
IPv6

The Threats, Challenges & Opportunities

What's this thing about?


IPv6 has been cool since the 80s
The next revision of IP
Fundamentally changes addressing
Change in style of perimeter

Little adoption outside closed networks
Most compelling to ISP & Telco, mostly hidden end user benefits

New Features
Massive expansion in the address space
Which can be good!

Detailed performance enhancements (eliminate the primary needs of NAT)
Subnet size has been standardized
Protocol includes IPSec (mandate)
Mobile IP with triangular routing (Skype)
Autoconf services for transparent addressing
Islands and less structured connectivity

IPSEC

Security Risks
Vulnerabilities in the protocol/app stacks
Security delivery model changes
Deployment chaos

IPv6 Vulnerabilities
Vulnerabilities in the protocol stack

IPv4 had such problems when first released and really tested. Lots of work has gone into IPv6 to prevent this, but it remains a noteworthy risk.

Already happened a few times, such as the DoS attack through addition of IPv6 headers

Network devices with embedded, slow-to-update firmware!

Vulnerability in application handling

Most services are abstracted by the OS, but a surprising number of applications will need to handle IPv6 more directly. How educated and responsive are vendors going to be to emerging IPv6 threats?

Delivery model changes

Thus far, it's only academic. Serious threat to network security inspection:
De-perimeterization
Encryption
Islands and casual connectivity

The bad guys are doing it now

Multiple examples of malware and hacking tools using IPv6 transport for C&C

Deployment Chaos
We're all going to deploy it wrong
Trying to make it look like NAT, for example!

Horrific mass of transition mechanisms enabled, expanding the surface area and adding confusion (3 types of tunnelling):
Teredo (RFC 4380), 6-4, 4-6, ISATAP, etc.

Complexity is the enemy of security.

Security Risks/Opportunities

Forces an endpoint-centric strategy: there is no in or out. Creates a big enough pool of IPs that the bad guys can rotate very fast, making reputation services very hard.

Can allow greater control of reputation and a de-perimeterized definition of who you trust.

Key Principles

1. Adopt it for specific hosts and services. Blacklist approach.
2. Consider security to be endpoint centric, not transport or infrastructure layer.
3. Minimise the available extensions to IPv6, keep it as simple as possible.
4. DO NOT try to rebuild your IPv4 network using IPv6; go back to basics.
5. IPv6 can compromise your IPv4 stability; have a segmentation or recovery strategy.

Key Principles

1. Take advantage of some of the existing, available policy in key operating systems (certificate deployment, point to point encryption).
2. Ensure you have a robust and responsive strategy to update hardware and network infrastructure as lessons are learned.
3. Build a strategy for authorisation, network access and resource allocation upfront.
4. Ensure your network and endpoint security teams learn about the IPv6 implications.
5. Implement IPv4 best practices to include timely patching, host antivirus, and early detection followed by perimeter blocking.

Additional Information

RFC 4942 - IPv6 Transition/Co-existence Security Considerations
RFC 4864 - Local Network Protection for IPv6

Sophos Strategy

1. Restrict to allowed areas first
2. Enable updating & key services
3. Include concept in analysis/detection engine
4. with greater granularity
5. Include advanced firewall policy support for tunnelling services
6. Complete infrastructure transition for all components

Sophos Strategy - Gateway

Process messages in a mixed IPv4/IPv6 environment
Presentation of reports in IPv6
Full IPv6 system
Enforce policy on IPv6 address
Reputation and intelligence for IPv6 address
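A defender-side check that ties the transition mechanisms named earlier (Teredo, 6-4, ISATAP) to the gateway point above about reputation for IPv6 addresses. This is an added example, not Sophos code: it classifies a source address by tunnel type and recovers the IPv4 endpoint embedded in it, so an IPv4-keyed reputation or firewall lookup still applies to tunnelled traffic. The sample flows are constructed; the Teredo address is the worked example from RFC 4380.

```python
import ipaddress
from typing import Optional, Tuple

def classify_transition_address(addr: str) -> Tuple[str, Optional[str]]:
    """Return (mechanism, embedded_ipv4) for one IPv6 address.
    mechanism is "6to4", "teredo", "isatap" or "native". Tunnelled
    addresses carry the IPv4 endpoint inside them, which is the value
    an IPv4-keyed reputation or firewall lookup should be run against.
    """
    raw = ipaddress.IPv6Address(addr).packed
    # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, the site's IPv4 in bits 16-47
    if raw[:2] == b"\x20\x02":
        return "6to4", str(ipaddress.IPv4Address(raw[2:6]))
    # Teredo (RFC 4380): 2001:0000::/32; the client's public IPv4 is the
    # last 32 bits XORed with 0xFFFFFFFF (the server's IPv4 is bits 32-63)
    if raw[:4] == b"\x20\x01\x00\x00":
        client = bytes(b ^ 0xFF for b in raw[12:16])
        return "teredo", str(ipaddress.IPv4Address(client))
    # ISATAP (RFC 5214): interface id 0000:5efe:w.x.y.z (or 0200:5efe:...
    # when the u/g bit is set) under any prefix, IPv4 in the low 32 bits
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap", str(ipaddress.IPv4Address(raw[12:16]))
    return "native", None

# Constructed sample flows (source IPv6, destination port); not real traffic.
# The Teredo entry is RFC 4380's own address example (client 192.0.2.45).
SAMPLE_FLOWS = [
    ("2002:c000:0204::1", 443),
    ("2001:0:4136:e378:8000:63bf:3fff:fdd2", 6667),
    ("fe80::5efe:c000:204", 22),
    ("2001:db8::10", 80),
]

def audit_flows(flows):
    """Tag each flow with its transition mechanism and the address a
    reputation lookup should be keyed on (embedded IPv4 for tunnels,
    the IPv6 address itself for native traffic)."""
    report = []
    for src, dport in flows:
        mech, v4 = classify_transition_address(src)
        report.append({
            "src": src, "dport": dport, "mechanism": mech,
            "tunnelled": mech != "native",
            "reputation_key": v4 if v4 else src,
        })
    return report

if __name__ == "__main__":
    for row in audit_flows(SAMPLE_FLOWS):
        print(row)
```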

David Chow

E-mail: david.chow@sophos.com
