Hope2012 Ipv6 Klein Final

8/14/2019 Hope2012 Ipv6 Klein Final

1/26

Joe Klein


2/26

!!IPv6 is now a MUST, not a should or might.!This is NOT meant to scare or frighten butinstead it is focused on educating you on

common pitfalls.

!This presentation is vender neutral --- Allvenders will be praised or demonized in due

time.!Jim Bound, wanted me to think evil about

IPv6, then contribute to the solution --- and Ido.


3/26

! ~ 5.5 billion devices > 4 billion IPv4 addresses! 2.2 billion people: currently only 32.7% are online! +50 billion unique addresses by 2020! Impact:

Stop-gaps i.e. NAT, CIDER, RFC 1918 Security :

" More addresses, 3+ per device" Blacklists problems

! Reference: http://agbeat.com/real-estate-technology-new-media/number-of-devices-

connected-to-the-web-exceeds-the-total-population-of-earth/ http://www.internetworldstats.com/stats.htm


4/26

! IANA, final delivery of IPv4 addresses on 03-Feb-2011 to the 5 Regional Internet Registries (RIR)

! Impact: Internet is now based on the RIRs! Reference : http://tinyurl.com/8rpsvp, http://www.potaroo.net/tools/ipv4/


5/26

! All IPv4 addresses are estimated to be depleted by: Asia Pacific (APNIC) : 19-Apr-2011 Europe (RIPENCC) : 30-Jul-2012


6/26

! Many ISPs and US businesses are not ready forIPv6 18 Transition mechanisms

! Impact: ISP Business Security

! References:


7/26

! US Federal Government Timeline Procurement: December 10, 2009 Internet Facing: End of FY 2012 Internal: End of FY 2014

! Impact: USG leading ISP and corporate world Security: Early vulnerabilities?

! Reference: FAR: http://edocket.access.gpo.gov/2009/pdf/E9-28931.pdf DFAR: http://www.acq.osd.mil/dpap/dars/closedcases/archive/FAR_FY_2010.pdf Internet/Internal: http://usgv6-deploymon.antd.nist.gov/govmon.html Internet Facing Scorecard: http://fedv6-deployment.antd.nist.gov/cgi-bin/generate-gov


8/26

! The vast majority of IT and security staff are unawareof the methods to secure, monitor and test this newprotocol

! Impact: Admins Audits, Assessments, and Penetration testers Monitoring tools

! References: DISA STIG: http://tinyurl.com/6zmb565 Juniper: http://tinyurl.com/6wts3so Cisco: http://tinyurl.com/dyyvlzy Microsoft: http://tinyurl.com/884es6z


9/26


10/26

|------------------ Local Segment ----------------||--------------- Network Segment --------------|

64 Bits 64 Bits

IANA

Regional Internet Registry (RIR) | ARIN, APNIC, AfriNIC, RIPE NCC, LACNIC

End User

End User/Small Business

/3

/64

/56

Large Business/Organization

End Users

National Internet Registry + Local Internet Registry + ISP

National Internet Registry (NIR) + Internet Service Provider (ISP)

Local Internet Registry (LIR) + Internet Service Provider

National Internet Registry or Local Internet RegistryNetwork Provider

|---------------------------------------------------- 128 Bits ------------------------------------------------------|

/12 to /23

/19 to /32

/48

Provider-independent address spaceMin /48

RFC: 3177


11/26

Large Business/Organization

End Users

End Site Assignment have changed

Why? about premature IPv6 depletion !!

1. No /1282. No Fixed boundary or hard coded3. End sites come in different shapes and sizes;4. NAT66 is possibleJustification:

1. Easer to obtain the right size of address2. Simplify address management3. Better support network growth

/32 - 64

Provider-independent address spaceMin /48


12/26

! Programmers are mostly clueless IPv6

! Impact: Security

! References: http://web.nvd.nist.gov/view/vuln/search-

results?query=IPv6&search_type=all&cves=on


13/26

! How is the system addressallocations?

! Number of AddressesAllocated?


14/26

! How to you enter an IPaddress?

! How do you validate it? IPv4: Dotted Quad

IPv6: 8, 4 Hexadecimalcharacters with :separators


15/26

! How are networksrepresented? IPv4: NetMask,

CIDER across thecomplete address

" 255.255.255.128 IPv6: CIDER only

across the first 64

bits" 2001:ABCD:EF12:345

6:7890:ABCD:EF12:3456


16/26

! How are networksrepresented?


17/26

! How is DNSAssigned? Order


18/26

! How do you readan IP address?


19/26

! Security operations is unaware of the impact ofdeviceASIC, memory on ACLs

! Impact: Slow Down - If IPv6 is unable to be processed in ASIC,

the supporting operating system must perform theprocessing slower self created DOS?

Memory size limitations! References:

Theory v. Hardware - Are Current ASICs up to theChallenge, SANS 2012 IPv6 Summit, Richard Porter


20/26

Participated:Akamai, Comcast, Free Telecom, KDDI, Time Warner Cable, AT&T, D-Link,Google, Cisco, Facebook, Internode, Limelight, XS4ALL, Microsoft BING,Yahoo! And more http://www.worldipv6launch.org/

Resources:

! 1.1% of Alexa 1 million sites are IPv6 enabled - http://www.alexa.com/ 5.35% (8.26%) in Germany 4.88% (3.23%) Russia 0.10% (4.66%) Spain 17.1% (0.01.%) China 0.38% (45.6%) US

Traffic:

! 74,810 hits/sec (6/13/2012) - http://www.akamai.com/ipv6! 27.2 % of all US-based pageviews - http://blogs.cisco.com/news/

ipv6webimpact/! Amsterdam Internet Exchange (AMSIX) - 50% increase, 2 to 3 Gbit/s! IPv6 traffic of all Internet traffic as increasing from 0.024 to 0.041 http://

www.internetsociety.org/ipv6/archive-2011-world-ipv6-day

World IPv6 LaunchJune 6, 2012


21/26

! Google IPv6 Traffic: 0.67%


22/26

! Addresses! IPSec! Extension Headers! DHCPv6+! Multicast! DNSSec Integration! Many moreProblem: Requires IPv6 only environments!


23/26

! Nmap 6.1! THC-IPV6 - van Hauser! Metasploit! IPv6 Toolbox - Fernando Gont


24/26

! Individual & Interactions of specifications! Implementation of specifications by

venders

! Configuration of implementation! Operational Experience! Training Material and common

misconceptions

! Integration with existing systems! Testing and Monitoring (security and

performance)

! Policies, Procedures, practices and testing


25/26

! Resiliency to attack! Security Devices and Tools! Education & Training (Hands-on)


26/26

Joe Klein

Documents

Hope2012 Ipv6 Klein Final