Author Archives: Ferry

Did:the:NSA:Subvert:the:Security:of::IPv6?

Following the Snowden leaks revealing Bullrun – the NSA program to crack the world’s encryption – there is an emerging consensus that users can no longer automatically trust any security.

Cryptographer and EFF board member Bruce Schneier has given advice on how to be as secure as possible. “Trust the math,” he says. “Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.”

He confirms the growing consensus that Bullrun‘s greatest success is in subverting the implementations of encryption rather than in the ability to crack the encryption algorithms themselves. The general belief is that the NSA has persuaded, forced or possibly even tricked individual companies into building weaknesses or backdoors into their products that can be exploited later.

The bottom line, however, is that the fabric of the internet can no longer be trusted. Meanwhile, John Gilmore, co-founder of EFF and a proponent of free open source software, has raised a tricky question: has NSA involvement in IPv6 and IPSEC discussions effectively downgraded its security? IPSEC is the technology that would make IP communications secure.

Gilmore notes that he had been involved in trying to make IPSEC “so usable that it would be used by default throughout the internet.” But “NSA employees participated throughout, and occupied leadership roles in the committee and among the editors of the documents.”

The result was “so complex that every real cryptographer who tried to analyze it threw up their hands and said, ‘We can’t even begin to evaluate its security unless you simplify it radically'” – something that never happened.

Gilmore doesn’t explicitly say that the NSA sabotaged IPSEC, but the fact remains that in December 2011, IPSEC in IPv6 was downgraded from ‘must include’ to a ‘should include.’ He does, however, make very clear his belief in NSA involvement in other security standards.

Discussing cellphone encryption, he says “NSA employees explicitly lied to standards committees” leading to “encryption designed by a clueless Motorola employee.”

To this day, he adds, “no mobile telephone standards committee has considered or adopted any end-to-end (phone-to-phone) privacy protocols.  This is because the big companies involved, huge telcos, are all in bed with NSA to make damn sure that working end-to-end encryption never becomes the default on mobile phones.”

 

World:IPv6:Launch::Amsterdam

June 6th 2012 was marked as World IPv6 Launch, as the World IPv6 Launchsuccessor of last years World IPv6 Day (June 8th). Today a lot of major internet content providers turned on their Internet Protocol version 6 (IPv6) connectivity, and became reachable on “the new internet” (finally).

“The fact that over 2,000 websites and 50 access providers are making significant commitments through participation in World

IPv6 Launch is yet another indication that IPv6 is no longer a lab experiment; it’s here and is an important next step in the Internet’s evolution,” commented Leslie Daigle, Chief Internet Technology Officer at the Internet Society. “As more IPv6 services become available, it’s increasingly important for companies to accelerate their own deployment plans.”

As networks around the world transition to IPv6, it is essential for organizations to deploy network security solutions that can deliver protection for both IPv6 and IPv4 content. Organizations must also gain a clear understanding of the security challenges that come with the migration from IPv4, thoroughly evaluate threats that are unique to IPv6, and adopt best practices necessary for a secure deployment.

Near one of the major internet exchanges in the world, Amsterdam Internet Exchange (AMS-IX), a World IPv6 Launch event was organized at the Universiteit van Amserdam (UVA). Information can be found at http://www.ipv6launch.nl  and recordings will be available soon.

Been there – Done that – Got the T-shirt

World IPv6 Launch T-shirt Amsterdam Netherlands

Comparison:IPv4:versus:IPv6

IPv4 versus IPv6 - slide 1
IPv4 versus IPv6

Euphoria:after:following::IPv6:workshop

Feedback from a student who followed the #IPv6 workshop

“3th April 2012 is an historical day for me (Rob van der Lubbe) and for Croon, I made my first IPV6 connection to the Internet.

My first Internet IPv6 web browse was to the site www.ipv6.cisco.com and the second site was www.ipv6security.nl ,this side confirmed that I was using an IPv6 address!!

I setup a 6to4 Tunnel Broker connection to the site www.sixxs.net, I used a simple Cisco 831 router with IPv6 configured en startup to make a tunnel to Sixxs .

On the LAN Ethernet side I configured IPv6 so I can route to the tunnel, I connected a Notebook on the LAN, configured on the Notebook only a DNS IPv6 address and I was able to Internet!!

Special thanks to Ferry Kemps of IPv6security.nl, who give the knowledge in the training of IPv6!!”

Example::IPv6:firewall:ruleset

Below you will find an example ruleset for your IPv6 firewall, which you can use as a baseline. Replace the <2001:db8> with you own IPv6 network address.

remark reject multicast addresses

deny ipv6 ff00::/16 any log
deny ipv6 any ff05::/16 log

remark reject site-local and ipv4-compatibility addresses
deny ipv6  fc00::/10   any  log
deny ipv6  any  fc00::/10  log
deny ipv6  0::/96  any  log
deny ipv6  any 0::/96  log

remark reject 6to4 destination (if not providing 6to4 relays)
deny ipv6 any 2002::/16 log

remark reject external traffic with internal source addr
deny ipv6 2001:db8:60::/44 any log

remark reject unique local, should be confined our network
deny ipv6 any fc00::/16 log
deny ipv6 fc00::/16 any log

remark reject type 0 routing header

deny ipv6 any any routing-type 0 log

remark allow incoming connections to specific servers (<replace>)
permit tcp any host <2001:db8:60::80> eq www
permit tcp any host <2001:db8:60::25> eq smtp
permit udp any host <2001:db8:60::53> eq domain

remark allow BGP sessions either way for external BGP peer
permit tcp host <2001:db8:2::1> host <2001:db8:2::2> eq bgp
permit tcp host <2001:db8:2::1> eq bgp host <2001:db8:2::2>

remark allow incoming TCP on non-reserved ports

permit tcp any <2001:db8:60::/44> range 1024 65535

remark allow responses to outgoing DNS back to any host
permit udp   any  eq  domain <2001:db8:60::/44>

remark allow IPSec and IKE between North and Remote
permit udp host <2001:db8:2f::2> eq 500 host <2001:db8:6f::2> eq 500
permit esp host <2001:db8:2f::2> host <2001:db8:6f::2>

remark allow UDP to non-reserved ports with destination of our net or global multicast
permit udp  any  <2001:db8:60::/44> gt 1023
permit udp  any  ffe0::/12 gt 1023

remark allow specific ICMP types inbound to global addresses
permit icmp any  <2001:db8:60::/44>   destination-unreachable
permit icmp any  <2001:db8:60::/44>   packet-too-big
permit icmp any  <2001:db8:60::/44>   parameter-problem
permit icmp any  <2001:db8:60::/44 >  echo-reply

remark allow ping from our partners at remote site
permit icmp <2001:db8:20::/44>   <2001:db8:60::/44>  echo-request

remark allow ND and MLD ICMP types generally, but not RD
permit icmp  any  any    nd-na
permit icmp  any  any    nd-ns
permit icmp  any  any    mld-query
permit icmp  any  any    mld-redunction

remark allow tunnel traffic only to North and Central routers
permit 41   any  host <2001:db8:6f::2>
permit 41 any host <2001:db8:60::f14b:65a1>

remark reject everything else
deny ipv6 any any log

remark reject multicast source addresses
deny ipv6 ff00::/16 any log

remark reject site-local and ipv4-compatibility addresses
deny ipv6 fc00::/10 any log
deny ipv6 any fc00::/10 log
deny ipv6 0::/96 any log
deny ipv6 any 0::/96 log

remark reject unique local, should not exit our network
deny ipv6 any fc00::/16 log
deny ipv6 fc00::/16 any log

remark reject type 0 routing header
deny ipv6 any any routing-type 0 log

remark allow outbound TCP from specific servers
permit tcp host <2001:db8:60::80> eq www 2000::/3
permit tcp host <2001:db8:60::80> eq 443 2000::/3
permit tcp host <2001:db8:60::25> eq smtp 2000::/3

remark allow outbound TCP from non-reserved ports
permit tcp <2001:db8:60::/44> gt 1023 2000::/3

remark allow BGP sessions either way for our BGP
peer  permit tcp host <2001:db8:6f::2> eq bgp host <2001:db8:6f::1>
permit tcp host <2001:db8:6f::2> host <2001:db8:6f::1> eq bgp

remark allow UDP to valid addresses and global multicast
permit udp <2001:db8:60::/44> 2000::/3
permit udp <2001:db8:60::/44> ffe0::/12

remark allow specific ICMP messages out to everywhere
permit icmp <2001:db8:60::/44> 2000::/3 packet-too-big
permit icmp <2001:db8:60::/44> 2000::/3 parameter-problem
permit icmp <2001:db8:60::/44> 2000::/3 echo-request

remark allow some ICMP just to our partners at remote site
permit icmp <2001:db8:60::/44> <2001:db8:20::/44> destination-unreachable
permit icmp <2001:db8:60::/44> <2001:db8:20::/44> echo-reply

remark allow tunnels only from North and Central routers
permit 41 host <2001:db8:6f::2> any
permit 41 host <2001:db8:60::f14b:65a1> any

remark deny everything else
deny ipv6 any any log

New:iPad:embraces:IPv6:Privacy:Extension

The new iPad runs out of the box with Privacy Extensions enabled. It seems that transport selection between IPv4 and IPv6 is based on “Happy Eyeballs” method. Looks like there is no preference for IPv6, but selection is based on the fastest transport IPv4 or IPv6.

20120319-082912.jpg

Taste:and:IPv6

Sometimes taste and content don’t fit together. Two great terms but a horrible presentation.

image

Cutting:edge:Formula-1:adopts::IPv6

The Telecom World converged in greater numbers than ever before on Barcelona last week for the annual Mobile World Congress (MWC).

This years’ motto: Redefining Mobile. Complete info at CircleID.

Hilarious::IPv6:versus:NAT

Some people just don’t get the message about the transition towards IPv6.

Will a killer-app indeed trigger the mass, so they are demanding IPv6 from there providers?
That’s not such a bad idea after all!

IPv6::generally:explained

To get a basic understanding what IPv6 is all about, watch the tube below (6 min.)