Securing IPv6 Ken Renard WareOnEarth

  • Slides: 13

Securing IPv6
Ken Renard
WareOnEarth Communications, Inc
<kdrenard@wareonearth.com> <kdrenard@hpcmo.hpc.mil>

Commercial Security Tools
• “IPv6 support” has a wide spectrum of meaning
  – “We support IPv6 and all its components per RFCs”
  – “If you throw an IPv6 packet at us, we won’t crash”
• IPv6 is low priority with most vendors
• Firewall support has been slow
  – Major vendors are now stepping up to the plate
  – Limited tunneling support
• VPN products (IPsec-based)
  – Yet to see one that supports or even acknowledges IPv6

Commercial Security Tools
• Operating Systems
  – More Unixes are starting to support IPsec for IPv6
• Need to perform careful evaluation
  – Few vendors have practical IPv6 experience or environment
• Products will mature as IPv6 adoption increases
  – Obtain practical experience and discover full set of requirements
  – Prepare yourself for growing pains

IPv6 Security -- Site Deployment
• Most sites set up test bed networks first
  – Cannot get authorization to run on production networks
• Sites have valid security concerns
  – Political
    • “My agency requires brand-X firewall -- will it do v6?”
    • Can I get system accredited?
  – Technical
    • Want to have full suite of IPv4 security tools for IPv6
    • Need to monitor and police IPv6 traffic (Firewalls & IDS)

IPv6 Security: Things to Look Out For...
• Increased use of tunneling
  – Transition mechanisms
    • 6to4, Teredo, ISATAP, etc...
  – IPsec (IPv4, IPv6, VPN products)
  – Potential back-door to internal network
    • May bypass perimeter defenses (firewall, IDS, etc)
  – Replicate perimeter defenses at tunnel endpoint
• Covert Channels
  – IPv6 options have a wealth of covert channel opportunities
• Neighbor Discovery vulnerabilities
  – An ARP by any other name...
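
The tunnel-detection concern above, as an added example that is not part of the original slides: a minimal classifier a perimeter sensor could run over raw IPv4 packets to flag IPv6-in-IPv4 encapsulation (protocol 41, used by 6to4 and ISATAP) and Teredo on its assigned UDP port 3544. The function and enum names are hypothetical and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum tunnel_kind { NOT_TUNNEL, V6_IN_V4, TEREDO_UDP, MALFORMED };
#define PROTO_V6_IN_V4 41   /* IPv4 protocol 41: 6to4, ISATAP, configured tunnels */
#define PROTO_UDP      17
#define TEREDO_PORT    3544 /* IANA-assigned Teredo UDP port */

/* Classify one raw IPv4 packet as seen by a perimeter sensor. */
enum tunnel_kind classify_ipv4(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return MALFORMED;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;        /* header length in bytes */
    if (ihl < 20 || ihl > len) return MALFORMED;
    if (p[9] == PROTO_V6_IN_V4) {
        /* The payload must itself start with an IPv6 version nibble. */
        if (len <= ihl || (p[ihl] >> 4) != 6) return MALFORMED;
        return V6_IN_V4;
    }
    if (p[9] == PROTO_UDP) {
        /* Only the first fragment carries the UDP header. */
        unsigned frag_off = ((p[6] & 0x1fu) << 8) | p[7];
        if (frag_off != 0) return NOT_TUNNEL;
        if (len < ihl + 8) return MALFORMED;
        unsigned sport = (p[ihl] << 8) | p[ihl + 1];
        unsigned dport = (p[ihl + 2] << 8) | p[ihl + 3];
        if (sport == TEREDO_PORT || dport == TEREDO_PORT) return TEREDO_UDP;
    }
    return NOT_TUNNEL;
}

/* Constructed sample packets (documentation addresses, zero checksums). */
static const uint8_t pkt_proto41[] = {
    0x45,0,0,21, 0,0,0,0, 64,41,0,0, 192,0,2,1, 198,51,100,7, 0x60 };
static const uint8_t pkt_teredo[] = {
    0x45,0,0,28, 0,0,0,0, 64,17,0,0, 192,0,2,1, 198,51,100,7,
    0xc0,0x00, 0x0d,0xd8, 0,8, 0,0 };              /* UDP 49152 -> 3544 */
static const uint8_t pkt_dns[] = {
    0x45,0,0,28, 0,0,0,0, 64,17,0,0, 192,0,2,1, 198,51,100,7,
    0xc0,0x00, 0x00,0x35, 0,8, 0,0 };              /* UDP 49152 -> 53 */

int main(void)
{
    printf("%d %d %d\n", classify_ipv4(pkt_proto41, sizeof pkt_proto41),
           classify_ipv4(pkt_teredo, sizeof pkt_teredo),
           classify_ipv4(pkt_dns, sizeof pkt_dns));
    return 0;
}
```

The port check only catches Teredo traffic to or from a server or relay on 3544; it is a starting heuristic, and tunnels carried inside IPsec are opaque to it.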

Application Security: IPv6-enabling Applications
• Another Y2K exercise?
• Larger addresses all the way through
  – From socket to log file -- make sure there’s enough space!
• Access Control Lists
  – Harder to maintain IP-based ACLs (don’t use IP ACLs)
• Increased reliance on DNS
  – IPv6 in DNS -- more prone to error? (don’t use DNS ACLs)
• Applications may not know about IPsec
  – User-level security still required
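
The "enough space from socket to log file" point above, as an added example that is not part of the original slides: a text field sized for IPv4 (INET_ADDRSTRLEN) silently works for short IPv6 addresses such as ::1 and fails only on long ones, which is why the problem survives casual testing. The helper names are hypothetical and the addresses are constructed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Render a peer address of either family as text.
 * Returns 0, or the errno from inet_ntop (ENOSPC when out is too small). */
int peer_to_text(const struct sockaddr_storage *ss, char *out, size_t outlen)
{
    const void *addr;
    if (ss->ss_family == AF_INET)
        addr = &((const struct sockaddr_in *)ss)->sin_addr;
    else if (ss->ss_family == AF_INET6)
        addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
    else
        return EAFNOSUPPORT;
    return inet_ntop(ss->ss_family, addr, out, (socklen_t)outlen) ? 0 : errno;
}

/* Hypothetical helper: try to log an IPv6 peer into a field of `field` bytes.
 * Returns 0 if the address fits, ENOSPC if not, -1 on bad input. */
int log_fits(const char *v6_text, size_t field)
{
    struct sockaddr_storage ss;                 /* large enough for any family */
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss;
    char buf[INET6_ADDRSTRLEN];                 /* 46 bytes */

    memset(&ss, 0, sizeof ss);
    sin6->sin6_family = AF_INET6;
    if (field > sizeof buf || inet_pton(AF_INET6, v6_text, &sin6->sin6_addr) != 1)
        return -1;
    return peer_to_text(&ss, buf, field);
}

int main(void)
{
    /* Constructed addresses from the 2001:db8::/32 documentation prefix. */
    const char *full = "2001:db8:1111:2222:3333:4444:5555:6666";
    printf("IPv4-sized field, ::1   -> %d\n", log_fits("::1", INET_ADDRSTRLEN));
    printf("IPv4-sized field, full  -> %d (ENOSPC=%d)\n",
           log_fits(full, INET_ADDRSTRLEN), ENOSPC);
    printf("IPv6-sized field, full  -> %d\n", log_fits(full, INET6_ADDRSTRLEN));
    return 0;
}
```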

IPv6 Security: On the Increased Availability of IPsec
• “IPv6 is secure” -- most IPv6 literature
  – Mostly based on requirement for IPsec
  – “End-to-End security” at the Network Layer
    • Departure from popular “perimeter defense” strategy
  – IPsec is not a silver bullet. IPsec...
• IPsec is more widely available for IPv4 today
  – Are we using it?
  – Are we using it wisely?
• End-to-End security requires...
  – Authentication infrastructure (PKI?)
  – Shift from perimeter defense model or re-define perimeter

IPv6 Security: On the Increased Availability of IPsec
• IPsec is complex
  – Policy generation can be tough
  – IPsec tools are less than intuitive
    • Vary greatly across OS
  – Selecting appropriate mechanisms is daunting
    • Encryption types, authentication types, modes, etc
  – “Interoperable” implementations are just barely interoperable
• IPsec is a node-to-node security mechanism
  – Do not try to solve user-level security with IPsec
  – Applications may be unaware of IPsec protection

IPv6 Security: On the Increased Availability of IPsec
• IPsec can be very useful...
  – For securing routing protocol communication
  – Host-level applications such as NFS
  – Creating enclaves of securely-connected networks
  – Generic remote access solution
  – A “must” for IPv6 mobility
• Recommendations
  – Authentication is VERY important -- do not ignore
  – Authorization -- IPsec can bypass perimeter defenses
  – IKEv2 promises reduced complexity

IPv6 Tools in the DREN
• Intrusion Detection Systems
  – DoD Intrusion Detection made IPv6-aware
  – snort-2.1.1 with IPv6 capabilities
• Authentication infrastructure
  – Kerberos from MIT
  – Secure Shell & PuTTY
• Other tools
  – ssldump, kx509, libnids, tunnel detection

IPv6 Security To-Do List
• As a community, we need to improve IPv6 security tools and practices
  – Product evaluation
    • Share results and lots of details (http://www.moonv6.com/)
  – IPv6-enabling security tools
    • IDS, firewalls, authentication mechanisms
    • Security scanners (Nessus, SAINT, etc)
  – Make IPsec easier to use
  – Educate ourselves and our people
  – Refine policies to include IPv6 and possible shift in security paradigm

IPv6 Security To-Do List
• As a community, we need to improve IPv6 security tools and practices (continued)
  – SeND -- Secure Neighbor Discovery
  – Applications Security
  – Mobile IPv6
    • Authentication Infrastructure
  – Multicast security

Discussion...