IPv6 Security and Practices (IPv6)

Prerequisites:

It is assumed that participants attending this course:

• Students have a novice-to-intermediate level understanding of computer networking and security including:
• IPv4
• Routing / Switching / Firewalls / Mobile Devices
• Host-based configurations including Windows / Mac / *NIX / Mobile

Students should have fluency in basic computer functions such as web browsing, network configuration, and configuration tuning.

Target Audience:

Course Objectives:

Upon completion of this course, the student will be able to:

• Understand basic security concepts as it pertains to IPv6 Understand the structure of the IPv6 Protocol
• Understand Port Probing and Operating System Security
• Understand unique IPv6 threats: ICMPv6 Protocol Threats, Denial of Services, Extension Header Threats
• Understand how ’dual-stack’ networks introduce additional risks into an enterprise environment
• Understand Firewalls, tunneling, and IPSEC as they related to transition technologies within IPv6 environments
• Concepts, risks, and threat within the Mobile IPv6 environments

Course Outline:

IPv6 Overview

• History
• Impacts of IPv6
• Security Overview
• General Risks/Threats
• Security Triads: CIA/AAA

Security and Cryptography

• Symmetric Key Encryption
• Asymmetric/Public Key Encryption
• Checksum and HASH Functions

IPSEC

• IPSEC Implementation
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
• Extended Sequence Number (ESN)
• AH and ESP
• IPSEC, IPv6, and Tunneling

Network Security in IPv6 Environments

• IPv4 Device Visibility
• IPv4/IPv6 Stacks
• Countermeasures in Dual-Stack Environments
• Firewalls and Intrusion Detection
• IPv6 and DNS

IPv6 Implementation Headaches

• Immature solutions
• Untested Code

Neighbor Discovery Protocol Issues

• DoS
• ICMPv6
• Solicitation Types
• Additional Attacks

First Hop Security

• Router Advertisement spoofing
• DNS and SEND attacks
• RA Guard
• RA & NDP
• Atomic Fragments & ICMPv6
• SEND & NDP
• IGMP Snooping
• DHCPv6 Guard
• IPv6 Destination Guard

IPv6 Esoteric Vulnerabilities

• Extension Headers
• Commonly used Extension Headers
• Risks and Threats: ACLS, Hop by Hop, DoS
• Fragmentation … is still an issue
• NDP /SEND
• Fragmentation …. Is STILL a problem

Address & Port Scanning

• Protocol specifications & RFC4846
• Defenses against scanning
• NetFlow & NDP cache to track Address scanning
• Port scanning in IPv6
• IDS/IPS able to see this type of scanning?

IPv6 & Multicast

• Directed attacks from flooding to resource starvation
• Define site boundaries
• Management of Nodes in multicast groups

6to4 DOS

• Routers must accept and decapsulate IPv4
• No guarantee of symmetric routing
• Go Native!

Transition and Tunneling issues

• IPv4 is here for the long term
• Tunneling tech necessary for flow between v4 and v6
• Transition zones used as backdoors since at LEAST 2002
• Automatic Tunnels & Filtering
• Transition and 6to4 – NO PROD!
• 6to4 DDoS

Access Control Lists

• What is it? IPv4/v6
• Filtering in IPv6
• IPv6 Extended ACLs
• RACLs (Reflexive ACLs)

IPv6 Firewall Filter Rules

• Dual Stack makes things complicated
• ICMP in dual-stack
• Filtering at perimeter
• Host-based firewalls
• Mobile operations
• RE0
• Layer3 and link-local forwarding

Host-Based Security Controls

• Dual Stack
• Malware targeting IPv6-enabled host
• Patching and filtering
• Spurious tunnels, rogue neighbors, forwarding of IPv6 packets
• Processing of ICMPv6
• Host-based firewalls are more complicated on v6-enabled systems
• Windows, Linux, BSD, and other

Mobile IPv6 AKA MIPv6

• Always on is a challenge
• Threats against devices, connection/network, MITM, Protocol level attacks
• Devices require host-based agent
• Connection Interception
• Mobile Media Security
• Man in the Middle
• Connection Interception and RFC 3775
• MIPv6 Signaling & Communication
• Spoofing
• DoS
• IPSEC with MIPv6
• Filtering: Active & ACLs
• MIPv6 Summary

IPv6 Security Summary

• Philosophy: v4 vs v6
• IPv6 Specific issues
• Short-term and long-term risks