Architectural Risks and Mitigations in IPv6

1
Architectural RisksandMitigationsin IPv6

• James R Lindley
• CISSP-ISSAP/ISSEP/ISSMP, CISA, CHS-III
• Senior Computer Engineer
• (Security Architectures)
• IRS IT Security Architectures Engineering

2
Disclaimers

• Information scope is limited, additional readings
  required
• Presentation Organization
• A SHORT review of the IPv6 Protocol Suite
• Architectural Insecurities
• Possible Mitigations

3
Features of Network Layer Protocols

• Logical Addressing
• Route Discovery
• Quality of Service
• Packet Header Structures
• Fragmentation Methods
• Supporting Protocols

4
How to Use 128 Bits

• We really dont get 3.31038

32-bits 4,294,967,295
18,014,398,509,481,983_at_54
18,446,744,073,709,551,615 potential hosts
4,294,967,295_at_32
65,535_at_48
64 bits - Host
A /16 281,474,976,710,655 networks
5
IPv6 Address Types

• Unicast
• Address of a single interface
• One to one delivery to single interface
• Multicast
• Address of a set of interfaces
• One to many - delivery to all interfaces in the
  set
• Anycast
• Address of a set of interfaces
• One to one-of-many - delivery to the closest
  single interface in the set
• No more broadcast addresses

6
Unicast IPv6 Addresses

• Aggregatable Global Unicast Addresses (AGUA)
• Link-local addresses
• Site-local addresses (not SLA see later)
  (deprecated)
• Unique Local Addresses (replaces Site-local)
• Special addresses
• Compatibility addresses
• NSAP addresses (Network Service Access Point)

7
IPv6 Address Summary

• Global
• Typically begins with 2 or 3 (ARIN 26000)
• Unique for the entire IPv6 Internet
• Link-local
• Begin with FE80
• Unique for a single link
• Site-local (deprecated)
• Begins with FEC0
• Local
• Begin with FD00
• Multicast
• Begin with FF00

8
Multiple Addresses on a Node

• Unlike IPv4, an IPv6 node always has multiple
  addresses
• Link-local, site-local, global, etc.
• It is the job of the nodes protocol stack to
  decide most efficient address to use to reach the
  destination
• Greatly simplifies routing

9
Assigning Interface Addresses

• Two ways to assign addresses
• Static assignment
• Automatic assignment
• via DHCP (stateful)
• via autoconfiguration (stateless)
• Static assignment will be challenging because of
  the address size
• Automatic assignment will be much more common

10
Six Paths to an IPv6 Interface ID (Address)

• Extended Unique Identifier (EUI-64) address
• Randomly generated value (SeND)
• A value assigned by a stateful address
  configuration protocol such as DHCPv6
• Expanded IPv4 Address
• A manually configured value
• A value assigned during the establishment of a
  Point-to-Point Protocol connection

11
Extended Unique Identifier (EUI-64) address

• Derived from IEEE MAC-48 address
• Privacy considerations in host ID
• MAC-48 structured address architecture makes
  range scanning easier

12
Randomly generated value (SeND)

• RGV Randomly Generated Value
• Sometimes AKA Cryptographically Generated Address
  (CGA)
• Greater privacy (RGV also used in EUI-64 privacy
  extensions)
• Maximum range scanning difficulty due to
  unstructured address architecture
• Loss of administrative address control

13
IPv6 Interface ID Configuration DHCPv6

• Value assigned by a stateful address
  configuration protocol (i.e., DHCPv6)
• Requires router Managed Address parameter
  configuration
• Requires DHCPv6 server and administration
• May result in address assignment patterns that
  make range scanning easier

14
IPv6 Interface ID Configuration eXIPv4

• Expanded IPv4 Address
• Used with 4to6 and 6over4 and ISATAP tunneling
• May reveal IPv4 use and address
• May make U-Turn Attacks easier

15
IPv6 Interface ID Configuration Manual/PPP

• Manually configured value
• More labor required
• Pattern establishment possible
• Does not make best use of dynamic and automatic
  IPv6 address assignment tools
• Value assigned during the establishment of a
  Point-to-Point Protocol connection
• Used only with PPP
• Found only with MODEM dialup connections

16
Stateless Autoconfiguration

• Hosts generate IP address automatically by
  combining link information with Interface ID
• EUI-64
• Privacy Extensions
• Link information is retrieved via Router
  Solicitations (RS) or Advertisements (RA)

17
Router Advertisements

• RA/RSs are a subset of Neighbor Discovery (ND)
  protocol
• All routers send RAs every 5 minutes from each
  defined link local address to FF021
  (All-nodes-on-link)
• If the Default Router field has a non-zero time
  listed, it may be used as a default router
• RAs have a Managed Address flag if set, it
  means host must contact DHCP server to generate
  Global Unicast Addresses (Stateful configuration
  mandated)

18
Quality of Service

• IPv4 Type of Service header field has been
  renamed Traffic Class in IPv6 with identical bit
  assignment and processing
• IPv4 has no mechanism for recognizing data
  streams, focuses on guarantees of delivery and
  TOS field
• IPv6 has a Flow Control header field that routers
  use to prioritize data stream processing
• Integrated Services (RFC 1633) prioritization
  without Transport Layer data inspection
• Requires Resource Reservation Protocol (RSVP)
  RFC 2205
• Eliminates redundant route resolution processing
• No standard definition of FC field values
• Introduces a potential DOS vulnerability

19
Packet Header Changes

• IPv4 has variable length packet header
• Many fields unused
• Use of options add to variability
• Variability led to integrity check calculation
  processing requirement
• Options limited in complexity
• IPv6 has fixed length packet header
• All fields used
• Options are well-defined
• No requirement for integrity check processing
• Multiple options may be stacked

20
IPv6 Header (Fixed length, 40 bytes) RFC 2460
21
IPv6 Header Detail Flow Control

• Defined in RFC 3697
• Size is 20 bits (2.5 bytes)
• A random number selected by the sending host used
  to specify a particular flow of data
• Not fully defined yet, but has the potential to
  reduce processing latency for a flow of data,
  even if it comes from different applications
• Routers keep track of flows and once received, do
  not have to reprocess routing information for
  additional packets in that flow

22
IPv6 Header Detail Next Header

• Size is 1 byte
• Was called Protocol Type field in v4
• Specifies what type of header is coming next in
  the packet (TCP/UDP/ICMPv6, etc)
• If extension headers are used, the type of
  extension header is listed here
• Common values 6 (TCP), 17 (UDP), 58 (ICMP6)

23
IPv6 Extension Headers
24
Extension Headers Intermediate Nodes

• Hop-by-Hop Options Header
• Jumbo Payload option
• Router Alert option Router must process the
  datagram
• Destination Options header
• Used by intermediate nodes when Routing header is
  present
• Routing header
• Used for source routing and MobileIP

25
Extension Headers Destination Node

• Fragment header
• Used only by the source and destination nodes
• IPSec specific headers
• Authentication header (AH)
• Encapsulating Security Payload (ESP) header
• Destination Options header
• Used only by destination node when Routing Header
  is not present
• Used by MobileIP

26
IPv4 Fragmentation Control

• Maximum Transmission Unit (MTU) defines the
  largest amount of data in octets that a device
  can send or forward in a single datagram
• Path MTU (PMTU) is the smallest MTU of all the
  devices between a source and destination host
• IPv4 has no PMTU discovery mechanism and sends
  packets at the size defined in the source host
  configuration
• An IPv4 intermediate node receiving a packet
  larger than the nodes MTU divides a packet into
  several smaller packets before forwarding the
  new, smaller packets
• This introduces latency and increased traffic
  into the network

27
IPv6 Fragmentation Control

• Before sending a packet, IPv6 sends a test packet
  sized to the source hosts pre-defined MTU to the
  destination
• IPv6 listens for ICMP Packet too large messages
  and, if one is received, sends progressively
  smaller packets until a Packet too large
  message is not returned
• IPv6 resizes the real packets to match the
  discovered PMTU
• IPv6 requires ICMPv6 to pass thru firewalls

28
IPSec for IPv6

• Mandatory inclusion in implementation
• Three User Options
• No Use
• Gateway-Gateway (Available in IPv4)
• Peer-Peer
• Use Requires a Security Association
• IKE RFC 2409
• PKI/PKM (static keying is possible but
  problematic)
• Two Modes
• Transport (Peer-Peer)
• Tunnel (VPN Gateway-Gateway)
• Modes can be combined
• Two Header Options
• Authenticated Header (AH)
• Encapsulating Security Payload (ESP)
• Options can be combined

29
IPSec for IPv6

• Authentication Header (AH)
• RFC 2402
• Whole packet integrity
• Source authentication
• Replay protection
• Does NOT Encrypt, Uses Checksum
• Does NOT provide Confidentiality

30
IPSec for IPv6

• Encapsulating Security Payload (ESP)
• RFC 2406)
• Confidentiality
• Integrity of the Encapsulated Packet
• Authentication of the source
• Anti-replay protection
• Encrypts
• Has more limited integrity check than AH
• Encapsulating Packet is NOT protected

31
DHCPv6

• RFC 3315
• Totally rewritten protocol
• Required for Managed Address systems
• Stateful Configuration
• Automatic Address Assignment

32
DHCPv6

• Many benefits
• Uses multicast instead of broadcast
• Verifies that client is on-link (only supplies
  addresses from link-local addresses)
• Relay agent is simplified since it doesnt need a
  list of DHCPv6 servers just sends to
  All-DHCP-servers address
• Server can push an update when changes occur
• Address Lease Lifetime is infinite when
  changes occur, they are pushed less traffic

33
Neighbor Discovery (ND) Protocol

• Neighbor Discovery has two main subsets
• Router Solicitation/Router Advertisement (RS/RA)
  to communicate with Routers
• Neighbor Solicitation/Neighbor Advertisements
  (NS/NA) to communicate with hosts on link
• The ultimate job of ND is to allow a node that
  knows an IPv6 address to determine the MAC
  address of the on-link recipient node
• Very similar to ARP in IPv4, but uses multicast
  rather than broadcast

34
Why Neighbor Discovery?

• Doesnt an IPv6 address advertise the MAC
  address?
• No, it advertises the EUI-64 address, from which
  one can determine the MAC address
• The EUI-64 isnt guaranteed to be accurate
• It could have been randomly entered by the node
  owner
• It could be randomly changing to protect privacy
• The Layer 2 might not require MAC addresses
  (Frame Relay)
• Therefore ND is always performed (unless already
  cached)
• Next slide explains IEEE EUI-64 MAC-64

35
EUI-64 IEEE Extended Unique Identifier64 bits

• To facilitate the creation of globally unique
  node addresses using the network adapters Media
  Access Code (MAC) number, the IEEE established 2
  new standards EUI-64 and MAC-64.
• Both MAC-64 and EUI-64 split the current EUI-48
  MAC-48 bit numbers into two 24-bit sections and
  then insert either FFFF (MAC-64) or FFFE (EUI-64)
  between the two sections
• MAC-64 is meant to be used with network adapters,
  but the IPv6 specification writers used the
  EUI-64 standard instead

36
Solicited Node Multicast Address (SNMA)

• SNMA is used to avoid duplicate IPv6 addresses
• Created by adding FF (last 24 bits of Interface
  ID) onto FF021
• Clients IPv6 address is 3001B00012126BFFFE3
  A9E9A
• Take the last 24 bits 3001B00012126BFFFE3A9
  E9A
• Prepend FF onto 3A9E9A
• Append the result to the SNMA Prefix
  FF021FF3A9E9A
• Host listens on the SNMA corresponding to each
  assigned IPv6 address

37
Duplicate Address Detection (DAD)

• As a function of ND, when a node generates (or
  receives) a IPv6 address, it automatically sends
  a NS packet to the SNMA that it is configuring
• If a NA is received, node knows that address is
  in use and address is not used

38
Secure Neighbor Discovery (SeND)

• Requires each node to have a trusted router
  certificate list
• List different for each network segment
• Uses Cryptographically Generated Addresses (CGA)
  (RFC 3972) to verify neighbors address ownership
• Solves router trust security problems in IPv6
  Neighbor Discovery node address configuration
• No IPv6 automatic method for creating or
  updating host and router certificate lists

39
ICMPv6

• In IPv4, the Internet Control Messaging Protocol
  (ICMP) was used for some utilities such as ping
  and tracert
• Many organizations block in/out ICMP at the
  firewall
• In IPv6, Neighbor Discovery utilizes ICMPv6, and
  ND is mandatory for delivering packets
• Path MTU discovery is ICMPv6 based
• Therefore, ICMPv6 is mandatory in IPv6 and
  cannot be shut off completely at the firewall

40
DNSv6

• Same functionality as DNS in IPv4
• IPv6 uses AAAA records, IPv4 uses A
• DNS queries return AAAA before A records
• Some implementations will not return an IPv4
  address if an IPv6 address exists for the host
• DNS server with faked IPv6 record for IPv4-only
  box will refer all traffic to IPv6 site
• DNS Server discovery mechanisms still a work in
  progress

41
MobileIP

• Present in IPv4 (RFC 3344), difficult to use
• MobileIPv4
• Mobile Node
• Home Agent
• Foreign Agent
• UDP-based
• Home Agent-(Server) centric

42
MobileIP

• Visited networks must open their firewalls to
  special IPv6 packets
• IPv6 Modes
• Bi-directional Tunneling (Home Agent centric)
• Route Optimization (Peer-to-Peer)
• You can do Binding Updates with any correspondent
  to establish a direct path, but ONLY after
  establishing a security association with the home
  agent or correspondent.

43
MobileIP

• Do not confuse MobileIP with Mobile
  Telephony, which concerns ISO Layers 1 2
  devices.
• MobileIP is ISO Layer 3
• Requires a functioning Layer 1 2 network
  infrastructure
• Requires a way to establish security associations
  (PKI?)

44
Key Risk Considerations

• Each network layer has characteristic types of
  attacks
• Internet Protocol is an address management and
  traffic delivery protocol suite
• Characteristic attacks and activities at the IP
  level are Address Manipulation, Denials of
  Service, and supporting activities
  (reconnaissance, etc.)
• Some attacks utilize upper layer protocols that
  support IP functionality (ICMP, TCP, UDP, etc.)
• Almost all IPv6 security enhancements require a
  way to establish a security association (PKI?)
  (SeND, IPSec, etc.)

45
Key Considerations

• IPv6 address management suite
• Neighbor Discovery / Router Identification
• Autoconfiguration
• Domain Name Service
• Dynamic Host Control Protocol
• ICMP
• Packet Header Changes
• Supporting Activities

46
Neighbor Discovery

• Key concerns
• Neighbor Solicitations / Advisories
• Router Solicitations / Advisories
• ICMP messages
• Secure ND requires trust lists
• IPv6 IPv4 (NDAC ARP, etc.)
• Attacks
• DoS
• Redirects
• Configuration Attacks

47
Neighbor Discovery

• Neighbor Solicitation and Advertisement (NS/NA)
  Spoofing
• N3 sends an NS or NA with N1, N2, or R1 addresses
  and N3 link-layer address.
• Traffic goes to N3 instead of valid neighbors.

48
Neighbor Discovery

• Fake on-link Prefix
• N3 executes NA/NS Spoofing
• N3 sends RA with invalid prefix identified as
  on-link
• Off-link traffic to the prefix is either denied
  or sent to N3

49
Neighbor Discovery

• Neighbor Unreachability Detection (NUD) Denial of
  Service
• N3 sends NA responding to NUD NS messages of all
  or some of others on network
• NUDed nodes are now considered unreachable by
  other nodes, who cease sending

50
Neighbor Discovery

• Router Flood
• N3 sends randomly addressed packets
• R1 sends NS messages that are never answered

51
Neighbor Discovery

• Default Router Disabling
• N3 sends RA with R1 address and a lifetime of
  zero
• R1 is dropped as the default router by other nodes

52
Neighbor Discovery

• Router/DHCPv6 Masquerade
• N3 sends RA with a DHCPv6 configuration that
  points to a DHCPv6 server running on N3
• Nodes obtain addressing information from N3

53
Neighbor Discovery

• Default Router Masquerade
• N3 sends RA as Default Router
• Other nodes start sending traffic to N3
• N3 becomes Man in the middle.
• N3 can also DoS net by sending RA with an invalid
  network renumbering scheme

54
Neighbor Discovery

• Duplicate Address Detection (DAD) Denial of
  Service
• N3 responds to every DAD NS message by claiming
  to already have that address
• Nodes are never able to configure an address

55
Neighbor Discovery

• Prefix Spoofing
• N3 sends RA with invalid network prefix for
  autoconfiguration
• Autoconfigured nodes send traffic with invalid
  prefix
• Nodes never receive misdirected response traffic

56
Neighbor Discovery

• Prefix Flooding
• N3 sends an RA flood with randomly selected
  invalid prefixes
• Nodes eventually drop valid prefixes

57
Neighbor Discovery

• ICMP Redirect
• N3 sends R1-spoofed ICMP redirect message
• Nodes send traffic to N3

58
Neighbor Discovery

• NDAC uses Multicast
• IPSec uses IKE
• IKE has no mechanism for a group key
• IKE does not support Multicast Security
  Associations
• IPSec does not easily support Multicast

59
Autoconfiguration

• Well-known addresses
• EUI-64 creation
• Privacy extensions (Randomization)

60
Autoconfiguration

• Well known multicast addresses
• All routers at FF052
• All DHCP servers at FF0513
• All nodes at FF021
• Human pattern issues remain (pattern in choice of
  key server addresses)

61
Autoconfiguration

• EUI-64 address creation
• Exposes Layer 2 address
• Privacy Issues
• Privacy extensions (Randomization)
• Loss of tracking ability

62
Domain Name Service

• Default Action with AAAA vs A records
• Public servers still public
• DNSv6 attacks still similar to IPv4 (Zone
  Transfers, dynamic DNS, etc.)

63
ICMP

• ICMP message control requirements more granular
• ICMP attacks can reach layers above IP
• IPSec/IKE does not secure ICMP

64
Packet Header Changes

• Fragmentation attacks still possible
• Flow Control field manipulation can cause router
  overflow conditions
• Header chaining can create overflow conditions

65
Supporting Activities

• Reconnaissance
• More difficult, not impossible
• Minus for both attackers and vulnerability
  assessors
• Source routing still available for Man-in-Middle
• SYNFloods and other DoS/DDoS still available for
  complex or Mitnick-type attacks
• Smurf may still be possible using ICMP Packet too
  large and Parameter problem messages

66
Technology Support andTransition Strategy

• There are three pieces to the IPv6 transition
• Infrastructure transition
• Host transition
• Application transition
• Coexistence during transition
• The transition from IPv4 to IPv6 will take years
• Some hosts will use IPv4 indefinitely
• Transition is the long term goal, coexistence in
  the interim

67
Infrastructure Transition

• There are two main ways of providing IPv6
  connectivity to your users
• Upgrade all layer 3 devices to support IPv6 and
  ensure routing tables reflect new IPv6 routes
  this is the ultimate goal
• Use a transition technology to provide IPv6
  connectivity to users in the absence of A.

68
ISATAP

• Intra-Site Automatic Tunnel Addressing Protocol
• Provides unicast IPv6 connectivity between IPv6
  hosts across a IPv4 intranet
• Can use private IPv4 addresses
• Prefix FE8000000000000000005EFE ends with
  the IPv4 address in hex form
• One dual stack ISATAP router per site relays data
  
• Benefit allows scoped deployment of IPv6
  services across without upgrading infrastructure

69
6to4

• Similar to ISATAP, but requires a public IPv4
  address

70
Tunnel Broker

• Both ISATAP and 6to4 provide access to IPv6
  resources based on the IPv4 address
• An unauthorized user could change their IP
  address and gain access to IPv6 services
• Tunnel Brokers add an additional layer of
  authentication into the process by leveraging a
  IAS server
• This can be especially helpful for externally
  facing 6to4 relays

71
Teredo

• ISATAP and 6to4 rely on a translation server in
  the local subnet
• Home users will not have this option, and they
  are behind a NAT
• Teredo was designed to allow home users access to
  IPv6 services by tunneling IPv6 through an IPv4
  NAT
• Microsoft does not recommend the use of Teredo in
  the Enterprise

72
Routing Transition Technologies

• ISATAP or 6to4 provides connectivity between dual
  stacked and native v6 clients within your
  network
• IF you choose to install an ISATAP/6to4 router
  or enable BGP/OSPF IPv6 routing, then IPv6 will
  be routed into/out of your network
• IPv6 PACKETS CANNOT LEAVE THE LOCAL SUBNET UNTIL
  THEY ARE ROUTED OUT!
• This is nothing different from IPv4

73
Host Transition

• Ideal Transition Stages
• Native IPv4
• Dual Stack or Dual IP
• Native IPv6
• Dual stack will be preferred for many years
• Very few IPv6 application issues on
  dual-stack/dual IP machines
• Dual stack gives you the advantages of IPv6
  without requiring that every application be fully
  tested
• Microsoft Vista is NOT dual-stack!

74
Application Transition

• Wouldnt be necessary in a perfect world.
• Maintains operation for older software, leverages
  power of v6 for new software
• Software with embedded IPv4 addresses can operate
  without alteration in a dual stack environment
• New or upgraded software should rigorously
  enforce OSI layer separation no embedded
  addresses or URLs

75
Technical Transition Criteria

• Existing IPv4 hosts can be upgraded at any time
  independent of the upgrade of other hosts or
  routers
• New hosts using only IPv6 can be added at any
  time without dependencies on other hosts or
  routing infrastructure
• Existing IPv4 hosts with IPv6 installed can
  continue to use their IPv4 address and do not
  need additional addresses
• Little preparation is needed to upgrade existing
  IPv4 nodes to IPv6 or to deploy new IPv6 nodes

76
Regulatory Environment

• Non-technical environment doesnt change
• For federal government, FISMA, NIST SP 800-53,
  etc. dont go away
• Legal system definitions and requirements will
  have a significant impact on IPv6 technical
  implementations

77
Some Security Practices Must Change

• Protecting system boundaries becomes more
  difficult
• Network Address Translation (NAT) may gradually
  disappear
• IPv6 subnet size makes net scanning more
  difficult for both protector and attacker
• Firewalls border and personal will flourish
• Host IDS will become more important
• Combination security devices may become more
  common
• Firewalls must perform very granular control of
  ICMPv6

78
IPv6 Security

• Ask a lot of people about security in IPv6 and
  youll hear one thing IPsec
• IPsec is important, but there is more to Security
  than a single protocol
• The most important thing to do is test
• IRS IPv6 transition should be lab tested

79
Work, Work, Work!

• Firewall rules will need to be redone from
  scratch
• Broadcasts may be gone, but there are many new
  multicasts to be filtered
• Protocol types are more important than ever
• Implement Microsoft Active Directory based Server
  and Domain Isolation
• Implement ingress filtering of packets with IPv6
  multicast source addresses
• Many of the security recommendations of IPv4 are
  still in IPv6

80
Transition Security Recommendations

• General Principles
• Security Tools
• Windows Domain Management
• Tunneling
• Flow Control
• IPSec
• MobileIP
• Applications
• Databases

81
General Considerations

• IPv6 is a Work In Progress. Vulnerabilities,
  attack vectors, and security requirements will
  change as the protocol suite is further defined.
• An IPv6 feature or improvement may not be
  relevant to your current or future business
  needs or in a federal environment.
• As a general goal, IPv6 transition should not
  cause a redefinition of the logical security
  boundaries of previously certified and accredited
  (CA) systems.
• Any IPv6 capabilities that differ from IPv4
  should be used only in response to clearly stated
  business requirements.
• Realizing the full benefits of IPSec and SEND
  will require a previous installation of both PKI
  and MS Active Directory.

82
General Considerations

• Security costs will increase due to the need to
  secure two network access protocols and the
  interactions between them
• Technology Refresh purchase schedules may
  result in IPv6-capable systems being procured
  out of phase with same-network IPv6-capable
  security devices. Interior IPv6 capabilities
  should not be implemented without adequate
  traffic control and security by IPv6-capable
  network and perimeter control and security
  devices.
• The possibility of U-Turn attacks must be
  considered when opening internal to external
  channels

83
Security Tools

• Routing devices (routers, firewalls, etc.) should
  deny passage of any externally-generated IPv6
  traffic that uses User Datagram Protocol (UDP) to
  bypass firewalls or other security tools.
• Intrusion detection or prevention systems
  (IDS/IPS) should have the ability to perform
  analysis of tunneled IPv6 traffic without regard
  to the number of tunnel layers.
• IDS/IPS should have the ability to analyze packet
  headers that exceed 512 octets.
• Firewalls should have the ability to analyze both
  IPv4 and IPv6 ICMP traffic and to permit or deny
  access to such traffic based on type and message
  content.

84
Windows Domain Management

• Windows Active Directory should be implemented to
  support Domain and Server Isolation.
• All Domains and Servers should be isolated IAW
  Microsoft recommendations.
• Active Directory should be combined with PKI

85
Tunneling

• No automatic tunnels.
• No tunnels based on UDP (e.g., Toredo).

86
Flow Control

• Devices that respond to Flow Control in any
  fashion should be thoroughly tested for response
  to out-of-bound conditions.
• Device is meant to refer to hardware or
  software or any combination thereof that works as
  a logical machine.

87
IPsec

• IPSec should be implemented in a G2G mode that
  honors current CA logical system boundaries
  except (potentially) in the following cases.
• Where considerations of data confidentiality on
  untrusted networks require end-to-end IPSec
  implementation.
• Where IPSec communication is between member
  servers of the Trusted Computer Base (TCB).
• IPSec Security Associations required for P2P use
  IKE. P2P mode is best served in a PKI
  environment.
• Irrespective of IPSec mode implementation, all
  MS-based systems should be placed in isolated
  domains.
• Full use of IPSec requires implementation of
  PKM/PKI.

88
MobileIP

• Visited networks must open their firewalls to
  special IPv6 packets
• IPv6 in IPv6 packets
• IPv6 packets with mobility headers
• IPv6 packets with home address destination option
• ICMPv6 mobility packets
• IPv6 packets with routing headers

89
Applications

• Ideally, applications should have no awareness of
  IP layer protocols.
• Applications with a network layer component
  should be tested for compatibility with IPv4,
  IPv6, and/or whichever 4to6 and 6to4 tunneling
  mechanisms are implemented.
• Applications that capture IP addresses should
  correctly process input of the various legal
  address format permutations and store and display
  such addresses in an enterprise-wide standard
  format.
• Applications with embedded IPv4 addresses may
  have to be recoded depending on any network
  renumbering during the transition.
• Note There is no current standard data field
  description for IPvX addresses.

90
Databases

• Databases containing network layer addresses
  should be capable of storing both IPv4 and IPv6
  addresses in an enterprise-wide standard format.
• Network-capable DBS should be tested for
  compatibility with IPv4, IPv6, and/or whichever
  4to6 and 6to4 tunneling mechanisms are
  implemented by the IRS.

91
End of Presentation

• Questions?
• Thanx for your attention and time.
• JamesRLindley_at_verizon.net

92
BLANK SLIDE

• This slide purposely left blank.

93
Extra Slides

• Following slides are examples of some of the
  items covered in the main presentation.

94
Features of Network Layer Protocols

• Logical Addressing
• IPv6 Address Space and Syntax
• IPv6 Address Types and Uses
• IPv6 Interface Address Configuration
• Route Discovery
• Quality of Service
• Packet Header Structures
• Fragmentation Methods
• Supporting Protocols

95
Aggregatable Global UnicastAddresses (RFC 3513)

• Refers to the ability to collapse or aggregate
  these addresses in a routing table
• Used for
• Top-Level Aggregation ID (TLA ID)
• Next-Level Aggregation ID (NLA ID)
• Site-Level Aggregation ID (SLA ID) (deprecated)
• Interface ID

96
Aggregating The /48

• Address scope is the entire IPv6 Internet
• Equivalent to public IPv4 addresses
• Known as a /48 since 48 bits denote the routing
  prefix
• This is the standard (smallest) IANA allocation
• Permits 65,532 subnets

97
Local-Use Unicast Addresses

• Link-local Unicast
• Used between on-link neighbors
• Equivalent to IPv4 APIPA addresses
• Single subnet, Routers will not forward
• Neighbor Discovery Autoconfiguration (NDAC)
• Link-Local Unicast Address Format
• Prefix is 1111 1110 10 or FE80/64
• Site-local addresses (deprecated)
• Used between nodes in the same site

98
Site-Local Unicast

• Address scope is a single site
• Equivalent to private IPv4 addresses (RFC 1918)
• Prefix Format 1111 1110 11
• FEC0/10 prefix for site
• Used for local site only
• Deprecated, but may be seen

99
Unique Local Addresses (RFC 4193)

• Private to an organization, yet unique across all
  of the sites of the organization
• Depends on Router Filtering to maintain locality
• FD00/8 prefix
• Replacement for site-local addresses
• Global scope within the site, no router zone ID
  required

100
Special IPv6 Addresses

• Unspecified address (new thing!)
• 00000000 or
• Loopback address
• 00000001 or 1
• DNS server is normally at
• FEC0000FFFF1
• FEC0000FFFF2, or
• FEC0000FFFF3

101
Compatibility Addresses

• Used to create tunneling or IPv4-derived IPv6
  addresses
• IPv4-compatible address 000000w.x.y.z or
  w.x.y.z
• IPv4-mapped address 00000FFFFw.x.y.z or
  FFFFw.x.y.z
• 6over4 address Interface ID of WWXXYYZZ
• 6to4 address Prefix of 2002WWXXYYZZ/48
• ISATAP address Interface ID of 05EFEw.x.y.z

102
NSAP Addresses (RFC 1888)

• NSAP or Network Service Access Point is an OSI IP
  (not IPv4) addressing scheme which may become
  popular in the future, so was made fully
  compatible with IPv6
• Currently unused

103
Multicast Addresses

• Replaces IPv4 broadcast addressing
• First byte is always FF
• Lifetime (4 bits) 0 if permanent, 1 if temporary
• Scope (4 bits) 2 link, 5 site, 8
  organization, E global
• Some IANA defined multicast (group) addresses
• FF021 (All nodes on the link)
• FF022 (All routers on the link)
• FF0513 (All DHCP servers in the site)

104
Anycast Address

• Used to send a packet to a group of hosts and the
  closest host will respond
• A Unicast address assigned to more than one
  interface/host
• Last Hop Routers are configured with a full
  128-bit route
• Routers must join the All routers on link
  Anycast group
• Now a host can send a packet to discover the
  closest available Default Gateway
• Can also be used for clustering server solutions
• Anycast still undergoing definition

105
EUI-64 Example

• Host has a MAC-48 address of 00-AA-00-3F-2A-1C
• 1. Convert MAC address to EUI-64 format by
  inserting Hex FF FE between the Manufacturers ID
  and the Adapter Serial Number
• 00-AA-00-FF-FE-3F-2A-1C
• 2. Complement the 7th bit of first byte
• The first byte in binary form is 00000000. When
  the seventh bit is complemented, it becomes
  00000010 (0x02).
• 02-AA-00-FF-FE-3F-2A-1C
• 3. Convert to colon hexadecimal notation and
  suppress leading zeros
• 2AAFFFE3F2A1C
• Link-local address for node with the MAC address
  of 00-AA-00-3F-2A-1C is FE802AAFFFE3F2A1C

106
EUI-64 Privacy Extensions

• Since the EUI-64/MAC address doesnt change,
  there are privacy concerns
• RFC 3041 Privacy Extensions defines how the
  Interface ID can be randomly generated and
  changed often to protect privacy
• Leverages preferred and valid lifetimes - 24
  hours preferred, 6 days valid
• Privacy Extensions make internal tracking and
  scanning more difficult

107
Router Solicitations

• When a host boots, it cannot wait for 5 minutes
  for configuration data
• Host will send a Router Solicitation (RS) to
  FF022 (All-routers-on-link)

108
Boot Sequence Address Configuration

• Host generates a link-local address using
  Local-Link prefix Interface ID
• Host checks for address collision (Duplicate
  Address Detection)
• Host sends Router Solicitation to FF022
• Router sends Router Advertisement
• If RA Managed Address field1, host contacts DHCP
  for Global Unicast address (FF0212 or
  FF0215 if no response)
• If RA Managed Address field 0, host combines
  link prefix with Interface ID to create Global
  Unicast Address

109
MobileIP

• RFC 3775
• Components
• Mobile Node
• Home Agent (Transfer agent)
• Home Address (HA) (Permanent Address)
• Care-of-Address (CoA) (Hosting Net Address)
• uses Packet Extension Headers
• Can be P2P with route optimization