While IPv6 has been a defined standard since 1998, end-user adoption of the standard is minimal: less than 1% of Internet peers use IPv6 in the course of normal operation. However, IPv6 support within operating systems and network routers is becoming commonplace. While IT personnel remain focused on IPv4, IPv6 capabilities may already be active by default on many Internet-connected systems within an IT professional's environment. These IPv6 interfaces generate traffic that can bypass traditional controls built around IPv4. Although IPv6 is likely to eclipse IPv4 as the dominant Internet protocol, the path to that state is disorganized and unclear. As IPv6 gains momentum as a legitimate Internet protocol, IT administrators need to be aware of and manage IPv6 traffic on their networks with as much vigilance as they apply to the more commonplace IPv4.
Kevin D. Wilkins, CISSP, Senior Network Engineer, iSecure LLC
After coursework at the Rochester Institute of Technology, Kevin’s professional experience includes ISP and VOIP operations. Kevin has 10 years of industry experience in system and network engineering and platform management. In the last few years, a focus on information security has brought his experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.
Peter Rounds, Senior Network Engineer, Syracuse University
Peter has been a Sr. Network Engineer at Syracuse University for 11 years. He is responsible for maintaining core network infrastructure consisting of Internet edge traffic identification/management, Internet BGP routing and security profile management, campus OSPF and security profile management, and data center network and security profile management. He is responsible for numerous security technologies for the University.
IPv6 Can No Longer Be Ignored
1. IPv6 Can No Longer Be Ignored
Copyright 2010 - iSecure LLC
Prepared for Attendees of the 2010 ISSA Rochester Security Summit
2. Presenters
• Kevin Wilkins, CISSP – Sr. Network Engineer, iSecure LLC
– My professional experience includes 12 years of ISP and VOIP operations. In the last few years, a focus on information security at iSecure has brought my experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.
3. Presenters
• Peter Rounds – Sr. Network Engineer, Syracuse University
– Senior network engineer at Syracuse University for 11 years. Responsible for maintaining core network infrastructure, including Internet traffic management implementation and security profiles.
4. Synopsis
• Hidden risks to enterprise network resources may exist through unmonitored use of IPv6 and IPv4-to-IPv6 transition mechanisms like the encapsulated IPv6 protocols 6to4, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP or IP Protocol 41), and Teredo. This discussion includes an introduction to IPv6, the identification of encapsulated IPv6 protocols, their potential threats to enterprise resources, and mitigation strategies designed to protect enterprise resources from these potential threats.
5. What is IPv6?
• IPv6 is a revised IP protocol intended to supplement and replace IPv4.
• IPv6 was ratified in 1998 as RFC 2460.
• IPv6 addresses use a 128-bit value, vs. IPv4's 32 bits. This provides an address space on the order of 3.4x10^38 addresses. (Nearly a "duodecillion"!!)
6. What is IPv6 for?
• IPv6 has this large address space as a necessary enhancement to IPv4's much more limited 4.29x10^9 possible addresses (4.29 billion).
• The Internet Engineering Task Force (IETF) has foreseen an eventual depletion of available IPv4 addresses, thus IPv6 was designed.
7. Projected IPv4 Exhaustion
• Projected IANA Unallocated Address Pool Exhaustion: 05-Jun-2011
• INTEC Systems Institute "IPv4 Exhaustion Counter"
• http://inetcore.com/project/ipv4ec/index_en.html
8. IPv4 Example…
• IPv4 address range: 0.0.0.0 -> 255.255.255.255 = 4,294,967,296 possible addresses
• An IPv4 address: "173.194.35.104"
10. Where is IPv6?
• As a commonly accepted protocol, IPv6 has seen difficulty gaining momentum. Almost the entire IT industry is perfectly happy with IPv4, and converting an established network to use IPv6 addresses is a monumental task.
• Most use of IPv6 today is found in research, dedicated networks, and by an inquisitive few.
11. Where is IPv6... Really?
• Since 2008, the US Government has mandated that new purchases of computer and network equipment must support certain minimum standards for IPv6. See NIST Special Publication 500-267.
• IPv6 is becoming generally supported in network devices, operating systems, remote management protocols, and other networked applications.
• Microsoft Windows XP/Server 2003 offered optional support for IPv6. Microsoft Windows Vista/Server 2008 and beyond have nearly complete IPv6 support, and the protocol is enabled by default. Linux and Cisco also support IPv6.
• Recent versions of Microsoft Windows also include utilities which will encapsulate IPv6 traffic within an IPv4 tunnel.
12. So I might be running IPv6 now?
• Yes! And this new IPv6 capability in contemporary systems represents an unknown security risk.
• The IT industry's propensity to ignore IPv6 in favor of IPv4 means that local administrators might be unaware of the potential IPv6 traffic traversing their network and interacting with their information systems.
• Furthermore, support for IPv6 on contemporary network security devices seems to be lagging behind IPv6 support in operating systems and routers. Network-based Content Inspection, Intrusion Prevention, and Antivirus may be ineffective at scanning native or encapsulated IPv6 traffic.
17. Wait, what was this about encapsulated IPv6?
• Encapsulation technologies such as Teredo, 6to4 and IP Protocol 41 (ISATAP) were developed to aid in the transition to IPv6.
• These transition aids are necessary, as both IPv4 and IPv6 will coexist for quite some time.
• RFC 5211 "An Internet Transition Plan" describes the use of these IPv6 encapsulation mechanisms as the IPv4 address space becomes depleted and organizations are forced to migrate to IPv6.
• Network security devices might not be able to "peel the onion" to discover what applications and threats might be utilizing IPv6 resources within the IPv4 encapsulation.
18. Teredo and Windows
• Windows Vista and Windows 7 have an IPv6 encapsulation service called Teredo, which is enabled by default.
• Teredo will automatically seek out a Teredo gateway (teredo.ipv6.microsoft.com), assign an IPv6 address to the Teredo interface, and attempt to route IPv6 traffic.
• Teredo is intended for tunneling IPv6 traffic via an IPv4 NAT router.
21. 6to4 and Windows
• 6to4 is intended for tunneling IPv6 traffic via non-NAT IPv4 transport.
• A host or router intending to use 6to4 must have inherent IPv6 support and a routable (non-NAT) IPv4 address.
• IPv6 traffic is encapsulated and tunneled via an IPv4 network from one IPv6 network to another IPv6 network on the remote end.
22. ISATAP and Windows
• ISATAP traffic is another transition mechanism where IPv6 traffic is tunneled via IPv4.
• ISATAP packets use IPv4 with the IP Protocol field set to 41.
• ISATAP is typically seen on an Intranet for host-to-host communications, but host-to-router communication is also possible.
23. How do I control this IPv6 traffic?
• First - awareness is the key. Check your networked systems to see which components offer IPv6 support, and if IPv6 support is enabled. Run packet captures and analyze your systems to see if native or encapsulated IPv6 traffic traverses your network.
• In a server farm or corporate environment where there is no need for IPv6 at this time, consider establishing a policy to disable the IPv6 interfaces on computer systems and block or null-route IPv6 traffic in the network.
24. How do I control this IPv6 traffic?
• In ISP, government, higher education, or research environments, the use of IPv6 might be legitimate. In this case, monitoring and granular control is warranted.
• Check your network security equipment to see how it handles IPv6. The integrated Proxies and Application Layer Gateways might not yet handle IPv6 traffic.
• Network security devices might not be able to "peel the onion" to discover what applications and threats might be utilizing IPv6 resources within the IPv4 encapsulation.
27. Control IPv6 at Internet Edge
• IPv6-related IP Protocol types and descriptions:
  41 – ISATAP
  43 – IPv6-Route – Routing Header for IPv6
  44 – IPv6-Frag – Fragment Header for IPv6
  58 – IPv6-ICMP – ICMP for IPv6
  59 – IPv6-NoNxt – No Next Header for IPv6
  60 – IPv6-Opts – Destination Options for IPv6
• Inbound ACL:
  deny 41 any any
  deny 43 any any
  deny 44 any any
  deny 58 any any
  deny 59 any any
  deny 60 any any
• Outbound ACL:
  deny udp any any eq 3544 (UDP 3544 is used by Teredo to reach Internet locations)
  deny ip any host 192.88.99.1 (192.88.99.1 is the 6to4 relay anycast address)
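An added example, not part of the original deck, of the capture analysis slide 23 recommends and of the traffic the slide 27 ACL targets: a small Python classifier that labels raw IPv4 packets as 6to4, ISATAP or Teredo using IP protocol 41, UDP port 3544 and the 192.88.99.1 relay address from the slides. It goes one step further than the slides by inspecting the inner IPv6 source address to tell 6to4 (2002::/16, RFC 3056) from ISATAP (interface ID beginning 0000:5EFE, RFC 5214), since both ride protocol 41. The sample packets are constructed inline from documentation address ranges; the function names and labels are my own.

```python
# Added example: classify IPv4 packets that tunnel IPv6 (6to4, ISATAP, Teredo) as slides 17-27 describe.
import ipaddress
import struct
TEREDO_PORT = 3544                                   # Teredo client/server UDP port (slide 27)
SIXTO4_RELAY = ipaddress.IPv4Address("192.88.99.1")  # 6to4 relay anycast address (slide 27)
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")   # 6to4 addresses embed the IPv4 address (RFC 3056)
ISATAP_IID_HI = 0x00005EFE   # upper half of an ISATAP interface ID with the u/g bit cleared (RFC 5214)

def classify_ipv4(pkt: bytes) -> str:
    """Label one raw IPv4 packet: 6to4, isatap, teredo, proto41-other, plain-ipv4 or not-ipv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto, outer_dst, payload = pkt[9], ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:]
    if proto == 41 and len(payload) >= 40 and payload[0] >> 4 == 6:
        inner_src = ipaddress.IPv6Address(payload[8:24])
        if inner_src in SIXTO4_PREFIX or outer_dst == SIXTO4_RELAY:
            return "6to4"
        iid_hi = (int(inner_src) >> 32) & 0xFFFFFFFF   # bits 32..63: upper half of the interface ID
        if iid_hi & 0xFDFFFFFF == ISATAP_IID_HI:       # ignore the 0x0200 universal/local bit
            return "isatap"
        return "proto41-other"                         # other IPv6-in-IPv4 (e.g. a manual tunnel)
    if proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "plain-ipv4"

def ipv4_packet(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test data: minimal IPv4 header (no options, checksum 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6_header(src6: str, dst6: str) -> bytes:
    """Constructed test data: minimal IPv6 header, next header 59 (No Next Header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
# Constructed samples: one packet per transition mechanism plus ordinary TCP (documentation ranges).
SAMPLES = {
    "6to4": ipv4_packet(41, "198.51.100.1", "192.88.99.1", ipv6_header("2002:c633:6401::1", "2001:db8::1")),
    "isatap": ipv4_packet(41, "10.0.0.7", "10.0.0.1", ipv6_header("fe80::5efe:10.0.0.7", "fe80::5efe:10.0.0.1")),
    "teredo": ipv4_packet(17, "192.0.2.10", "203.0.113.5",
                          struct.pack("!HHHH", 50000, TEREDO_PORT, 48, 0) + ipv6_header("2001::1", "2001:db8::2")),
    "plain": ipv4_packet(6, "192.0.2.10", "192.0.2.20", bytes(20)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:7}-> {classify_ipv4(pkt)}")
```

Feeding it the IPv4 payload of each frame from a capture gives a per-mechanism count, which is the evidence slide 23 asks for before deciding whether to block or monitor.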
28. Story Time with Peter Rounds
• In the spring, an SU sysadmin came to Peter Rounds with a concern – he was able to bypass the datacenter firewall and open an RDP connection to datacenter servers via IPv6.
• Teredo was tunneling through their datacenter firewall and presenting itself to the public Internet via IPv6.
• In the interim, SU has implemented firewall policies to block ISATAP, IPv6, and Teredo negotiation protocols in their router ACLs.
29. Story Time with Peter Rounds
• Disabling IPv6 and tunneling mechanisms represents a stopgap measure that breaks the transition technologies designed to aid in the general deployment of IPv6.
• Transition is coming very soon! Verizon Business Solutions has said that the "last drop of oil" will be tapped in a matter of months. Verizon will be unable to provide IPv4 blocks and will instead be assigning IPv6 address space.
30. Conclusions
• IPv6 isn't "bad", and may represent the future for a lot of networks. Some say that IPv4 will never go away, but in the meantime, IPv6 is here.
• IT Administrators need to be aware of IPv6 as a protocol which is gaining legitimacy and is actually supported on a wide number of systems.
• IPv4-to-IPv6 encapsulation mechanisms exist as a tool to aid in the migration from a predominantly IPv4 environment to an IPv6 environment.
• With this awareness comes the requirement to control IPv6 with the same attention to detail that administrators would apply to controlling the more commonplace IPv4 traffic.
31. References – Transitional Security Issues
• Security Concerns With IP Tunneling
http://tools.ietf.org/html/draft-ietf-v6ops-tunnel-security-concerns-02
• Support for IPv6 in Windows Server 2008 R2 and Windows 7
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx
• IPv6 Security Considerations and Recommendations
http://technet.microsoft.com/en-us/library/bb726956.aspx
32. References – Threat Mitigation
• How to prevent IPv6 tunneling across firewalls and routers
http://www.howfunky.com/2010/02/how-to-prevent-ipv6-tunneling-across.html
• Disable all IPv6 in Windows
http://tutorials-tips-tricks.info/disable-and-turn-off-ipv6-in-windows
• Wiki - IPv6 Firewalls
http://www.getipv6.info/index.php/IPv6_Firewalls
• IPv6 firewalling knows no middle ground
http://arstechnica.com/hardware/news/2007/05/ipv6-firewall-mixed-blessing.ars
33. References – Guidelines for IPv6 Adoption
• An Internet Transition Plan
http://tools.ietf.org/html/rfc5211
• Hurricane Electric IPv6 Certification Project
http://ipv6.he.net/certification/
• NIST Special Publication 800-119 - Guidelines for the Secure Deployment of IPv6 (Draft)
http://csrc.nist.gov/publications/drafts/800-119/draft-sp800-119_feb2010.pdf
• Microsoft Windows Server 2008 Whitepaper - IPv6 Transition Technologies
http://download.microsoft.com/download/1/2/4/124331bf-7970-4315-ad18-0c3948bdd2c4/IPv6Trans.doc
34. References – Guidelines for IPv6 Adoption
• Tier 1 for IPv4 != Tier 1 for IPv6
http://www.networkworld.com/community/blog/tier-1-ipv4-tier-1-ipv6
• BT Diamond IP IPv6 Address Management Guide
http://btdiamondip.com/software/offers/confirm_ipv6.aspx
• Google, Microsoft, Netflix in talks to create shared list of IPv6 users
http://www.networkworld.com/news/2010/032610-dns-ipv6-whitelist.html