upgrading infrastructure

Page 69: Architectural Risks and Mitigations in IPv6

6to4

• Similar to ISATAP, but requires a public IPv4 address

Page 70: Architectural Risks and Mitigations in IPv6

Tunnel Broker

• Both ISATAP and 6to4 provide access to IPv6 resources based on the IPv4 address
• An unauthorized user could change their IP address and gain access to IPv6 services
• Tunnel Brokers add an additional layer of authentication into the process by leveraging an IAS server
• This can be especially helpful for externally facing 6to4 relays

Page 71: Architectural Risks and Mitigations in IPv6


Teredo

• ISATAP and 6to4 rely on a translation server in the local subnet

• Home users will not have this option, and they are behind a NAT

• Teredo was designed to allow home users access to IPv6 services by tunneling IPv6 through an IPv4 NAT

• Microsoft does not recommend the use of Teredo in the Enterprise
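Added example (not the deck's own code): classifying an IPv6 address inventory by what its format reveals, which is the concern on page 14 that expanded-IPv4 interface IDs expose IPv4 use: ISATAP (page 68), 6to4 (page 69) and Teredo (page 71) embed an IPv4 address, and EUI-64 addresses embed the MAC. The Teredo layout (2001::/32 with the client IPv4 XORed with all ones) and the 0200:5EFE ISATAP variant come from RFC 4380 and RFC 5214 rather than the deck; the sample addresses are constructed.

```python
import ipaddress
from typing import Optional, Tuple

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix, IPv4 in bits 16..47
TEREDO = ipaddress.IPv6Network("2001::/32")     # Teredo prefix (RFC 4380)
# ISATAP interface ID: 0000:5EFE:<IPv4> for a private IPv4 address (page 68);
# 0200:5EFE:<IPv4> (u bit set) when the embedded IPv4 is globally unique (RFC 5214).
ISATAP_IID_HIGH = (0x00005EFE, 0x02005EFE)


def classify(addr: str) -> Tuple[str, Optional[str]]:
    """Return (kind, leaked identifier) for one IPv6 address, where the
    identifier is the IPv4 address or MAC that the address format embeds."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    iid = n & ((1 << 64) - 1)
    if a in SIXTOFOUR:
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if a in TEREDO:
        # Teredo stores the client's public IPv4 XORed with all ones in the low 32 bits.
        return "teredo", str(ipaddress.IPv4Address((iid ^ 0xFFFFFFFF) & 0xFFFFFFFF))
    if (iid >> 32) in ISATAP_IID_HIGH:
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        # Modified EUI-64: undo the FFFE insertion and the universal/local bit flip.
        mac = ((((iid >> 40) & 0xFFFFFF) ^ 0x020000) << 24) | (iid & 0xFFFFFF)
        return "eui64", ":".join(f"{(mac >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    return "opaque", None


def audit(addresses) -> dict:
    """Group addresses by what they reveal; 'opaque' ones embed nothing recognisable."""
    report = {}
    for addr in addresses:
        kind, leaked = classify(addr)
        report.setdefault(kind, []).append((addr, leaked))
    return report


if __name__ == "__main__":
    # Constructed sample inventory (not captured data).
    sample = ["fe80::5efe:10.1.2.3", "2002:c000:204::1",
              "2001:0:4136:e378:8000:63bf:3fff:fdd2",
              "3001:b00:0:1:212:6bff:fe3a:9e9a",
              "2001:db8::a1b2:c3d4:e5f6:7788"]
    for kind, items in audit(sample).items():
        print(kind, items)
```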

Page 72: Architectural Risks and Mitigations in IPv6


Routing Transition Technologies

• ISATAP or 6to4 provides connectivity between dual stacked and native v6 clients *within* your network

• *IF* you choose to install an ISATAP/6to4 router or enable BGP/OSPF IPv6 routing, then IPv6 will be routed into/out of your network

• IPv6 PACKETS CANNOT LEAVE THE LOCAL SUBNET UNTIL THEY ARE ROUTED OUT!

• This is nothing different from IPv4

Page 73: Architectural Risks and Mitigations in IPv6

Host Transition

• Ideal Transition Stages
  • Native IPv4
  • Dual Stack or Dual IP
  • Native IPv6
• Dual stack will be preferred for many years
• Very few IPv6 application issues on dual-stack/dual IP machines
• Dual stack gives you the advantages of IPv6 without requiring that every application be fully tested
• Microsoft Vista is NOT dual-stack!

Page 74: Architectural Risks and Mitigations in IPv6


Application Transition

• Wouldn’t be necessary in a perfect world.

• Maintains operation for older software, leverages power of v6 for new software

• Software with embedded IPv4 addresses can operate without alteration in a dual stack environment

• New or upgraded software should rigorously enforce OSI layer separation – no “embedded” addresses or URLs

Page 75: Architectural Risks and Mitigations in IPv6


Technical Transition Criteria

• Existing IPv4 hosts can be upgraded at any time independent of the upgrade of other hosts or routers

• New hosts using only IPv6 can be added at any time without dependencies on other hosts or routing infrastructure

• Existing IPv4 hosts with IPv6 installed can continue to use their IPv4 address and do not need additional addresses

• Little preparation is needed to upgrade existing IPv4 nodes to IPv6 or to deploy new IPv6 nodes

Page 76: Architectural Risks and Mitigations in IPv6

Regulatory Environment

• Non-technical environment doesn’t change
• For federal government, FISMA, NIST SP 800-53, etc. don’t go away
• Legal system definitions and requirements will have a significant impact on IPv6 technical implementations

Page 77: Architectural Risks and Mitigations in IPv6

Some Security Practices Must Change

• Protecting system boundaries becomes more difficult
• Network Address Translation (NAT) may gradually disappear
• IPv6 subnet size makes net scanning more difficult for both protector and attacker
• Firewalls – border and personal – will flourish
• Host IDS will become more important
• Combination security devices may become more common
• Firewalls must perform very granular control of ICMPv6


IPv6 Security

•Ask a lot of people about security in IPv6 and you’ll hear one thing – IPsec

• IPsec is important, but there is more to Security than a single protocol

•The most important thing to do is test

• IRS IPv6 transition should be “lab tested”


Work, Work, Work!

• Firewall rules will need to be redone from scratch

• Broadcasts may be gone, but there are many new multicasts to be filtered

• Protocol types (Next Header values) are more important than ever

• Implement Microsoft Active Directory based Server and Domain Isolation

• Implement ingress filtering that drops any packet carrying an IPv6 multicast source address (a multicast address is never valid as a source)

• Many of the security recommendations of IPv4 are still in IPv6


Transition Security Recommendations

•General Principles
•Security Tools
•Windows Domain Management
•Tunneling
•Flow Control
•IPsec
•MobileIP
•Applications
•Databases


General Considerations

• IPv6 is a Work In Progress. Vulnerabilities, attack vectors, and security requirements will change as the protocol suite is further defined.

• An IPv6 feature or improvement may not be relevant to your current or future business needs or in a federal environment.

• As a general goal, IPv6 transition should not cause a redefinition of the logical security boundaries of previously certified and accredited (C&A) systems.

• Any IPv6 capabilities that differ from IPv4 should be used only in response to clearly stated business requirements.

• Realizing the full benefits of IPsec and SEND (Secure Neighbor Discovery, RFC 3971, which authorizes routers through a certification path) will require a PKI already in place, and in a Windows environment MS Active Directory for policy distribution.


General Considerations

• Security costs will increase due to the need to secure two network access protocols and the interactions between them

• “Technology Refresh” purchase schedules may result in IPv6-capable systems being procured “out of phase” with same-network IPv6-capable security devices. “Interior” IPv6 capabilities should not be implemented without adequate traffic control and security by IPv6-capable network and perimeter control and security devices.

• The possibility of “U-Turn” attacks must be considered when opening internal to external channels


Security Tools

• Routing devices (routers, firewalls, etc.) should deny passage of any externally-generated IPv6 traffic tunneled inside User Datagram Protocol (UDP), e.g., Teredo on UDP port 3544; such tunnels were designed to traverse NATs and, as a side effect, pass through firewalls and other security tools that only inspect the outer IPv4 packet.

• Intrusion detection or prevention systems (IDS/IPS) should have the ability to perform analysis of tunneled IPv6 traffic without regard to the number of tunnel layers.

• IDS/IPS should have the ability to analyze packet headers that exceed 512 octets (an IPv6 extension header chain can push the transport header well past the first 512 octets of the packet).

• Firewalls should have the ability to analyze both IPv4 and IPv6 ICMP traffic and to permit or deny access to such traffic based on type and message content.
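The two bullets on ICMPv6 (the last one above and "Firewalls must perform very granular control of ICMPv6" on the Security Practices slide) are easy to state and easy to get wrong. The following Python is an added editor's example, not code from the deck: a per-type policy for ICMPv6 that the firewall would forward, and the RFC 4861 hop-limit check for NDP messages addressed to the firewall itself. The type numbers are the IANA assignments; the verdict table, the Icmp6 record and the sample packets are this example's own choices.

```python
import ipaddress
from dataclasses import dataclass

# ICMPv6 message types: RFC 4443 (errors, echo), RFC 4861 (NDP), RFC 2710/3810 (MLD)
DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT = 130, 131, 132, 143
RTR_SOL, RTR_ADV, NBR_SOL, NBR_ADV, REDIRECT = 133, 134, 135, 136, 137
NODE_INFO_QUERY, NODE_INFO_REPLY = 139, 140

# Messages that are link-scoped by definition: a router never forwards them
LINK_SCOPE_TYPES = {MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT,
                    RTR_SOL, RTR_ADV, NBR_SOL, NBR_ADV, REDIRECT}
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")


@dataclass(frozen=True)
class Icmp6:
    """The fields a firewall needs from one ICMPv6 packet (record constructed for this example)."""
    icmp_type: int
    code: int
    hop_limit: int
    src: str
    dst: str


def transit_verdict(p: Icmp6) -> str:
    """Verdict for an ICMPv6 packet the firewall would forward between zones.
    Returns 'permit', 'permit-ratelimit' or 'deny'."""
    # Error messages make Path MTU Discovery and reachability work; IPv6 routers
    # never fragment, so dropping Packet Too Big silently blackholes large flows.
    if p.icmp_type in (DEST_UNREACH, PACKET_TOO_BIG):
        return "permit"
    if p.icmp_type == TIME_EXCEEDED and p.code in (0, 1):      # hop limit / reassembly
        return "permit"
    if p.icmp_type == PARAM_PROBLEM and p.code in (1, 2):      # unknown next header / option
        return "permit"
    if p.icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        return "permit-ratelimit"       # diagnostics yes, floods and sweeps no
    if p.icmp_type in LINK_SCOPE_TYPES:
        return "deny"                   # NDP/MLD in transit is misdirected or an attack
    if p.icmp_type in (NODE_INFO_QUERY, NODE_INFO_REPLY):
        return "deny"                   # reconnaissance: replies carry hostnames and addresses
    return "deny"                       # default deny for unknown/experimental types


def ndp_is_valid(p: Icmp6) -> bool:
    """RFC 4861 receive checks for an NDP message addressed to this node itself.
    Hop limit 255 proves the sender is on-link: a forwarding router would have
    decremented it, so spoofed RAs and Redirects from beyond the link fail here."""
    if p.icmp_type not in (RTR_SOL, RTR_ADV, NBR_SOL, NBR_ADV, REDIRECT):
        return False
    if p.hop_limit != 255 or p.code != 0:
        return False
    src = ipaddress.IPv6Address(p.src)
    if p.icmp_type == NBR_SOL and src.is_unspecified:
        # Duplicate Address Detection: source :: and a solicited-node destination
        return ipaddress.IPv6Address(p.dst) in SOLICITED_NODE
    if p.icmp_type in (RTR_ADV, REDIRECT):
        return src.is_link_local        # only an on-link router may advertise or redirect
    return not src.is_unspecified


# Constructed sample packets (not captured traffic)
SAMPLES = [
    Icmp6(PACKET_TOO_BIG, 0, 60, "2001:db8:ffff::1", "2001:db8:1::10"),   # transit: permit
    Icmp6(ECHO_REQUEST, 0, 55, "2001:db8:ffff::7", "2001:db8:1::10"),     # transit: rate-limit
    Icmp6(RTR_ADV, 0, 255, "2001:db8:ffff::1", "ff02::1"),                # transit: deny
    Icmp6(RTR_ADV, 0, 64, "fe80::1", "ff02::1"),                          # local: hop limit wrong
    Icmp6(NBR_SOL, 0, 255, "::", "ff02::1:ff3f:2a1c"),                    # local: valid DAD probe
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt.icmp_type, transit_verdict(pkt), ndp_is_valid(pkt))
```

Blocking types 1 through 4 wholesale is the classic IPv6 firewall mistake: Path MTU Discovery stops working and large transfers stall without any error. The hop-limit-255 test is what keeps a host or firewall from accepting a Router Advertisement or Redirect injected from beyond the link.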


Windows Domain Management

•Windows Active Directory should be implemented to support Domain and Server Isolation.

•All Domains and Servers should be isolated IAW Microsoft recommendations.

•Active Directory should be combined with PKI


Tunneling

•No automatic tunnels (6to4, ISATAP, IPv4-compatible addresses).

•No tunnels based on UDP (e.g., Teredo).
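Added example (the editor's code, not the deck's) implementing the two tunneling bullets above together with "ingress filtering of multicast source addresses" from the Work, Work, Work slide and the UDP-bypass bullet under Security Tools. On the IPv4 side it blocks the encapsulations the automatic and UDP tunnels use; on the IPv6 side it rejects source addresses that can never be legitimate arriving from outside. The Pkt record, the reason strings and the sample addresses are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Prefixes the border should never accept as a source from outside
TEREDO = ipaddress.IPv6Network("2001::/32")          # UDP-tunneled, server port 3544
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")     # automatic IPv6-in-IPv4 tunnel
IPV4_COMPAT = ipaddress.IPv6Network("::/96")         # deprecated ::w.x.y.z automatic tunnel
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")      # deprecated, never routed globally
ULA = ipaddress.IPv6Network("fc00::/7")
DOCUMENTATION = ipaddress.IPv6Network("2001:db8::/32")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def is_isatap(addr: ipaddress.IPv6Address) -> bool:
    """ISATAP interface IDs are 0000:5EFE:w.x.y.z (or 0200:5EFE with the U/L bit set)."""
    iid = addr.packed[8:]
    return iid[:2] in (b"\x00\x00", b"\x02\x00") and iid[2:4] == b"\x5e\xfe"


def ipv6_source_problem(src_text: str) -> Optional[str]:
    """Return why this source address must be dropped at the border, or None if it is fine."""
    src = ipaddress.IPv6Address(src_text)
    if src.is_multicast:
        return "multicast source address"          # never legal as a source
    if src.is_unspecified or src.is_loopback:
        return "unspecified or loopback source"
    if src.ipv4_mapped is not None or src in IPV4_COMPAT:
        return "IPv4-embedded source (mapped or IPv4-compatible)"
    if src.is_link_local or src in SITE_LOCAL or src in ULA:
        return "local-scope source arriving on the external interface"
    if src in DOCUMENTATION:
        return "documentation prefix (bogon)"
    if src in TEREDO:
        return "Teredo client address (UDP tunnel)"
    if src in SIX_TO_FOUR:
        return "6to4 address (automatic tunnel)"
    if is_isatap(src):
        return "ISATAP interface ID (automatic tunnel)"
    if src not in GLOBAL_UNICAST:
        return "outside 2000::/3 (not allocated global unicast)"
    return None


@dataclass(frozen=True)
class Pkt:
    """Outer-header facts for one packet arriving from outside (record constructed for this example)."""
    version: int                 # 4 or 6
    src: str
    proto: int                   # IPv4 Protocol / IPv6 Next Header of the transport header
    sport: int = 0
    dport: int = 0


def ingress_verdict(pkt: Pkt) -> Tuple[str, str]:
    """(verdict, reason) under the 'no automatic tunnels, no UDP tunnels' policy."""
    if pkt.version == 4:
        if pkt.proto == 41:
            return ("deny", "IPv6-in-IPv4 (protocol 41): 6to4/6in4/ISATAP tunnel")
        if pkt.proto == 17 and 3544 in (pkt.sport, pkt.dport):
            return ("deny", "UDP/3544: Teredo tunnel")
        return ("pass", "IPv4: hand to the IPv4 rule base")
    problem = ipv6_source_problem(pkt.src)
    if problem:
        return ("deny", problem)
    if pkt.proto == 41:
        return ("deny", "IPv6-in-IPv6: nested tunnel")
    return ("pass", "IPv6: hand to the IPv6 rule base")


# Constructed samples (not captured traffic)
SAMPLES = [
    Pkt(4, "198.51.100.7", 41),                    # 6to4/6in4 encapsulation
    Pkt(4, "198.51.100.7", 17, 51000, 3544),       # Teredo to a Teredo server
    Pkt(6, "ff02::1", 58),                         # multicast as a source
    Pkt(6, "2002:c633:6407::1", 6),                # 6to4 source
    Pkt(6, "2a02:db8::5efe:192.0.2.4", 6),         # ISATAP interface ID
    Pkt(6, "2a02:db8::1", 6),                      # ordinary global unicast
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt.src, ingress_verdict(pkt))
```

Everything this rejects is either impossible as a source or is a tunnel endpoint the policy says should not exist; what survives still goes through the normal IPv6 rule base. Teredo clients use random ports, so the port test catches the client-to-server leg; the 2001::/32 source test catches the tunneled IPv6 once it has been decapsulated somewhere inside.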


Flow Control

•Devices* that respond to Flow Control in any fashion should be thoroughly tested for their response to out-of-bounds and unexpected values.

•*“Device” refers to hardware, software or any combination thereof that works as a logical machine.


IPsec

• IPsec should be implemented in a gateway-to-gateway (G2G) mode that honors current C&A logical system boundaries, except (potentially) in the following cases:
• Where considerations of data confidentiality on untrusted networks require end-to-end IPsec implementation.
• Where IPsec communication is between member servers of the Trusted Computing Base (TCB).

• IPsec Security Associations required for peer-to-peer (P2P, host-to-host) use require IKE. P2P mode is best served in a PKI environment.

• Irrespective of IPsec mode implementation, all MS-based systems should be placed in isolated domains.

• Full use of IPsec requires implementation of PKM/PKI.


MobileIP

•“Visited” networks must open their firewalls to special IPv6 packets:
•IPv6-in-IPv6 packets
•IPv6 packets with Mobility headers
•IPv6 packets with the Home Address destination option
•ICMPv6 mobility packets
•IPv6 packets with Routing headers (type 2)


Applications

• Ideally, applications should have no awareness of IP layer protocols.

• Applications with a network layer component should be tested for compatibility with IPv4, IPv6, and/or whichever 4to6 and 6to4 tunneling mechanisms are implemented.

• Applications that capture IP addresses should correctly process input of the various legal address format permutations and store and display such addresses in an enterprise-wide standard format.

• Applications with embedded IPv4 addresses may have to be recoded depending on any network renumbering during the transition.

• Note: There is no current standard data field description for IPvX addresses.


Databases

•Databases containing network layer addresses should be capable of storing both IPv4 and IPv6 addresses in an enterprise-wide standard format.

•Network-capable database systems (DBS) should be tested for compatibility with IPv4, IPv6, and/or whichever 4to6 and 6to4 tunneling mechanisms are implemented by the IRS.
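Added example, not from the deck: the "enterprise-wide standard format" the Applications and Databases slides ask for, done with Python's standard ipaddress module. Input parsing accepts the address spellings that actually turn up in logs and forms; the display form is the lowercase compressed IPv6 text (the RFC 5952 style that ipaddress emits); storage uses a fixed 16-byte key so one column and one index serve both families. The function names, the storage convention and the sample inputs are this example's own choices.

```python
import ipaddress
from typing import List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_address_input(text: str) -> Optional[IPAddress]:
    """Accept the forms that turn up in user input, logs and configs: upper/lower case,
    leading zeros, [bracketed] URL literals, zone IDs (fe80::1%eth0) and IPv4-mapped
    IPv6. Returns an address object, or None if the text is not a single address."""
    s = text.strip()
    if s.startswith("[") and s.endswith("]"):
        s = s[1:-1]                       # URL literal form
    if "%" in s:
        s = s.split("%", 1)[0]            # zone ID is link-local and host-specific: never store it
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def canonical_text(addr: IPAddress) -> str:
    """One display form for the enterprise: dotted quad for IPv4, lowercase compressed
    text for IPv6, and an IPv4-mapped IPv6 address shown as the IPv4 address it carries."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def storage_key(addr: IPAddress) -> bytes:
    """Fixed 16-byte key for a BINARY(16)-style column: IPv4 is stored as ::ffff:a.b.c.d so
    one index covers both families and range queries stay byte-ordered."""
    if isinstance(addr, ipaddress.IPv4Address):
        addr = ipaddress.IPv6Address("::ffff:" + str(addr))
    return addr.packed


def from_storage_key(key: bytes) -> IPAddress:
    """Inverse of storage_key: unmap IPv4 so the application sees the family it expects."""
    v6 = ipaddress.IPv6Address(key)
    return v6.ipv4_mapped if v6.ipv4_mapped is not None else v6


def distinct_hosts(inputs: List[str]) -> List[str]:
    """Canonical, de-duplicated host list: the same address written five ways is one row."""
    seen = {}
    for text in inputs:
        addr = parse_address_input(text)
        if addr is None:
            continue                      # reject, log or raise here: never store raw text
        seen.setdefault(storage_key(addr), canonical_text(addr))
    return list(seen.values())


# Constructed inputs (not from the deck): several spellings of two hosts plus junk
SAMPLE_INPUT = [
    "2001:0DB8:0000:0000:0000:0000:0000:0001",
    "[2001:db8::1]",
    "2001:db8:0:0:0:0:0:1",
    "192.0.2.1",
    "::ffff:192.0.2.1",
    "::FFFF:C000:0201",
    "not-an-address",
]

if __name__ == "__main__":
    print(distinct_hosts(SAMPLE_INPUT))
```

Comparing addresses as strings is the bug this prevents: "2001:DB8::1" and "2001:db8:0:0:0:0:0:1" are one host, and an access-control list keyed on the raw text will miss one of them.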


End of Presentation

•Questions?

•Thanks for your attention and time.

[email protected]



Extra Slides

•Following slides are examples of some of the items covered in the main presentation.


Features of Network Layer Protocols

•Logical Addressing
• IPv6 Address Space and Syntax
• IPv6 Address Types and Uses
• IPv6 Interface Address Configuration
•Route Discovery
•Quality of Service
•Packet Header Structures
•Fragmentation Methods
•Supporting Protocols


Aggregatable Global Unicast Addresses (RFC 3513)

• Refers to the ability to collapse or “aggregate” these addresses in a routing table

• The original fixed structure (RFC 2374, deprecated by RFC 3587) used:
• Top-Level Aggregation ID (TLA ID)
• Next-Level Aggregation ID (NLA ID)
• Site-Level Aggregation ID (SLA ID)
• Interface ID (the one part that survives: the 64-bit interface identifier)


Aggregating The /48

• Address scope is the entire IPv6 Internet

• Equivalent to public IPv4 addresses

• Known as a /48 since 48 bits denote the routing prefix

• This is the standard end-site assignment recommended by RFC 3177 (the smallest a typical site would receive)

• Permits 65,536 subnets (16-bit Subnet ID)

Layout: 001 (3 bits, the 2000::/3 global unicast format prefix) | Routing Prefix from ISP (45 bits) | Subnet ID (16 bits) | Interface ID (64 bits)


Local-Use Unicast Addresses

• Link-local Unicast
• Used between on-link neighbors
• Equivalent to IPv4 APIPA (169.254.0.0/16) addresses
• Single subnet; routers will not forward
• Used by Neighbor Discovery & Autoconfiguration (NDAC)

• Link-Local Unicast Address Format:
• Prefix is 1111 1110 10 (FE80::/10); in practice every link-local address is in FE80::/64

• Site-local addresses (deprecated)
• Used between nodes in the same site

Layout: 1111 1110 10 (10 bits) | 000 . . . 000 (54 bits) | Interface ID (64 bits)


Site-Local Unicast

• Address scope is a single site

• Equivalent to private IPv4 addresses (RFC 1918)

• Prefix Format: 1111 1110 11 (FEC0::/10 prefix for the site)

• Used for the local site only

• Deprecated (RFC 3879), but may be seen

Layout: 1111 1110 11 (10 bits) | Subnet ID (54 bits) | Interface ID (64 bits)


Unique Local Addresses (RFC 4193)

• Private to an organization, yet (with a pseudo-random 40-bit Global ID) unique with high probability across all of the sites of the organization, so merging or interconnecting sites does not force renumbering

• Depends on router filtering to maintain locality

• FC00::/7 prefix; with the L bit set to 1 (locally assigned, the only form RFC 4193 defines) this is FD00::/8

• Replacement for site-local addresses

• Global scope within the site, no zone ID required

Layout: 1111 110 (7 bits) | L (1 bit) | Global ID (40 bits) | Subnet ID (16 bits) | Interface ID (64 bits)


Special IPv6 Addresses

•Unspecified address (new thing!)
• 0:0:0:0:0:0:0:0 or ::

•Loopback address
• 0:0:0:0:0:0:0:1 or ::1

•Well-known DNS server addresses that Windows hosts try by default (from an expired IETF draft; site-local, so deprecated along with that address type):
• FEC0:0:0:0:FFFF::1
• FEC0:0:0:0:FFFF::2, or
• FEC0:0:0:0:FFFF::3


Compatibility Addresses

• Used to create tunneling or IPv4-derived IPv6 addresses

• IPv4-compatible address: 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z

• IPv4-mapped address: 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z

• 6over4 address: Interface ID of ::WWXX:YYZZ

• 6to4 address: Prefix of 2002:WWXX:YYZZ::/48

• ISATAP address: Interface ID of ::0:5EFE:w.x.y.z


NSAP Addresses (RFC 1888)

•NSAP, the Network Service Access Point, is the OSI network-layer addressing scheme (not IPv4); it was expected to gain popularity, so an (experimental) mapping of NSAP addresses into IPv6 was defined

•Currently unused


Multicast Addresses

• Replaces IPv4 “broadcast” addressing

• First byte is always FF

• Flags (4 bits): the low-order T bit is 0 for a permanent (IANA-assigned) group, 1 for a transient group

• Scope (4 bits): 1 = interface-local, 2 = link, 5 = site, 8 = organization, E = global

• Some IANA defined multicast (group) addresses:
• FF02::1 (All nodes on the link)
• FF02::2 (All routers on the link)
• FF05::1:3 (All DHCP servers in the site)

Layout: 1111 1111 (8 bits) | Flags (4 bits) | Scope (4 bits) | 000 … 000 (80 bits) | Group ID (32 bits)
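Added example (the editor's code, not the deck's) covering the address types in the preceding slides: a decoder that classifies an IPv6 address by prefix and extracts what it embeds, the IPv4 address inside the compatibility forms (IPv4-compatible, IPv4-mapped, 6to4, ISATAP), the flags, scope and group ID of a multicast address, and the MAC address inside an EUI-64 derived interface ID. The dictionary keys and kind names are this example's own.

```python
import ipaddress
from typing import Any, Dict

MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link", 0x4: "admin", 0x5: "site",
                    0x8: "organization", 0xE: "global"}
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
IPV4_COMPAT = ipaddress.IPv6Network("::/96")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")
ULA = ipaddress.IPv6Network("fc00::/7")


def decode_address(text: str) -> Dict[str, Any]:
    """Classify an IPv6 address and pull out the fields the slides describe."""
    addr = ipaddress.IPv6Address(text)
    b = addr.packed
    out: Dict[str, Any] = {"address": str(addr)}

    if addr.is_multicast:
        flags, scope = b[1] >> 4, b[1] & 0x0F          # second byte: 4 flag bits, 4 scope bits
        out.update(kind="multicast",
                   transient=bool(flags & 0x1),        # T bit: 0 = well-known, 1 = transient
                   scope=MULTICAST_SCOPES.get(scope, "reserved/unassigned(%x)" % scope),
                   group_id="%x" % int.from_bytes(b[2:], "big"))
        return out

    if addr.ipv4_mapped is not None:
        out.update(kind="ipv4-mapped", embedded_ipv4=str(addr.ipv4_mapped))
    elif addr.is_unspecified:
        out.update(kind="unspecified")
    elif addr.is_loopback:
        out.update(kind="loopback")
    elif addr in IPV4_COMPAT:
        out.update(kind="ipv4-compatible (deprecated)", embedded_ipv4=str(ipaddress.IPv4Address(b[12:])))
    elif addr in SIX_TO_FOUR:
        out.update(kind="6to4", embedded_ipv4=str(ipaddress.IPv4Address(b[2:6])))  # 2002:WWXX:YYZZ
    elif addr.is_link_local:
        out.update(kind="link-local")
    elif addr in SITE_LOCAL:
        out.update(kind="site-local (deprecated)")
    elif addr in ULA:
        out.update(kind="unique-local",
                   global_id="%010x" % int.from_bytes(b[1:6], "big"),   # 40 bits after the L bit
                   subnet_id="%04x" % int.from_bytes(b[6:8], "big"))
    else:
        out.update(kind="global-unicast")

    iid = b[8:]
    if iid[:2] in (b"\x00\x00", b"\x02\x00") and iid[2:4] == b"\x5e\xfe":
        out.update(iid="isatap", embedded_ipv4=str(ipaddress.IPv4Address(iid[4:])))
    elif iid[3:5] == b"\xff\xfe":
        # Modified EUI-64: undo the U/L bit flip and drop the FF-FE filler to recover the MAC
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
        out.update(iid="eui-64", mac="-".join("%02x" % x for x in mac))
    return out


# Constructed inputs (not from the deck)
SAMPLES = ["FF02::1", "FF05::1:3", "2002:c633:6407::1", "::ffff:192.0.2.1",
           "fe80::5efe:192.0.2.4", "fe80::2aa:ff:fe3f:2a1c", "fd12:3456:789a:1::1"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decode_address(s))
```

The MAC recovery is the forensic point behind the Privacy Extensions slide that follows: a host using EUI-64 interface IDs carries its hardware identity into every address it configures, on every network it visits.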


Anycast Address

• Used to send a packet to a group of hosts; the closest (in routing terms) member responds

• A unicast address assigned to more than one interface/host

• “Last hop” routers are configured with a full 128-bit host route

• Routers must support the Subnet-Router anycast address (the subnet prefix with an all-zero Interface ID)

• A host can send a packet to that address to reach the closest available default gateway

• Can also be used for clustered server solutions

• Anycast is still undergoing definition: RFC 3513 allows anycast addresses on routers only and forbids using one as a source address


EUI-64 Example

Host has a MAC-48 address of 00-AA-00-3F-2A-1C

1. Convert the MAC address to EUI-64 format by inserting hex FF FE between the manufacturer's ID (OUI) and the adapter serial number:
• 00-AA-00-FF-FE-3F-2A-1C

2. Complement the 7th bit (from the left) of the first byte, the universal/local (U/L) bit:
• The first byte in binary form is 00000000. When the seventh bit is complemented, it becomes 00000010 (0x02).
• 02-AA-00-FF-FE-3F-2A-1C

3. Convert to colon-hexadecimal notation and suppress leading zeros:
• ::2AA:FF:FE3F:2A1C

• Link-local address for the node with the MAC address 00-AA-00-3F-2A-1C is FE80::2AA:FF:FE3F:2A1C


EUI-64 Privacy Extensions

• Since the EUI-64/MAC address doesn’t change, there are privacy concerns

• RFC 3041 “Privacy Extensions” (since replaced by RFC 4941) defines how the Interface ID can be randomly generated and changed “often” to protect privacy

• Leverages “preferred” and “valid” lifetimes - 24 hours preferred, 6 days valid

• Privacy Extensions make internal tracking and scanning more difficult


Router Solicitations

•When a host boots, it cannot wait for the next unsolicited Router Advertisement, which may be minutes away (the RFC 2461/4861 default MaxRtrAdvInterval is 600 seconds)

•The host sends a Router Solicitation (RS) to FF02::2 (All-routers-on-link), and on-link routers answer with a Router Advertisement


Boot Sequence Address Configuration

1. Host generates a link-local address using the link-local prefix (FE80::/64) + Interface ID

2. Host checks for an address collision (Duplicate Address Detection: a Neighbor Solicitation for the tentative address, sent from :: to its solicited-node multicast address)

3. Host sends a Router Solicitation to FF02::2

4. Router sends a Router Advertisement (RA)

5. If the RA Managed Address Configuration (M) flag = 1, host contacts DHCPv6 for a Global Unicast address via the link-scope All_DHCP_Relay_Agents_and_Servers multicast address FF02::1:2 (a relay forwards to the site-scope All_DHCP_Servers address FF05::1:3)

6. If M = 0 and the advertised prefix carries the Autonomous (A) flag, host combines that /64 prefix with its Interface ID to create a Global Unicast Address (stateless autoconfiguration) and runs Duplicate Address Detection on it as well
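Added example (the editor's code, not the deck's) tying together the EUI-64 Example, Privacy Extensions and Boot Sequence slides: the MAC to modified-EUI-64 conversion, the link-local and solicited-node addresses that Duplicate Address Detection uses, an RFC 3041-style random interface ID, and a parser for the Router Advertisement whose M/O flags and Prefix Information options drive steps 5 and 6. The RA bytes are constructed for the example (checksum left at zero). Per RFC 4862 a host acts on the prefix A flag and the M flag independently, so the code reports both rather than the deck's either/or.

```python
import ipaddress
import os
import struct
from typing import Dict, List

RTR_ADV = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO = 1, 3


def mac_to_modified_eui64(mac: str) -> bytes:
    """00-AA-00-3F-2A-1C -> 02 AA 00 FF FE 3F 2A 1C (insert FF-FE, flip the U/L bit 0x02)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Step 1 of the boot sequence: FE80::/64 + modified EUI-64 interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_modified_eui64(mac))


def solicited_node_multicast(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Step 2 (DAD) solicits FF02::1:FFxx:xxxx, the low 24 bits of the tentative address."""
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + addr.packed[13:])


def random_temporary_iid() -> bytes:
    """RFC 3041-style temporary interface ID: 64 random bits with the U/L bit cleared."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD                      # clear bit 0x02: 'local', not derived from hardware
    return bytes(iid)


def parse_router_advertisement(payload: bytes) -> Dict:
    """Parse an ICMPv6 RA (RFC 4861 s4.2): header flags plus Prefix Information options."""
    if len(payload) < 16:
        raise ValueError("RA header truncated")
    msg_type, code, _cksum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != RTR_ADV or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "hop_limit": hop_limit, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the whole packet
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option overruns packet")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred, _res, prefix = struct.unpack("!BBIII16s", payload[off + 2:end])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((int.from_bytes(prefix, "big"), plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": preferred})
        off = end                                    # unknown options are skipped, per RFC 4861
    return ra


def ra_is_acceptable(payload: bytes) -> bool:
    """What a listener does with a malformed RA: drop it whole, never apply it half-parsed."""
    try:
        parse_router_advertisement(payload)
        return True
    except ValueError:
        return False


def configure(ra: Dict, mac: str) -> Dict:
    """Steps 5-6: SLAAC addresses from A-flag /64 prefixes, plus whether to start DHCPv6."""
    iid = mac_to_modified_eui64(mac)
    addrs: List[ipaddress.IPv6Address] = []
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"].prefixlen == 64:    # SLAAC needs a /64
            addrs.append(ipaddress.IPv6Address(p["prefix"].network_address.packed[:8] + iid))
    return {"slaac": addrs, "dhcpv6": ra["managed"], "dhcpv6_other_config": ra["other"]}


# Constructed RA (not a captured packet): M=0, O=1, one /64 prefix with L and A set, preceded
# by a Source Link-Layer Address option the parser must skip over. Checksum left at zero.
HOST_MAC = "00-AA-00-3F-2A-1C"
SAMPLE_RA = (struct.pack("!BBHBBHII", RTR_ADV, 0, 0, 64, 0x40, 1800, 0, 0)
             + bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("00aa003f2a01")
             + struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0,
                           ipaddress.IPv6Address("2001:db8:1:2::").packed))

if __name__ == "__main__":
    ll = link_local_address(HOST_MAC)
    print("link-local", ll, "DAD probe to", solicited_node_multicast(ll))
    print(configure(parse_router_advertisement(SAMPLE_RA), HOST_MAC))
```

A rogue RA attack is exactly this parser run on a packet nobody checked: anything on the link can set M, O and A flags and hand out a prefix or a default router. The hop-limit and link-local source checks belong in front of this code; the zero-length-option rejection protects the parser itself.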


MobileIP

•RFC 3775 (Mobility Support in IPv6)

•Components:
• Mobile Node
• Home Agent (a router on the home link that intercepts traffic for the mobile node and tunnels it to its current location)
• Home Address (HoA) (“permanent address”)
• Care-of Address (CoA) (“hosting net address”)

•Uses packet extension headers (Mobility header, type 2 Routing header, Home Address destination option)

•Can be P2P (correspondent node directly to mobile node) with route optimization