IPv6 Security Topics

Jan 08, 2016

Page 1: IPv6 Security Topics

©2005 Check Point Software Technologies Ltd. Proprietary & Confidential

IPv6 Security Topics

TAU Security Forum, February 2005

Yoni Appel

IPv6 Project Manager

[email protected]

Page 2: IPv6 Security Topics

Agenda

Novelties in IPv6
  – A short overview

IPv6 deployment today
  – Asia
  – Cellular industry
  – U.S. Department of Defense
  – Academia

Security topics with IPv6
  – New network stacks and logic
  – Application security
  – End to end encryption
  – Transition and tunneling

Gidon Leizer
Mention Nokia and Crossbeam
Page 3: IPv6 Security Topics

Novelties in IPv6

Page 4: IPv6 Security Topics

Novelties in IPv6

Address size is 128 bits
  – 340,282,366,920,938,463,463,374,607,431,768,211,456 possible IP addresses
  – Efficient addressing

Simpler header format, reduced number of fields

Offload computation effort from the router to the end points
  – Fragmentation handled by the end points
  – Extension headers

Built in authentication and encryption

Address auto configuration

Page 5: IPv6 Security Topics

IPv6 deployment today

Page 6: IPv6 Security Topics

Security topics with IPv6

Asia

Major investment in IPv6 infrastructure is made by governments and technology vendors

This effort is driven mainly by the shortage of IPv4 addresses

Page 7: IPv6 Security Topics

Security topics with IPv6

Asia – Japan

In Japan there is a strong collaborative effort to push IPv6 by government, vendors and service providers

Such collaboration is the key for solving the “Chicken and Egg” problem, which is a main theme for IPv6
  – A native IPv6 link is already available for homes in Japan
  – NTT/Verio has built a worldwide IPv6 backbone

Page 8: IPv6 Security Topics

Security topics with IPv6

Asia – Japan cont.

Page 9: IPv6 Security Topics

Security topics with IPv6

Asia – Japan cont.
  – Webcam, VoIP and other end point equipment vendors are adding IPv6 support
  – 18 M$ allocated by the Japanese government for IPv6 R&D
  – IPv6 networks roll out during 2005

Page 10: IPv6 Security Topics

Security topics with IPv6

Asia – China
  – CNGI – China Next Generation Internet rolls out during 2005
  – The project will be the core of China’s infrastructure for 3G and other telecommunication services for the next decades
  – 169 M$ will be invested in IPv6 infrastructure by 2010

Page 11: IPv6 Security Topics

Security topics with IPv6

Asia – additional countries

Substantial government investment will also be made in the next few years in additional Asian countries
  – 72 M$ in South Korea
  – 78 M$ in Taiwan

Page 12: IPv6 Security Topics

Security topics with IPv6

Cellular industry

The mobile phone – a killer application for IPv6

Handsets supporting IPv6 are ready

3GPP release 5 introduces IMS – IP Multimedia Subsystem

IMS is based on SIP and will enable advanced mobile services
  – Video Streaming
  – Gaming
  – Chat

IMS requires usage of IPv6

Page 13: IPv6 Security Topics

Security topics with IPv6

U.S. Department of Defense

The DoD plans transition to IPv6 by 2008

The DoD’s efforts are driven by the needs of the future battlefield

Intensive industry-wide IPv6 testing is conducted in the Moonv6 interoperability events

The transition will affect DoD partners and major contractors

Page 14: IPv6 Security Topics

Security topics with IPv6

Academia

Universities worldwide are experimenting with IPv6

Fully active deployments in many universities

Page 15: IPv6 Security Topics

Security topics with IPv6

Page 16: IPv6 Security Topics

Security topics with IPv6

New IP stacks

More devices are connected to the web and are more widely accessible as there is no NAT

Low end devices are less flexible and have little security awareness

New IP logic and new IP stack implementation will result in new vulnerabilities, and tweaks in the old ones

Page 17: IPv6 Security Topics

Security topics with IPv6

New IP stacks – examples

The Rose Attack – incomplete fragments causing resource exhaustion at the attacked node

Denial of Service attacks – we have witnessed several attacks during the last year where a series of crafted packets caused a crash at the attacked node – both routers and hosts

Many IPv6 stacks may be vulnerable to these kinds of attacks
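
Added example (not part of the original slides): a sketch of how a stack can keep incomplete fragment sets from exhausting memory, by capping the number of datagrams under reassembly, capping fragments per datagram, and timing out stale state. The class name, the limits (4 datagrams, 16 fragments, 30 seconds) and the byte-based offsets are assumptions chosen for illustration.

```python
class ReassemblyTable:
    """Fragment reassembly state with hard caps and a timeout (limits are assumed values)."""
    def __init__(self, max_datagrams=4, max_frags=16, timeout=30.0):
        self.max_datagrams = max_datagrams
        self.max_frags = max_frags
        self.timeout = timeout
        self.pending = {}  # key -> {"first_seen": float, "frags": {offset: (data, more)}}

    def expire(self, now):
        """Drop datagrams that stayed incomplete longer than the timeout."""
        stale = [k for k, e in self.pending.items() if now - e["first_seen"] > self.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def add(self, key, offset, data, more, now):
        """Store one fragment; return the full payload once complete, else None."""
        self.expire(now)
        if not data: return None  # zero-length fragments carry nothing to reassemble
        if key not in self.pending:
            if len(self.pending) >= self.max_datagrams:
                return None  # table full: refuse new state rather than grow without bound
            self.pending[key] = {"first_seen": now, "frags": {}}
        frags = self.pending[key]["frags"]
        if len(frags) >= self.max_frags:
            del self.pending[key]  # too many pieces for one datagram: discard it
            return None
        frags[offset] = (data, more)
        pos, out = 0, b""
        while pos in frags:  # walk contiguous fragments starting at offset 0
            chunk, more_follow = frags[pos]
            out += chunk
            pos += len(chunk)
            if not more_follow:
                del self.pending[key]
                return out
        return None

def demo():
    """Constructed input: 100 datagrams that never complete, then one normal datagram."""
    table = ReassemblyTable()
    for i in range(100):
        table.add(("2001:db8::bad", i), 0, b"A" * 8, True, now=0.0)
    held = len(table.pending)
    expired = table.expire(now=31.0)
    table.add(("2001:db8::1", 7), 0, b"hello ", True, now=31.0)
    whole = table.add(("2001:db8::1", 7), 6, b"world", False, now=31.5)
    return held, expired, whole
```

Refusing new state when the table is full bounds memory but also delays legitimate fragmented traffic until the timeout frees a slot, so the cap and the timeout have to be tuned together.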

Page 18: IPv6 Security Topics

Security topics with IPv6

Sweep Scan

A worm scans a network to see which nodes are candidates for it to spread itself to, e.g. which nodes are listening to a specific port

The Welchia worm used a ping based sweep scan for its propagation

With IPv6, sweep scans are less practical as there will be numerous IP addresses on the local network

Sweep scan can be detected before locating a critical mass of possible propagation candidates

Page 19: IPv6 Security Topics

Security topics with IPv6

Application security

Applications that deal extensively with IP addresses may be vulnerable due to
  – fast application conversions of legacy code
  – incorrect buffer handling
  – incorrect address calculations
  – different applicative logic related to IPv6

Servers are exposed to application level attacks even in an IPv6 experimentation environment

Page 20: IPv6 Security Topics

Security topics with IPv6

DNS – An Application Security example

New resource record types have been added for IPv6 – AAAA, A6 and DNAME

The A6 and DNAME resource records support a distributed database containing partial information regarding IPv6 addresses

BitString labels – a new way of representing IPv6 addresses in DNS

IPv6 resource records can pass in IPv4 DNS requests

Page 21: IPv6 Security Topics

Security topics with IPv6

End to End Encryption

IPv6 mandates encryption as an integral part of an endpoint’s implementation

This method has notable advantages
  – Prevents eavesdropping inside the LAN
  – Simplifies the security requirements at the application layer
  – Increases interoperability

Page 22: IPv6 Security Topics

Security topics with IPv6

End to End Encryption

End to end encryption implies network and application security at the endpoints

However the endpoint may lack the required abilities to address security at design and deployment phases
  – Awareness
  – Expertise
  – Responsiveness
  – Flexibility
  – Distribution mechanism

Page 23: IPv6 Security Topics

Security topics with IPv6

Transition Mechanisms

There are several transition mechanisms between IPv6 and IPv4
  – NAT-PT – translates IPv6 to IPv4 and vice versa
  – SIT – Six in Tunnel (several methods)
  – Teredo – a NAT-friendly IPv4 tunnel (based on UDP encapsulation)

Page 24: IPv6 Security Topics

Security topics with IPv6

Transition and tunneling

IPv6 in IPv4 may be used by malicious applications to bypass security inspections

It is best practice to
  – Block all of these tunnels for IPv4 deployments or
  – Be the endpoint of these tunnels and make sure that the encapsulated traffic gets inspected
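
Added example (not part of the original slides): a classifier that an IPv4 inspection point could use to recognise the tunnels named above before deciding to block them or terminate them. It relies on two standard values that do not appear on the slides, IP protocol number 41 for IPv6 carried directly in IPv4 (SIT-style tunnels) and UDP port 3544 for Teredo; the function names and sample packets are constructed for illustration.

```python
import socket
import struct

PROTO_IPV6_IN_IPV4 = 41  # IP protocol number of IPv6 encapsulated directly in IPv4
PROTO_UDP = 17
TEREDO_PORT = 3544       # well-known Teredo UDP port

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet: 'sit', 'teredo', 'other' or 'malformed'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if proto == PROTO_IPV6_IN_IPV4:
        return "sit"
    if proto == PROTO_UDP and frag_offset == 0 and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        # Match on the port only: Teredo may put indication headers
        # in front of the inner IPv6 packet, so its first byte varies.
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "other"

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0, documentation addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.20")) + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

INNER_IPV6 = b"\x60" + bytes(39)  # constructed 40-byte IPv6 header, version nibble 6

SAMPLES = {  # constructed test traffic
    "6in4": ipv4(PROTO_IPV6_IN_IPV4, INNER_IPV6),
    "teredo": ipv4(PROTO_UDP, udp(50000, TEREDO_PORT, INNER_IPV6)),
    "dns": ipv4(PROTO_UDP, udp(50001, 53, b"\x00" * 12)),
    "short": b"\x45\x00",
}

def tunnels_to_block(samples: dict) -> list:
    """Names of samples a block-all-tunnels IPv4 policy would drop."""
    return sorted(n for n, p in samples.items() if classify(p) in ("sit", "teredo"))
```

Non-first UDP fragments carry no port numbers and fall through to 'other' here, so a real inspection point would reassemble before classifying; NAT-PT is address translation rather than encapsulation and is outside what this check sees.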

Page 25: IPv6 Security Topics

Questions?