IPv6 Implementation - The Naked Truth. By Dr. Omar Amer Abouabdalla, IPv6 Global Sdn. Bhd., omar@ipv6global.my
Things to Connect to the Internet
Why IPv6? No more room in IPv4; quite empty in IPv6.
IPv6 Implementation: Where to start? Core to Edge, or Edge to Core?
Core to Edge
• Core devices are usually the safest place to add IPv6.
• Address the more difficult issues, such as security and management, first.
• Gain operational experience before going to the edge.
• Consider this the best approach when using a dual-stack strategy.
Edge to Core
• More difficult.
• Relies more on tunneling.
• Faster when you need to connect endpoints to data centers and apps that are IPv6-enabled.
• Used when older devices in the core cannot support IPv6.
Talking Behind My Back? Within the confines of your network, many devices may already be communicating over IPv6, even if they are not sending IPv6 packets to and from the Internet!
Unfamiliarity Causes Misconfigurations
Automatic Addressing May Pose Privacy Concerns. Stateless Address Autoconfiguration (SLAAC) can automatically create an EUI-64 address from the interface's MAC:
1. MAC address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change the 7th bit (the universal/local bit) to 1: 92:3A:2B:FF:FE:06:2C:D1
However, this makes your MAC public, which you may consider a privacy issue. There are options to rectify this issue:
• Privacy Enhanced Addresses [RFC 3041]
• Cryptographically Generated Addresses (CGA) [RFC 3972]
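The EUI-64 derivation above, worked in both directions, as an added example (not code from the slides): building the SLAAC address a host would form from a /64 prefix and its MAC, and recovering the MAC from any EUI-64 derived address, which is exactly the leak the slide warns about. The prefix 2001:db8:0:12::/64 is taken from the ACL slide later in the deck.

```python
import ipaddress
import re
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC.

    Steps as on the slide: split the MAC in half, insert FF:FE in the middle,
    then flip the universal/local bit (7th bit of the first octet, mask 0x02).
    """
    octets = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # 0x90 -> 0x92 for the slide's example MAC
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host forms from a /64 prefix plus its EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None when the
    interface identifier lacks the FF:FE marker (e.g. an RFC 3041 privacy
    address). Useful for auditing which hosts expose their hardware address."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    return "-".join(f"{b:02X}" for b in iid[:3] + iid[5:])
```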
IPv6 Security Controls Lagging the Hacking Arsenal/Tools. Attackers already have many IPv6-capable tools: THC-IPv6 Attack Suite, TCPDump, Imps6-tools, Nmap, COLD, Relay6, Alive6, Fake_mld6, Fake_Advertiser6, Parasite6, Wireshark, Spak6, 6tunnel, SendPees6, Redir6, Multi-Generator (MGEN), Isic6, Hyenae, NT6tunnel, DNSDict6, Fake_Router6, Detect-New-IPv6, Trace6, IPv6 Security Scanner (vscan6), SendIP, VoodooNet, Flood_Router6, DoS-New-IPv6, Halfscan6, Packit, Scapy6, Flood_Advertise6, Smurf6, rSmurf6, Strobe, Fuzz_IP6, 4to6ddos, Metasploit (etc.), TooBig6, Netcat6, 6tunneldos, Web Browsers (XSS & SQLi), Fake_MIPv6, etc. Unfortunately, IPv6 security controls and products seem to be a bit behind.
IPv6 Tunnel Concerns • Tunnels often interconnect networks across areas that support only the “wrong” version of the protocol. • Tunnel traffic is often not anticipated by the security policies. • It may pass through firewall systems because they cannot inspect two protocols at the same time.
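The last concern above, as an added example that is not part of the slides: an IPv4-only filter sees just the outer header of a 6in4 tunnel packet (IPv4 protocol 41, the encapsulation of RFC 4213), so a checker has to unwrap the tunnel and apply the IPv6 rule to the inner header. The packet is constructed inline from documentation addresses; the header layouts are the standard ones.

```python
import ipaddress
import struct
from typing import Optional, Tuple

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 encapsulation


def build_6in4(outer_src: str, outer_dst: str, inner_src: str, inner_dst: str,
               payload: bytes = b"") -> bytes:
    """Constructed sample: a minimal IPv4 packet carrying a bare IPv6 header."""
    # IPv6: version 6, payload length, next header 59 (no next header), hop limit 64
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    inner += payload
    # IPv4: version 4 / IHL 5, TTL 64, protocol 41, checksum left at 0 for the sample
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0)
    outer += ipaddress.IPv4Address(outer_src).packed + ipaddress.IPv4Address(outer_dst).packed
    return outer + inner


def unwrap_6in4(packet: bytes) -> Optional[Tuple[str, str, str, str]]:
    """Return (outer_src, outer_dst, inner_src, inner_dst) when the IPv4 packet
    carries protocol 41, else None. Everything after the outer header is what
    an IPv4-only rule set never looks at."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # header length in bytes (options included)
    if packet[9] != IPPROTO_IPV6 or len(packet) < ihl + 40:
        return None
    inner = packet[ihl:ihl + 40]
    if inner[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])),
            str(ipaddress.IPv6Address(inner[24:40])))


def inner_source_denied(packet: bytes, denied_prefix: str) -> bool:
    """Apply an IPv6 deny prefix to the tunnelled packet's inner source address."""
    hdrs = unwrap_6in4(packet)
    if hdrs is None:
        return False
    return ipaddress.IPv6Address(hdrs[2]) in ipaddress.IPv6Network(denied_prefix, strict=False)
```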
Dual-stack (RFC 4213) • Dual stack nodes interoperate directly with both IPv4 and IPv6 nodes. • Must provide a DNS resolver library capable of dealing with the IPv4 A records as well as the IPv6 AAAA records.
Dual Stack
IPv6 Dual Stack Implementation • The primary concerns are hardware and software. • Hardware in the network infrastructure must be evaluated to see whether there is enough memory for the route tables and the switch forwarding tables to handle IPv6 routes and packets. • Software on the network infrastructure must support IPv6 configuration and routing protocols, and the operating systems on the host side must also be IPv6 capable.
IPv6 Dual-Stack Implementation Requirements • Maintaining the same service level and security posture for the dual-stack environment (IPv4 and IPv6) as for IPv4 alone. • Keeping costs down. • Scheduling equipment and software upgrades. • Making sure that Internet service providers and software vendors (for monitoring, content distribution, and more) can work with IPv6.
IPv6 Dual-Stack Implementation • Do we have the skill and knowledge? • Do we need to build a non-production IPv6 network with dual-stack servers?
Risks of Dual-stack Configurations • The device simultaneously supports IPv4 and IPv6. • Network management tools designed for an IPv4 network may not work the same way in an IPv6 environment. • Many existing host and network security and administration tools may not provide full-fledged support for IPv6. • Firewall rule sets and other security controls that stop unwanted IPv4 traffic are unlikely to be effective at stopping any IPv6 traffic. • Parallel security rules are needed to address IPv6 traffic.
IPv6 ACLs are different • IPv6 supports only extended ACLs. • No wildcard masking in IPv6 ACLs; a prefix length is used instead. • To prevent subnet A from reaching subnet B over IPv4: deny 192.168.12.0 0.0.0.255 • To prevent subnet A from reaching subnet B over IPv6: deny ipv6 2001:db8:0:12::/64 any
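The difference between the two entries above, as an added example (not from the slides): IPv4 wildcard-mask matching, where a 1-bit means "don't care" and the mask need not be contiguous, beside IPv6 prefix matching, which can only express a run of leading bits. The rule syntax parsed is the abbreviated form shown on the slide.

```python
import ipaddress


def ipv4_wildcard_match(addr: str, entry: str, wildcard: str) -> bool:
    """IPv4 ACL semantics: compare only the bits that are 0 in the wildcard mask.

    Because the wildcard is a free 32-bit pattern, 0.0.1.0 matches 192.168.12.0
    and 192.168.13.0 but not 192.168.12.1: something no prefix length can say.
    """
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(entry))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (e & care)


def ipv6_prefix_match(addr: str, prefix: str) -> bool:
    """IPv6 ACL semantics: the entry is a prefix, i.e. a contiguous leading-bit mask."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix, strict=False)


def deny_matches(rule: str, src: str) -> bool:
    """Evaluate one deny entry against a source address.

    Accepted forms (as written on the slide):
      deny 192.168.12.0 0.0.0.255          IPv4 entry with wildcard mask
      deny ipv6 2001:db8:0:12::/64 any     IPv6 entry with prefix length
    """
    parts = rule.split()
    if len(parts) >= 3 and parts[:2] == ["deny", "ipv6"]:
        return ipv6_prefix_match(src, parts[2])
    if len(parts) >= 3 and parts[0] == "deny":
        return ipv4_wildcard_match(src, parts[1], parts[2])
    raise ValueError(f"unsupported rule: {rule!r}")
```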
Other Problems with Dual-stack • Two layer-3 stacks must be managed and monitored. • Every interface requires both an IPv4 address and an IPv6 address. • It does not make sense in environments where IPv6 is being implemented specifically because IPv4 addresses cannot be acquired. • The router contains two independent routing tables: one for IPv4 addressing, the other for IPv6 addressing.
IPv6 Dual-Stack Implementation • The most effective transition mechanism. • Allows devices to be migrated gradually, rather than all at once.
What is good about Dual-stack? • Implementing IPv6 using dual stacks is the simplest approach. • The change is driven by DNS. • At the upper protocol layers, an application can use either IPv4 or IPv6 to communicate. • Both IPv4-only and IPv6-only devices can communicate with a dual-stacked node. • It is the simplest approach to adding IPv6 support to a group of interconnected routers. • Integrated routing protocols (IS-IS and BGP). • Version-specific routing protocols (OSPF).
What is good about Dual-stack? (cont.) • The approach is transparent to the end users. • Fewer pieces of equipment need to be converted. • In this approach, only the backbone or core routers need to be converted first. • No tunneling mechanisms are required in the internal network, nor are the headaches that can occur when using them.
The Big IPv6 Security Question
4 Steps for Proper Migration
Pre-deployment:
1. IPv6 Deployment Readiness Assessment
2. Implementation Strategy & Framework
Deployment:
3. Implementation Deployment
Post-deployment:
4. Conformance Audit
Recommend
More recommend