Author Archives: Ferry

IPv6 Security for Routing Protocols

Security for Routing Protocols
Routing protocols can be subject to threats such as unauthorized updates for either IPv4 or IPv6 routes. Security capabilities have been designed for routing protocols to mitigate unauthorized update threats. Some IPv6 routing protocols rely on similar mechanisms to those in IPv4 for protection, while others have incorporated IPsec for protection. These security mechanisms do not provide end-to-end security for routing protocols across multiple hops, because while they provide integrity assurance for routing protocol messages between nodes, they do not verify the integrity of messages received from other nodes that are not part of a security association. This is a major security concern for EGPs and a somewhat lesser one for IGPs.

RIPng
RIP for IPv4 uses an MD5-based integrity mechanism; this was removed from RIPng. RIPng offers no integrity assurance features. Per RFC 2080, RIPng leverages IPsec for security. It should be noted that hardware vendors have not incorporated IPsec features as a configuration option, instead relying on native IPv6 IPsec support from the operating platform for protection. RIPng is suitable only for small, private networks where the threat of routing attacks is substantially reduced.

OSPFv3
Securing OSPFv2 in a dual stack environment will protect neither the OSPFv3 protocol nor the OSPFv3 routing table. OSPFv2 allows null, password-based, or cryptographic authentication using MD5-based integrity for routing updates. The authentication fields found in OSPFv2 have been removed from the OSPFv3 packet for IPv6, so MD5 is not an authentication option. OSPFv3 offers no integrity assurance features itself and relies on IPsec AH or ESP for authentication, integrity, and confidentiality. Note that OSPFv3 uses unicast and multicast, and IKE does not work with multicast, so the default method is to use manual keying. Since replay protection cannot be provided using manual keying, OSPFv3 messages are vulnerable to replay attacks, which can lead to DoS attacks, Central Processing Unit (CPU) overload, and localized routing loops. IPsec for OSPFv3 is detailed in RFC 4552.

With routing protocols, routing integrity is usually a greater concern than confidentiality. ESP with the NULL encryption algorithm (ESP-NULL, i.e. integrity without encryption) is generally regarded as an acceptable choice for OSPF security.

IS-IS and EIGRP
Both IS-IS and EIGRP support simple MD5-based integrity for protecting IPv6 routing updates, similar to protecting routing updates for IS-IS and EIGRP for IPv4.

BGP
The use of BGP as an inter-AS routing protocol means that it can be subject to serious threats. Three mechanisms exist to mitigate threats to BGP. The first is the use of MD5-based integrity to protect routing updates. The second mechanism to mitigate threats to BGP is GTSM (RFC 5082). GTSM is a simple security mechanism for rejecting spoofed BGP messages based on their IP TTL or Hop Limit. The sending BGP router always uses a TTL=255, and the receiving BGP router checks that the TTL has the expected value of 255. Any packets from a remote attacker would have to travel via intervening routers, would have a smaller-than-maximum TTL, and would be dropped on receipt. Note however that a router operating as the endpoint of a tunneling protocol may not decrement the hop count upon receiving packets through the tunnel, so these could conceivably come from anywhere with TTL=255.
The third mechanism to mitigate threats to BGP is IPsec. IPsec key management can use shared secrets or public key certificates, which allow IPsec to offer scalability. GTSM has the lowest overhead of the three mechanisms, and is the easiest to configure. It also offers the least effective protection. The MD5 signature mechanism offers low overhead and effective protection, but it forces administrators to disrupt their BGP sessions at each key update, and it does not scale well. IPsec offers the most effective protection, least disruption, and best scalability. It also imposes the highest overhead (although the overhead is still small), and it is the most complex mechanism to configure. In summary, using an MD5 checksum is certainly better than nothing, but MD5 itself can be attacked successfully, and most of these methods have no easy ways to change hash functions or even change keys. IPsec is preferable for routing protocols that support its use. All of the above security mechanisms protect against unauthorized insertion or manipulation of routing protocol messages. They do not protect against a corrupted or malfunctioning router that may construct and pass along incorrect routing information. Many approaches to providing better end-to-end security for BGP have been proposed, but consensus on a single solution has not yet been achieved.
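The GTSM hop-limit check from the BGP paragraph above, as an added Python example that is not from the NIST guidelines or from this blog: it decodes the fixed IPv6 header of constructed sample packets and applies the RFC 5082 receive rule, generalized from the directly-connected case (expect 255) to a configurable trust radius for multi-hop peers. The parameter name trust_radius and the 2001:db8::/32 addresses are assumptions for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

IPV6_HDR_LEN = 40
GTSM_HOP_LIMIT = 255  # a GTSM sender always uses the maximum Hop Limit

@dataclass
class IPv6Header:
    src: str
    dst: str
    next_header: int
    hop_limit: int

def parse_ipv6_header(pkt: bytes) -> IPv6Header:
    """Decode the 40-byte fixed IPv6 header: version/class/flow, payload
    length, next header, hop limit, then 16-byte source and destination."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    ver_tc_fl, _payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    return IPv6Header(src, dst, next_header, hop_limit)

def gtsm_accept(hdr: IPv6Header, trust_radius: int = 0) -> bool:
    """RFC 5082 receive check: a peer trust_radius hops away sends with
    Hop Limit 255, so anything below 255 - trust_radius has crossed more
    routers than a legitimate peer and is dropped as spoofed. The check
    cannot tell apart a tunnel endpoint that leaves Hop Limit untouched."""
    return hdr.hop_limit >= GTSM_HOP_LIMIT - trust_radius

def build_ipv6(src: str, dst: str, hop_limit: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet; Next Header 6 (TCP), as a BGP session uses."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 6, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def classify(pkt: bytes, trust_radius: int = 0) -> str:
    """Decision a GTSM-enabled BGP speaker would make for one received packet."""
    hdr = parse_ipv6_header(pkt)
    return "accept" if gtsm_accept(hdr, trust_radius) else "drop (hop limit %d)" % hdr.hop_limit

if __name__ == "__main__":
    # Constructed addresses from the 2001:db8::/32 documentation prefix.
    peer = build_ipv6("2001:db8:1::1", "2001:db8:1::2", 255)     # directly connected peer
    spoofed = build_ipv6("2001:db8:1::1", "2001:db8:1::2", 253)  # forged two hops away
    print(classify(peer), classify(spoofed), classify(spoofed, trust_radius=2))
```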

Source – Guidelines for the Secure Deployment of IPv6 (NIST)

Test your IPv6 connectivity

If you are working to get IPv6 connected to the internet and want to test your setup, have a look at the following test site: http://test-ipv6.com

Don't stop until you get a 10/10 😉

World IPv6 Day: 8 June 2011

World IPv6 day

The following has been adapted from the World IPv6 Day page, hosted at the Internet Society (ISOC).

Q: What is World IPv6 Day?

This is a trial period during which a number of major web sites will provide their content on both IPv4 and IPv6. The effort is being led by the Internet Society (ISOC). More information is posted on their World IPv6 Day page.

World IPv6 day, scheduled for 8 June 2011, is a global-scale test flight of IPv6 sponsored by the Internet Society. On World IPv6 Day, major web companies and other industry players will come together to enable IPv6 on their main websites for 24 hours. The goal is to motivate organizations across the industry — Internet service providers, hardware makers, operating system vendors and web companies — to prepare their services for IPv6 to ensure a successful transition as IPv4 address space runs out.
Why is World IPv6 Day necessary?

The address space used by the current version of the Internet protocol, IPv4, is expected to run out in 2011. Without action, we risk increased costs and limited functionality online for Internet users everywhere. The only long-term solution to this problem is adoption of IPv6, which provides over 4 billion times more space. IPv6 is used extensively in many large networks, but it has never been enabled at a global scale. World IPv6 Day will help industry players work together to support the new protocol on an accelerated timeline. With major web companies committing to enable IPv6 on their main websites, there are strong incentives for other industry players to ensure their systems are prepared for the transition.

How, specifically, does World IPv6 Day help motivate change and test the technology?

World IPv6 Day will act as a focal point to bring existing efforts together. For the first time, players from all parts of the industry will be able to work towards the common goal of enabling IPv6 at a large scale with minimal disruption. By acting together, ISPs, web site operators, OS manufacturers, and equipment vendors will be able to address problems such as IPv6 brokenness in home networks and incomplete IPv6 interconnection. Also, on the day itself, any global scalability problems can be found in a controlled fashion and resolved cooperatively.

What, specifically, still needs to happen for the industry to effectively transition to IPv6?

All major Internet industry players will need to take action to ensure a successful transition. For example:

  • Internet service providers need to make IPv6 connectivity available to their users
  • Web companies need to offer their services over IPv6
  • Operating system makers may need to implement specific software updates
  • Backbone providers may need to establish IPv6 peering with each other
  • Hardware and home gateway manufacturers may need to update firmware

How will World IPv6 Day impact Internet users?

One of the goals of World IPv6 Day is to expose potential issues under controlled conditions and address them as soon as possible. The vast majority of users should be able to access services as usual, but in rare cases, misconfigured or misbehaving network equipment, particularly in home networks, may impair access to participating websites during the trial. Current estimates are that 0.05% of users may experience such problems, but participating organizations will be working together with operating system manufacturers, home router vendors and ISPs to minimize the number of users affected. Participants will also be working together to provide tools to detect problems and offer suggested fixes in advance of the trial.

What can Internet users do to get ready for World IPv6 Day?

Most Internet users will not be affected. Web services, Internet service providers, and OS manufacturers will be updating their systems to ensure Internet users enjoy uninterrupted service. In rare cases, users may still experience connectivity issues when visiting participating Websites. Users can visit an IPv6 test site to check if their connectivity will be impacted. If the test indicates a problem, they can disable IPv6 or ask their ISPs to help fix the problem.

What if I have a problem connecting to a participating web service? What can I do?

It’s very unlikely you will be impacted by IPv6 Day. Current estimates are that 0.05% of users may experience connectivity issues, and participating organizations will be working together with operating system manufacturers, home router vendors and ISPs to minimize the number of users affected. You can test your Internet connection ahead of IPv6 Day here. In the unlikely event you have problems on IPv6 Day, the best thing to do is to contact your ISP for support. In the coming months, participating organizations will be working together to publish help guides with more specific instructions for diagnosing and addressing potential issues.

What exactly needs to get fixed? Operating systems? Web browsers? Home routers? ISPs?

In some cases, it’s as simple as staying current with the latest updates to your operating system. In other cases, you may need to toggle a control panel setting or update the firmware (software) on your home router. If your ISP does not yet offer IPv6, and you are savvy with technology, see the 6to4 link page for recommendations.

Are participants going to disable IPv4 on World IPv6 Day?

No. Participating websites will not switch from IPv4 to IPv6, they will enable IPv6 in addition to IPv4. IPv4 access will still be available as usual.

What can organizations do to join World IPv6 Day?

We welcome additional participants. Find out how to participate.

What if test-ipv6.com says I will be affected on World IPv6 Day?

A list of things you might check, if you are technically inclined:

  • If using 6to4: make sure protocol 41 is not blocked by a firewall.
  • If using 6to4 without an explicit tunnel provider: Consider switching to tunnelbroker.net, sixxs.net, or gogo6 aka freenet6. They provide managed tunnels.
  • If using 6to4 without an explicit tunnel provider, and in China: www.6fei.com.cn has a “go6” service that is free, and operated from inside China.
  • If using Teredo, make sure UDP port 3544 is permitted out, and responses back.
  • If only the MTU test fails, consider lowering the MTU on your tunnel interface. Also, make sure that ICMP6 type 2 messages are permitted.
  • Turn off tunneling on your home router, unless your ISP set that up for you.
  • If you have a business-owned device: Get your IT department to help. They may not want you to disable IPv6.
  • Home users: Consider disabling IPv6. Windows Vista and Windows 7 users: Microsoft specifically advises against this, as it breaks HomeGroup features, including sharing.

Attacking the IPv6 protocol suite

If you understand the way things work with IPv6, it becomes clear that it should be fairly easy to fool around with it. Searching around on the internet taught me that there is indeed proof-of-concept code available to play around with.

All credits to the guys from The Hackers Choice, for both the explanation and code (V2.3).

IPv6 privacy extensions on iPad

The Apple iOS 4.3 upgrade contains better IPv6 privacy protection based on RFC 3041 (Privacy Extensions for Stateless Address Autoconfiguration).

Read all about this in the English (EN) or Dutch (NL) article on Apple’s website.

IPv6 addressing size analogy

Many things have been said about the enormous address space of IPv6. Maybe the following will surprise you:

“If each IPv6 address weighed one gram, the sum total weight of all IPv6 addresses would be greater than the weight of 56 Earths.”

Security challenges deploying IPv6

The migration to IPv6 services is inevitable as the IPv4 address space is almost exhausted. IPv6 is not backwards compatible with IPv4, which means organizations will have to change their network infrastructure and systems to deploy IPv6. Organizations should begin now to understand the risks of deploying IPv6, as well as strategies to mitigate such risks. Detailed planning will enable an organization to navigate the process smoothly and securely.

Organizations will most likely face security challenges throughout the deployment process, including:

  • An attacker community that most likely has more experience and comfort with IPv6 than an organization in the early stages of deployment
  • Difficulty in detecting unknown or unauthorized IPv6 assets on existing IPv4 production networks
  • Added complexity while operating IPv4 and IPv6 in parallel
  • Lack of IPv6 maturity in security products when compared to IPv4 capabilities
  • Proliferation of transition-driven IPv6 (or IPv4) tunnels, which complicate defenses at network boundaries even if properly authorized, and can completely circumvent those defenses if unauthorized (e.g. host-based tunnels initiated by end users)

Hall of Fame

Now it is official: the IPv6Security environment is fully IPv6 connected.
As a result, it is listed in the Hall of Fame.


Survey on IPv6 firewalls

Do you have any idea how well IPv6 is supported when it comes down to firewalling your environment?
The survey from ICANN in 2007 shows that support was very limited at that time.

So be prepared to check the current IPv6 support when replacing your gear.
You can find the survey as “SAC 021