22-02-2013, 10:38 AM
IPv6 Security Issues
IPv6 Security.ppt (Size: 92.5 KB / Downloads: 115)
New Security Issues in IPv6
Many of the new protocol's characteristics can be exploited to mount attacks against systems and networks.
IPv6 deployment calls for a deep understanding of the protocol, its requirements and its security issues. Careful planning is necessary to reduce the possibility of malicious exploitation.
IPv6 Security Characteristics
Based on IPv4 experience, the new protocol incorporates a number of elements that address known security problems.
Native support for the IPsec extension headers:
Authentication Header (AH), for integrity and origin authentication
Encapsulating Security Payload (ESP), for encryption (and optionally authentication)
These can be used to implement specific security policies. Because AH and ESP are separate headers they can be applied independently, which gives a degree of flexibility when implementing a particular policy.
Network Reconnaissance
The huge number of possible addresses complicates the discovery of hosts, operating systems and services by host and port scanning.
The default subnet size is 2^64 addresses (a /64): it is practically impossible to sweep it with packet probes.
Weaknesses:
Important systems are usually assigned "easy to remember" addresses (e.g. low interface identifiers such as ::1 or ::10, or an embedded IPv4 address)
DNS servers hold host records (AAAA, PTR) that reveal the addresses actually in use
IPv6 neighbor-discovery caches on routers and hosts list the active neighbors
Special (well-known) multicast addresses exist for various types of network resources (all routers, DHCP servers etc.)
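The following is an added example, not code from the original slides: it puts numbers on the "2^64 is unsweepable" claim and then shows how the weaknesses listed above shrink the search space to a short candidate list (low interface identifiers, embedded IPv4 addresses in both common spellings, SLAAC/EUI-64 identifiers derived from known MACs). The prefix 2001:db8::/64, the MAC addresses and the IPv4 hints are constructed sample values; the multicast groups are the standard well-known ones.

```python
"""IPv6 reconnaissance helpers (added example, not part of the original slides).
Shows why exhaustively probing a /64 is hopeless and how memorable addresses,
embedded IPv4 addresses and SLAAC/EUI-64 identifiers collapse the search space.
2001:db8::/64, the MACs and the IPv4 hints below are constructed sample values."""
import ipaddress
from typing import Iterable, List

SECONDS_PER_YEAR = 365 * 24 * 3600

# Well-known multicast groups that answer for whole classes of devices.
WELL_KNOWN_MULTICAST = {
    "ff02::1": "all nodes on the link",
    "ff02::2": "all routers on the link",
    "ff02::1:2": "all DHCPv6 relay agents and servers on the link",
    "ff05::1:3": "all DHCPv6 servers in the site",
}


def sweep_years(prefix_len: int = 64, probes_per_second: float = 1e6) -> float:
    """Years needed to probe every address of a prefix at the given rate."""
    return 2 ** (128 - prefix_len) / probes_per_second / SECONDS_PER_YEAR


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address from a MAC (RFC 4291): insert ff:fe in the middle, flip the U/L bit."""
    net = ipaddress.IPv6Network(prefix)
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    octets[0] ^= 0x02  # invert the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def candidate_addresses(prefix: str, low_max: int = 16,
                        ipv4_hints: Iterable[str] = (),
                        macs: Iterable[str] = ()) -> List[str]:
    """Likely host addresses inside `prefix`, in the order a scanner would try them."""
    net = ipaddress.IPv6Network(prefix)
    base = int(net.network_address)
    out: List[str] = []
    # 1. "easy to remember" low interface identifiers: ::1, ::2, ...
    out += [str(ipaddress.IPv6Address(base | i)) for i in range(1, low_max + 1)]
    # 2. IPv4 addresses embedded in the interface identifier, both conventions:
    #    192.0.2.53 -> ::c000:235 (binary) and ::192:0:2:53 (decimal digits typed as hex)
    for v4 in ipv4_hints:
        a = ipaddress.IPv4Address(v4)
        out.append(str(ipaddress.IPv6Address(base | int(a))))
        words = [int(str(o), 16) for o in str(a).split(".")]
        iid = (words[0] << 48) | (words[1] << 32) | (words[2] << 16) | words[3]
        out.append(str(ipaddress.IPv6Address(base | iid)))
    # 3. SLAAC/EUI-64 identifiers derived from known or vendor-guessable MACs
    out += [str(eui64_address(prefix, m)) for m in macs]
    return out


if __name__ == "__main__":
    print(f"full /64 sweep at 1 Mpps: {sweep_years():,.0f} years")
    for addr in candidate_addresses("2001:db8::/64", 8,
                                    ipv4_hints=["192.0.2.53"],
                                    macs=["00:11:22:33:44:55"]):
        print("candidate:", addr)
    for group, meaning in WELL_KNOWN_MULTICAST.items():
        print("multicast:", group, "->", meaning)
```

Note that the candidate list is only a few dozen addresses, against the 1.8e19 of a full /64; combined with DNS enumeration and pinging ff02::1 from an on-link position, this is how real IPv6 host discovery works.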
Access Control
One interface may simultaneously have several addresses:
link-local, site-local (since deprecated by RFC 3879 in favour of unique local addresses), global unicast
The administrator may enable global unicast addresses only on devices that must access the Internet.
Extension headers in IPv6 may be used to bypass the security policy.
E.g. routing headers have to be processed by the devices they list (IPv6 endpoints), so a packet can be steered through an internal host; Routing Header Type 0 was deprecated for this reason (RFC 5095) and should be dropped at the border.
In IPv6 some ICMPv6 and (link-local) multicast messages are required for the correct operation of the protocol (neighbor and router discovery, Packet Too Big for path MTU discovery).
Firewalls should be configured to allow only the required messages of these types (RFC 4890 gives filtering recommendations).
The IPv4 ICMP security policy must be adapted for ICMPv6: blocking all ICMPv6, as is often done with ICMPv4, breaks the protocol.
ARP and DHCP attacks
Devices are misled into taking wrong IP addresses, or are configured with malicious settings (e.g. a rogue default gateway or DNS server).
IPv6 by itself does not provide any extra security on this issue.
The stateless autoconfiguration procedure (based on ICMPv6 router advertisements) automatically assigns addresses. DHCPv6 servers may additionally provide other configuration information.
DHCPv6 is not yet considered "mature".
The same process (stateless autoconfiguration) can be hijacked by a rogue router advertisement.
ICMPv6 neighbor discovery replaces ARP but suffers from the same spoofing problems (SEND, RFC 3971, addresses them cryptographically but is rarely deployed).
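As an added example (not from the slides), here is the IPv6 counterpart of an arpwatch-style monitor for the two hijacks just described: a Neighbor Advertisement that rebinds a known address to a new link-layer address, and a Router Advertisement from a router that is not on the approved list. It works on already-parsed ICMPv6 fields; the records, the router allow-list and the MAC addresses are constructed sample data, not a real capture.

```python
"""Neighbor-discovery spoofing monitor (added example, not part of the original slides).
Consumes parsed ICMPv6 Router Advertisement (type 134) and Neighbor Advertisement
(type 136) fields and flags address rebinding and rogue routers.  The sample records
and allow-list are constructed, not captured."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
ICMPV6_NEIGHBOR_ADVERTISEMENT = 136


@dataclass(frozen=True)
class NDRecord:
    ts: float              # capture time in seconds
    icmp_type: int         # 134 (RA) or 136 (NA)
    src: str               # IPv6 source address of the message
    target: str            # NA target address; for an RA the router's own address
    lladdr: str            # link-layer address option carried in the message
    override: bool = False # NA "O" flag: receiver should replace its cache entry


def check_nd(records: Iterable[NDRecord], known_routers: Set[str]) -> List[Tuple[str, str]]:
    """Return (alert_kind, detail) pairs; the neighbor table is learned from the records."""
    neighbors: Dict[str, str] = {}  # IPv6 address -> first link-layer address seen
    alerts: List[Tuple[str, str]] = []
    for r in records:
        if r.icmp_type == ICMPV6_ROUTER_ADVERTISEMENT:
            if r.src not in known_routers:
                alerts.append(("rogue_ra",
                               f"t={r.ts}: RA from {r.src} ({r.lladdr}) not in router allow-list"))
        elif r.icmp_type == ICMPV6_NEIGHBOR_ADVERTISEMENT:
            first = neighbors.setdefault(r.target, r.lladdr)
            if first != r.lladdr:
                flag = " with Override set" if r.override else ""
                alerts.append(("lladdr_change",
                               f"t={r.ts}: {r.target} moved from {first} to {r.lladdr}{flag}"))
    return alerts


# Constructed sample: one legitimate router (fe80::1), one victim host, one attacker.
KNOWN_ROUTERS = {"fe80::1"}
SAMPLE_RECORDS = [
    NDRecord(0.0, 134, "fe80::1", "fe80::1", "00:11:22:33:44:55"),            # genuine RA
    NDRecord(1.0, 136, "fe80::1", "fe80::1", "00:11:22:33:44:55"),            # genuine NA
    NDRecord(2.0, 136, "2001:db8::10", "2001:db8::10", "00:aa:bb:cc:dd:ee"),  # ordinary host
    NDRecord(5.0, 136, "fe80::1", "fe80::1", "66:77:88:99:aa:bb", override=True),  # spoofed NA
    NDRecord(6.0, 134, "fe80::bad", "fe80::bad", "66:77:88:99:aa:bb"),        # rogue RA
]

if __name__ == "__main__":
    for kind, detail in check_nd(SAMPLE_RECORDS, KNOWN_ROUTERS):
        print(kind, detail)
```

A first-seen binding is trusted here, exactly as arpwatch does; a production monitor would seed the table from a known inventory and also pair this with RA Guard on the switch ports.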
Mixed environments v4/v6 – 6to4
An IPv6 network may send attack traffic to an IPv4 system by constructing packets with the appropriate 6to4 destination address (2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the hexadecimal form of the target's IPv4 address WW.XX.YY.ZZ). The corresponding tunnels are set up dynamically, so no prior arrangement with the target is needed.
The same type of attack may be initiated from an IPv4 system, concealing the source. The path is:
IPv4 system – 6to4 relay router (which strips the outer IPv4 header, so the original IPv4 source address disappears) – target IPv4 system (whose address is embedded in the 6to4 destination address)
The DDoS possibility is rather low due to resource limitations at the 6to4 relay.
Different 6to4 relays may be used for each direction (asymmetric paths), which further complicates tracing.
The mechanism may also be used for reflection attacks (a spoofed source address makes the relay or the target send its replies to a third party).
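The following is an added example, not code from the slides. It shows how a 6to4 address encodes an arbitrary IPv4 target (the IPv6-to-IPv4 attack path above) and implements the kind of sanity checks RFC 3964 recommends a 6to4 router or relay perform in each direction: rejecting embedded bogon addresses before encapsulating, and checking that the stripped outer IPv4 source agrees with the address embedded in the inner IPv6 source before decapsulating. The addresses in the demo are constructed documentation-range values, and the relay allow-list is an assumption (the 192.88.99.0/24 anycast prefix of RFC 3068 plus one made-up configured relay).

```python
"""6to4 address handling and relay checks (added example, not part of the original slides).
Demonstrates how 2002:WWXX:YYZZ::/48 embeds the IPv4 address WW.XX.YY.ZZ, and the
RFC 3964-style checks a 6to4 router/relay should apply before encapsulating
(IPv6 -> IPv4) and after decapsulating (IPv4 -> IPv6).  Demo addresses are constructed."""
import ipaddress
from typing import Optional, Tuple

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges that must never appear embedded in a 6to4 address (after RFC 3964):
# unspecified, RFC 1918 private, loopback, link-local, multicast, reserved/broadcast.
EMBEDDED_BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Assumption: IPv4 sources from which native (non-6to4) IPv6 traffic is acceptable,
# i.e. the RFC 3068 relay anycast address and one constructed configured relay.
KNOWN_RELAYS = {ipaddress.IPv4Address("192.88.99.1"), ipaddress.IPv4Address("198.51.100.200")}


def to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 for the IPv4 address WW.XX.YY.ZZ."""
    a = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(a) << 80), 48))


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """The IPv4 address a 6to4 IPv6 address points the tunnel at, or None if not 6to4."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def embedded_bogon(v4: ipaddress.IPv4Address) -> Optional[str]:
    """The bogon range containing v4, or None if it is acceptable in a 6to4 address."""
    for net in EMBEDDED_BOGONS:
        if v4 in net:
            return str(net)
    return None


def encapsulate_ok(inner_dst: str) -> Tuple[bool, str]:
    """IPv6 -> IPv4: the relay is about to build an IPv4 header to the embedded address."""
    v4 = embedded_ipv4(inner_dst)
    if v4 is None:
        return False, "destination is not a 6to4 address"
    bogon = embedded_bogon(v4)
    if bogon:
        return False, f"embedded IPv4 {v4} is in {bogon}"
    # Nothing else stops this: any IPv6 host can make the relay emit protocol-41
    # packets toward any global IPv4 address.  That is the attack path in the text.
    return True, f"encapsulate toward {v4}"


def decapsulate_ok(outer_src: str, inner_src: str) -> Tuple[bool, str]:
    """IPv4 -> IPv6: compare the stripped outer IPv4 source with the inner IPv6 source."""
    osrc = ipaddress.IPv4Address(outer_src)
    bogon = embedded_bogon(osrc)
    if bogon:
        return False, f"outer IPv4 source {osrc} is in {bogon}"
    isrc_v4 = embedded_ipv4(inner_src)
    if isrc_v4 is None:
        # A native IPv6 source inside a 6to4 tunnel is only legitimate from a relay.
        if osrc in KNOWN_RELAYS:
            return True, "native IPv6 source via known relay"
        return False, "native IPv6 source from an unknown IPv4 host"
    if isrc_v4 != osrc:
        return False, f"6to4 source claims {isrc_v4} but the packet came from {osrc}"
    return True, "outer and embedded IPv4 sources agree"


if __name__ == "__main__":
    print("target 192.0.2.53 is reachable as", to_6to4_prefix("192.0.2.53"))
    print(encapsulate_ok("2002:c000:235::1"))    # global target: relay will forward
    print(encapsulate_ok("2002:a00:1::1"))       # embedded 10.0.0.1: rejected
    print(decapsulate_ok("198.51.100.7", "2002:c633:6407::1"))  # consistent
    print(decapsulate_ok("198.51.100.7", "2002:c633:6408::1"))  # spoofed inner source
```

The decapsulation check is what makes concealing the IPv4 source harder: a spoofed inner 6to4 source no longer matches the outer header. It cannot stop the first path, where the inner source is a genuine native IPv6 address, which is why the text rates 6to4 as a persistent attack and reflection vector.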