IPv6 Security

Course Description

Most knowledgeable IT professionals have a clear sense of just how imperative a secure networking environment is to the successful use of IP networks. The reasonable but still precarious level of security that is achievable with IPv4 technology has been achieved over about two decades of public use of the Internet, during which the sophistication and motivation of opponents have greatly increased.

The architecture of IPv6 was defined with the intent that it would offer a higher level of intrinsic security than is offered by IPv4. To some extent this has been achieved - but in some ways it creates challenges and vulnerabilities that are not part of the IPv4 realm.

The objective of this course is to enable people with a working knowledge of IPv6 to understand the dimensions and scope of the security vulnerabilities that are recognized to be part of IPv6 networking. Specifically, the course identifies what kinds of architectural features, operating policies, and administrative elements define the best practices for developing a secure IPv6 infrastructure.

IPv6 security is still a work in progress. The course is designed to enable students to evolve their understanding of the subject as working experience in the industry evolves. Thus, in some cases, the course deals with issues about which there may not yet be an industry consensus -- and potential problem areas that may or may not develop into threats.

Who Should Attend

Students are assumed to have conceptual familiarity with IPv6 to the extent of understanding:

  • IPv6 header features, notably including expanded address space and features of options/extension headers.
  • Address management options; stateless and stateful address assignments.
  • ICMP for Version 6 (ICMP6).
  • Mobile IP.
  • Quality of Service features.
  • Transition strategies that involve tunneling.

Workshop Program

This course includes a hands-on workshop component, in which students have the opportunity to explore some of the important conceptual features of IPv6 and ICMP6, and to view and analyze security-related packet and protocol features with Wireshark and other software tools. If the hands-on activity is impractical due to lack of computers, students will be walked through an in-class demonstration of the workshop elements, and be left with software to complete the hands-on part of the course on their own time.

Program Outline: IPv6 Security:

(i) Introduction

Many IPv6 security concerns have a familiar appearance
Other vulnerabilities have a very familiar feel
Some entree issues:
• Enhanced security was an early promise of IPv6
• Stateless Auto-configuration makes tracking of accountability challenging
• Mandated support for Routing Extension Headers creates new vulnerabilities
• Mobile IP adds important functionality -- with recognized problems
• Avoidance of NAT makes internal address visibility a concern
• Transition strategies commonly use tunnels -- a serious security vulnerability
• Dual stack configurations create risks due to unproven implementations

(ii) IPSec, Authentication and PKI

A cornerstone of IPv6 security is IPSec
Meeting the authentication, integrity and privacy objectives of IT security
VPNs: Transport and tunneling modes
Trust relationships and certificate/key exchange -- a PKI service is needed
Secure RTP -- an alternative to IPSec for real time applications

(iii) Risks and Security Features of The Basic IPv6 Protocol

Issues associated with the new address regime
Address auto-configuration
IPSec-Secured ICMP6 is problematical where endpoints are not known in advance
Secure Neighbor Discovery (SEND) offers some help
Routing Extension Headers
Fragmentation spoofing
Anycast addressing is difficult to secure
QoS DiffServ and/or Flow labeling lack authentication

(iv) Mobile IPv6

Greatly improved mobility support with IPv6 is a valuable feature
IPSec authentication procedures may be too time-consuming for real time mobility
Spoofing and session hijacking are potential challenges

(v) Transition Issues

Transitioning to IPv6
Tunneling is envisaged in several forms
Undocumented IPv6 hosts can unwittingly create a stealth network

(vi) Mitigation Strategies and Best Practice Recommendations

Corporate networks should isolate developmental IPv6 subnets
Firewalls must be enabled with robust IPv6 support and deep inspection capability
Secure ICMPv6 traffic wherever possible
Network tools must be IPv6 enabled
Intrusion detection (IDS) is vital -- network and host-based
Disable IPv6 functionality where it is not actually used (as with most Vista hosts).
Much of the security detail is a work-in-progress

Appendix

Workshop/lab manual

General Index

 

 
