© 2006 Cisco Systems, Inc. All rights reserved. IP6FD v
Security Issues in IPv6 Transition
Discussing Security Issues in an IPv6 Transition Environment
Dual-Stack Issues
- A dual-stack node may be well protected on IPv4 yet poorly protected on IPv6 (for example, IPsec policy applied to IPv4 only, as in the figure).
- The node's IPv6 address may be discovered via an IPv4 scan when the interface identifier mirrors the IPv4 address (a host at .25 that also answers at ::25).
- The IPv4 and IPv6 links may run at different security levels, so an attacker simply takes the weaker path.
[Figure: Host A (.25 on IPv4, ::25 on IPv6 within the :DB8:8904:A23B::/64 prefix) speaks IPv4 with IPsec to Host B but IPv6 without IPsec; the attacker reaches Host A over the unprotected IPv6 path.]
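The second bullet is easy to turn into an audit tool. The script below is an added example, not part of the Cisco slides: given the hosts an IPv4 scan found on a dual-stack segment, it enumerates the IPv6 addresses those hosts are likely to have so the IPv6 side can be scanned and its policy compared with the IPv4 side. The prefix and scan results are constructed, and the address patterns are common hand-assignment conventions (the slide's .25 / ::25 among them), not a standard.

```python
"""Candidate IPv6 addresses for hosts found by an IPv4 scan of a dual-stack segment.

Added example, not from the Cisco slides. The prefix and the scan results are
constructed sample data; the address patterns are common administrator
conventions (hand-assigned interface IDs that mirror the IPv4 address), not a
standard, so the output is a list of places to look, not a guarantee."""
import ipaddress


def ipv6_candidates(prefix: str, ipv4_host: str) -> list[str]:
    """Return likely IPv6 addresses of ipv4_host within a /64 (or shorter) prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("expected a /64 or shorter prefix")
    v4 = ipaddress.IPv4Address(ipv4_host)
    octets = v4.packed
    iids = set()
    # Pattern 1: the last IPv4 octet as the interface ID, both numerically
    # (.25 -> ::19) and as the same digits read as hex (.25 -> ::25, the
    # convention shown in the slide's figure).
    iids.add(octets[-1])
    iids.add(int(str(octets[-1]), 16))
    # Pattern 2: the whole IPv4 address in the low 32 bits (192.0.2.25 -> ::c000:219).
    iids.add(int(v4))
    # Pattern 3: each octet written as its own hextet and read as hex
    # (192.0.2.25 -> :192:0:2:25).
    iid = 0
    for o in octets:
        iid = (iid << 16) | int(str(o), 16)
    iids.add(iid)
    return sorted(str(net.network_address + i) for i in iids)


def candidates_for_scan(prefix: str, ipv4_hosts: list[str]) -> dict[str, list[str]]:
    """Map every scanned IPv4 host to its IPv6 candidates for an IPv6-side audit."""
    return {h: ipv6_candidates(prefix, h) for h in ipv4_hosts}


if __name__ == "__main__":
    # Constructed scan result: two hosts that answered on IPv4.
    SCAN = ["192.0.2.25", "192.0.2.40"]
    for host, cands in candidates_for_scan("2001:db8:8904:a23b::/64", SCAN).items():
        print(host, "->", ", ".join(cands))
```

SLAAC (EUI-64) and privacy addresses cannot be inferred from an IPv4 address alone, so the list is a starting point for the IPv6 scan, not a substitute for one; the point is that whatever answers on these addresses should be held to the same filtering and IPsec policy as its IPv4 twin.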
Transition Mechanism Challenges: Inability to Inspect Tunneled Packets
Firewalls typically have no visibility into the payload of a tunneled packet. An IPv4 firewall sees only the outer IPv4 header and the protocol number (41 for IPv6 in IPv4); the inner IPv6 header and its Layer 4 headers and data are opaque to it, so only an IPv6 firewall placed after decapsulation can inspect them.
[Figure: IPv4 Header | IPv6 Header | IPv6 Payload (includes Layer 4 headers and data). The IPv4 payload is opaque to the IPv4 firewall and available for inspection only by the IPv6 firewall.]
Transition Mechanism Challenges (Cont.): 6to4 Firewall Solution
Place the IPv4 firewall in front of the 6to4 router and an IPv6 firewall behind it. The IPv4 firewall performs no deep packet inspection; it passes the IPv6-in-IPv4 tunnel through to the 6to4 router, which decapsulates it, and the IPv6 firewall then inspects the resulting IPv6 packets.
[Figure: IPv4 -> IPv4 Firewall (no deep packet inspection, IPv4 pass-through) -> 6to4 router (IPv6 in IPv4 tunnel terminates) -> IPv6 Firewall -> IPv6]
Transition Mechanism Challenges (Cont.): ISATAP Firewall Solution
The same placement applies to ISATAP: the IPv4 firewall in front of the ISATAP router, the IPv6 firewall behind it. In both the 6to4 and ISATAP solutions the IPv4 firewall filters the outer headers before the tunnel reaches the transition device, and the IPv6 firewall inspects the decapsulated traffic before it enters the IPv6 network, so no tunneled packet reaches the IPv6 network without inspection.
[Figure: IPv4 -> IPv4 Firewall -> ISATAP router (IPv6 in IPv4 tunnel terminates) -> IPv6 Firewall -> IPv6]
Transition Mechanism Challenges (Cont.): Use of IPsec
Prevalent use of IPsec by internal hosts (peer to peer) means that edge devices and firewalls cannot inspect ESP-encrypted payloads. Only the IPv6 header (Next Header = 50, ESP) and the ESP header (SPI and sequence number) are in the clear; the encrypted headers and payload, through the ESP trailer, are opaque to the IPv6 firewall.
[Figure: IPv6 Header (next header = 50 = ESP) | ESP Header | Encrypted Headers and Payload | ESP Trailer. Opaque to IPv6 firewall.]
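The two "opaque" cases on the preceding slides (IPv6 tunneled in IPv4, and ESP inside IPv6) are made concrete below. This is an added example, not code from the Cisco slides: it builds two constructed packets with Python's struct module (checksums left at zero, never put on the wire) and shows which fields an IPv4-only firewall can match on, which fields an IPv6 firewall sees after the tunnel endpoint decapsulates, and where inspection stops when the IPv6 Next Header is 50. The addresses, ports and SPI are sample values and the 16 bytes of ESP "ciphertext" are a placeholder.

```python
"""What an IPv4-only firewall sees versus what an IPv6 firewall sees.

Added example, not from the Cisco slides. Two constructed packets (checksums
left zero, never sent): an IPv6-in-IPv4 tunnel packet carrying TCP, and a native
IPv6 packet carrying ESP. Addresses, ports and SPI are sample values; the ESP
"ciphertext" is 16 placeholder bytes."""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_IPV6 = 41   # IPv6 encapsulated in IPv4 (6to4, ISATAP, manual tunnels)
IPPROTO_ESP = 50


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IHL=5, TTL 64, header checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int) -> bytes:
    """Fixed 40-byte IPv6 header (version 6, hop limit 64)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def tcp_syn(sport: int, dport: int) -> bytes:
    """20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)


def esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the opaque encrypted part."""
    return struct.pack("!II", spi, seq) + ciphertext


def ipv4_firewall_view(pkt: bytes) -> dict:
    """Fields an IPv4-only firewall can match on. For protocol 41 the Layer 4
    information lives inside the IPv6 payload, which it does not parse."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    view = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "sport": None, "dport": None}
    if proto == IPPROTO_TCP:
        view["sport"], view["dport"] = struct.unpack("!HH", pkt[(vihl & 0x0F) * 4:][:4])
    return view


def decapsulate(pkt: bytes) -> bytes:
    """What the tunnel endpoint hands to the IPv6 firewall: the inner IPv6 packet."""
    if pkt[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol is not 41 (IPv6-in-IPv4)")
    return pkt[(pkt[0] & 0x0F) * 4:]


def ipv6_firewall_view(pkt6: bytes) -> dict:
    """Fields an IPv6 firewall can match on. TCP ports are visible; for ESP only
    the SPI and sequence number are in the clear and the ports stay unknown."""
    _, _, nh, _, src, dst = struct.unpack("!IHBB16s16s", pkt6[:40])
    view = {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "next_header": nh, "sport": None, "dport": None, "spi": None}
    body = pkt6[40:]
    if nh == IPPROTO_TCP:
        view["sport"], view["dport"] = struct.unpack("!HH", body[:4])
    elif nh == IPPROTO_ESP:
        view["spi"] = struct.unpack("!I", body[:4])[0]
    return view


# Constructed sample 1: IPv6-in-IPv4 tunnel packet carrying a TCP SYN to port 80.
INNER = ipv6_header("2001:db8:1::10", "2001:db8:2::80", IPPROTO_TCP, 20) + tcp_syn(40000, 80)
TUNNELED = ipv4_header("192.0.2.1", "198.51.100.1", IPPROTO_IPV6, len(INNER)) + INNER
# Constructed sample 2: native IPv6 packet whose payload is ESP (Next Header = 50).
ESP_PKT = ipv6_header("2001:db8:1::10", "2001:db8:2::80", IPPROTO_ESP, 8 + 16) + esp(0x1234, 1, b"\x00" * 16)

if __name__ == "__main__":
    print("IPv4 firewall sees:", ipv4_firewall_view(TUNNELED))
    print("IPv6 firewall sees:", ipv6_firewall_view(decapsulate(TUNNELED)))
    print("IPv6 firewall sees (ESP):", ipv6_firewall_view(ESP_PKT))
```

The IPv4 view of the tunneled packet contains a protocol number and two addresses and nothing else, which is exactly why the slides put an IPv6 firewall behind the tunnel endpoint; the ESP view shows that even that firewall is reduced to matching on addresses and SPI once hosts run IPsec end to end.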
Transition Mechanism Challenges (Cont.): IPv6 Manual Tunnels from Edge Devices
In the figure, a manually configured IPv6-in-IPv4 tunnel (tun0) runs over the serial interfaces (s0/0) between the edge router and the site router (IPv4 and IPv6). The edge router passes only IP protocol 41 for the configured tunnel, so 6to4 packets arriving from a 6to4 relay are discarded.
[Figure: 6to4 Relay --6to4 packets--> Router (passes IP protocol 41 only; 6to4 packets discarded) --IPv6 in IPv4 tunnel (tun0, s0/0)--> Site Router (IPv4 and IPv6, tun0, s0/0)]
Tunnel Security Issues: 6to4
A 6to4 relay accepts IPv6-in-IPv4 packets from any IPv4 source, so a hacker with a packet generator can inject invalid, generated 6to4 IPv4 packets alongside valid ones, forging the outer IPv4 source, the inner 2002:v4addr::/48 source, or both, and have the relay forward them into the IPv6 Internet. Relays and 6to4 routers should at least check that the IPv4 address embedded in a 2002:v4addr::/48 source matches the outer IPv4 source address of the packet that carried it.
[Figure: 6to4 site (2002:v4addr::/48) --valid 6to4 IPv4 packet--> 6to4 Relay --> IPv6 Internet; Hacker with Packet Generator --invalid, generated 6to4 IPv4 packet--> 6to4 Relay]
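The consistency check just described, as an added example (not from the Cisco slides and not a Cisco implementation): a 2002:V4ADDR::/48 source is only credible if V4ADDR equals the IPv4 address the encapsulated packet actually arrived from, and that address must itself be a routable unicast address. The sample addresses are constructed, and the bogon list is deliberately short (it omits the documentation ranges so those addresses can be used in the sample).

```python
"""Ingress checks a 6to4 relay (or a 6to4 router receiving from a relay) can
apply before forwarding a decapsulated packet.

Added example, not from the Cisco slides. The sample addresses are constructed
and the bogon list is intentionally incomplete (documentation ranges omitted so
they can serve as sample public addresses)."""
import ipaddress

SIX2FOUR = ipaddress.IPv6Network("2002::/16")

# IPv4 ranges that can never legitimately be a 6to4 router's public address.
# Constructed for this example; a real deployment uses a full bogon list.
INVALID_6TO4_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def six2four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a site derives from its public IPv4 address: 2002:V4ADDR::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(addr6: str) -> ipaddress.IPv4Address:
    """Extract V4ADDR from a 2002:V4ADDR::/48 address (bits 16..47 of the address)."""
    a = ipaddress.IPv6Address(addr6)
    if a not in SIX2FOUR:
        raise ValueError(f"{addr6} is not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def relay_accept(outer_src_v4: str, inner_src_v6: str, inner_dst_v6: str) -> tuple[bool, str]:
    """Decide whether a relay should forward a packet that arrived encapsulated
    from outer_src_v4 and carries inner_src_v6 -> inner_dst_v6. Returns (ok, reason)."""
    o_src = ipaddress.IPv4Address(outer_src_v4)
    i_src = ipaddress.IPv6Address(inner_src_v6)
    i_dst = ipaddress.IPv6Address(inner_dst_v6)
    if any(o_src in n for n in INVALID_6TO4_V4):
        return False, "outer IPv4 source is not a routable unicast address"
    if i_src not in SIX2FOUR:
        return False, "inner IPv6 source is not a 6to4 address"
    if embedded_ipv4(inner_src_v6) != o_src:
        # The slide's generated packet: a forged inner source behind a different outer source.
        return False, "embedded IPv4 address does not match outer IPv4 source (spoofed)"
    if i_dst in SIX2FOUR:
        # 6to4 sites reach each other directly; a relay only serves native IPv6 destinations.
        return False, "6to4 destination should not transit a relay"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed: a legitimate site at 198.51.100.7, then a spoofed copy from 203.0.113.9.
    print(six2four_prefix("198.51.100.7"))
    print(relay_accept("198.51.100.7", "2002:c633:6407::1", "2001:db8::80"))
    print(relay_accept("203.0.113.9", "2002:c633:6407::1", "2001:db8::80"))
```

The check catches the case the slide draws (inner source forged behind another outer source) but not a packet whose outer source is forged to match its inner source; stopping that requires IPv4 anti-spoofing at the attacker's own ISP, which is why the slide's broader point is that 6to4 traffic should be treated as untrusted at the perimeter.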
Tunnel Security Issues (Cont.): Teredo
Teredo requires outbound UDP from the client, which sits behind an IPv4 NAT, to a Teredo server on the IPv4 Internet. In the enterprise, all outbound UDP traffic should be denied by default, with specific UDP services permitted only to specific Internet sites; that alone keeps Teredo from tunneling IPv6 out past the perimeter. Other security issues exist with Teredo, all of which can be partially mitigated and most of which are not new.
[Figure: Teredo Client -> IPv4 NAT -> Teredo Server]
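Two things a perimeter team needs for the Teredo slide, as an added example (not from the Cisco slides): how to recognise Teredo client-to-server traffic in flow records under a default-deny UDP policy, and how to read a Teredo address, which encodes the server's IPv4 address and the client's NAT mapping. The address layout and UDP port 3544 follow the Teredo specification (RFC 4380); the addresses, ports, flow records and the UDP allowlist are constructed for this example.

```python
"""Recognising and decoding Teredo traffic at the enterprise edge.

Added example, not from the Cisco slides. The Teredo address layout and UDP
port 3544 are from RFC 4380; the addresses, ports and flow records are
constructed sample data, and the UDP allowlist is hypothetical."""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
TEREDO_UDP_PORT = 3544
CONE_FLAG = 0x8000


def teredo_address(server_v4: str, cone: bool, mapped_v4: str, mapped_port: int) -> str:
    """Build 2001:0:SERVER:FLAGS:~PORT:~CLIENT. The external port and address the
    NAT assigned are stored XORed with all-ones so NATs do not rewrite them."""
    n = (0x20010000 << 96) | (int(ipaddress.IPv4Address(server_v4)) << 64)
    n |= (CONE_FLAG if cone else 0) << 48
    n |= (mapped_port ^ 0xFFFF) << 32
    n |= int(ipaddress.IPv4Address(mapped_v4)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv6Address(n))


def decode_teredo(addr6: str) -> dict:
    """Recover the Teredo server and the client's NAT mapping from a Teredo address."""
    a = ipaddress.IPv6Address(addr6)
    if a not in TEREDO_PREFIX:
        raise ValueError(f"{addr6} is not a Teredo address")
    n = int(a)
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "cone": bool((n >> 48) & CONE_FLAG),
        "mapped_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "mapped_ip": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


# Hypothetical allowlist: the only outbound UDP the perimeter permits, as
# (destination, port) pairs. Everything else is denied, Teredo included.
ALLOWED_UDP = {("198.51.100.53", 53)}


def classify_outbound(dst_ip: str, proto: str, dport: int) -> str:
    """Policy decision for one outbound flow record under default-deny UDP."""
    if proto != "udp":
        return "not-udp"
    if (dst_ip, dport) in ALLOWED_UDP:
        return "permit"
    if dport == TEREDO_UDP_PORT:
        return "deny:teredo-server"
    return "deny:default"


if __name__ == "__main__":
    # Constructed: client NATed to 203.0.113.7:40000, using Teredo server 192.0.2.45.
    addr = teredo_address("192.0.2.45", True, "203.0.113.7", 40000)
    print(addr, decode_teredo(addr))
    for flow in [("192.0.2.45", "udp", 3544), ("198.51.100.53", "udp", 53), ("198.51.100.9", "udp", 5000)]:
        print(flow, "->", classify_outbound(*flow))
```

Matching on port 3544 only identifies the client-to-server qualification traffic; data to other Teredo clients uses whatever port the NAT mapped, so the default-deny rule, not the port match, is what actually stops the tunnel. Decoding addresses seen in IPv6 logs is still useful for finding which internal client, and which external server, were involved.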
NAT-PT Security Issues
IPsec cannot run through NAT-PT. NAT-PT rewrites the IP headers and, for protocols that carry addresses in their payload, the payload as well: the FTP PORT command tells the server the address and port at which the client will listen for the data connection, and that embedded address must be translated too. With IPsec/ESP the payload is encrypted, so NAT-PT can neither rewrite the embedded address nor keep the protected transport checksum consistent with the translated header, and the session fails.
[Figure: IPv6-only side (FTP client, IPsec peer) - NAT-PT - IPv4-only side (FTP server, IPsec peer). IPv6 packet: s=[2001:db8::30]:1000, d=[2001:db8::40]:23, TCP FTP with embedded v4 addresses (FTP PORT command: client will listen for data at ...). Translated IPv4 packet: s= :40000, d= :23. The same exchange with IPsec/ESP encryption cannot be translated.]
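The payload translation the slide refers to, as an added example (not from the Cisco slides and not Cisco's NAT-PT ALG): an IPv6-only FTP client announces its data port with EPRT (RFC 2428), which carries an IPv6 address, so the ALG must produce the PORT command with the IPv4 address NAT-PT has bound to that client, and the server's 227 passive reply must be rewritten the other way. The binding table, addresses and commands are constructed sample data. The last function shows why the ALG has nothing to work on when the transport is ESP.

```python
"""The FTP payload translation NAT-PT has to perform, and why ESP stops it.

Added example, not from the Cisco slides and not Cisco's ALG. The binding
table, addresses and commands are constructed sample data."""
import ipaddress
import re
from typing import Optional

# Constructed NAT-PT binding: IPv6 client address -> IPv4 address presented to the server.
BINDINGS = {"2001:db8::30": "203.0.113.30"}

EPRT_RE = re.compile(r"^EPRT \|2\|([0-9a-fA-F:]+)\|(\d{1,5})\|\r\n$")
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\.?\r\n$")


def eprt_to_port(line: str) -> tuple[str, int]:
    """Rewrite 'EPRT |2|v6addr|port|' into 'PORT h1,h2,h3,h4,p1,p2'.
    Returns the new line and the change in byte count, which the ALG must then
    compensate in TCP sequence and acknowledgement numbers for the rest of the
    control connection."""
    m = EPRT_RE.match(line)
    if not m:
        raise ValueError("not an EPRT command")
    v6, port = m.group(1), int(m.group(2))
    v4 = BINDINGS[str(ipaddress.IPv6Address(v6))]   # normalise the address before lookup
    h = v4.split(".")
    new = f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}\r\n"
    return new, len(new) - len(line)


def pasv_to_epsv(line: str) -> tuple[str, int]:
    """Rewrite the server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into
    the IPv6 form '229 Entering Extended Passive Mode (|||port|)'; the client
    then connects to the same NAT-PT address it used for the control connection."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply")
    port = int(m.group(5)) * 256 + int(m.group(6))
    new = f"229 Entering Extended Passive Mode (|||{port}|)\r\n"
    return new, len(new) - len(line)


def translate_ftp_control(next_header: int, payload: bytes) -> Optional[bytes]:
    """The ALG only works on plaintext TCP. With ESP (protocol 50) the FTP command
    is inside the encrypted payload, so there is nothing it can rewrite; the
    embedded IPv6 address would reach the IPv4-only server unchanged."""
    if next_header == 50:
        return None
    text = payload.decode("ascii")
    if text.startswith("EPRT "):
        return eprt_to_port(text)[0].encode("ascii")
    if text.startswith("227 "):
        return pasv_to_epsv(text)[0].encode("ascii")
    return payload


if __name__ == "__main__":
    print(eprt_to_port("EPRT |2|2001:db8::30|1025|\r\n"))
    print(pasv_to_epsv("227 Entering Passive Mode (203,0,113,80,19,137).\r\n"))
    print(translate_ftp_control(50, b"\x00\x00\x12\x34\x00\x00\x00\x01..."))
```

Even without FTP, ESP transport mode fails through NAT-PT because the TCP checksum inside the encrypted payload covers the original addresses; the ALG above just makes the dependency on readable payload visible.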
ICMP Traffic Requirements
Mobile IPv6 adds ICMPv6 traffic that must cross the perimeter: the resident home agents inside must be reachable by mobile nodes that are away, visiting mobile nodes sit inside the DMZ, and the IPv6 client/peer inside and the Internet server/peer outside exchange traffic through the proxy and DMZ servers. ICMPv6 at the outside interface must therefore be closely managed, permitting what these functions need rather than blocking ICMP outright.
[Figure: Inside (Resident Home Agents, IPv6 Client/Peer) | DMZ (Visiting Mobile Nodes, Proxy and DMZ Servers) | Outside (Mobile Nodes (away), Internet Server/Peer), with closely managed ICMP at the perimeter]
Summary
- Dual stack may lead to an uneven security posture at Layer 3: one for IPv4 and another for IPv6.
- IPv4 firewalls cannot inspect the IPv6 packets carried by transition tunnels; inspect them with an IPv6 firewall after decapsulation.
- When IPsec is used end to end, edge devices cannot inspect ESP-encrypted payloads.
- Tunneling can compromise perimeter security.
- IPsec cannot run through NAT-PT.
- When configuring edge packet filtering, deny all by default and permit only the needed functions.