- Slides: 22
IPv6 Security & Security concerns over the switch to IPv6
• IPv6 has built-in security via IPsec (Internet Protocol Security).
  ◦ IPsec operates at OSI layer 3, or the internet layer of the Internet Protocol Suite.
• IPsec
  ◦ Internet Engineering Task Force (IETF)
  ◦ Encrypts the IP connection between computers
  ◦ Data is encrypted at the packet level
  ◦ The standard for IP encryption
• IPsec provides four major functions:
• Confidentiality – The sender can encrypt the packets before transmitting them across the network. If the communication is intercepted, it cannot be read by anybody.
• Data integrity – The receiver can verify whether the data was changed while travelling the internet.
• Origin authentication – The receiver can authenticate the source of the packet.
• Anti-replay protection – The receiver can verify that each packet is unique and not duplicated.
◦ IPsec is a framework of open standards which uses the following three protocols:
  • Security Association
  • Authentication Header
  • Encapsulating Security Payload
• Security Association: Handles protocols and algorithms used to generate the encryption and authentication keys used by IPsec.
• Authentication Header provides connectionless integrity and data origin authentication for IP datagrams.
• Encapsulating Security Payload provides confidentiality, data origin authentication and connectionless integrity.
• IPsec was developed in conjunction with IPv6 and it is required in all implementations of IPv6.
• Although IPsec was designed for IPv6, it can be and has been used to secure IPv4 traffic for some time now.
• Although IPv6 itself has built-in security, the coming change to IPv6 and away from IPv4 has raised security concerns over how the change from one protocol to another may be exploited.
• The main catalyst for IPv6 is the soon-to-be-depleted number of IPv4 addresses. Some estimates say it may take more than a decade for IPv6 capabilities to spread throughout the network community.
• During this transition time and even afterwards, some servers will be available over IPv4 only, some over IPv6 only, and some over both protocols.
• Support and security for both of these protocols will be needed for an extended period.
• The security concerns at this early stage deal with the minimal but growing amount of IPv6 traffic running across IPv4 networks that are not secure against threats arriving via this IPv6 traffic.
• Most U.S. organizations have hidden IPv6 traffic running across their networks. They can have IPv6 running on their networks and not know it.
• Windows 7, Vista, Windows Server 2008, Mac OS X, Linux and Solaris all ship with IPv6 enabled by default.
• The main concern lies with security meant to monitor IPv4 traffic. This security needs to be updated to include IPv6.
• Firewalls need to be able to distinguish between IPv4 and IPv6. If you only have an IPv4 firewall, you can have IPv6 running between you and the threat.
• Tunneling is another area of concern. IPv6 traffic can be tunneled over IPv4 using mechanisms such as Teredo, 6to4, or ISATAP.
• Typical IPv4 security devices are not tuned to look for tunneled traffic. Tunneled traffic can be hard to discern and decipher in any case, as the following example suggests: you can tunnel IPv6 over HTTP over IPv4.
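Added example (not part of the original slides): a small Python classifier showing what an IPv4 inspection point has to check to notice the tunnels named above. It assumes facts the slides do not state (6to4 and ISATAP ride on IP protocol 41; Teredo servers use UDP port 3544); the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                                # Teredo server UDP port (RFC 4380)
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix (RFC 3056)
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ISATAP interface-ID prefix

def classify(pkt: bytes) -> str:
    """Return which IPv6-over-IPv4 tunnel, if any, a raw IPv4 packet carries."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or not 20 <= ihl <= len(pkt):
        return "not-ipv4"
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return "ipv4-fragment"            # non-first fragment: no inner header to inspect
    proto, payload = pkt[9], pkt[ihl:]
    if proto == 41:                       # IPv6 carried directly in IPv4
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "proto41-malformed"
        ends = (payload[8:24], payload[24:40])    # inner source, destination
        if any(ipaddress.IPv6Address(a) in SIX_TO_FOUR for a in ends):
            return "6to4"
        if any(a[8:12] in ISATAP_IIDS for a in ends):
            return "isatap"
        return "6in4"
    if proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Port match only: peer-to-peer Teredo on other ports is not caught here.
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "plain-ipv4"

# --- constructed sample packets (documentation addresses, checksums left at 0) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + payload

def _ipv6(src: str, dst: str) -> bytes:
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

SAMPLES = {
    "6to4": _ipv4(41, _ipv6("2002:c000:201::1", "2001:db8::1")),
    "isatap": _ipv4(41, _ipv6("2001:db8::5efe:c000:201", "2001:db8::1")),
    "6in4": _ipv4(41, _ipv6("2001:db8::2", "2001:db8::1")),
    "teredo": _ipv4(17, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0)),
    "plain-ipv4": _ipv4(6, bytes(20)),
}
```

IPv6 wrapped in HTTP, as the slide notes, would show up here as plain-ipv4: header checks like these do not replace payload inspection.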
• Rogue IPv6 traffic can include attacks such as botnet command and control.
• One example of a botnet attack using IPv6 had the IPv6 protocol hiding itself as IPv4 through the router. It was then attacking and issuing command-and-control instructions to a botnet in the Far East. Another type of threat has seen illegal file sharing that leverages IPv6 for peer-to-peer communications.
• The type 0 routing header is another potential security problem with IPv6. This feature of IPv6 allows you to specify in the header what route is used to forward traffic. A hacker could use this to overwhelm a part of the network by generating denial-of-service traffic.
• RFC 5095, dated December 2007, called for measures to confront this problem. Implemented yet?
• The number of attacks via IPv6 has been low, but this can be attributed to the low amount of IPv6 traffic and the fact that the vast majority of the prime targets are still using IPv4.
• Organizations will have to mirror what they have done for IPv4 security with IPv6. Until recently IPv4 was the only protocol used and the only one that network security needed to be concerned with. Now there is IPv4, IPv6 and IPv6 tunneled over IPv4.
• Companies are now coming out with products to deal with these issues.
• Command Information Assure6 and McAfee Network Security Platform both provide full IPv6 and tunnel inspection.
• Cisco and Juniper offer IPv6-enabled routers and firewalls.