[ipv6hackers] IPv6 security (slides and training)

[Douglas Otis]

On 11/8/11 3:27 PM, Fernando Gont wrote:
>  On 11/08/2011 04:50 PM, Douglas Otis wrote:
>
> > Clearly, networks are more secure not connecting to the Internet,
> > but in most cases that is not practical.
> >
> > A retreat to IPv4 will not provide safer access to the Internet,
> > whether one were to consider IPv6 security a myth or not.
>
>  Which part of the presentation gave you the idea that I'm advocating
>  a retreat to IPv4???
>
>  For the record: I'm not.
>
>  Address exhaustion is a real problem, and the only solution on the
>  table is IPv6. That's the reason to deploy it. -- And my presentation
>  didn't argue against that.

Your presentation makes dismissive statements regarding IPv6 deployment.

Page 5 "(current estimations are that IPv6 traffic is less than 1% of 
total traffic)"

This estimation is problematic and ignores massive growth in actual IPv6 
deployment.  Many traffic estimates are either dated or not collected in 
regions offering native IPv6.  NTT America, a leading IPv6 provider, 
does not separately measure IPv4 and IPv6 traffic.  This is not 
surprising since most routers do not support separate counters needed to 
make v4/v6 ratio measurements.  With issues related to 6to4 and Teredo, 
the percentage of hosts preferring IPv6 are likely limited to those 
using prior configurations.  That leaves a small number of hosts 
actually having native IPv6 service.  Since such environments are new 
(and yet being deployed rapidly), reporting IPv6 traffic estimates is 
likely to be misleading anyway.

IPsec obstacles are also overblown and fail to envision superior 
deployments currently in use that do not depend upon end-to-end 
connectivity.  Page 20 concludes by suggesting protection is provided by 
stateful firewalls where end-to-end protections are either not 
available, increases host exposure, or is not desired for production.  
Yikes.  The conclusion on Page 26 is simply wrong because it assumes 
hosts are not supported by security services that could even be located 
within the cloud.

Your presentation also overlooks the value IPv6 offers at providing 
better security when dealing with NATs.  It seems you see no value in 
technology that has been deployed for many years providing the basis for 
much of today's secure communications.

For example, Apple's ability to navigate safely beyond NATs depends upon 
Security Associations based upon the IPv6 address held by the host.  
Terminating security at the NAT (making an unlikely assumption that the 
NAT is able) exposes sessions to questionable security at the NAT and 
that maintained in the presence of wireless networks.  The use of IPv6 
can easily extend security to the host, even when traversing a NAT in a 
manner that also supports access point mobility.

For example, Apple places IPv6 ULA in the destination field of IPsec 
Security Associations to ensure the end-to-end path between hosts are 
fully protected.  These Security Associations also survive network 
changes since the IPv6 ULA remains the same even when a host changes 
location.  Furthermore, encryption and IPsec is transparent to the NAT.  
This mode of operation would not even be practical using IPv4!

When IPv6 is combined with secure services (not even necessarily present 
within the local network), security becomes much better than what is 
possible using IPv4 with an OS that by default does not open 
non-security related ports.

It would be better to recommend ISATAP, Teredo, and 6to4 be disabled, 
and that IPv6 aware routers be used.

> > Currently, there is 65,000 times more IPv6 /64 prefixes announced
> > than IPv4 /32 addresses within the entire 3.8 billion IPv4 unicast
> > space. This space is growing geometrically with the graph becoming
> > nearly vertical. A rough guess might be announcements will soon
> > slow at 1.4 quadrillion (1000 trillion) IPv6 /64 prefixes.
> > Retaining IPv4 only local networks means Internet traffic must be
> > carried over Large Scale NATs (LSNs) offering unknown and insecure
> > end points.
>  Again, I do not necessarily advocate that. However, there are some
>  scenarios (defense networks, for example) in which you don't won't
>  to deploy IPv6 unless you really need it.

This is where we disagree.  I have seen government defense networks leak 
IPv6 traffic due to internally compromised systems.  IPv6 deployed 
properly can improve security over what is possible using IPv4.  
Clinging to IPv4 is not the safe path forward.

> > IPsec is not the only way to implement end-to-end security.
>  Not only that. In some cases it may be undesirable, or may not
>  provide what you want (e.g., you may want to authenticate a user,
>  rather than the end-point itself).

Exactly.  Read RFC6281.  The IPv6 packet is wrapped by the UDP header 
and encrypted by ESP having an IPv6 destination.  This safely navigates 
the perils found in either home, corporate, or military configurations.

> > Security related assumptions premised on use of IPv4 must be
> > questioned, just as they should be for IPv6. As a general rule, no
> > OS unable to properly handle IPv6 should be used.
>  Under your general rule, people should probably use only OpenBSD.

Most modern BSD derivations should prove satisfactory, perhaps needing a 
few minor tweaks. :^)

-Doug