Einbrüche, Viren, Trojaner, machen auch unter IPv6 nicht Halt. Als Marktführer im Bereich Unified-Threat-Management (UTM) entwickelt Fortinet umfassende Sicherheitslösungen zur Bekämpfung solcher Bedrohungen - für IPv4 und IPv6 Netzwerke. Der Workshop orientierte Vortrag zeigt die Notwendigkeit von umfassenden Security Lösungen bei der Migration zu IPv6 auf.

1. IPv4 Highway
Fortinet
IPv6 Security
June 8th, 2011
Rainer Baeder
Fortinet Confidential

2. Drivers for IPv6
• Basic Demand Drivers
• More network appliances but lack of IPv4 addresses to support
• Control OpEx for network and IT
• Elimination of complex NAT networks
• Strong intrinsic security
• Better support for mobility applications
• Greater flexibility and simplicity
• New Opportunities to Improve Business Performance Business
process improvements
• New business opportunities
• More addresses for objects – enhanced automation and productivity
• Machine-to-Machine (M2M) telematics / *Internet of Things*
• IPv6 connection to anything
2

3. IPv6 – its time for preparing the step
... and basically – we run out
of IPv4 addresses
to stay competitive, we must
open the door for IPv6
and use its foremost
Snapshot
June 3rd 2011

4. Migration Complexities
Deployment Considerations
• Compatibility issues between IPv4 and IPv6
• Vendor interoperability issues with IPv6
• Potential security issues
• Network management considerations
• Existing hardware may not handle IPv6 traffic efficiently
• Router memory and CPU limitations may preclude IPv6
deployment
• Technology refresh cycles can be exploited to deploy IPv6
capabilities
• Global public routing practices continue to evolve
4

5. The most important targets of IPv6
• Larger IP address space
• IP Adresses are 128 bits (instead of 32 bits)
• Advanced header structure
• Improved processing capability thru Subsegmenting of essential
and optional headerfields (in ExtensionHeaders)
• Different IPv6 Addresses
• Public IPv4 addresses correspond with Global Unicast Addresses
• Private IPv4 addresses correspond with Site Local Unicast
Addresses
• Special Address types for usage of IPv4 and IPv6 in parallel
• Support of autoconfiguration
• Should follow Plug-and-Play principle
• Improved security
• 2 additional ExtensionHeaders are foreseen (Encapsulation
Security Payload Header und Authentication Header)
• Both can be used in IPv4 as well

6. Principle Design Consideration
• “Dual stack when you can – Tunnel when you must –
Translate when no other option works”
• Create a virtual team of IT representatives from every L9
Religious
area of IT to ensure coverage for OS, Apps, Network L8
and Operations/Management Political
L7
• Now is your time to build a network your way – don’t Application
carry the IPv4 mindset forward with IPv6 unless it L6
Presentation
makes sense L5
Session
• Design Consistency with IPv4 L4
Transport
• Design should work across all WAN clouds, LAN, L3
Enterprises, Data Center, Campus, etc Network
L2
• Deploy it – at least in a lab – IPv6 won’t bite Data Link
L1
• Consider the human factor, keep it simple! Physical
6

7. IPv6 Transition Methodologies
MPLS-Based IP-Tunnel NAT-Based
Solutions Approaches Solutions
Configured Configured IPv4 to IPv4 IPv4 to IPv6
6PE 6VPE
Tunnels Tunnels (Mitigation) (Interworking)
GRE 6to4 NAT44 NAT464
L2TP 6RD NAT444 NAT64
Dual Stack
GFP ISATAP DS-Lite NAT-TCP
IP Teredo NAT-UDP
DS-Lite NAT-ICMP
7

8. IPv6 Protocol Vulnerability
• IPv6 Header • Extension Header
• Header Manipulation • EHeader Filtering
• Protocol Fuzzing • EHeader Fuzzing
• ICMPv6 • Router Header Attacks
• ICMPv6 Filtering • Fragmentation Header
• ICMPv6 Attacks • Unknown Header
• Node Survey • Protocol Layer Header
• Scanning • Higher Layer Spoofing
• Improved/Smart Scanning • Generic Malware
• Multicast techiques • Router Protocol Security
• Sniffing • Flooding / (d)DoS and Packet
• Multicast
8

9. IPv6 Address Types – well-known Multicast
• Interface-local scope • Link-local scope
• FF01::1 all-nodes • FF02::1 all-nodes
• FF01::2 all-routers • FF02::2 all-routers
• Site-local scope • FF02::5 OSPFIGP
• FF05::1:3 all-routers • FF02::9 RIP-routers
• FF05::1:3 all DHCP servers • FF02::B Mobile Agents
• FF02::6A all snoopers
• FF02::1:2 all DHCP agents
• FF01::101 / all-NTP Server on the same node as sender
• FF02::101 / all-NTP Server on the same link as sender
• FF05::101 / all-NTP Server on the same site as sender
• FF0E::101 / all-NTP Server in the internet
Global Unicast Addresses correspond with Public IPv4 addresses
Site Local Unicast Addresses correspond with Private IPv4 addresses
9

10. IPv6 Firewalling
• IPv6 Addressing • DHCPv6 Threats
• Unallocated Addresses • Endpoint Security
• IPv6 Headers allowance • IPv6, IPSec and Firewalls
• L2 FW • Management
• IPv6 and NAT • Routing Security
• Neigbor Discovery allowance • RIPng, OSPFv3
(NDP) • QoS Threats
• Duplicate Address Detection Issue • Tunneled Traffic Inspection
• Redirect Issue
• Unwanted Tunnels
• SEcure Neigbor Discovery
• Mobile IPv6 (MIPv6)
(SEND)
10

11. Fortinet IPv6 Strategy
• Feature Parity on all function with
IPv4 and IPv6 on higher layers
• Application unaware weather it runs on
IPv4 or IPv6
• IPv6 Firewalling 3+ years
integrated
• Stepwise extension to a complete
functionality on IPv6
• Almost completed now

12. Today implemented for IPv4 & IPv6
• Stateful Firewalling and Routing
• Serviceobjects (eg ICMPv6), IPv6 Addressobjects
• Dynamic Routing, OSPF / RIP / BGP
• AntiVirus Scanning
• http(s), ftp, smtp(s), imap(s), pop3(s), Instant-Messaging, nntp
• Intrusion Prevention
• Signature based IPS/IDS and DoS-Protection
• URL Filtering
• Data Leak Prevention
• Management of the device via IPv6
• eg SSH or https via IPv6 for devicemanagement
12

13. Today implemented for IPv4 & IPv6
• Bandwidth Management
• Shaping, QoS
• IPSec (IKEv1 & IKEv2)
• DNS (AAAA Record)
• IPv4 over IPv6 Tunneling
• IPv6 over IPv4 Tunneling (eg Tunnelbroker like SixXS)
• SIP ALG (Application Gateway)
• Carrier-grade SIP-ALG. SIP-Fuzzing Protection, Pinholing, Rate-Control
etc.
• Application Control
• Logging and Reporting of Datatraffic, Reporting on FortiAnalyzer
13

14. Protection on all Layers - UTM
• Combined Methods on different layers
• Allow, but don’t trust all application
• Content of the application
• Support for IPv4 und IPv6
14

15. Forehand Planning is the key
• Vision for the business or the adoption driver
• IPv6 Training
• IP architecture that supports the vision -> IPv6 addressing
scheme + design
• Evaluate infrastructure readiness to support the IPv6
implementation of the architecture
• Drive requirements and define purchasing strategy
• Align with other initiatives to accelerate readiness
• Define timeline
Overnight Adoption is Limiting and Expensive
15

16. Thank You.