IPv6 Security _ Security Issues

   • IPv6 has built-in security via IPsec (Internet
    Protocol Security).
    ◦ IPsec operates at OSI layer 3, or the internet layer of the
      Internet Protocol Suite.
   • IPsec
    ◦   Internet Engineering Task Force (IETF)
    ◦   Encrypts the IP connection between computers
    ◦   Data is encrypted at the packet level
    ◦   The standard for IP encryption
   • IPsec provides four major functions:
   • Confidentiality – The sender can encrypt the
    packets before transmitting them across the
    network. If the communication is intercepted, it
    cannot be read by anybody.
   • Data integrity – The receiver can verify whether
    the data was changed while travelling the
   • Origin authentication – The receiver can
    authenticate the source of the packet.
   • Anti-replay protection – The receiver can verify
    that each packet is unique and not duplicated.
   • IPsec is a framework of open standards which uses
    the following three protocols:
    ◦ Security Association
    ◦ Authentication Header
    ◦ Encapsulating Security Payload
   • Security Association handles the protocols and
    algorithms used to generate the encryption
    and authentication keys used by IPsec.
   • Authentication Header provides
    connectionless integrity and data origin
    authentication for IP datagrams.
   • Encapsulating Security Payload provides
    confidentiality, data origin authentication and
    connectionless integrity.
   • IPsec was developed in conjunction with IPv6
    and it is required in all implementations of
   • Although IPsec was designed for IPv6, it can
    be and has been used to secure IPv4 traffic
    for some time now.
   • Although IPv6 itself has built-in security, the
    coming change to IPv6 and away from IPv4
    has raised security concerns over how the
    change from one protocol to another may be
   • The main catalyst for IPv6 is the soon-to-be
    depleted number of IPv4 addresses. Some
    estimates say it may take more than a decade
    for IPv6 capabilities to spread throughout the
    network community.
   • During this transition time and even
    afterwards, some servers will be available over
    IPv4 only, some over IPv6 only,
    and some over both protocols.
   • Support and security for both of these
    protocols will be needed for an extended
   • The security concerns at this early stage deal
    with the minimal but growing amount of IPv6
    traffic running across IPv4 networks that are
    not secured against threats arriving via this
    IPv6 traffic.
   • Most U.S. organizations have hidden IPv6
    traffic running across their networks. They
    can have IPv6 running on their networks and
    not know it.
   • Windows 7, Vista, Windows Server 2008, Mac
    OS X, Linux and Solaris all ship with IPv6
    enabled by default.
   • The main concern lies with security meant to
    monitor IPv4 traffic. This security needs to be
    updated to include IPv6.
   • Firewalls need to be able to distinguish
    between IPv4 and IPv6. If you only have an
    IPv4 firewall, you can have IPv6 running
    between you and the threat.
   • Tunneling is another area of concern. IPv6
    traffic can be tunneled over IPv4 using
    mechanisms such as Teredo, 6to4, or ISATAP.
    Typical IPv4 security devices are not tuned to
    look for tunneled traffic. Tunneled traffic can
    be hard to discern and decipher in any case,
    as the following example suggests: you
    can tunnel IPv6 over HTTP over IPv4.
   • Rogue IPv6 traffic can include attacks such as
    botnet command and control.
   • One example of a botnet attack using IPv6
    had the IPv6 protocol hiding itself as IPv4
    through the router. It was then attacking and
    issuing command and control to a botnet in
    the Far East. Another type of threat has seen
    illegal file sharing that leverages IPv6 for
    peer-to-peer communications.
   • The type 0 routing header is another
    potential security problem with IPv6. This
    feature of IPv6 allows you to specify in the
    header what route is used to forward traffic.
    A hacker could use this to overwhelm a part
    of the network generating denial-of-service
   • RFC 5095 dated December 2007 called for
    measures to confront this problem.
    Implemented yet?
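
An added example (not from the original slides): a Python walk of the IPv6 extension-header chain that finds a type 0 routing header and applies the handling RFC 5095 specifies for a receiving node, which is to ignore the header when Segments Left is 0 and discard the packet otherwise. Function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def find_rh0(pkt: bytes):
    """Walk a raw IPv6 packet's extension headers; return RH0 details or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40                        # Next Header field, end of fixed header
    while nxt in EXT_HEADERS and off + 8 <= len(pkt):
        if nxt == ROUTING and pkt[off + 2] == 0:  # Routing Type 0
            # Hdr Ext Len counts 8-octet units; each RH0 address takes two of them
            return {"segments_left": pkt[off + 3], "addresses": pkt[off + 1] // 2}
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    return None

def rh0_verdict(pkt: bytes) -> str:
    """RFC 5095 rule for a receiving node: RH0 is treated as an unrecognised type."""
    rh0 = find_rh0(pkt)
    if rh0 is None:
        return "pass"
    return "drop" if rh0["segments_left"] else "ignore-header"

def addr(text: str) -> bytes:
    return ipaddress.IPv6Address(text).packed

def packet(first_nh: int, chain: bytes) -> bytes:
    """Constructed test data: IPv6 fixed header followed by the given header chain."""
    return (struct.pack("!IHBB", 6 << 28, len(chain), first_nh, 64)
            + addr("2001:db8::1") + addr("2001:db8::2") + chain)

def routing(rtype: int, hops: list, nxt: int = NO_NEXT) -> bytes:
    """Constructed test data: routing header of the given type listing hops."""
    body = b"".join(addr(h) for h in hops)
    return bytes([nxt, len(hops) * 2, rtype, len(hops)]) + b"\x00" * 4 + body

HOPS = ["2001:db8:a::1", "2001:db8:b::1"]          # constructed intermediate hops
PADDED_HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])  # hop-by-hop holding one PadN option
SAMPLES = {
    "rh0_after_hbh": packet(HOP_BY_HOP, PADDED_HBH + routing(0, HOPS)),
    "type2": packet(ROUTING, routing(2, HOPS[:1])),
    "plain": packet(NO_NEXT, b""),
}
if __name__ == "__main__":
    print({name: rh0_verdict(pkt) for name, pkt in SAMPLES.items()})
```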
   • The number of attacks via IPv6 has been low,
    but this can be attributed to the low amount
    of IPv6 traffic and the fact that the vast
    majority of the prime targets are still using
   • Organizations will have to mirror what they
    have done for IPv4 security with IPv6. Until
    recently IPv4 was the only protocol used and
    the only one that network security needed to
    be concerned with. Now there is IPv4, IPv6
    and IPv6 tunneled over IPv4.
   • Companies are now coming out with products
    to deal with these issues.
   • Command Information Assure 6 and McAfee
    Network Security Platform both provide full
    IPv6 and tunnel inspection.
   • Cisco and Juniper offer IPv6-enabled routers
    and firewalls.