ipv6 stateless address autoconfiguration balancing
play

IPv6 Stateless Address Autoconfiguration: Balancing Between - PowerPoint PPT Presentation

Nov 17, 2023 •122 likes •330 views

IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad AlSadeh, Hosnieh Rafiee, Christoph Meinel Hasso-Plattner-Institut, University of Potsdam, Germany IPv6 StateLess Address Auto- Configuration

  1. IPv6 Stateless Address Autoconfiguration: Balancing Between Security, Privacy and Usability Ahmad AlSa‘deh, Hosnieh Rafiee, Christoph Meinel Hasso-Plattner-Institut, University of Potsdam, Germany

  2. IPv6 StateLess Address Auto- Configuration (SLAAC) 2 IPv6 Address (128 bits) 64 bits 64 bits Subnet Prefix Interface Identifier ■ Prefix can be ■ Interface ID can be generated □ Link-Local prefix (FE80::/64) □ Based on the MAC address □ Global prefix □ Privacy Extension (2001:DB8:123:/64) □ Cryptographically Generated Addresses (CGA) CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  3. Outline 3 ■ IPv6 StateLess Address Auto-Configuration □ Security and privacy implications ■ Privacy Extension □ Achieves privacy but not security ■ Cryptographically Generated Addresses (CGA) □ Achieves security but might still be susceptible to privacy related attacks ■ Our Proposed Approach (Modified CGA) □ Setting a lifetime for CGA addresses □ Reducing the granularity of CGA security levels □ Automatic key pair generation ■ Modified-CGA Implementation ■ Coclusion CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  4. Extended Unique ID (EUI-64) Ethernet MAC Address (48 bits) 4 00 � 90 � 27 � 17 � FC � 0F � 00 � 90 � 27 � 17 � FC � 0F � FF � FE � 64 bit version 00 � 90 � 27 � FF � FE � 17 � FC � 0F � 1 = unique � Uniqueness of the MAC Where X= 000000X0 � 0 = not unique � X = 1 � 02 � 90 � 27 � FF � FE � 17 � FC � 0F � EUI-64 Address IPv6 address Prefix � EUI-64 Security and privacy implication CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  5. EUI-64: Security Implication 5 ■ Duplicate Address Detection (DAD) DoS attack □ THC-IPv6 Attack Suite http://www.thc.org/thc-ipv6/ □ dos-new-ip6 New Attacker Host Does anyone use this address Yes, I have this address CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  6. EUI-64: Privacy Implication 6 MAC: 00:0c:29:de:dd:63 IPv6: 2001:456::1: 20c:29ff:fede:dd63 MAC: 00:0c:29:de:dd:63 IPv6: 2001:789::1: 20c:29ff:fede:dd63 Prefix: 2001:678:456:1:/64 Internet Prefix : 2001:789::1:/64 Prefix : 2001:123::1:/64 MAC: 00:0c:29:de:dd:63 IPv6: 2001:123::1: 20c:29ff:fede:dd63 It is possible to track the user based on the Interface ID CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  7. Privacy Extension 7 History Value (Random) Hash Function Used output bits unused output bits Subnet Prefix Interface Identifier It solves the privacy issue but not the security issue CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  8. Cryptographically Generated Addresses (CGA): Basic idea 8 Sender Receiver Hash (Kpub, Parameters) Signature Subnet Prefix Interface Identifier Verify CGA ND Out going packet Message Verify Signature CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  9. CGA: Generation algorithm 0 9 Hash2 Final Subnet Collision Yes 16*Sec leftmost RSA Kpub 16*Sec (112 bits) Modifier prefix Count Hash2 bits =0? (variable) (128 bits) (64 bits) (8bits) must be zero No SHA-1 SHA-1 Increment Modifier 64 bits Hash1 (160 bits) Modifier 0 0 RSA Kpub (128 bits) (64 bits) (8bits) (variable) • Generate/ Obtain an RSA key pair Subnet prefix Sec ug • Pick a random Modifier • Select a Sec value CGA Address • Set Collision Count to 0 1. Set CGA initial values 6. Execute SHA-1 algorithm 2. Concatenate (modifier, 0, 0, Kpub) 7. Form an interface ID 3. Execute SHA-1 algorithm 8. Concatenate ( Prefix, Interface ID) 4. Compare the 16xSec = 0 ? 9. Check the uniqueness of IPv6 address 5. Concatenate ( CGA parameters) CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  10. CGA – Computation Cost Concerns 10 CPU 2.6 GHz Sec Time 1 ~ 1 Sec 2 ~ 3 hours 3 ~ 12 years ■ Sec (0 to 7), unsigned 3-bit integer , is scale factor □ The address generator needs on average O(2 16xSec ) □ high Sec value may cause unacceptable delay ■ It is likely that once a host generates an acceptable CGA, it will continue to use this address  hosts using CGAs still being susceptible to privacy related attacks. CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  11. Our proposed approach 11 EUI-64 Security and privacy implication Privacy CGA Extension Security implication Privacy implication Our Approach CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  12. Modifications to Standard CGA 12 ■ Three main modifications □ Setting a CGA Address lifetime □ Reducing the granularity of CGA security levels □ Automatic key pair generation CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  13. Setting a Lifetime for Temporary CGA 13 ■ A CGA address has an associated lifetime that indicates how long the address is bound to an interface ■ Once the lifetime expires, the CGA address is deprecated □ The deprecated address should not be used for new connections ■ A new temporary CGA address should be generated: □ When a host joins a new subnet □ Before the lifetime for the in-use CGA address has expired □ When the subnet prefix lifetime has expired □ When the user needs to override the default value CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  14. Setting a lifetime for CGA 14 ■ The lifetime for a CGA address ( ​"↓$ ) depends on □ ​"↓& : the average time needed for a node to generate a CGA address ​"↓& = (​ 2 ↑ 8× )*+ ¡ × ​"↓ 2 ) + ​"↓ 1 ¡ ¡ ¡ ¡ -. ¡0≤ )*+ ≤7 - ​"↓ 1 : The time needed to compute Hash1 - ​"↓ 2 : The time needed to compute Hash2 □ ​"↓/ : the average time for an attacker to impersonate an address ​"↓/ = {█□​ 2 ↑ 59 × ​"↓ 1 ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ -. ¡ )*+ =0, @​ 2 ↑ 59 × ​"↓ 1 + ​"↓ 2 ) ​ 2 ↑ 8× )*+ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ -. 1≤ )*+ ≤7. □ The user desired settings for security and privacy ■ The lifetime for a CGA is described by the equation 3​"↓& ≤ ​"↓$ ≤ ​"↓/ /5 3 ¡ and 5 ¡ are integers CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  15. Reducing the Granularity of CGA Security Levels 15 ■ The granularity factor 16 is relatively large □ Sec value 0 or 1 can be used in practice Granularity Sec 16 8 4 1 427 ms 121 ms 117 ms 2 5923857 ms 425 ms 128 ms 3 * 88217 ms 135 ms ■ We choose the granularity factor 8 for the following reasons: □ It is unnecessary to select a high Sec when using a short lifetime □ computation costs of CGA is usually much more important for mobile devices which have limited resources (e.g., CPU, battery, …) □ The multiplication factor of 8 increases the maximum length of the Hash Extension up to 56 bits which is sufficient (59-115 bits total hash length) CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  16. Automatic Key Pair Generation 16 ■ Setting the keys automatically is better for the following reasons: □ Protects the user's privacy □ The keys are not vulnerable to theft □ Easier for end user □ The key generation is small portion of the total CGA generation time CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  17. Modified-CGA Implementation 17 ■ We modified the CGA part of our SEND implementation (WinSEND) to include the proposed modifications □ lifetime, granularity, and the automatic key generation ■ The user can override the default parameters CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  18. Limitations and Deployment Considerations 18 ■ Changing the CGA granularity to 8 requires updating the CGA RFC ■ The other modifications do not affect the CGA algorithm and the way of communicating ■ There are some implications and deployment considerations for the use of changeable addresses □ May cause unexpected difficulties with some applications □ May have performance implication that might impact user experience □ Protecting the users‘ privacy may conflict with the administrative needs □ Deleting the deprecated addresses requires awareness of the upper layers applications CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

  19. Conclusion 19 ■ deployment of IPv6 should be accomplished in a secure way without compromising the Internet users' privacy ■ CGA can be used to prove the ownership of an IPv6 address, but it might be susceptible to privacy related attacks ■ the privacy extensions protect the users' privacy but are of no value to related address spoofing attacks ■ We integrate the privacy extensions into CGA to resolve both privacy and security issues for IPv6 addresses in a practical way CGA: Balancing Between Security, Privacy and Usability || Ahmad Alsadeh || October 25, 2012

Recommend

RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address

RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address

RouterLab LabCourse SoSe 2016 Worksheet 3: Access Networks with DHCP and IPv6 Stateless Address Auto Configuration Prof. Anja Feldmann, Philipp S. Tiesel, Thorben Krger, Apoorv Shukla IPv6 Scoped Address Architecture IPv6 addresses have

679 views • 19 slides
dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R.

dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R.

dIVI-pd: Dual-Stateless IPv4/IPv6 Translation with Prefix Delegation X. Li, C. Bao, W. Dec, R. Asati, C. Xie, Q. Sun 2011-11-12 Introduction The dIVI-PD is an extension of stateless IPv4/IPv6 translation with address sharing RFC6052:

890 views • 15 slides
IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer

Outline IPv6 IPv6 Header IPv6 Addressing IPv6 Neighbor Discovery Jyh-Cheng Chen Department of Computer Science and IPv6 Autoconfiguration Institute of Communications Engineering National Tsing Hua University jcchen@cs.nthu.edu.tw

783 views • 11 slides
1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion

1. IPv6 address (abbreviated representation) 2. IPv6 address (abbreviation and expansion practice) 3. IPv6 advantages over IPv4 4. IPv4 address structure 5. IPv6 address structure IPv4 Address 32 bit address (computer stores information

655 views • 53 slides
Deploying IPv6 in OpenStack Environments Shannon McFarland - CCIE #5245 Distinguished Engineer

Deploying IPv6 in OpenStack Environments Shannon McFarland - CCIE #5245 Distinguished Engineer

Deploying IPv6 in OpenStack Environments Shannon McFarland - CCIE #5245 Distinguished Engineer Cloud Platform & Services Group @eyepv6 Agenda General OpenStack + IPv6 Stuff Tenant IPv6 Address Assignment: SLAAC, Stateless

872 views • 51 slides
Introduction to IPv6 - II Building your IPv6 network Alvaro Vives | 27 June 2017 | Workshop on

Introduction to IPv6 - II Building your IPv6 network Alvaro Vives | 27 June 2017 | Workshop on

Introduction to IPv6 - II Building your IPv6 network Alvaro Vives | 27 June 2017 | Workshop on Open Source Solutions for the IoT Contents IPv6 Protocols and Autoconfiguration - ICMPv6 - Path MTU Discovery (PMTU-D) - NDP -

879 views • 32 slides
Source Address Finding (SAF) for IPv6 Translation Mechanisms draft-thaler-ipv6-saf-01.txt Dave

Source Address Finding (SAF) for IPv6 Translation Mechanisms draft-thaler-ipv6-saf-01.txt Dave

Source Address Finding (SAF) for IPv6 Translation Mechanisms draft-thaler-ipv6-saf-01.txt Dave Thaler dthaler@microsoft.com IETF 74 - 6AI BOF 1 UNilateral Self-Address Fixing (UNSAF) 1:1 address mappings (NAT66) avoid most of the issues

545 views • 7 slides
Internet Protocol v6 October 25, 2016 v6@nkn.in Table of Content Why IPv6? Why IPv6?

Internet Protocol v6 October 25, 2016 v6@nkn.in Table of Content Why IPv6? Why IPv6?

Internet Protocol v6 October 25, 2016 v6@nkn.in Table of Content Why IPv6? Why IPv6? IPv6 Address Space IPv6 Address Space Customer LAN Migration Customer LAN Migration Why IPv6? Why IPv6? IPv6 Address Space IPv6

770 views • 58 slides
Address scarcity, NAT, and IPv6 CSCI 466: Networks

Address scarcity, NAT, and IPv6 CSCI 466: Networks

Address scarcity, NAT, and IPv6 CSCI 466: Networks Keith Vertanen Fall 2011 Overview Handling IPv4 address scarcity Address space

766 views • 33 slides
IPv6 Ephemeral Addresses <draft-kitamura-ipv6-ephemeral-address-00.txt> Harmless IPv6

IPv6 Ephemeral Addresses <draft-kitamura-ipv6-ephemeral-address-00.txt> Harmless IPv6

IPv6 Ephemeral Addresses <draft-kitamura-ipv6-ephemeral-address-00.txt> Harmless IPv6 Address State Extension ( Uncertain State) <draft-kitamura-ipv6-uncertain-address-state-00.txt> Hiroshi KITAMURA NEC Corporation

544 views • 33 slides
IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address

IPv6 Yourself Jumping Bean What is IPv6? Replacement for IPv4, 128 bit IP address IPv4 allowed for 4.3 billion possible addresses, IPv6 allows for 340 undecillion addresses 3.40E38, 7.9E28 more than IPv4 addresses, ~ 4.8x10

1.07k views • 28 slides
Naming IPv6 address parts IETF 79 L. Donnerhacke R. Hartmann Editors What are we thinking

Naming IPv6 address parts IETF 79 L. Donnerhacke R. Hartmann Editors What are we thinking

Naming IPv6 address parts IETF 79 L. Donnerhacke R. Hartmann Editors What are we thinking about? Find a term to describe precisely : 16 bits of an IPv6 address, separated by colons Useful for daily communication Easy to pronounce

70 views • 6 slides
Stateless automatic IPv4 over IPv6 Tunneling (SA46T) draft-matsuhira-sa46t-spec-00.txt Naoki

Stateless automatic IPv4 over IPv6 Tunneling (SA46T) draft-matsuhira-sa46t-spec-00.txt Naoki

Stateless automatic IPv4 over IPv6 Tunneling (SA46T) draft-matsuhira-sa46t-spec-00.txt Naoki Matsuhira Fujitsu Limited matsuhira@jp.fujitsu.com 77th IETF, March 2010 77th IETF 1 Network Configuration Backbone Network (IPv6 only) SA46T

318 views • 19 slides
IPv6 Address Management The First Five Years 1 #whoami o o www.ernw.de o o

IPv6 Address Management The First Five Years 1 #whoami o o www.ernw.de o o

IPv6 Address Management The First Five Years 1 #whoami o o www.ernw.de o o https://insinuator.net/tag/ipv6/ o 2 Agenda o o o 3 3 Very Quick Stats (1) Source: http://6lab.cisco.com/stats/cible.php?coun try=DE&option=all 4

1.11k views • 48 slides
IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space

IPv6, MPLS IPv6 History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

775 views • 46 slides
IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already

IPv6 Deployment at Monash University John Mann Agenda IPv6 is Coming IPv6 is Already Here Monash IPv6 Progress Addressing End Systems Monitoring Network Address Usage Traffic Monitoring Problems IPv6 is Coming

779 views • 41 slides
1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

1 IPv6 Packet Format IPv6 Packet Format 40 Byte minimum 0 8 16 31 Mandatory fields

IPv6 IPv6, MPLS History Next generation IP (AKA IPng) Intended to extend address space and routing limitations of IPv4 Requires header change Attempted to include everything new in one change IETF moderated Based

506 views • 5 slides
Analyzing IPv6 address assignment practices Ramakrishna Padmanabhan, John Rula, Philipp

Analyzing IPv6 address assignment practices Ramakrishna Padmanabhan, John Rula, Philipp

Analyzing IPv6 address assignment practices Ramakrishna Padmanabhan, John Rula, Philipp Richter, Stephen Strowes, Alberto Dainotti Goal: Understand the stability of IPv6 addresses How long do devices retain their IPv6 addresses?

437 views • 20 slides
IPv6 @ Navneet Nagori Network Engineering Why IPv6 IPv4 exhaustion Cost - Buying

IPv6 @ Navneet Nagori Network Engineering Why IPv6 IPv4 exhaustion Cost - Buying

IPv6 @ Navneet Nagori Network Engineering Why IPv6 IPv4 exhaustion Cost - Buying address costly , Provider supported NAT, Abuse Identification, Port exhaustion, User share address New Devices IPTV, Mobile Network, home

528 views • 21 slides
IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why?

IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why?

IPv6 Introduction by Harald Welte <laforge@rfc2460.org> IPv6 Introduction What? Why? What is IPv6? Successor of currently used IP Version 4 Specified 1995 in RFC 2460 Why? Address space in IPv4 too small Routing tables too large

476 views • 19 slides
IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net

IPv4 address exhaustion and IPv6 Glen Turner 2008-12-09 AARNet staff meeting aar net Australia's Academic and Research Network IPv6 policy Going forward, we seek to support IPv6 to the same extent as we support IPv4. Exceptions require

631 views • 52 slides
IAB/IESG Recommendations on IPv6 Address Allocations Jun-ichiro itojun Hagino IIJ research

IAB/IESG Recommendations on IPv6 Address Allocations Jun-ichiro itojun Hagino IIJ research

IAB/IESG Recommendations on IPv6 Address Allocations Jun-ichiro itojun Hagino IIJ research laboratory / KAME Project itojun@{iijlab.net,kame.net} Background IPv6 address space has 128 bit width IETF ipngwg (hence IAB/IESG) recommended /48

89 views • 8 slides
Diurnal and Weekly Cycles in IPv6 Traffic Stephen Strowes Yahoo sds@yahoo-inc.com Motivation

Diurnal and Weekly Cycles in IPv6 Traffic Stephen Strowes Yahoo sds@yahoo-inc.com Motivation

Diurnal and Weekly Cycles in IPv6 Traffic Stephen Strowes Yahoo sds@yahoo-inc.com Motivation Non-trivial IPv6 deployments in access networks impacts capacity planning, peering, DNS load balancing (Also, people kept asking why IPv6 is 2-3%

496 views • 8 slides
At which IPv6 stage are you? Scared The address is too long! All my IP addresses are

At which IPv6 stage are you? Scared The address is too long! All my IP addresses are

At which IPv6 stage are you? Scared The address is too long! All my IP addresses are traceable! Angry It's a conspiriacy there is no IPv4 shortage! As long as I get an IPv4 address I don't care! Nobody is using it anyway! Confused

863 views • 48 slides

More recommend