DOCSLIB.ORG

Network Security Defense

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Network Security Defense Network Security Defense Fernando Gont 8th Regional CaribNOG Meeting Willemstad, Curacao. September 29-October 3, 2014 About... ●I have worked in security assessment of communication protocols for: ●UK NISCC (National Infrastructure Security Co-ordination Centre) ●UK CPNI (Centre for the Protection of National Infrastructure) ●Currently working as a security researcher and consultant for SI6 Networks (http://www.si6networks.com) ●Active participant at the Internet Engineering Task Force (IETF) ●Moderator of LACNIC's security forum ●More information at: http://www.gont.com.ar 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Goals of this Presentation 3 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Goals of this Presentation ●Do a brief introduction of Information and Network Securty ●Walk up the protocol stack ●Discuss vulnerabilities ●Discuss possible mitigation techniques 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Goals of Information Security 5 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Goals of Information Security ●Confidentiality ●Prevent unauthorized use or disclosure of information ●Integrity ●Safeguards the accuracy and completeness of information ●Availability ●authorized users have reliable and timely access to information 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Sometimes these goals conflict ●privacy vs. company (or govt) wants to be able to see what you’re doing ●losing data vs disclosure (copies of keys) ●denial of service vs preventing intrusion ●Source: Radia Perlman's “Network Security Protocols: A Tutorial” (2004) 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Some Information Security Concepts 8 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Access Control ●The ability to permit or deny the use of an object by a subject. ●It provides 3 essential services: ●Authentication (who can login) ●Authorization (what authorized users can do) ●Accountability (what a user did) 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Authentication ●A means to verify or prove a user’s identity ●The term “user” may refer to: ●Person ●Application or process ●Machine or device ●To prove identity, a user must present either of the following: ●What you know (password) ●What you have (token, key, etc.) ●Who you are (biometrics) 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Authorization ●Defines the user’s rights and permissions on a system ●Grants a user access to a particular resource and what actions he is permitted to perform on that resource ● Access criteria based on the level of trust: ●Roles ●Groups ●Location ●Time ●Transaction type 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Accountability ●Security goal that generates the requirement for actions of an entity to be traced uniquely to that entity, e.g.: ●Senders cannot deny sending information ●Receivers cannot deny receiving it ●Users cannot deny performing a certain action 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Integrity ●Security goal that generates the requirement for protection against either intentional or accidental attempts to violate data or system integrity ●Data integrity ●The property that data has when it has not been altered in an unauthorized manner ●System integrity ●The property that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Compartmentalization ●“Limit the damage that can be produced by an event” ●e.g., compartments and watertight subdivision's of a ship's hull: 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Compartmentalization (II) ●Examples: ●Multiple smaller subnets vs. single large subnets ●Single admin account vs. multiple per-service admin accounts 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Vulnerability ●A weakness in security procedures, network design, or implementation that can be exploited to violate a security policy ●Software bugs ●Configuration mistakes ●Network design flaw ●Lack of encryption 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Attack ●The active exploitation of a vulnerability 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Attack types ●Masquerading ● An entity claims to be another entity ●Eavesdropping ●An entity reads information it is not intended to read ●Authorization violation ●An entity uses a service or resource it is not intended to use ●Loss or modification of information ●Data is being altered or destroyed 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Attack types (II) ●Denial of communication acts (repudiation) ●An entity falsely denies its participation in a communication act ●Denial of Service ●Any action that aims to reduce the availability and/or correct functioning of services or systems 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Network Reconnaissance Attacks ●Unauthorized users to gather information about the network or system before launching other more serious types of attacks ●Information gained from this attack is used in subsequent attacks ●Examples of relevant information: ●Names, email addresses ●Nodes' addresses ●Domain names ●Network topology 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Denial Of Service Attacks ●Attempt to make a machine or network resource unavailable to its intended users. ●Methods to carry out this attack may vary ●Saturating the target with external communications requests (such that it can’t respond to legitimate traffic) – SERVER OVERLOAD ●Simply ●Examples: ●SYN flooding ●Reflection attacks ●DDoS attacks are more dynamic and come from a broader range of attackers 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Network Attacks 22 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Introduction ●OSI Reference model: 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Introduction (II) ●DARPA Reference model: OSI layer-7 OSI layer-4 OSI layer-3 OSI layer-1 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Layer-2 Attacks 25 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Introduction ●Layer-2 attacks include: ●Eavesdropping (sniffing) ●ARP Spoofing ●MAC flooding ●DHCPv4/DHCPv6 attacks ●IPv6 ND attacks ●IPv6 SLAAC attacks 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Layer-2 Attacks Eavesdropping 27 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Eavesdropping (sniffing) attacks ●Goal: Gain unauthorized access to information being transmitted over a communications channel ●For “shared media” networks, this can be as simple as running the so- called “protocol analyzers”: ●e.g. Wireshark 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Mitigating Eavesdropping Attacks ●Do not use insecure protocols ●HTTPS vs HTTP ●Telnet vs. SSH ●etc. ●Where possible, prevent unnecessary access (“compartmentalize”) 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Layer-2 Attacks ARP attacks 30 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 ARP attacks ●The Address Resolution Protocol (ARP) maps IP addresses into link- layer addresses ●It works (roughly) as follows: ●Host A wants to send a packet to Host B ●Host A sends an ARP request to all nodes “Who has IP address B?” ●Host B sends an ARP response to Host A: “I have IP address B, and my MAC address is 11:22:33:44:55:66” ●Host A can now send its packets ●Forging ARP response packets can be used for Man In the Middle Attacks 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 ARP attacks mitigation ●ARP cache poisoning prevention ●Static ARP cache entries ●ARP inspection (e.g., Cisco's DAI) ●ARP spoofing detection ●arpwatch 8th Regional CaribNOG Meeting © 2014 SI6 Networks. All rights reserved Willemstad, Curacao. Sept 29-Oct 3, 2014 Static ARP entries ●Add a static entry In Linux: ●arp -i INTERFACE -s IP_ADDRESS
Load more

Recommended publications
  • Ipv6 Address Space Best Practice Document
    IPv6 Address Space Best Practice Document Produced by the CESNET-led working group on IPv6 (CBPD116) Author: Tomáš Podermański August 2011 © Original version 2011 © English translation TERENA 2011 All rights reserved Document No: GN3-NA3-T4-CBPD116 Version / date: 1 August 2011 Original language: Czech Original title: “IPv6 Mýty a skute čnost, díl II. - Adresový prostor” Original version / date: 1 of 1 August 2011 Contact: [email protected] This translated version is based on the Czech v ersion published in the electronic journal, Lupa.cz , on 17 February 2011. Parts of the report may be freely copied, unaltered, provided that the original source is acknowledged and the copyright preserved. The translation of this report has received funding from the European Community's Seventh Framework Programme (FP7/2007-20 13) under grant agreement n° 238875, relating to th e project 'Multi -Gigabit European Research and Education Network and Associated Services (GN3)'. 2 Table of Contents Table of Contents 3 Executive Summary 4 1 IPv6 address scheme 5 2 Address types 7 2.1 Link-Local 7 2.2 Broadcast 8 2.3 Unique-Local, Site-Local 8 2.4 Multicast, Anycast 9 2.5 Global 9 3 The network part of global addresses and network structure 10 3.1 Home networks 11 3.2 Multihoming 12 4 End-user networks 13 4.1 The host part of the address – Host ID, Interface ID 13 4.2 IPv6 addresses EUI-64 13 4.3 Mapping the IPv6 EUI-64 addresses 14 4.4 Privacy Extensions 14 4.5 Manual IPv6 configuration and other options 17 5 Conclusion 19 6 List of Figures 20 3 Executive Summary This document describes network structure, the ways of creating IPv6 addresses in end-user networks, and the methods used to connect home, corporate and campus networks.
    [Show full text]
  • Ipv6 Security.Pdf
    IPv6 Security Scott Hogg, CCIE No. 5133 Eric Vyncke Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA ii IPv6 Security Scott Hogg and Eric Vyncke Copyright© 2009 Cisco Systems, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without writ- ten permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing December 2008 Library of Congress Cataloging-in-Publication Data: Hogg, Scott. IPv6 security / Scott Hogg, Eric Vyncke. p. cm. Includes bibliographical references and index. ISBN-13: 978-1-58705-594-2 (pbk.) ISBN-10: 1-58705-594-5 1. Computer networks—Security measures. 2. TCP/IP (Computer network protocol) I. Vyncke, Eric. II. Title. TK5105.59.H637 2009 005.8—dc22 2008047255 ISBN-13: 978-1-58705-594-2 ISBN-10: 1-58705-594-5 Warning and Disclaimer This book is designed to provide information about the security aspects of the IPv6 protocol. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have nei- ther liability nor responsibility to any person or entity with respect to any loss or damages arising from the informa- tion contained in this book or from the use of the discs or programs that may accompany it.
    [Show full text]
  • George Kargiotakis [email protected] Berlin, RSS 2013
    Are you ready for IPv6 insecurities ? v1.1 George Kargiotakis [email protected] Berlin, RSS 2013 whois $ id uid=1000(kargig) gid=1000(sysadmin) groups=1(HELLUG),2(HTFv6),3(Hackerspace.gr),4(DLN.gr) $ last kargig GRNET – System Administration Gennet – Linux-based broadband CPEs (IPv6 capable) University of Ioannina – System Administration $ apropos kargig iloog – Greek gentoo-based livecd GrRBL – Greek AntiSpam Blacklists Greek AdBlock Plus filter – self-explanatory void.gr – My Blog 21/01/2013 Are you ready for IPv6 insecurities ? 2 Moment of truth How Many of you ● know what IPv6 is ? ● have used/are using IPv6 at work/home ? ● know what SLAAC is ? ● have used/are using transition mechanisms ? ● have deployed services over IPv6 ? ● are using native IPv6 ? ● are using native IPv6 and have applied IPv6 specific security policies on servers/routers ? 21/01/2013 Are you ready for IPv6 insecurities ? 3 Topics ● Fast IPv6 crash course (still needed) ● Main Dish 21/01/2013 Are you ready for IPv6 insecurities ? 4 Fast IPv6 crash course Embrace the new ● 128-bit addr – 340.282.366.920.938.463.463.374.607.431.768.211.456 IPs ● Multiple IPs (w/ different scopes) per Interface ● Lots of Multicast (no more broadcast!) ● Network Discovery Protocol → Address Auto-configuration ● Simpler Header (definitely good!) + Extension Headers (sounds promising!) + Header Daisy Chaining (interesting!) == a complete mess 21/01/2013 Are you ready for IPv6 insecurities ? 5 Fast IPv6 crash course Extension Header Daisy Chaining Extension header examples ● Destination
    [Show full text]
  • Network Working Group W. Kumari Internet-Draft Google Intended Status: Informational I
    Network Working Group W. Kumari Internet-Draft Google Intended status: Informational I. Gashinsky Expires: July 11, 2012 Yahoo! J. Jaeggli Zynga January 8, 2012 Neighbor Discovery Enhancements for DOS mititgation draft-gashinsky-6man-v6nd-enhance-00 Abstract In IPv4, subnets are generally small, made just large enough to cover the actual number of machines on the subnet. In contrast, the default IPv6 subnet size is a /64, a number so large it covers trillions of addresses, the overwhelming number of which will be unassigned. Consequently, simplistic implementations of Neighbor Discovery can be vulnerable to denial of service attacks whereby they attempt to perform address resolution for large numbers of unassigned addresses. Such denial of attacks can be launched intentionally (by an attacker), or result from legitimate operational tools that scan networks for inventory and other purposes. As a result of these vulnerabilities, new devices may not be able to "join" a network, it may be impossible to establish new IPv6 flows, and existing ipv6 transported flows may be interrupted. This document describes possible modifications to the traditional [RFC4861] neighbor discovery protocol for improving the resilience of the neighbor discovery process as well as an alternative method for maintaining ND caches. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time.
    [Show full text]
  • Evaluation of Intrusion Detection Systems in Ipv6 Networks
    Evaluation of Intrusion Detection Systems in IPv6 Networks Max Schrotter¨ 1, Thomas Scheffler2 and Bettina Schnor1 1Operating Systems and Distributed Systems, University of Potsdam, Potsdam, Germany 2School of Engineering - Energy and Information, Hochschule fur¨ Technik und Wirtschaft Berlin, Berlin, Germany Keywords: IDS, IDSv6, Benchmark, IPv6. Abstract: This paper introduces a benchmark suite for the evaluation of intrusion detection systems in IPv6 environ- ments. We use this benchmark to evaluate the prominent intrusion detection systems Snort, Zeek and Suricata. Further, an IPv6 Plugin Suite is presented and evaluated which enhances Snort by stateful attack detection. The results of our evaluation demonstrate the current abilities to detect IPv6 link-local attacks. 1 INTRODUCTION This leads to a third approach, that focuses on network monitoring and anomaly detection. Work Relatively early after the finalization of the IPv6 stan- started with (Beck et al., 2007), which introduced the dard, it became apparent, that the automatic host con- host-based tool ndpmon that listens to all NDP mes- figuration mechanism defined in the protocol did not sages in order to detect NDP anomalies and report work well with the proposed IPsec security mech- them. Another suitable approach is based on the ex- anisms and that the Neighbor Discovery Protocol tension of Intrusion Detection Systems (IDS) with ad- (NDP) (Narten et al., 2007) suffered from similar se- equate protocol support for the detection of specific curity problems as the Address Resolution Protocol IPv6-attacks. The authors of (Schutte¨ et al., 2012) (ARP) in IPv4 (Arkko et al., 2002). developed an IPv6 Plugin Suite for the well known IDS Snort 2.
    [Show full text]
  • Securing BGP Sessions the Border Gateway Protocol Version 4 (BGP4) Protocol Has Been in Existence Since 1994 and Has Been Updated Several Times Over the Past 15 Years
    ii IPv6 Security Scott Hogg and Eric Vyncke Copyright© 2009 Cisco Systems, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without writ- ten permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing December 2008 Library of Congress Cataloging-in-Publication Data: Hogg, Scott. IPv6 security / Scott Hogg, Eric Vyncke. p. cm. Includes bibliographical references and index. ISBN-13: 978-1-58705-594-2 (pbk.) ISBN-10: 1-58705-594-5 1. Computer networks—Security measures. 2. TCP/IP (Computer network protocol) I. Vyncke, Eric. II. Title. TK5105.59.H637 2009 005.8—dc22 2008047255 ISBN-13: 978-1-58705-594-2 ISBN-10: 1-58705-594-5 Warning and Disclaimer This book is designed to provide information about the security aspects of the IPv6 protocol. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have nei- ther liability nor responsibility to any person or entity with respect to any loss or damages arising from the informa- tion contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.
    [Show full text]
  • Segurança E Ipv6 O Ipv6 É Mais Seguro Que O Ipv4? Web [ Bruno Bogaz Zarpelão ]
    Olá, eu sou o DevMan! Desta página em diante, eu estarei lhe ajudando a compreender com ainda mais facilidade o conteúdo Sumário desta edição. Será um prazer contar com sua companhia! Confira abaixo o que teremos nesta revista: 06 – Prepare-se para as certificações LPI Infra A certificação Linux mais procurada na atualidade [ Leonardo Afonso Amorim ] 12 – Soluções com o Windows PowerShell Infra Uma poderosa ferramenta para automatização [ Leandro Marcos ] Infra, Segurança, 19 – Segurança e IPv6 O IPv6 é mais seguro que o IPv4? Web [ Bruno Bogaz Zarpelão ] 26 – Detectando e prevenindo intrusos com Snort Segurança Ferramentas de detecção de intrusão adicionam uma nova camada de segurança à rede [ Renato Carneiro Pacheco ] 35 – Salve seus dados com Bacula Segurança , Infra Configuração e instalação – Parte 2 [ Flávio Alexandre dos Reis e Eduardo Pagani Julio ] 45 – Acesso Remoto e Seguro também nas Pequenas e Médias Empresas Segurança, Infra A importância das soluções de VPN [ Roberto Henrique de Sousa ] 51 – Supercomputação e virtualização Infra A utilização de processadores com múltiplos núcleos no suporte à virtualização [ André Leon S. Gradvohl ] [Infra] Artigo que apresenta tecnologias relacionadas a ques- [Segurança] Artigo dentro do contexto de Segurança: redes, [Web] Artigos sobre ou que envolvam tecnologias de infraestru- tões de Infraestrutura. servidores, sistemas operacionais, infraestrutura em geral. tura para WEB. Editorial anter uma rede segura e sem dores de cabeça é o sonho de todo administrador. Infelizmente, por diversos motivos, muitas pessoas acabam tomando atitudes Mque visam prejudicar o funcionamento da rede de uma empresa. Por causa disso, precisamos estar preparados para os problemas que possam surgir.
    [Show full text]
  • Ipv6 Networks” Taught During the DEEPSEC 2011 Conference
    Copyright notice This slideware is © 2011 by SI6 Networks Permission to use this slideware is granted only for personal use Permission to distribute this slideware is granted only without any modifications to the slides set For any other uses, please contact: [email protected] www.si6networks.com Contents This slideware contains part of the materials used for the training “Hacking IPv6 Networks” taught during the DEEPSEC 2011 Conference. More inforamation available at: www.hackingipv6networks.com www.si6networks.com Hacking IPv6 Networks Fernando Gont DEEPSEC 2011 Vienna, Austria. November 15-16, 2011 About I have worked in security assessment of communication protocols for: UK NISCC (National Infrastructure Security Co-ordination Centre) UK CPNI (Centre for the Protection of National Infrastructure) Currently working for SI6 Networks (http://www.si6networks.com) Member of R+D group CEDI at UTN/FRH Involved in the Internet Engineering Task Force (IETF) More information at: http://www.gont.com.ar Agenda (I) Objectives of this training Motivation for IPv6, and current state of affairs Brief comparision between IPv6 and IPv4 IPv6 Addressing Architecture IPv6 Header Fields IPv6 Extension Headers IPv6 Options Internet Control Message Protocol version 6 (ICMPv6) Neighbor Discovery for IPv6 IPv6 Address Resolution Stateless Address Auto-configuration (SLAAC) Agenda (II) IPsec Multicast Listener Discovery Dynamic Host Configuration Protocol version 6 (DHCPv6) DNS support for IPv6 IPv6 firewalls Transition/co-existence technologies (6to4, Teredo, ISATAP, etc.) Network reconnaissance in IPv6 Security Implications of IPv6 on IPv4-only networks IPv6 deployment considerations Key areas in which further work is needed Some conclusions Brief introduction to IPv6 So..
    [Show full text]
  • Network Working Group F. Gont Internet-Draft SI6 Networks / UTN-FRH Intended Status: Informational R
    Network Working Group F. Gont Internet-Draft SI6 Networks / UTN-FRH Intended status: Informational R. Bonica Expires: April 25, 2014 Juniper Networks W. Liu Huawei Technologies October 22, 2013 Security Assessment of Neighbor Discovery (ND) for IPv6 draft-gont-opsec-ipv6-nd-security-02 Abstract Neighbor Discovery is one of the core protocols of the IPv6 suite, and provides in IPv6 similar functions to those provided in the IPv4 protocol suite by the Address Resolution Protocol (ARP) and the Internet Control Message Protocol (ICMP). Its increased flexibility implies a somewhat increased complexity, which has resulted in a number of bugs and vulnerabilities found in popular implementations. This document provides guidance in the implementation of Neighbor Discovery, and documents issues that have affected popular implementations, in the hopes that the same issues do not repeat in other implementations. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. This document may not be modified, and derivative works of it may not be created, and it may not be published except as an Internet-Draft. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 25, 2014.
    [Show full text]
  • Security Implications of the Internet Protocol Version 6 (Ipv6)
    Security Implications of the Internet Protocol version 6 (IPv6) Fernando Gont UTN/FRH BSDCan 2010 Ottawa, ON, Canada, May 13-14, 2010 Agenda Ongoing work on IPv6 security at UK CPNI Brief comparision of IPv4 and IPv6 IPv6 addressing Fragmentation and Reassembly Internet Control Message Protocol version 6 (ICMPv6) Address Resolution State-less autoconfiguration Personal Rant on IPv6 security Questions and (hopefully) answers Ongoing work on IPv6 security at UK CPNI (or “what we’re doing on v6 security”) Ongoing work on IPv6 security at CPNI The UK CPNI (Centre for the Protection of National Infrastructure) is currently working on a security assessment of the IPv6 protocol suite Similar project to the one we carried out years ago on TCP and IPv4: Security assessment of the protocol specifications Security assessment of common implementation strategies Production of assessment/Proof-Of-Concept tools Publication of “best practices” documents Currently cooperating with vendors and other parties If you’re working on a IPv6 implementation, I’d like to hear from you Brief Comparision of IPv4 & IPv6 (or “what the small differences are”) Brief comparision of IPv4 and IPv6 (I) IPv4 and IPv6 are very similar in terms of functionality IPv4 IPv6 Addressing 32 bits 128 bits Auto-configuration DHCP & RS/RA ICMPv6 RS/RA & DHCPv6 (opt) Address resolution ARP ICMPv6 IPsec support Optional Mandatory Fragmentation Both in hosts and routers Only in hosts Brief comparision of IPv4 and IPv6 (II) Header formats: IPv6 addressing (or “the actual motivator
    [Show full text]
  • Hacking Ipv6 Networks” During the Hack in Paris 2012 Conference
    Copyright notice This slideware is © 2012 by SI6 Networks Permission to use this slideware is granted only for personal use Permission to distribute this slideware is granted only without any modifications to the slides set For any other uses, please contact: [email protected] www.si6networks.com Hack In Paris 2012 © 2012 SI6 Networks. All rights reserved Paris, France. June 18-20, 2012 Contents This slideware contains part of the materials used for the training “Hacking IPv6 Networks” during the Hack In Paris 2012 conference More information available at: www.hackingipv6networks.com www.si6networks.com Hack In Paris 2012 © 2012 SI6 Networks. All rights reserved Paris, France. June 18-20, 2012 Hacking IPv6 Networks Training Fernando Gont Hack in Paris 2012 Paris, France. June 18-20, 2012 About... ● I have worked in security assessment of communication protocols for: ● UK NISCC (National Infrastructure Security Co-ordination Centre) ● UK CPNI (Centre for the Protection of National Infrastructure) ● Currently working as a security researcher for SI6 Networks ( http://www.si6networks.com) ● Member of R+D group CEDI at UTN/FRH ● Involved in the Internet Engineering Task Force (IETF) ● More information at: http://www.gont.com.ar Hack In Paris 2012 © 2012 SI6 Networks. All rights reserved Paris, France. June 18-20, 2012 Agenda ● Objectives of this training ● Motivation for IPv6, and current state of affairs ● Brief comparision between IPv6 and IPv4 ● IPv6 Addressing Architecture ● IPv6 Header Fields ● IPv6 Extension Headers ● IPv6 Options ● Internet Control Message Protocol version 6 (ICMPv6) ● Neighbor Discovery for IPv6 ● IPv6 Address Resolution ● Stateless Address Auto-configuration (SLAAC) Hack In Paris 2012 © 2012 SI6 Networks.
    [Show full text]