8/14/2019 Hope2012 Ipv6 Klein Final
1/26
Joe Klein
2/26
- IPv6 is now a MUST, not a should or might.
- This is NOT meant to scare or frighten; instead it is focused on educating you on common pitfalls.
- This presentation is vendor neutral --- all vendors will be praised or demonized in due time.
- Jim Bound wanted me to think evil about IPv6, then contribute to the solution --- and I do.
3/26
- ~5.5 billion devices > 4 billion IPv4 addresses
- 2.2 billion people: currently only 32.7% are online
- +50 billion unique addresses by 2020
- Impact:
  - Stop-gaps, i.e. NAT, CIDR, RFC 1918
  - Security:
    - More addresses, 3+ per device
    - Blacklist problems
- Reference:
  - http://agbeat.com/real-estate-technology-new-media/number-of-devices-connected-to-the-web-exceeds-the-total-population-of-earth/
  - http://www.internetworldstats.com/stats.htm
4/26
- IANA: final delivery of IPv4 addresses on 03-Feb-2011 to the 5 Regional Internet Registries (RIR)
- Impact: Internet is now based on the RIRs
- Reference: http://tinyurl.com/8rpsvp, http://www.potaroo.net/tools/ipv4/
5/26
- All IPv4 addresses are estimated to be depleted by:
  - Asia Pacific (APNIC): 19-Apr-2011
  - Europe (RIPE NCC): 30-Jul-2012
6/26
- Many ISPs and US businesses are not ready for IPv6
  - 18 transition mechanisms
- Impact:
  - ISP
  - Business
  - Security
- References:
7/26
- US Federal Government Timeline
  - Procurement: December 10, 2009
  - Internet Facing: End of FY 2012
  - Internal: End of FY 2014
- Impact:
  - USG leading ISP and corporate world
  - Security: Early vulnerabilities?
- Reference:
  - FAR: http://edocket.access.gpo.gov/2009/pdf/E9-28931.pdf
  - DFAR: http://www.acq.osd.mil/dpap/dars/closedcases/archive/FAR_FY_2010.pdf
  - Internet/Internal: http://usgv6-deploymon.antd.nist.gov/govmon.html
  - Internet Facing Scorecard: http://fedv6-deployment.antd.nist.gov/cgi-bin/generate-gov
8/26
- The vast majority of IT and security staff are unaware of the methods to secure, monitor and test this new protocol
- Impact:
  - Admins
  - Audits, Assessments, and Penetration testers
  - Monitoring tools
- References:
  - DISA STIG: http://tinyurl.com/6zmb565
  - Juniper: http://tinyurl.com/6wts3so
  - Cisco: http://tinyurl.com/dyyvlzy
  - Microsoft: http://tinyurl.com/884es6z
9/26
10/26
[Diagram: IPv6 address allocation hierarchy across the 128-bit address (64-bit network segment, 64-bit local segment). Entities shown: IANA; Regional Internet Registries (ARIN, APNIC, AfriNIC, RIPE NCC, LACNIC); National Internet Registries (NIR), Local Internet Registries (LIR) and ISPs; large businesses/organizations; end users/small businesses; end users. Prefix lengths shown: /3, /12 to /23, /19 to /32, /48, /56, /64. Provider-independent address space: min /48. RFC: 3177]
11/26
End site assignments have changed

Why? about premature IPv6 depletion !!

1. No /128
2. No fixed or hard-coded boundary
3. End sites come in different shapes and sizes
4. NAT66 is possible

Justification:

1. Easier to obtain the right size of address
2. Simplify address management
3. Better support network growth

[Diagram labels: Large Business/Organization; End Users; /32 - 64; Provider-independent address space, min /48]
12/26
- Programmers are mostly clueless about IPv6
- Impact: Security
- References: http://web.nvd.nist.gov/view/vuln/search-results?query=IPv6&search_type=all&cves=on
13/26
- How does the system handle address allocations?
- Number of addresses allocated?
14/26
- How do you enter an IP address?
- How do you validate it?
  - IPv4: Dotted quad
  - IPv6: 8 groups of 4 hexadecimal characters with ":" separators
15/26
- How are networks represented?
  - IPv4: Netmask, CIDR across the complete address
    - 255.255.255.128
  - IPv6: CIDR only across the first 64 bits
    - 2001:ABCD:EF12:3456:7890:ABCD:EF12:3456
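Added example, not part of the original slides: the validation and network-representation questions above, worked through with Python's standard ipaddress module. It contrasts a naive "8 groups of 4 hex characters" check with a real parser, then derives a per-/64 key for blocklists. The function names and the /64 grouping policy are assumptions made for illustration.

```python
import ipaddress
import re

# Naive check: accepts only the full "8 groups of 4 hex characters" form.
NAIVE_V6 = re.compile(r"^(?:[0-9A-Fa-f]{4}:){7}[0-9A-Fa-f]{4}$")

def naive_is_ipv6(text):
    """What many input validators do; rejects legal compressed forms."""
    return NAIVE_V6.match(text) is not None

def canonical(text):
    """Return one canonical string per address, or None if invalid."""
    try:
        addr = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is the same host as
    # a.b.c.d; fold it so ACLs and logs see one spelling, not two.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.compressed

def blocklist_key(text):
    """Key for blocklists and rate limits (assumed policy):
    IPv4 per host (/32), IPv6 per network segment (first 64 bits)."""
    canon = canonical(text)
    if canon is None:
        return None
    prefix = 64 if ":" in canon else 32
    return str(ipaddress.ip_network(f"{canon}/{prefix}", strict=False))

# Constructed sample inputs; the first is the address shown on the slide.
SAMPLES = [
    "2001:ABCD:EF12:3456:7890:ABCD:EF12:3456",
    "2001:abcd:ef12:3456::1",                   # same /64, compressed form
    "2001:0DB8:0000:0000:0000:0000:0000:0001",  # full form of 2001:db8::1
    "::ffff:192.0.2.7",                         # IPv4-mapped IPv6
    "2001:db8:::1",                             # invalid: triple colon
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, naive_is_ipv6(s), canonical(s), blocklist_key(s))
```

Comparing or blocking on the raw input string instead of the canonical form lets one host appear under several spellings, and blocking a single /128 misses a device that holds several addresses in the same /64.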
16/26
- How are networks represented?
17/26
- How is DNS assigned? Order
18/26
- How do you read an IP address?
19/26
- Security operations is unaware of the impact of device ASIC and memory on ACLs
- Impact:
  - Slow down: if IPv6 is unable to be processed in ASIC, the supporting operating system must perform the processing, which is slower. Self-created DoS?
  - Memory size limitations
- References:
  - Theory v. Hardware - Are Current ASICs up to the Challenge, SANS 2012 IPv6 Summit, Richard Porter
20/26
World IPv6 Launch, June 6, 2012

Participated: Akamai, Comcast, Free Telecom, KDDI, Time Warner Cable, AT&T, D-Link, Google, Cisco, Facebook, Internode, Limelight, XS4ALL, Microsoft BING, Yahoo! and more. http://www.worldipv6launch.org/

Resources:
- 1.1% of Alexa 1 million sites are IPv6 enabled - http://www.alexa.com/
  - 5.35% (8.26%) in Germany
  - 4.88% (3.23%) Russia
  - 0.10% (4.66%) Spain
  - 17.1% (0.01.%) China
  - 0.38% (45.6%) US

Traffic:
- 74,810 hits/sec (6/13/2012) - http://www.akamai.com/ipv6
- 27.2% of all US-based pageviews - http://blogs.cisco.com/news/ipv6webimpact/
- Amsterdam Internet Exchange (AMSIX) - 50% increase, 2 to 3 Gbit/s
- IPv6 traffic, as a share of all Internet traffic, increased from 0.024 to 0.041 - http://www.internetsociety.org/ipv6/archive-2011-world-ipv6-day
21/26
- Google IPv6 Traffic: 0.67%
22/26
- Addresses
- IPSec
- Extension Headers
- DHCPv6+
- Multicast
- DNSSec Integration
- Many more

Problem: Requires IPv6-only environments!
23/26
- Nmap 6.1
- THC-IPV6 - van Hauser
- Metasploit
- IPv6 Toolbox - Fernando Gont
24/26
- Individual specifications and interactions between specifications
- Implementation of specifications by vendors
- Configuration of implementation
- Operational experience
- Training material and common misconceptions
- Integration with existing systems
- Testing and monitoring (security and performance)
- Policies, procedures, practices and testing
25/26
- Resiliency to attack
- Security Devices and Tools
- Education & Training (Hands-on)
26/26
Joe Klein