Presentation on
IPV4 VS IPV6
SECURITY AND THREAT COMPARISONS
Group Name
• Konda Reddy
• Suman KC
• Farha Diba
• Bikram Shrestha
• Rajwinder kaur
IPv6 Address Representation
 128 bits.
 Represented by 8 colon-separated segments.
 Each 16-bit segment written in hexadecimal.
EXAMPLE:
3ffe:3700:1100:0001:d9e6:0b9d:14c6:45ee
IPv6 Address Compaction
Leading zeroes in a 16-bit segment can be compacted
Example:
fe80:0210:1100:0006:0030:a4ff:000c:0097
Becomes:
fe80:210:1100:6:30:a4ff:c:97
IPv6 Address Compaction
All zeroes in one or more contiguous 16-bit segments can be represented with a
double colon (::)
Example:
ff02:0000:0000:0000:0000:0000:0000:0001
Becomes:
ff02::1
But…
IPv6 Address Compaction
Double colons can only be used once
Example:
2001:0000:0000:0013:0000:0000:0b0c:3701
Can be:
2001::13:0:0:b0c:3701
Or:
2001:0:0:13::b0c:3701
But not:
2001::13::b0c:3701
IPv6 Address Types
Unicast
 Identifies a single interface
 Packet sent to a unicast address is delivered to the interface identified by that address
Multicast
 Identifies a set of interfaces
 Packet sent to a multicast address is delivered to all interfaces identified by that address
Anycast
 Identifies a set of interfaces
 Packet sent to an anycast address is delivered to the nearest interface identified by that address (as
defined by the routing protocol)
IPv6 has no broadcast addresses
 IPv6 uses the "all-nodes" multicast address instead
(ff01::1 for interface-local scope, ff02::1 for link-local scope)
Interface ID
 Unique to the link
 Identifies interface on a specific link
 Can be automatically derived
- IEEE addresses use MAC-to-EUI-64 conversion
- Other addresses use other automatic means
 Can be used to form link-local address
 Can be used to form global address with stateless autoconfiguration
MAC-to-EUI-64 Conversion
 First three octets of MAC becomes Company-ID
 Last three octets of MAC becomes Node-ID
 0xfffe inserted between Company-ID and Node-ID
 Universal/Local-Bit (U/L-bit) is set to 1 for global scope
MAC-to-EUI-64 Conversion Example
 MAC Address: 0000:0b0a:2d51
 In binary:
 00000000 00000000 00001011 00001010 00101101 01010001
 Insert fffe between Company-ID and Node-ID
 00000000 00000000 00001011 11111111 11111110 00001010 00101101 01010001
 Set U/L bit to 1
 00000010 00000000 00001011 11111111 11111110 00001010 00101101 01010001
 Resulting EUI-64 Address: 0200:0bff:fe0a:2d51
Using the EUI-64 Interface ID
EUI-64 Address:
200:bff:fe0a:2d51
Link-Local Address:
fe80::200:bff:fe0a:2d51
Global Unicast Address:
3ffe:3700:1100:1:200:bff:fe0a:2d51
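The compaction rules and the MAC-to-EUI-64 walkthrough above, implemented as an added example (this is not code from the slides): compact_ipv6 applies the leading-zero and single-"::" rules, mac_to_eui64 inserts fffe and flips the U/L bit, and address_from_iid reproduces the slide's link-local and global addresses. It goes slightly beyond the slides by rejecting malformed input such as a second "::".

```python
# Added example (not from the original slides): IPv6 address compaction and
# MAC-to-EUI-64 derivation, checked against the worked values on the slides.
from typing import List


def expand_ipv6(addr: str) -> List[int]:
    """Expand a textual IPv6 address into its eight 16-bit segments.

    Enforces the slide rules: '::' may appear at most once and must stand
    for at least one all-zero segment, and the result must have 8 segments.
    """
    if addr.count("::") > 1:
        raise ValueError(f"'::' may only be used once: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError(f"'::' must replace at least one segment: {addr}")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 segments, got {len(parts)}: {addr}")
    segments = []
    for part in parts:
        if not 1 <= len(part) <= 4:
            raise ValueError(f"bad segment {part!r} in {addr}")
        segments.append(int(part, 16))   # int() rejects non-hex characters
    return segments


def is_valid_ipv6(addr: str) -> bool:
    """True if the address parses under the rules above (e.g. one '::' only)."""
    try:
        expand_ipv6(addr)
        return True
    except ValueError:
        return False


def compact_ipv6(addr: str) -> str:
    """Compact an address: drop leading zeroes in each segment and replace the
    longest run of all-zero segments with '::'.

    Where two runs tie (the slide's 2001:0:0:13:0:0:b0c:3701 case) the first
    run is chosen, and a lone zero segment is left as '0' (RFC 5952 style).
    """
    segments = expand_ipv6(addr)
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, seg in enumerate(segments + [-1]):   # sentinel closes the last run
        if seg == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = [f"{seg:x}" for seg in segments]
    if best_len >= 2:
        head = ":".join(hexes[:best_start])
        tail = ":".join(hexes[best_start + best_len:])
        return f"{head}::{tail}"
    return ":".join(hexes)


def mac_to_eui64(mac: str) -> bytes:
    """MAC-to-EUI-64: insert 0xfffe between Company-ID and Node-ID and invert
    the Universal/Local bit (0x02 of the first octet), as RFC 4291 does. For a
    universally administered MAC such as the slide's this sets the bit to 1."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC must be 48 bits: {mac}")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def address_from_iid(prefix: str, iid: bytes) -> str:
    """Join a /64 prefix (e.g. 'fe80::' or '3ffe:3700:1100:1::') with an 8-byte
    interface ID and return the compacted address."""
    if len(iid) != 8:
        raise ValueError("interface ID must be 64 bits")
    net = expand_ipv6(prefix)[:4]
    host = [int.from_bytes(iid[i:i + 2], "big") for i in range(0, 8, 2)]
    return compact_ipv6(":".join(f"{seg:04x}" for seg in net + host))


if __name__ == "__main__":
    iid = mac_to_eui64("0000:0b0a:2d51")          # the slide's example MAC
    print(compact_ipv6("ff02:0000:0000:0000:0000:0000:0000:0001"))  # ff02::1
    print(iid.hex())                                # 02000bfffe0a2d51
    print(address_from_iid("fe80::", iid))          # fe80::200:bff:fe0a:2d51
```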
IPv4 vs. IPv6 Header Formats
How the IPv6 process starts on a host
 When a host joins the network, it sends an ICMPv6 Neighbor Solicitation (NS) packet
to perform Duplicate Address Detection (DAD) for its link-local address.
 After the host determines its link-local address is safe to use, it then sends an ICMPv6
Type 133 Router Solicitation (RS) message to attempt to learn details about the
network from the local router.
 Upon receiving this RS, the router sends out an ICMPv6 type 134 Router
Advertisement (RA) message so that the requesting host, and all others on that LAN
segment, will have information about the LAN and how they should go about
obtaining their global unicast address.
 The router also sends RA messages periodically, typically every 200 seconds, to make
sure all the nodes on the LAN have current information about the local IPv6 prefix.
How RA works / disabling RA
 The ICMPv6 Router Advertisement (RA) that the router sends to the IPv6 all-nodes link-local
multicast group address (FF02::1) is received and processed by all the nodes on the LAN. The RA
carries a variety of valuable information, in addition to guidance to the nodes on the LAN about
how they will obtain their IPv6 address. The RA contains several bits that tell the node how it
should behave:
 Address Autoconfiguration Flag (A flag) indicates whether stateless address autoconfiguration
(SLAAC) should be used.
 On-Link Flag (L flag) indicates that the prefix is "on-link" and local to this network.
 Managed Address Configuration Flag (M flag) indicates that the nodes should use DHCPv6 to
determine their interface identifier.
 Other Stateful Configuration Flag (O flag) indicates that other information is available to help the
node (e.g. DNS server information).
Path MTU
 IPv6 defines a standard mechanism called path MTU discovery that a source node can use to
learn the path MTU of the path a packet is likely to traverse. If any of the packets sent on that
path are too large to be forwarded by a node along the path, that node discards the packet and
returns an ICMPv6 Packet Too Big message. The source node can then adjust its packet size to be
no larger than the MTU reported by the node that dropped the packet and sent the ICMPv6
message, and retransmit the packet. A source node might receive Packet Too Big messages
repeatedly until its packet traverses all nodes along the path successfully.
 Initially, the PMTU value for a path is assumed to be the (known) MTU of the first-hop link. When
a Packet Too Big message is received, the node determines which path the message applies to
based on the contents of the Packet Too Big message. For example, if the destination address is
used as the local representation of a path, the destination address from the original packet is
used to determine which path the message applies to.
 NOTE: A Routing header determines the location of the destination address within the original
packet.
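The PMTU procedure above as an added example (not code from the slides): a per-destination cache that starts at the first-hop MTU, lowers the PMTU on each Packet Too Big, never goes below the 1280-byte IPv6 minimum, ignores messages that would raise it, and, as the NOTE says, takes the final destination from a type 0 Routing header when one is echoed. The addresses and the build_packet_too_big helper are constructed for the test.

```python
# Added example (not from the original slides): a per-destination Path MTU
# cache that applies ICMPv6 Packet Too Big messages as described above.
import ipaddress
import struct
from typing import Dict, List, Optional

IPV6_MIN_MTU = 1280        # every IPv6 link must carry packets of this size
ICMPV6_PACKET_TOO_BIG = 2  # ICMPv6 type; code is 0
ROUTING_HEADER = 43


def final_destination(pkt: bytes) -> Optional[str]:
    """Final destination of the invoking IPv6 packet echoed in a Packet Too Big.

    Normally this is the header's destination field; with a type 0 Routing
    header it is the last address listed there (the slide's NOTE). Returns
    None if the echoed packet is too short to decide.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    dest = pkt[24:40]
    if pkt[6] == ROUTING_HEADER and len(pkt) >= 48:
        ext_len, routing_type = pkt[41], pkt[42]
        if routing_type == 0 and ext_len > 0 and ext_len % 2 == 0:
            end = 48 + ext_len * 8          # addresses follow the 8-byte base
            if len(pkt) < end:
                return None
            dest = pkt[end - 16:end]
    return str(ipaddress.IPv6Address(dest))


class PathMtuCache:
    """Path MTU per destination address (the 'local representation of a path')."""

    def __init__(self, first_hop_mtu: int):
        self.first_hop_mtu = first_hop_mtu
        self._pmtu: Dict[str, int] = {}

    def pmtu(self, dest: str) -> int:
        # Initially the PMTU of a path is assumed to be the first-hop link MTU.
        return self._pmtu.get(dest, self.first_hop_mtu)

    def packet_too_big(self, icmp: bytes) -> Optional[str]:
        """Apply a Packet Too Big message. Returns the destination whose PMTU
        was lowered, or None if the message was malformed or ignored."""
        if len(icmp) < 8 + 40:              # header plus a full invoking header
            return None
        msg_type, code, _checksum, mtu = struct.unpack("!BBHI", icmp[:8])
        if msg_type != ICMPV6_PACKET_TOO_BIG or code != 0:
            return None
        dest = final_destination(icmp[8:])
        if dest is None:
            return None
        # Never go below the IPv6 minimum; a smaller reported MTU is handled by
        # fragmenting at 1280 rather than by shrinking the path MTU further.
        new_pmtu = max(mtu, IPV6_MIN_MTU)
        if new_pmtu >= self.pmtu(dest):
            return None                     # a PTB can only lower the PMTU
        self._pmtu[dest] = new_pmtu
        return dest


def build_packet_too_big(mtu: int, src: str, dst: str,
                         route: Optional[List[str]] = None) -> bytes:
    """Constructed Packet Too Big for testing: the echoed packet is a bare IPv6
    header (checksum and payload length left at 0), optionally followed by a
    type 0 Routing header listing `route`, whose last entry is the real target."""
    route = route or []
    next_header = ROUTING_HEADER if route else 59   # 59 = No Next Header
    hdr = struct.pack("!IHBB", 0x60000000, 0, next_header, 64)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    if route:
        hdr += struct.pack("!BBBBI", 59, 2 * len(route), 0, len(route), 0)
        hdr += b"".join(ipaddress.IPv6Address(a).packed for a in route)
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + hdr
```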
Typical IPv6 Security Issues
Almost identical to IPv4 security issues:
• First-hop protocol vulnerabilities
• Denial-of-Service attacks
• User authentication and authorization
• Eavesdropping, session hijacking, DNS spoofing
• Routing security
 Dual-stack exposures (IPv6 enabled but policies/firewall filters not enforced for it)
IPv6 similarities with IPv4
The majority of vulnerabilities on the Internet today are at the application layer, which even
IPsec does nothing to prevent.
Rogue devices will be as easy to insert into an IPv6 network as into an IPv4 one.
Without strong mutual authentication, any attack utilizing MITM will have the same
likelihood in IPv6 as in IPv4.
Flooding attacks are identical between IPv4 and IPv6.
IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4.
Reconnaissance
 Default IPv6 subnets have 2^64 addresses, far beyond what can be swept even at 10 Mpps.
 Today there is no known ping sweep tool for IPv6. Nmap, which supports ping sweeping in v4,
elected not to support it in IPv6, presumably for this reason.
 Most importantly, public servers still need to be reachable via DNS.
 Scanning-based attacks will effectively fail. This protection only holds if the attacker has no
direct access to the specific subnet and is therefore trying to scan it remotely. An attacker with
local access could use Neighbor Discovery (ND) and ping6 to the link-scope multicast address
ff02::1 to detect the IEEE-based addresses of local neighbors, then apply the global prefix to
those to simplify the search (of course, a locally connected attacker has many scanning options
with IPv4 as well).
 By compromising hosts in a network, an attacker can learn new addresses to scan.
 Transition techniques (see further) derive the IPv6 address from the IPv4 address.
More on reconnaissance
 The first category of attack is reconnaissance, which also is generally the first
attack executed by an adversary. In this attack the adversary attempts to learn as
much as possible about the victim network. This includes both active network
methods such as scanning as well as more passive data mining such as through
search engines or public documents.
 Ping sweeps, port scans, application and vulnerability scans; some tools such as
Nmap can perform elements of all these scan types at the same time.
FHS: First Hop Security
 RA guard use-case
 IPv6 device tracking
 IPv6 snooping logging
 IPv6 source guard
 IPv6 snooping
 PortACL blocks all ICMPv6 RA from hosts
 Fake DHCPv6 Replies
 Selectively filter ICMP
 Disable RH0
RA Guard
RA Guard is a feature that allows the operator of a Layer 2 switch to predetermine which
switch ports are actually router facing.
RA guard can also validate the source of the RA, the prefix list, the preference and any
other information carried within it. It can validate the cryptographic credentials when
provided (as defined in Secure Neighbor Discovery specification, i.e. SeND) to provide
nodes that don’t support SeND with a level of security equivalent to those that do
support it.
How it helps with rogue DHCP: permit RAs only if they have the M and O bits set, and
enforce that the subsequently advertised DHCP prefix is within the company's range.
Enable logging on the network device for auditing.
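The RA flags described under "How RA works" and the RA Guard rule just above, as an added example (not code from the slides or any vendor's implementation): parse_ra decodes an ICMPv6 type 134 message and its Prefix Information options (M, O, L and A flags), and guard_decision permits an RA only if M and O are set and every advertised prefix is inside the organisation's range. COMPANY_PREFIXES and the build_ra helper are constructed stand-ins for the test.

```python
# Added example (not from the original slides): parse an ICMPv6 Router
# Advertisement (RFC 4861 layout) and apply an RA-guard-style policy to it.
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List

ICMPV6_RA = 134          # Router Advertisement; Router Solicitation is 133
OPT_PREFIX_INFO = 3      # Prefix Information option, always 32 bytes

# Constructed range standing in for "the company's range" on the slide.
COMPANY_PREFIXES = [ipaddress.IPv6Network("2001:db8:1000::/48")]


@dataclass
class PrefixInfo:
    prefix: ipaddress.IPv6Network
    on_link: bool            # L flag: prefix is on-link
    autonomous: bool         # A flag: use this prefix for SLAAC
    valid_lifetime: int
    preferred_lifetime: int


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    managed: bool            # M flag: use DHCPv6 for addresses
    other: bool              # O flag: use DHCPv6 for other info (e.g. DNS)
    router_lifetime: int
    prefixes: List[PrefixInfo] = field(default_factory=list)


def parse_ra(icmp: bytes) -> RouterAdvertisement:
    """Parse an RA's ICMPv6 payload (fixed header plus options). Raises
    ValueError on anything malformed; a guard should treat that as drop."""
    if len(icmp) < 16:
        raise ValueError("RA shorter than its 16-byte fixed header")
    msg_type, code, _csum, hop, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", icmp[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError(f"not a Router Advertisement: type={msg_type} code={code}")
    ra = RouterAdvertisement(hop, bool(flags & 0x80), bool(flags & 0x40), lifetime)
    pos = 16
    while pos < len(icmp):
        if len(icmp) - pos < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:
            raise ValueError("option with length 0")   # RFC 4861: must discard
        size = opt_len * 8
        if pos + size > len(icmp):
            raise ValueError("option runs past end of packet")
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", icmp[pos + 2:pos + 12])
            net = ipaddress.IPv6Network((icmp[pos + 16:pos + 32], plen), strict=False)
            ra.prefixes.append(PrefixInfo(net, bool(pflags & 0x80),
                                          bool(pflags & 0x40), valid, preferred))
        pos += size                # unknown options are skipped, not rejected
    return ra


def ra_guard_verdict(ra: RouterAdvertisement,
                     allowed: List[ipaddress.IPv6Network]) -> List[str]:
    """Policy from the slide: permit only RAs with both M and O set whose
    advertised prefixes fall inside the allowed range. Empty list = permit."""
    problems = []
    if not (ra.managed and ra.other):
        problems.append("M and O flags not both set")
    for info in ra.prefixes:
        if not any(info.prefix.subnet_of(net) for net in allowed):
            problems.append(f"prefix {info.prefix} outside allowed range")
    return problems


def guard_decision(icmp: bytes, allowed: List[ipaddress.IPv6Network]) -> str:
    """What a port-level guard would return for one RA: 'permit' or 'drop: ...'."""
    try:
        ra = parse_ra(icmp)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    problems = ra_guard_verdict(ra, allowed)
    return "permit" if not problems else "drop: " + "; ".join(problems)


def build_ra(managed: bool, other: bool, prefix: str,
             on_link: bool = True, autonomous: bool = True) -> bytes:
    """Constructed RA for testing (checksum left at 0; it is not validated here)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, 1800, 0, 0)
    pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                      2592000, 604800, 0)
    return hdr + opt + net.network_address.packed
```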
IPv6 snooping
 RA guard / DHCP guard
 IPv6 address gleaning
 IPv6 ND inspection
IPv6 snooping includes the guard functions: if you enable IPv6 snooping, you do not need to explicitly configure RA guard / DHCP guard
on the same port.
 IPv6 address gleaning
 Address gleaning learns the IPv6 addresses of devices connected to that link and is a prerequisite for more advanced FHS features
like Source Guard. The learning is done by examining information in the ND and DHCPv6 packets (in particular the addresses carried
in them). However, by default DHCPv6 server messages are dropped, so in order to glean from DHCPv6 messages a guard
policy that allows DHCPv6 server messages must be applied on the port connecting the valid DHCPv6 server.
 The FHS code learns the addresses and installs them into the binding table. Each entry contains the source the address was learned
from, the address itself, the MAC address, interface, vlan, priority level, age, state and time left.
 IPv6 ND inspection
 ND inspection verifies the sanity of the ND messages that pass through the device. It can also enforce limits on the number of
addresses per port. This feature enforces the ND process by ensuring that all parties step through all the correct steps in the
ND process. The ND inspection process builds the neighbor binding table.
Fake RA Messages
• Traffic interception
• DNS IPv6 address injection (DNS interception)
• Denial-of-service attack (bogus prefixes)
Fake DHCPv6 Replies
 Intruder responds to DHCPv6 requests
• DNS IPv6 address injection
• Denial-of-service attack
Solution: enable DHCPv6 guard
Fake Neighbor Advertisement Messages
 Intruder responds to ICMPv6 Neighbor Solicitation requests
• Traffic interception
• Denial-of-service attack
 Enable DHCPv6 snooping, ND inspection, SEND
ARP spoofing (v4) = NDP spoofing (v6)
Dynamic ARP inspection for IPv6 is available
Secure Neighbor Discovery (cryptographic NDP): IPv6 addresses whose interface
identifiers are cryptographically generated.
Prevents replay attacks by timestamp and nonce options.
IPv6 supports all the same features: 802.1X, private VLANs, port security
Attacks (continued)
 Remote Neighbor Discovery Attacks
 How to prevent: tight ingress ACLs (check the forwarding-path order of operation)
 Control-plane policing (CoPP)
 ND cache limits (globally and per box)
 Prefixes longer than /64 (extreme measure, use with care)
DAD Attacks
 Effectively disables SLAAC
 Might interfere with DHCPv6-based address assignment.
 IPv6 Extension Headers
• All networking gear should drop packets with RH0 by default
• Firewalls and ACLs should be able to filter on extension headers
• Firewalls should limit the number of extension headers
• Firewalls/ACLs should be able to drop fragmented headers
More on RH0
 The IPv6 Type 0 Routing header is similar in function to the Loose Source and
Record Route IP options. The IPv6 Routing header is identified by a Next Header
(NH) value of 43 in the immediately preceding header.
 Attackers can maliciously use IPv6 Type 0 Routing headers to bypass packet filters
(IPv6 access-list policies) or anycast addressing and routing. These headers can
also be used to perform reflected denial of service (DoS) attacks, spoofing,
double spoofing, and amplification attacks (ping-pong attacks that can cause link
saturation and potential performance issues through added CPU processing).
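The extension-header rules above (drop RH0, cap the number of extension headers, drop fragments) as an added example (not code from the slides or any firewall product): walk_extension_headers follows the Next Header chain from the fixed IPv6 header, identifying Routing headers by type so that only type 0 is rejected, and filter_verdict turns the result into a permit/drop decision. The build_packet helper and the header bodies are constructed for the test and use documentation addresses.

```python
# Added example (not from the original slides): walk an IPv6 extension header
# chain and apply the slide's filtering rules (drop RH0, cap the number of
# extension headers, optionally drop fragments).
import ipaddress
import struct
from typing import List, NamedTuple, Optional, Tuple

HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADER_NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing",
                    FRAGMENT: "fragment", AUTH: "ah", DEST_OPTS: "dest-opts"}
# ESP (50) is not walked: what follows it is encrypted, so it ends the chain.


class ChainInfo(NamedTuple):
    headers: List[str]          # extension headers in order of appearance
    routing_types: List[int]    # routing type of every Routing header seen
    fragmented: bool
    upper_layer: Optional[int]  # protocol after the chain, None on error
    error: Optional[str]


def walk_extension_headers(pkt: bytes) -> ChainInfo:
    """Follow the Next Header chain from the fixed IPv6 header, recording
    each extension header and any Routing header type (type 0 = RH0)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ChainInfo([], [], False, None, "not an IPv6 packet")
    next_header, pos = pkt[6], 40
    headers: List[str] = []
    routing_types: List[int] = []
    fragmented = False
    while next_header in EXT_HEADER_NAMES:
        if pos + 8 > len(pkt):              # every extension header is >= 8 bytes
            return ChainInfo(headers, routing_types, fragmented, None, "truncated chain")
        if next_header == FRAGMENT:
            size, fragmented = 8, True      # fixed size, no length field
        elif next_header == AUTH:
            size = (pkt[pos + 1] + 2) * 4   # AH length is in 32-bit words minus 2
        else:
            size = (pkt[pos + 1] + 1) * 8   # others: 8-octet units minus 1
        if next_header == ROUTING:
            routing_types.append(pkt[pos + 2])
        if pos + size > len(pkt):
            return ChainInfo(headers, routing_types, fragmented, None, "truncated chain")
        headers.append(EXT_HEADER_NAMES[next_header])
        next_header, pos = pkt[pos], pos + size
    return ChainInfo(headers, routing_types, fragmented, next_header, None)


def filter_verdict(pkt: bytes, max_ext_headers: int = 3,
                   drop_fragments: bool = True) -> str:
    """'permit' or 'drop: <reason>' under the slide's recommendations."""
    info = walk_extension_headers(pkt)
    if info.error:
        return f"drop: {info.error}"
    if 0 in info.routing_types:
        return "drop: Routing header type 0 (RH0)"
    if len(info.headers) > max_ext_headers:
        return f"drop: {len(info.headers)} extension headers exceed limit of {max_ext_headers}"
    if drop_fragments and info.fragmented:
        return "drop: Fragment header"
    return "permit"


def build_packet(chain: List[Tuple[int, bytes]], upper_layer: int = 58) -> bytes:
    """Constructed IPv6 packet (documentation-prefix addresses) for testing.
    Each chain entry is (extension header type, header body after its first
    two bytes); next-header and length fields are filled in here. Not for AH."""
    types = [t for t, _ in chain] + [upper_layer]
    payload = b""
    for i, (_, body) in enumerate(chain):
        body += b"\x00" * (-(2 + len(body)) % 8)  # pad to an 8-octet multiple
        payload += struct.pack("!BB", types[i + 1], (2 + len(body)) // 8 - 1) + body
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), types[0], 64)
    hdr += ipaddress.IPv6Address("2001:db8::1").packed
    hdr += ipaddress.IPv6Address("2001:db8::2").packed
    return hdr + payload


# Constructed header bodies (everything after the next-header/length bytes).
PADN_OPTS = b"\x01\x04\x00\x00\x00\x00"                       # one PadN option
RH0_BODY = (struct.pack("!BBI", 0, 2, 0)                      # type 0, 2 hops
            + ipaddress.IPv6Address("2001:db8::3").packed
            + ipaddress.IPv6Address("2001:db8::4").packed)
RH2_BODY = (struct.pack("!BBI", 2, 1, 0)                      # type 2 (Mobile IPv6)
            + ipaddress.IPv6Address("2001:db8::3").packed)
FRAG_BODY = struct.pack("!HI", 0x0001, 0x12345678)            # offset 0, M=1
```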
Routing Security with IPv6
 Challenges and solutions almost identical to IPv4:
• Don’t run routing protocols on customer-facing interfaces
• Use IPsec with OSPFv3
• Use MD5 authentication with other routing protocols
 Best practices:
• Network Ingress Filtering (BCP38) for IPv4 and IPv6
• TTL security (BGP)
• Route filters in distance- and path vector protocols
Challenges in implementing IPv6 in DMZs
 Normally, servers are connected to a network device on a single NIC or a
bond (active/standby, active/active).
 The switch port they connect to might be an access VLAN or a trunk VLAN.
 If it is an access port, then tag the host interface with the new external VLAN for IPv6 communication.
TASKS:
1. Configure the external VLAN on the firewall
2. Tag the new VLAN to the respective switch and change the host port configuration to trunk
3. Configure the server's port as trunk and test connectivity
Advantages:
 No physical movement of the host
 Logical configuration only
 Sysops and Network teams need to work together to test connectivity
 Unblocks the IPv6 implementation for a faster rollout

 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 

APNIC Hackathon IPv4 & IPv6 security & threat comparisons

  • 1. Presentation on IPv4 vs IPv6: security and threat comparisons
  • 2. Group: Konda Reddy, Suman KC, Farha Diba, Bikram Shrestha, Rajwinder Kaur
  • 3. IPv6 Address Representation
    - 128 bits.
    - Written as 8 colon-separated segments.
    - Each 16-bit segment is written in hexadecimal.
    Example: 3ffe:3700:1100:0001:d9e6:0b9d:14c6:45ee
  • 4. IPv6 Address Compaction
    Leading zeroes in a 16-bit segment can be dropped.
    Example: fe80:0210:1100:0006:0030:a4ff:000c:0097 becomes fe80:210:1100:6:30:a4ff:c:97
  • 5. IPv6 Address Compaction
    One or more contiguous all-zero 16-bit segments can be replaced with a double colon (::).
    Example: ff02:0000:0000:0000:0000:0000:0000:0001 becomes ff02::1
    But...
  • 6. IPv6 Address Compaction
    The double colon can be used only once, otherwise the number of segments it stands for is ambiguous.
    Example: 2001:0000:0000:0013:0000:0000:0b0c:3701
    Can be: 2001::13:0:0:b0c:3701
    Or: 2001:0:0:13::b0c:3701
    But not: 2001::13::b0c:3701
    RFC 5952 picks the first of these (longest zero run, earliest on a tie, lowercase) as the canonical text form; ACLs, allow-lists and log searches should match on the parsed value, not on the string, because the same address has several valid spellings.
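Added worked example (not from the deck): the compaction rules of slides 4 to 6 implemented as a parser and a canonical printer, cross-checked against Python's ipaddress module. It rejects the double "::" form, and the allow-list check at the end shows why canonicalisation matters for filtering: the allow-list entries and the addresses fed to it are constructed for the example.

```python
import ipaddress
import re

HEX_GROUP = re.compile(r"^[0-9a-f]{1,4}$")


def expand_ipv6(text):
    """Expand a textual IPv6 address into its eight 16-bit groups (as ints).

    Applies the two compaction rules in reverse: a group may omit leading
    zeros, and a single '::' stands for one or more all-zero groups.
    Anything else (a second '::', too many groups, non-hex) is rejected.
    """
    text = text.strip().lower()
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: %s" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group: %s" % text)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError("not a valid IPv6 address: %s" % text)
    return [int(g, 16) for g in groups]


def compress_ipv6(groups):
    """RFC 5952 canonical text: no leading zeros, lowercase, and the longest
    run of two or more zero groups (the first such run on a tie) becomes '::'."""
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(list(groups) + [-1]):  # sentinel closes the last run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = ["%x" % g for g in groups]
    if best_len < 2:  # a lone zero group is written as '0', never '::'
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def canonical(text):
    """Parse and re-emit an address in its single canonical form."""
    return compress_ipv6(expand_ipv6(text))


def is_valid_ipv6(text):
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def is_allowlisted(addr, allowlist):
    """Compare addresses by value, not by string: every spelling of an
    address must hit the same ACL/allow-list entry."""
    wanted = canonical(addr)
    return any(canonical(entry) == wanted for entry in allowlist)


if __name__ == "__main__":
    for a in ("fe80:0210:1100:0006:0030:a4ff:000c:0097",
              "ff02:0000:0000:0000:0000:0000:0000:0001",
              "2001:0000:0000:0013:0000:0000:0b0c:3701",
              "2001:0:0:13::b0c:3701"):
        # cross-check the hand-written rules against the standard library
        assert canonical(a) == ipaddress.IPv6Address(a).compressed
        print(a, "->", canonical(a))
    print(is_valid_ipv6("2001::13::b0c:3701"))  # False: '::' used twice
```

In production code use ipaddress directly; the hand-written version is here so the rules on the slides are visible in one place.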
  • 7. IPv6 Address Types
    Unicast
    - Identifies a single interface.
    - A packet sent to a unicast address is delivered to the interface identified by that address.
    Multicast
    - Identifies a set of interfaces.
    - A packet sent to a multicast address is delivered to all interfaces identified by that address.
    Anycast
    - Identifies a set of interfaces.
    - A packet sent to an anycast address is delivered to the nearest interface identified by that address (as defined by the routing protocol).
    IPv6 has no broadcast addresses
    - IPv6 uses the link-local "all-nodes" multicast group (ff02::1) instead.
  • 8. Interface ID
    - Unique on the link; identifies an interface on a specific link.
    - Can be derived automatically: IEEE MAC addresses use the MAC-to-EUI-64 conversion, other link types use other automatic means.
    - Used to form the link-local address, and the global address with stateless autoconfiguration (SLAAC).
  • 9. MAC-to-EUI-64 Conversion
    - The first three octets of the MAC (the OUI) become the Company-ID.
    - The last three octets of the MAC become the Node-ID.
    - 0xfffe is inserted between Company-ID and Node-ID.
    - The Universal/Local bit (U/L bit, value 0x02 of the first octet) is inverted, so a globally unique MAC yields a 1 in the interface ID.
  • 10. MAC-to-EUI-64 Conversion Example
    - MAC address: 0000:0b0a:2d51
    - In binary: 00000000 00000000 00001011 00001010 00101101 01010001
    - Insert fffe between Company-ID and Node-ID: 00000000 00000000 00001011 11111111 11111110 00001010 00101101 01010001
    - Set the U/L bit to 1: 00000010 00000000 00001011 11111111 11111110 00001010 00101101 01010001
    - Resulting EUI-64 interface ID: 0200:0bff:fe0a:2d51
  • 11. Using the EUI-64 Interface ID
    - EUI-64 interface ID: 200:bff:fe0a:2d51
    - Link-local address: fe80::200:bff:fe0a:2d51
    - Global unicast address: 3ffe:3700:1100:1:200:bff:fe0a:2d51
    Caveat: an EUI-64 interface ID embeds the MAC address, so it is the same on every network the host visits and is easy to recognise by its ff:fe marker; current hosts use temporary (RFC 4941) or stable opaque (RFC 7217) interface IDs instead.
  • 12. IPv4 vs. IPv6 Header Formats
  • 13. How the IPv6 process starts from a host
    - When a host joins the network, it sends an ICMPv6 Neighbor Solicitation (NS, type 135) to perform Duplicate Address Detection (DAD) for its tentative link-local address.
    - Once the host has determined that its link-local address is safe to use, it sends an ICMPv6 Router Solicitation (RS, type 133) to learn about the network from the local router.
    - On receiving the RS, the router sends an ICMPv6 Router Advertisement (RA, type 134) so that the requesting host, and all other nodes on that LAN segment, learn about the LAN and how they should obtain their global unicast address.
    - The router also sends RAs periodically (every 200 seconds by default on Cisco IOS; the RFC 4861 default MaxRtrAdvInterval is 600 seconds) so that all nodes on the LAN keep current information about the local IPv6 prefix.
  • 14. How RA works / disabling RA
    The ICMPv6 Router Advertisement that the router sends to the all-nodes link-local multicast group (ff02::1) is received and processed by every node on the LAN. Besides guidance on how nodes obtain their IPv6 address, the RA carries several flags that tell the node how to behave:
    - Autonomous address-configuration flag (A flag, carried per prefix in the Prefix Information option): the prefix may be used for stateless autoconfiguration (SLAAC).
    - On-link flag (L flag, also per prefix): the prefix is on-link, i.e. local to this network.
    - Managed address configuration flag (M flag): nodes should obtain their addresses from DHCPv6 (stateful DHCPv6).
    - Other configuration flag (O flag): other information, e.g. DNS server addresses, is available via DHCPv6.
    Because any node on the segment can send an RA, a rogue RA can redirect traffic or hand out bogus prefixes; this is what RA Guard addresses.
  • 15. Path MTU
    - IPv6 defines a standard mechanism, path MTU discovery (PMTUD), by which a source node learns the path MTU of the path a packet is likely to traverse. If a packet sent on that path is too large to be forwarded by some node along it, that node discards the packet and returns an ICMPv6 Packet Too Big message (type 2) carrying the MTU of the link it could not forward on. The source node lowers its path MTU estimate to that value and retransmits. A source node may receive Packet Too Big messages repeatedly until its packet traverses every node on the path.
    - Initially the PMTU value for a path is assumed to be the (known) MTU of the first-hop link. When a Packet Too Big message is received, the node determines which path the message applies to from the contents of the message: for example, if the destination address is used as the local representation of a path, the destination address of the original packet (echoed in the ICMPv6 message) identifies the path.
    - Note: if the original packet carried a Routing header, the final destination (the last address in that header), not the destination address in the IPv6 header, identifies the path.
    - Unlike IPv4 routers, IPv6 routers never fragment in transit, so PMTUD depends on Packet Too Big messages reaching the source. A firewall that blocks all ICMPv6 turns every packet larger than 1280 bytes (the IPv6 minimum link MTU) into a black hole; RFC 4890 lists the ICMPv6 types that must be permitted.
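Added example (not from the deck): a simulation of the path MTU discovery loop described on slide 15, with the Packet Too Big message modelled as an exception carrying the reporting link's MTU. The path of link MTUs is constructed for the example; the ptb_filtered flag models a firewall dropping ICMPv6 type 2 and shows the resulting black hole.

```python
IPV6_MIN_MTU = 1280   # every IPv6 link must carry at least this (RFC 8200)


class PacketTooBig(Exception):
    """Stands in for the ICMPv6 Packet Too Big message (type 2): the router
    that dropped the packet reports the MTU of the link it could not use."""

    def __init__(self, hop, mtu):
        super().__init__("hop %d: MTU %d" % (hop, mtu))
        self.hop, self.mtu = hop, mtu


def forward(path_mtus, size):
    """Walk a packet of `size` bytes over the links of a constructed path.
    IPv6 routers never fragment in transit, so the first link that is too
    small drops the packet and reports back."""
    for hop, mtu in enumerate(path_mtus):
        if size > mtu:
            raise PacketTooBig(hop, mtu)
    return True


def discover_pmtu(path_mtus, ptb_filtered=False, max_attempts=16):
    """RFC 8201 procedure: assume the first-hop MTU, lower the estimate to the
    MTU carried in each Packet Too Big, retransmit, repeat until delivered.
    Returns (pmtu, attempts); pmtu is None when discovery cannot converge.
    ptb_filtered=True models a firewall that drops ICMPv6 Packet Too Big."""
    pmtu = path_mtus[0]
    for attempt in range(1, max_attempts + 1):
        try:
            forward(path_mtus, pmtu)
            return pmtu, attempt
        except PacketTooBig as ptb:
            if ptb_filtered:
                return None, attempt   # black hole: the sender never learns why
            if ptb.mtu >= pmtu:
                return None, attempt   # RFC 8201: a PTB that does not lower the estimate is discarded
            # never go below the IPv6 minimum; a link smaller than that is not a valid IPv6 link
            pmtu = max(ptb.mtu, IPV6_MIN_MTU)
    return None, max_attempts


if __name__ == "__main__":
    # constructed path: 1500-byte LAN, WAN links of 1400 and 1280 bytes, 1500 at the far end
    path = [1500, 1500, 1400, 1280, 1500]
    print(discover_pmtu(path))                      # (1280, 3): two PTBs, then delivered
    print(discover_pmtu(path, ptb_filtered=True))   # (None, 1): PMTUD black hole
    print(discover_pmtu([9000, 9000]))              # (9000, 1): jumbo path, no PTB needed
```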
  • 16. Typical IPv6 Security Issues
    Almost identical to IPv4 security issues:
    - First-hop protocol vulnerabilities
    - Denial-of-service attacks
    - User authentication and authorization
    - Eavesdropping, session hijacking, DNS spoofing
    - Routing security
    - Dual-stack exposure: IPv6 enabled on hosts while policies and firewall filters are only enforced for IPv4
  • 17. IPv6 similarities with IPv4
    - The majority of vulnerabilities on the Internet today are at the application layer, which even IPsec does nothing to prevent.
    - Rogue devices are as easy to insert into an IPv6 network as into an IPv4 one.
    - Without strong mutual authentication, man-in-the-middle attacks are as likely in IPv6 as in IPv4.
    - Flooding attacks are identical between IPv4 and IPv6.
    - IPv6 is no more or less likely to fall victim to sniffing than IPv4.
  • 18. Reconnaissance
    - A default IPv6 subnet (/64) has 2^64 addresses; at 10 million probes per second a brute-force sweep would take roughly 58,000 years.
    - At the time of this presentation there was no known ping-sweep tool for IPv6 subnets; Nmap, which supports ping sweeping in IPv4, elected not to support it in IPv6, most likely for this reason.
    - Most importantly, public servers still need to be reachable via DNS, so they can be found without scanning.
    - Brute-force scanning attacks therefore effectively fail, as long as the attacker has no direct access to the subnet and must scan it remotely. An attacker with local access can instead use Neighbor Discovery: a ping6 to the link-scope all-nodes multicast address ff02::1 makes every neighbour answer and reveals their link-local addresses; where those carry EUI-64-derived interface IDs, applying the global prefix yields the neighbours' global addresses (a locally connected attacker has many scanning options in IPv4 as well).
    - By compromising hosts in a network, an attacker learns new addresses to scan (e.g. from the neighbour cache).
    - Transition techniques such as 6to4 and ISATAP derive the IPv6 address from the IPv4 address, which shrinks the search space to that of IPv4.
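Added example (not from the deck) serving the EUI-64 slides 9 to 11 and the reconnaissance point on slide 18: the MAC-to-modified-EUI-64 conversion, its use in forming link-local and global addresses, and the reverse mapping an attacker on the link applies to the link-local addresses that answer a ping to ff02::1. The list of answering neighbours is constructed; the second entry uses a non-EUI-64 interface ID to show that privacy addresses yield nothing.

```python
import ipaddress
import re


def parse_mac(text):
    """Accept 00:00:0b:0a:2d:51, 00-00-0b-0a-2d-51 or the deck's 0000:0b0a:2d51 form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError("a MAC address has 12 hex digits: %r" % text)
    return bytes.fromhex(digits)


def format_mac(mac):
    return ":".join("%02x" % b for b in mac)


def mac_to_eui64_iid(mac):
    """RFC 4291 Appendix A (modified EUI-64): Company-ID | ff:fe | Node-ID,
    with the U/L bit (0x02 of the first octet) inverted."""
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def iid_to_mac(iid):
    """Reverse mapping used during reconnaissance: if the 64-bit interface ID
    carries the ff:fe marker it was derived from a MAC, which we reconstruct;
    random (RFC 4941/7217) interface IDs return None."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    return bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]


def address_with_iid(prefix, iid):
    """Join a /64 prefix with an interface ID; ipaddress prints RFC 5952 form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix, got %s" % prefix)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def link_local_address(mac_text):
    return address_with_iid("fe80::/64", mac_to_eui64_iid(parse_mac(mac_text)))


def global_address(mac_text, prefix):
    return address_with_iid(prefix, mac_to_eui64_iid(parse_mac(mac_text)))


def recover_mac(address_text):
    """MAC embedded in an EUI-64 address, or None if the IID is not EUI-64."""
    mac = iid_to_mac(ipaddress.IPv6Address(address_text).packed[8:])
    return format_mac(mac) if mac else None


def global_candidates(link_locals, prefix):
    """Slide 18's local-attacker trick: the link-local addresses answering a
    ping to ff02::1 give away EUI-64 interface IDs; re-prefixing them yields
    the neighbours' likely global addresses, with no /64 sweep needed."""
    out = {}
    for ll in link_locals:
        iid = ipaddress.IPv6Address(ll).packed[8:]
        if iid_to_mac(iid) is not None:   # skip privacy/opaque IIDs
            out[ll] = address_with_iid(prefix, iid)
    return out


if __name__ == "__main__":
    mac = "0000:0b0a:2d51"                            # the deck's example MAC
    print(mac_to_eui64_iid(parse_mac(mac)).hex())     # 02000bfffe0a2d51
    print(link_local_address(mac))                    # fe80::200:bff:fe0a:2d51
    print(global_address(mac, "3ffe:3700:1100:1::/64"))
    # constructed list of neighbours that answered a ping to ff02::1
    seen = ["fe80::200:bff:fe0a:2d51", "fe80::1c3a:9f0e:77b2:4d1"]
    print(global_candidates(seen, "3ffe:3700:1100:1::/64"))
```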
  • 19. More on reconnaissance
    - Reconnaissance is the first category of attack, and generally the first one an adversary executes: the adversary tries to learn as much as possible about the victim network, using active methods such as scanning as well as passive data mining through search engines and public documents.
    - Ping sweeps, port scans, application and vulnerability scans; some tools such as Nmap can perform elements of all of these at the same time.
  • 20. FHS: First Hop Security
    - RA Guard
    - IPv6 device tracking
    - IPv6 snooping logging
    - IPv6 source guard
    - IPv6 snooping
    - Port ACL that blocks all ICMPv6 RAs from hosts
    - DHCPv6 Guard (against fake DHCPv6 replies)
    - Selective ICMPv6 filtering
    - Disable RH0
  • 21. RA Guard
    RA Guard is a feature that allows the operator of a Layer 2 switch to predetermine which switch ports are actually router-facing; RAs received on any other port are dropped. RA Guard can also validate the source of the RA, the advertised prefix list, the router preference and any other information carried within it. It can validate cryptographic credentials when provided (as defined in the Secure Neighbor Discovery specification, SEND, RFC 3971), giving nodes that do not support SEND a level of security equivalent to those that do.
    How it helps against rogue DHCPv6: permit RAs only if they have the M and O bits set, and enforce that the prefix subsequently handed out over DHCPv6 is within the company's range.
    Enable logging on the network device for auditing.
  • 22. IPv6 snooping
    - RA Guard / DHCPv6 Guard
    - IPv6 address gleaning
    - IPv6 ND inspection
    IPv6 snooping includes the guard functions: if you enable IPv6 snooping, you do not need to explicitly configure RA Guard / DHCPv6 Guard on the same port.
    IPv6 address gleaning
    - Address gleaning learns the IPv6 addresses of the devices connected to a link and is a prerequisite for more advanced FHS features such as Source Guard. Learning is done by examining the addresses carried in ND and DHCPv6 packets. By default, however, DHCPv6 server messages are dropped, so to glean from DHCPv6 the guard policy that permits server messages must be applied on the port connecting the legitimate DHCPv6 server.
    - The FHS code learns the addresses and installs them into the binding table. Each entry records the source the address was learned from, the address itself, the MAC address, interface, VLAN, priority level, age, state and time left.
    IPv6 ND inspection
    - ND inspection verifies the sanity of the ND messages that pass through the device and can enforce limits on the number of addresses per port. It ensures that all parties step through the correct stages of the ND process, and it builds the neighbor binding table.
  • 23. Fake RA messages
    - Traffic interception
    - DNS IPv6 address injection (DNS interception) via the RDNSS option
    - Denial of service (bogus prefixes)
  • 24. Fake DHCPv6 replies
    Intruder responds to DHCPv6 requests:
    - DNS IPv6 address injection
    - Denial-of-service attack
    Solution: enable DHCPv6 Guard.
  • 25. Fake Neighbor Advertisement messages
    Intruder responds to ICMPv6 Neighbor Solicitation requests:
    - Traffic interception
    - Denial-of-service attack
    Mitigation: enable DHCPv6 snooping, ND inspection, SEND.
  • 26. ARP spoofing (v4) = NDP spoofing (v6)
    - The IPv6 counterpart of Dynamic ARP Inspection is ND inspection, which is available on current switches.
    - Secure Neighbor Discovery (SEND, RFC 3971, cryptographic NDP): IPv6 addresses whose interface identifiers are cryptographically generated (CGA, RFC 3972), with replay protection through Timestamp and Nonce options.
    - IPv6 supports all the usual port-level controls: 802.1X, private VLANs, port security.
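Added example (not from the deck) for the binding table of slide 22 and the NA-spoofing attacks of slides 25 and 26: a toy model of IPv6 snooping that gleans addresses from DAD Neighbor Solicitations, Neighbor Advertisements and DHCPv6 replies, drops server messages arriving on untrusted ports, enforces a per-port address limit, rejects an NA that claims an address already bound to another MAC or port, and finally serves Source Guard lookups. The port names, MACs, addresses and event sequence are constructed.

```python
import ipaddress


class BindingTable:
    """Toy model of the FHS neighbour binding table that IPv6 snooping builds.
    Entries are learned from ND (DAD NS, NA) and from DHCPv6 REPLYs, and
    then consulted by ND inspection and Source Guard."""

    def __init__(self, max_addresses_per_port=4, dhcp_server_ports=()):
        self.entries = {}   # address -> {mac, port, vlan, origin}
        self.max_per_port = max_addresses_per_port
        self.dhcp_server_ports = set(dhcp_server_ports)
        self.log = []

    def _port_count(self, port):
        return sum(1 for e in self.entries.values() if e["port"] == port)

    def _bind(self, addr, mac, port, vlan, origin):
        addr = str(ipaddress.IPv6Address(addr))   # compare by value, not spelling
        current = self.entries.get(addr)
        if current and (current["mac"] != mac or current["port"] != port):
            # ND inspection: someone else claims an address already bound elsewhere
            self.log.append("DROP %s for %s from %s on %s: bound to %s on %s"
                            % (origin, addr, mac, port, current["mac"], current["port"]))
            return False
        if current is None and self._port_count(port) >= self.max_per_port:
            self.log.append("DROP %s for %s: address limit reached on %s" % (origin, addr, port))
            return False
        self.entries[addr] = {"mac": mac, "port": port, "vlan": vlan, "origin": origin}
        return True

    def on_nd(self, kind, port, mac, vlan, addr):
        """Glean from an NS used for DAD (tentative address) or from an NA."""
        return self._bind(addr, mac, port, vlan, kind)

    def on_dhcpv6_reply(self, server_port, client_port, client_mac, vlan, addr):
        """Server messages are dropped unless the port is trusted by policy."""
        if server_port not in self.dhcp_server_ports:
            self.log.append("DROP DHCPv6 REPLY from untrusted port %s" % server_port)
            return False
        return self._bind(addr, client_mac, client_port, vlan, "DHCPv6")

    def permit_data(self, port, mac, src):
        """Source Guard: forward only if the source address was learned on
        this port for this MAC. The unspecified source (::) is DAD traffic."""
        src = str(ipaddress.IPv6Address(src))
        if src == "::":
            return True
        entry = self.entries.get(src)
        return bool(entry and entry["port"] == port and entry["mac"] == mac)


if __name__ == "__main__":
    # constructed sequence of first-hop events on an access switch
    table = BindingTable(max_addresses_per_port=2, dhcp_server_ports={"Gi1/0/24"})
    table.on_nd("NS-DAD", "Gi1/0/2", "00:00:0b:0a:2d:51", 10, "fe80::200:bff:fe0a:2d51")
    table.on_nd("NA", "Gi1/0/2", "00:00:0b:0a:2d:51", 10, "2001:db8:1:0:200:bff:fe0a:2d51")
    # spoofed NA from another port claiming the host above
    table.on_nd("NA", "Gi1/0/9", "00:11:22:33:44:55", 10, "2001:db8:1:0:200:bff:fe0a:2d51")
    table.on_dhcpv6_reply("Gi1/0/5", "Gi1/0/3", "aa:bb:cc:dd:ee:ff", 10, "2001:db8:1::1000")
    table.on_dhcpv6_reply("Gi1/0/24", "Gi1/0/3", "aa:bb:cc:dd:ee:ff", 10, "2001:db8:1::1000")
    print(table.permit_data("Gi1/0/3", "aa:bb:cc:dd:ee:ff", "2001:db8:1::1000"))   # True
    print(table.permit_data("Gi1/0/9", "00:11:22:33:44:55", "2001:db8:1::1000"))   # False
    print("\n".join(table.log))
```

Real implementations also age entries, track state (tentative, reachable, stale) and give DHCPv6-learned bindings precedence over ND-learned ones; the model keeps only the checks the slides name.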
  • 27. Attacks (continued)
    Remote Neighbor Discovery attacks: a remote attacker sweeps a /64, forcing the router to create a neighbour cache entry and send solicitations for every unused address until the cache is exhausted.
    How to prevent:
    - Tight ingress ACLs (check the forwarding path's order of operations: the ACL must be applied before the packet triggers ND)
    - Control-plane policing (CoPP)
    - ND cache limits (globally and per box)
    - Prefixes longer than /64 on infrastructure links (extreme measure, use with care: SLAAC needs a /64)
  • 28. DAD attacks
    - An attacker answering every DAD probe as if the address were already in use effectively disables SLAAC.
    - It might also interfere with DHCPv6-based address assignment, since DHCPv6 clients perform DAD too.
    IPv6 extension headers
    - All networking gear should drop packets with RH0 by default.
    - Firewalls and ACLs should be able to filter on extension headers.
    - Firewalls should limit the number of extension headers.
    - Firewalls/ACLs should be able to drop fragments (packets carrying a Fragment header).
  • 29. More on RH0
    - The IPv6 Type 0 Routing header is similar in function to the IPv4 Loose Source and Record Route options. A Routing header is identified by a Next Header (NH) value of 43 in the immediately preceding header; RH0 has been deprecated by RFC 5095.
    - Attackers can use Type 0 Routing headers to bypass packet filters (IPv6 access-list policies) or anycast addressing and routing. These headers can also be used for reflected denial-of-service, spoofing, double spoofing and amplification attacks (ping-pong attacks between two routers listed repeatedly in the header, which can cause link saturation and performance degradation through added CPU processing).
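Added example (not from the deck) for the extension-header rules of slides 28 and 29: IPv6 packets are constructed with Hop-by-Hop/Destination Options, a Type 0 Routing header and a Fragment header, and a header-chain walker applies the three filter rules (drop RH0, cap the number of extension headers, optionally drop fragments). The addresses, the header cap of three and the packet contents are constructed; the walker handles only the extension headers it names and treats a truncated header as a violation.

```python
import ipaddress
import struct

HOPOPT, TCP, ROUTING, FRAGMENT, AH, ICMPV6, DSTOPTS = 0, 6, 43, 44, 51, 58, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}   # ESP (50) ends the readable chain


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    return (struct.pack("!IHBB", 0x60000000, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def ext_pad_options(next_header):
    """8-byte Hop-by-Hop or Destination Options header holding one PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"


def ext_routing0(next_header, addresses):
    """Type 0 Routing header listing the intermediate hops the sender chose."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBBBI", next_header, 2 * len(addresses), 0, len(addresses), 0) + body


def ext_fragment(next_header, offset, more, ident):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | (1 if more else 0), ident)


def inspect(packet, max_ext_headers=3, drop_fragments=False):
    """Walk the header chain of an IPv6 packet and apply the deck's rules:
    drop RH0, cap the number of extension headers, optionally drop fragments.
    Returns chain, upper-layer protocol, fragment flag, violations and verdict."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = packet[6], 40
    chain, violations, fragment = [], [], False
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            violations.append("truncated extension header")
            break
        if len(chain) >= max_ext_headers:
            violations.append("more than %d extension headers" % max_ext_headers)
            break
        chain.append(nh)
        next_nh = packet[off]
        if nh == FRAGMENT:
            hdr_len, fragment = 8, True            # fixed size, no length field
            if drop_fragments:
                violations.append("fragment header")
        elif nh == AH:
            hdr_len = (packet[off + 1] + 2) * 4    # AH length is in 4-octet units
        else:
            hdr_len = (packet[off + 1] + 1) * 8    # 8-octet units, first 8 not counted
            if nh == ROUTING and packet[off + 2] == 0:
                violations.append("RH0 with %d segments left (deprecated, RFC 5095)"
                                  % packet[off + 3])
        if off + hdr_len > len(packet):
            violations.append("extension header runs past packet end")
            break
        off, nh = off + hdr_len, next_nh
    return {"chain": chain, "upper": nh, "fragment": fragment,
            "violations": violations, "verdict": "drop" if violations else "permit"}


if __name__ == "__main__":
    src, dst = "2001:db8::1", "2001:db8::2"
    # constructed RH0 packet bouncing between two routers before reaching dst
    rh0 = ext_routing0(ICMPV6, ["2001:db8::5", "2001:db8::6", "2001:db8::5", "2001:db8::6"])
    print(inspect(ipv6_header(src, dst, ROUTING, len(rh0)) + rh0))
    # Hop-by-Hop options followed by the first fragment of a TCP segment
    chain = ext_pad_options(FRAGMENT) + ext_fragment(TCP, 0, True, 0x1234)
    print(inspect(ipv6_header(src, dst, HOPOPT, len(chain)) + chain))
    print(inspect(ipv6_header(src, dst, TCP, 0)))   # plain TCP: permit
```

The same walk is what an ACL engine must do to see the upper-layer protocol at all; a filter that only looks at the Next Header field of the base header is blind to anything behind an extension header.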
  • 30. Routing security with IPv6
    Challenges and solutions are almost identical to IPv4:
    - Don't run routing protocols on customer-facing interfaces.
    - Use IPsec with OSPFv3 (RFC 4552).
    - Use MD5 authentication with other routing protocols (or a stronger keyed hash where the implementation offers one).
    Best practices:
    - Network ingress filtering (BCP 38) for IPv4 and IPv6.
    - TTL security (GTSM, RFC 5082) for BGP.
    - Route filters in distance-vector and path-vector protocols.
  • 31. Challenges in implementing IPv6 in DMZs
    - Normally servers connect to a network device on a single NIC or a bond (active/standby or active/active).
    - The switch port may be an access port or a trunk.
    - If it is an access port, tag the host interface with a new external VLAN for IPv6 communication.
    Tasks:
    1. Configure the external VLAN on the firewall.
    2. Tag the new VLAN on the respective switch and change the host port configuration to trunk.
    3. Configure the server's port as a trunk and test connectivity.
    Advantages:
    - No physical move of the host; logical configuration only.
    - Sysops and network teams need to work together to test connectivity.
    - Unblocks the IPv6 implementation for a faster rollout.