ipv6 workshop in taiwan, 2006 - wiborne inc
TRANSCRIPT
Role of IPv6 to Secure Wireless Sensor – Update
IPv6 Workshop in Taiwan, 2006
Date: 10/26/06
[email protected]
We boost airborne wireless: innovative, reliable, and secure.
Agenda
• Year 2004 – IPv6 Seminar
• Our Direction
• Security – Wired and Wireless
• WiFi Citywide
• IPv6 and RFID
• Q & A
IPv6 IPSec Routers (Yr 2004)
• 6WIND
• FreeBSD/KAME (www.kame.net) – Hiroshi Esaki, Fujitsu, Hitachi, NEC, Yamaha, Toshiba
• OpenBSD/ISAKMPD – WiBorne’s Wireless AWG-60
• IOS – Cisco IPv6 Router
• JUNOS – Juniper Networks
• Linux – FreeS/WAN (www.freeswan.org), USAGI/Japan (www.linux-ipv6.org)
• etc.
• Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography
• IPv6 from release 2.6 to the latest 3.9
• Complete IPv6 since 2.7
• comfortable and constant operation over all WiBorne products
• extensive and identical feature set over all WiBorne products
• Webconfig – configuration via browser, SSH, console, terminal
• free, regular software updates
• firmsafe – backup for remote software updates
WiBorne OS for Appliance Products: OpenBSD- the Ultra Secure OS
• OpenBSD = Security
• Stateful Packet Filter (pf)
• IPSec/AES
• OpenSSH
• HostAP
• IPv6 since 2.6 to 3.9
• FreeBSD = Stability
• More drivers
• Linux = Embedded
• SoHo Applications
• Commercial
Only one remote hole in the default install, in more than 10 years!
/sbin/route add -inet6 default 3ffe:b00:c18:1fff:0:0:0:2d9
WiBorne Wireless Management Tools
• extensive, user-friendly set for the administration of WiBorne products and solutions
• simple configuration and control of the products
• usability in look-and-feel design
• simultaneous management of several hardware units
• security-relevant data on demand
• accounting information (cost control) on demand
• free, regular software updates
Wireless IPv6 IPSec Router (AWG-60, 2004)
The AWG-60 facilitates IPSec-based VPN-over-broadband with next generation Internet Protocol version 6 (IPv6) infrastructure solutions. It is capable of fulfilling future demands on address space, encryption, authentication, and mobility. This allows full, unconstrained IP connectivity for today's IP-based machines as well as upcoming mobile devices like PDAs and wireless phones – all will benefit from full IP access through GPRS and UMTS.
Key features include:
• AES, DES, 3DES encryption
• Dual stack for both IPv4 and IPv6 IPSec tunnels, IKE/ISAKMP protocols; configurable site-to-site or site-to-clients VPN
• VLAN technology
• Dynamic routing performance
• Security policies can be set on a per-host or per-network basis, not per application/service
• BGP4, RIP, RIP2, RIPng, OSPF (v4/v6)
• Single sign-on with external authentication servers (Kerberos, LDAP, and RADIUS)
• OS fingerprinting with packet frame captured to a small-footprint database
• Comprehensive firewall for wired and wireless subnets
• QoS (packet shaping functions)
• SSH remote configuration, console mode
The only potential client: Tinker AFB, OK (www.tinker.af.mil)
Wireless Sensors - Security Threats
Year 2004 Seminar
• Digital signatures for authentication are impractical for sensor networks: improved by SPINS and µTESLA (the micro version of the Timed, Efficient, Streaming, Loss-tolerant Authentication protocol)
• Individual sensors are assumed to be untrusted; compromising the base station can render the entire sensor network useless.
• Insertion of malicious code – spread to all nodes
• Interception of the messages containing the physical locations of sensor nodes allows an attacker to locate the nodes and destroy them.
• An adversary can observe the application-specific content of messages, including message IDs, time stamps and other fields.
• Injection of false messages that give incorrect information about the environment to the user.
• Inter-router authentication prior to the exchange of network control information
• Spoofed, altered, or replayed routing information
• Selective forwarding
• Sinkhole attacks
• Sybil attacks
• Wormholes
• Denial of Service (DoS), such as HELLO flood attacks
• Acknowledgement spoofing
www.tinyos.net
Wireless Sensors - Secure It!
Year 2004 Seminar
• Security mechanisms depend on the network application and on environmental conditions.
• The resources of sensor nodes (CPU, memory, battery) make it impractical to use secure algorithms designed for powerful workstations.
• Standard security: availability, confidentiality, integrity, authentication, and non-repudiation
• Wireless sensors add: message freshness, intrusion detection, intrusion tolerance, or containment.
• Security policies are defined by the admin of the sensor nodes: define the system architecture and the trust requirements.
• SPINS: Security protocols for sensor networks.
• 802.15.4/ZigBee with 128-bit AES encryption.
Vuln. in RFID – Year 2006
• Vulnerabilities in First-Generation RFID-Enabled Credit Cards: New York Times / ABC News 10/23/2006
• Names in the clear
• Payment fraud (skimming)
• Johnny Carson attacks
• Fixes: stronger data protections and cryptography (IPv6?)
http://www.rfid-cusp.org/blog/blog-23-10-2006.html
Vuln. in RFID – Year 2006
• Texas Instruments (TI) DST passive tag – ExxonMobil SpeedPass system
• More than 700M cryptographically-enabled keychain tags accepted at 10,000 locations worldwide.
• 40-bit key encryption, designed in the early 1990's by TI
• Given the same challenge and key as an actual tag, the cracker would compute the same response. The 16-way parallel cracker, a field programmable gate array (FPGA), was able to recover all 5 keys in well under 2 hours.
• Fixes: AES, or better HMAC-SHA1 (IPv6?)
http://www.rfid-analysis.org
Positioning
• innovative & secure communication solutions for the special business requirements
• consideration of customer requirements
• technological authority by our own R & D
• comfortable & uniform operation of all products
• simple configuration & maintenance
• protection of investment
• performance reliability
• service & support
Solutions and Products
• Wireless Access Controllers: for enterprise or hot zone: security, network, and billing
• Long Range Wireless Solutions: WISPers, Tenders / Projects Deployment
• W-RFID Solutions
• Short Range Wireless Solutions: Wireless RFID, Real Time Location System
Enterprises / SMB / WISP
Applications
(Figure: Wireless Internet from WiBorne – WWAN (3G, 3.5G), WLAN (WiFi), WPAN, WMAN (WiMAX), RFID (802.11, ZigBee), arranged by throughput (low/high) and range (short/long), and IPv6.)
Hotspot Gateway / Wireless Switch / IPv6 Router
Model No: HSG-200/HSG-1000
• Authentication (Kerberos, LDAP, MAC authentication with anti-spoofing of MAC)
• Authorization with Firewall
• Accounting/Billing for instant Hotspot
• Seamless IP roaming
• Remote configuration with associated Access Points (APs)
• Multiple platforms
• Large number of APs
• Up to 250 simultaneous users
• Clientless (Bypass VPN) option
• Guest/Role accounts
Model No: AWG-1000
• Secures 802.11 WLANs (a, b, g), VoIP
• Intrusion Detection / Prevention Systems (IDS/IPS)
• Clients supported: 1000 clients
• IPSec and SSL/TLS for strong client-to-gateway VPN and VLAN security
• Centralized management for any brand of associated Access Points; secure remote administration
• Quality of Service (QoS) functions
• Secure single sign-on integrated with local and domain authentication (Kerberos, RADIUS, and LDAP)
• 802.1x port-based authentication including EAP, PEAP, TLS, TTLS, and MD5
• Comprehensive stateful packet filter
• WLAN DHCP, NAT, DNS
Model No: AWG-60
• AES, DES, 3DES encryption
• Both IPv4 and IPv6 IPSec tunnels, IKE/ISAKMP protocols; configurable site-to-site or site-to-clients VPN
• VLAN technology
• Dynamic routing performance
• Security policies can be set on a per-host or per-network basis, not per application/service
• BGP4
• RIP, RIP2, RIPng
• OSPF (v4/v6)
• OS fingerprinting with packet frame captured to a small-footprint database
• Comprehensive firewall for wired and wireless subnets
• QoS (packet shaping functions)
• SSH remote configuration, console mode
WiBorne Products – Wireless Access Controllers
U.S. Homeland Security – The “Old Net” vs. The “New Net”
• The “Old Net” (1980+)
• The “New Net” (10 GHz) – Internet 2, IPv6, P2P
• Homeland Security Advisory System
• Cyberspace and physical space are becoming one
Critical Infrastructure Challenges – Reason for IPv6
• Agriculture and Food: 1.9 million farms; 87,000 food processing plants
• Water: 1,800 federal reservoirs; 1,600 treatment plants
• Public Safety & Health: 5,800 registered hospitals; 6,500 Emergency Operation Centers (911)
• Chemical Industry: 66,000 chemical plants
• Telecomm: 2 billion miles of cable
• Energy: 2,800 power plants; 300,000 production sites
• Transportation: 120,000 miles of railroad; 590,000 highway bridges; 2 million miles of pipeline; 300 ports
• Banking and Finance: 26,600 FDIC institutions
• Postal and Shipping: 137M delivery sites
• Key Assets: 5,800 historic buildings; 104 nuclear power plants; 80K dams; 3,000 government facilities; 460 skyscrapers
What the Watchdogs Tell Us
• CERT – Computer Emergency Response Team http://www.cert.org, http://www.cert.org.tw
• US-CERT – The U.S. Government’s version of CERT http://www.us-cert.gov
• CIS – Center for Internet Security http://www.cisecurity.org
• SANS – Internet Storm Center http://isc.incidents.org
• TrendMicro – World Map of Virus Attacks http://www.trendmicro.com/map
• OSVDB – Open Source Vulnerability Database http://www.osvdb.org/
Cyber Electronic Warfare
www.attrition.org
Attack Plan:
• use a system vulnerability detected
• gain the authorization level required
• achieve the objectives
• remove all the clues
Defense:
• Physical security
• Logical security
  • Encryption
  • Network / System / Application security
  • Security monitoring / auditing
• Organizational security
The most wanted Hacker Kevin Mitnick
Firewalls - Layered Defense
(Figure: Internet, DMZ (Web Server, FTP Server, E-Mail Server), Back Office (DB Server, Office Server).)
Simple IPv6 firewall rules (OpenBSD packet filter)
# interfaces and addresses (macros)
extif = "xl0"
intif = "xl1"
extip6 = "fec0:2029:f001:128::20"
intip6 = "fec0:2029:f001:192::1"
intnet6 = "fec0:2029:f001:192::/64"
ispdns6 = "{ fec0:2029:f001:1::1, fec0:2029:f001:128::3 }"
admin_machines6 = "{ fec0:2029:f001:192::10, fec0:2029:f001:192::11 }"
# anti-spoofing (note: the "inet" keyword limits these two rules to IPv4)
antispoof for lo0
antispoof for xl0 inet
antispoof for xl1 inet
# default deny inbound; answer ident (113) with RST instead of dropping silently
block in log all
block return-rst in log on $extif inet6 proto tcp from any to any port = 113
# outbound DNS, SMTP and ICMPv6 echo/neighbor advertisement from the router and the inside net
pass out on $extif inet6 proto udp from { $extip6, ::1, $intnet6 } to $ispdns6 port = 53 keep state
pass out on $extif inet6 proto tcp from { $extip6, ::1, $intnet6 } to any port = 25 keep state
pass out on $extif inet6 proto ipv6-icmp all ipv6-icmp-type { 128, 136 } keep state
# inbound router/neighbor discovery on the external side
pass in on $extif inet6 proto ipv6-icmp all ipv6-icmp-type { 134, 135, 136 }
# inside net: SSH to the router (logged), common client services, ICMPv6, DNS
pass in log on $intif inet6 proto tcp from $intnet6 to $intip6 port = 22 keep state
pass in on $intif inet6 proto tcp from $intnet6 to any port { 80, 443, 110, 143, 993, 25 }
pass out on $extif inet6 proto tcp from $intnet6 to any port { 80, 443, 110, 143, 993, 25 } keep state
pass in on $intif inet6 proto ipv6-icmp all ipv6-icmp-type { 128, 129, 135, 136 }
pass in on $intif inet6 proto udp from $intnet6 to $ispdns6 port = 53
pass in on $intif inet6 proto tcp from $admin_machines6 to $intip6 port = 22
IDS Sensor Placement
(Figure: the same layered network – Internet, DMZ (Web Server, FTP Server, E-Mail Server), Back Office (DB Server, Office Server) – with three sniffer servers for monitoring/analysis.)
• IPv6 IDS systems are in their infancy
• No official support in free Snort (yet)
• Available from NFR, ISS
• Some new attack types in IPv6
• Due to the new header format and protocols
• In dual-stack/transitioning networks too
• IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation
WLAN – Features for IDS
• Intelligent Analytical Engine
• Performance & Infrastructure Monitoring
• Security Monitoring
• Wireless LAN Administration
• Site Survey
• Troubleshooting Connections
• Packet Capture & Decodes
• Windows XP SP2 and Windows 2003 SP1: limited (in very few features) IPv6 support for Windows Firewall.
• Bypassing ISA Server 2004 with IPv6: http://www.securityfocus.com/archive/1/431593/30/0/threaded
WLAN IDS Signatures
• Spoofed MAC Address Detected
• Device Probing With NULL SSID
• Dictionary Attack in EAP Methods
• Abnormal Authentication Failures
• Denial of Service Attacks
• Association Flood
• Authentication Flood
• EAPOL logoff
• EAPOL start
• EAPOL ID Flood
• EAPOL Spoofed Success
• Deauthentication Broadcast
• Deauthentication Flood
• Dis-association Broadcast
• RF Jamming
Detects 16 Threats
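As an added worked example (not code from the slides or from WiBorne's products), the following Python implements two of the signature names in the list above, "Deauthentication Flood" and "Spoofed MAC Address Detected", over a constructed set of 802.11 management-frame records. The record format, the sliding-window threshold, and the sequence-number heuristic are my assumptions about how such signatures are typically built, not the presentation's.

```python
# Added example (not from the slides or from WiBorne): a toy WLAN IDS that
# implements two of the signature names listed above, "Deauthentication Flood"
# and "Spoofed MAC Address Detected", over constructed 802.11 management-frame
# records. The record format, thresholds and window sizes are my assumptions.
from collections import defaultdict, deque

DEAUTH_THRESHOLD = 10   # deauth frames from one transmitter within DEAUTH_WINDOW
DEAUTH_WINDOW = 2.0     # seconds
SEQ_JUMP = 64           # 802.11 sequence numbers normally advance by 1 per frame
SEQ_ANOMALIES = 3       # distinct jumps before we call the transmitter spoofed


def detect_deauth_flood(frames, threshold=DEAUTH_THRESHOLD, window=DEAUTH_WINDOW):
    """Sliding-window count of deauthentication frames per transmitter address.
    Returns one alert per offending address: (signature, src, time_of_alert)."""
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["subtype"] != "deauth":
            continue
        q = recent[f["src"]]
        q.append(f["t"])
        while f["t"] - q[0] > window:      # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and f["src"] not in flagged:
            flagged.add(f["src"])
            alerts.append(("Deauthentication Flood", f["src"], f["t"]))
    return alerts


def detect_spoofed_mac(frames, jump=SEQ_JUMP, min_anomalies=SEQ_ANOMALIES):
    """A genuine AP emits beacons with a monotonically increasing 12-bit sequence
    number (mod 4096). Two radios sharing one MAC produce interleaved streams, so
    the observed sequence keeps jumping. Count large forward jumps per address."""
    last_seq = {}
    jumps = defaultdict(int)
    for f in sorted(frames, key=lambda f: f["t"]):
        if f["subtype"] != "beacon":
            continue
        src, seq = f["src"], f["seq"]
        if src in last_seq and (seq - last_seq[src]) % 4096 > jump:
            jumps[src] += 1
        last_seq[src] = seq
    return [("Spoofed MAC Address Detected", src, n)
            for src, n in sorted(jumps.items()) if n >= min_anomalies]


def run_ids(frames):
    """Run every detector and return the combined alert list."""
    return detect_deauth_flood(frames) + detect_spoofed_mac(frames)


# Constructed sample capture: a burst of 15 deauth frames from one transmitter,
# a legitimate AP beaconing with seq 200..203, and a second AP's BSSID seen with
# two interleaved sequence streams (100,101,102 and 3000,3001,3002).
SAMPLE_FRAMES = (
    [{"t": i / 10, "src": "00:11:22:33:44:55", "subtype": "deauth", "seq": i}
     for i in range(15)]
    + [{"t": 1.0 + i / 10, "src": "aa:bb:cc:dd:ee:02", "subtype": "beacon", "seq": 200 + i}
       for i in range(4)]
    + [{"t": 1.0 + i / 10, "src": "aa:bb:cc:dd:ee:01", "subtype": "beacon", "seq": s}
       for i, s in enumerate([100, 3000, 101, 3001, 102, 3002])]
)

if __name__ == "__main__":
    for alert in run_ids(SAMPLE_FRAMES):
        print(alert)
```

On the sample capture the flood detector fires once, on the tenth deauth frame at t=0.9, and the spoof detector reports five sequence jumps for the BSSID that is being transmitted by two radios; the cleanly beaconing AP produces no alert. Both thresholds are tunable, and a deployment would calibrate them against a baseline capture from the site.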
• The life of IPv6 worms is harder for address-space scanners – Code Red / Slammer.
• A worm can determine the addresses of other existing nodes in the same LAN via v6’s Neighbor Discovery
http://www.cs.columbia.edu/~smb/papers/v6worms.pdf
Ahmedabad WiFi Project (AWP) – Potential IPv6 Town
(Figures: 2-D Navigation; 3-D Navigation)
Scope of Works:
• Suggesting and providing a cost-effective wireless solution for Ahmedabad for an area of almost 500 sq. kms, covering about 1 lac probable customers including the existing network of AMC.
• Networking solution using the latest WiFi technology, and hardware requirements
• Implementation proposal and maintenance of this wireless network for a minimum of three years.
• The company should have installed a similar project elsewhere using the latest technology and expertise.
• The company will be responsible for setting up the infrastructure and O&M of the same for three years. Day-to-day operations and troubleshooting will be the responsibility of the company.
Proposal Solution for AWP: Alpha Bee – a Micro Cell Design
Benefit:
• Logical design – depends on user density; simply increase or decrease the size of the individual cell for optimal coverage
• Data rate for backhaul is 24 to 54 Mbps, depending on terrain
• Dense micro cell coverage, which eliminates the need and costs for site surveys and ongoing RF management.
• Meets the technical and budgetary requirements and fits the needs of a cost-effective approach.
• Each color represents not only an area but also a specific channel, which can be repeated at optimal channel separation
• The center of each area is the point of origination; the others depict the spreading of coverage in a logical methodology
Automated Meter Reading (AMR) IPv6 Applications
Electronic sensors paired with AWP wireless networks can collect meter data and send it instantly to the utility data center:
• 130 million wireless tags for 20 km squared of range
• Reduce costs associated with manual meter reading
• Reduce human error in data entry and collection
• Perform quicker analysis of utility consumption
• Set threshold limits that cannot be exceeded, avoiding revenue loss
• A single IPv6 subnet maps the entire RFID space of the whole community
• Each RFID tag becomes addressable in the IPv6 network
(sample photos)
RFID Technology
• An RFID tag is a transponder
• It is a microchip that can receive and respond to RF queries from an RFID transceiver
• A smart bar code
• Components include tags, readers, processing software (RTLS, Logistics, Middleware), and servers.
• Tags can be active, semi-passive, or passive
• Passive: very small since there is no battery
• Semi-passive: own power for the environment (sensing), RF from the reader
• Active: larger due to the internal battery
• Operate on multiple frequencies and provide different reading ranges
WiBorne Products – LOC-1000 802.11 Active RFID
(Figure: WLAN Wireless Switch; WLAN (802.11) / RFID frequencies communication; WLAN / RFID Access Ports; Asset Tracking & Location Software; Wi-Fi, UHF Tracking Tags; Middleware for Error Reduction; Secure Internet / Intranet; High Power W-RFID Tag for Outdoor Tracking.)
The solution combines Wireless LAN technology with location information to enable location-based applications for both outdoor and indoor facilities. LOC-100 could directly communicate with tagged devices from anywhere within the IPv6 network.
WiBorne Products – LOC-1000 802.11 Active RFID (cont)
RF-Locate Intelligent Software
• continuous tracking in both outdoor and indoor areas
• real long range of tracking area for Wi-Fi Citywide
• limitation of damage through control of objects and high-grade goods
• integrated with Google Earth to present users at their exact position
• workload optimization
• improvement of resource availability
• visualization and establishment of animation profiles
• high investment security through a cross-platform open interface to video monitoring
CAP-2409R Long-Range Wi-Fi CPE and Reader
Combines an 802.11 b/g RFID reader with a long-range CPE – occurring disruptions can be compensated by the new model, and high accuracy is assured.
RF-T24 Asset Tags
• continuously reports the measured WLAN signal values to RF-Locate
• different energy modes
• panic button
• range of RF-T series tags: hundreds of meters ~ 2–3 kilometers
• extensibility: external antenna, belt, additional sensors, customized PC board…
Each RFID tag becomes addressable in the IPv6 network – the reachable scope is defined by the IPv6 prefix used
Requirements of positioning for indoor navigation (RTLS):
• Accuracy
• Integrity – issue an alarm in case of large estimation errors
• Availability (Coverage)
• Continuity of service (Location Estimation response time)
W-RFID Location Tracking
(Figure: Tracking Software (RTLS) – tracking wireless tags and WLAN-enabled devices: PDAs, laptops, VoIP phones, barcode/RFID scanners, hospital wireless equipment, WiFi tags.)
RFID + Access Control: from RFID, Physical, Logical, Identity, Financial Access to Network
(Figure: ACC – BPID™ Security Device; Wireless Radio Frequency ID (W-RFID) information on medical assets and location, for collection in combined ACCs/WiFi Asset Manager Access Point/Internet Servers (AP/ISs).)
• RFID and Bluetooth
• Fingerprint sensing without a centralized biometric database, for privacy
• Devices support physical (biometric) and logical (network) access
• Replacement of driver license, password, government or military IDs and other credentials
WiBorne W-RFID: Other Applications
RFID RTLS and Tags: Horse Tracking, Airport, Old Ages / Health Care, Military, Harbor, Hi-Rise Buildings, City-Wide Communication, Entertainment, Construction, Transportation, Law Enforcement, Mining
RFID Code Structure
• Header: identifies the EPC version number – allows for different lengths or types of EPC: Type I, Type II, Type III, Type IV.
• EPC Manager: the manufacturer of the product the EPC is attached to, e.g. Coca Cola
• Object Class: exact type of product, most often the SKU (Stock Keeping Unit), e.g. Diet Coke US Version
• Serial Number: unique id of the item; tells exactly which Diet Coke
Element   Header   EPC Manager   Object Class   Serial Number
Bits      8        28            24             36
• IPv6
  • IPv6 addresses are 128 bits in length
  • The first 64 bits are the subnet portion – this is how routers determine location
  • The last 64 bits are the interface ID portion – this uniquely identifies a device on a subnet
  • 64 bits = ~18 quintillion unique devices
• RFID
  • Tags are 96 bits in length (Type 1)
  • Company-specific data (unique identity) is 60 bits: a 28-bit object class and a 32-bit serial number
  • Only ~1.1 quintillion unique identities available
• Migration: powerline communication, WiFi, WiMAX, ZigBee, Unlicensed Mobile Access (UMA)
Integration for IPv6 and RFID: Long-Term Solutions
The Integrated Address
• The RFID Object Class and Serial Number become the IPv6 Interface ID
• The local router assigns one or (likely) more IPv6 prefixes for local, site, global, and multicast reachability
• The address formats fit nicely together without conflicts or loss of functionality
• IP addresses can be a bad choice as an ID: like URLs they are not stable, whereas using a code (like an EPC) persistently identifies a given object.
• In complex RFID applications, different instances or states of an object would require multiple IP addresses.
(Figure: RFID Tag (EPC): H | EPC Manager | Object Class | Serial Number, with Object Class and Serial Number forming the Unique ID; IPv6 Address: Network/Subnet | Host/Device.)
• A single IPv6 subnet maps the entire RFID space for a company. That subnet would be a wireless subnet that stretches wherever
• Each RFID tag becomes addressable in the IPv6 network. The reachable scope is defined by the IPv6 prefix used
• Location computation software could directly communicate with tagged devices from anywhere within the IPv6 network
• Disclaimer: Although active and passive RFID tags will coexist in the future, many of the currently passive RFID tags will subsequently evolve towards active tags, which have networking capabilities. This will mean that a large number of tags will need network addresses for communications. IPv6 will play an important role here. But tags themselves do not necessarily have to be equipped with IPv6 addresses until needed.
Integration Mapping
Pros & Cons of IPv6 with RFID
Pros
• More suitable for higher density; more efficient air interfaces and spectrum use; much higher bit rates; ubiquitous coverage
• No NAT necessary (NAT adds extra cost to the cost-prohibitive WSN)
• Possibility of adding innovative techniques such as location-aware addressing
• Increases scalability – connect a trillion devices including machine-to-machine (M2M) and sensor networks
• All-IP coverage and beyond; can accept a range of IP addresses
• Wireless devices that eliminate the need for SSIDs (own unique IPs, no NAT)
• Minimizes hackers’/crackers’ ability to penetrate networks
Cons
• Larger address width (having efficient address compression schemes may alleviate this con)
• Complying with IPv6 node requirements (IPSec is mandated)
• Cost of changeover – current infrastructure cannot be used unless it is already IPv6 compliant; new hardware required
• Network changes – re-addressing of current IPv4 hardware/clients; compatibility with existing wireless infrastructure
• www.6lowpan.org: battery power, limited packet size – compress IPv6 headers
Conclusion
• An IP address on an RFID device makes it reachable – requires implementation of an entire network stack
• Sensor networks and RFID may be the final impetus to push adoption of IPv6
• Roadmap for RFID/IPv6: mid-2008 / 2009
Source: IT Roadmap Toward 2010, Nomura Research Institute, Japan.