5/5/12

Click to edit Master subtitle style

5/5/12

IPv6 Security Considerations

IPv6 Security Considerations

5/5/12

Authorization for automatically assigned addresses and configurations

Protection of IPv6 packets

Host protection from scanning and attacks

Authorization for Automatically Assigned Addresses and Configurations

IPv6 hosts can use the following methods to obtain an address configuration:

5/5/12

1-Neighbor Discovery (ND) with an exchange of Router Solicitation and Router Advertisement messages.

2-Dynamic Host Configuration Protocol for IPv6 (DHCPv6).

Authorization for Automatically Assigned Addresses and Configurations

For ND-based IPv6 configuration, SEcure Neighbor Discovery (SEND) (defined in RFC 3971) can provide protection for Router Solicitation and Router Advertisement messages. SEND can also provide protection for Neighbor Solicitation and Neighbor Advertisement message exchanges for address resolution or neighbor unreachability detection.

5/5/12

IPv6 in Windows Server 2008 and Windows Vista does not support SEND.

Recommendations
5/5/12

To prevent unauthorized computers from communicating on intranets, the recommendation is that you use IEEE 802.1X authentication to authenticate all computers that are connecting to your network with wired or wireless connections. With IEEE 802.1Xbased authentication at the link layer, computers cannot send any network traffic until they have authenticated themselves to a switch or wireless access point. Only after a successful IEEE 802.1X authentication can an IPv6 host use address autoconfiguration protocols such as ND or DHCPv6 to obtain an automatically assigned IPv6 address configuration.

Protection of IPv6 Packets

5/5/12

To help protect IPv6 packets from tampering (data modification) and interpretation (passive capturing) by intermediate or neighboring nodes, IPv6 packets can be protected with Internet Protocol security (IPsec). IPsec uses cryptographic security services to provide tampering protection, spoofing protection, and optional encryption for IP packets.

Host Protection from Scanning and Attacks

5/5/12

Address Scanning :
With IPv6, the scanning of a subnet for valid unicast IPv6 addresses is made much more difficult by the large number of possible addresses.

an attacker must theoretically scan up to 264 possible addresses.

Host Protection from Scanning and Attacks

5/5/12

Port Scanning :
To prevent a port scan, hosts should use a host-based stateful firewall. Host-based stateful firewalls silently discard all incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic).

A host-based stateful firewall will not prevent an attacker from determining open ports on a host if those ports are being used for active communication or the ports correspond to a service being offered by the host.

Control of What Traffic Is Exchanged with the Internet

5/5/12

To prevent unwanted traffic from the Internet, organizations typically deploy edge firewalls, proxies, and intrusion detection systems (IDSs).

These security devices attempt to ensure that an attackers traffic from the Internet .cannot penetrate to the intranet

Recommendations
5/5/12

To prevent unwanted and unauthorized IPv6 traffic from the Internet, you can do the following:
v

Upgrade your edge firewall, proxy, and IDS to include IPv6 and tunneled IPv6

functionality.

If your intranet computers must communicate with hosts on the IPv6 Internet,

upgrade your edge firewall between your intranet and the IPv6 Internet to support stateful IPv6 firewalling.

Recommendations
5/5/12

For IPv6-over-IPv4 tunneled traffic from Internet hosts to intranet hosts,

configure your IPv4-based edge firewall to drop all IPv4 protocol 41 packets on its Internet interface. An exception is when you are using 6to4. The 6to4 router must be able to receive IPv6- over-IPv4 tunneled traffic from the Internet.

For Teredo traffic from intranet hosts to Internet hosts, configure your

IPv4-based edge firewall to silently discard all IPv4 traffic with the source or

Recommendations
5/5/12

Deploy ISATAP correctly on your intranet so that default route traffic is never forwarded

to the IPv4 Internet. Default route traffic from ISATAP hosts on the IPv4 portion of your network should be forwarded to an ISATAP router, which is connected to both the IPv4 and IPv6-capable portions of your intranet. The default route on the ISATAP router should point to the IPv6-capable portion of your intranet.

If your ISATAP router and edge firewall is the same device, ensure that the devices

default route for IPv6 traffic points to the IPv6-capable portion of your network, not to the IPv4 Internet.

Recommendations
5/5/12

If the ISATAP hosts on your intranet must communicate with hosts on the

IPv6 Internet, upgrade your edge firewall between your intranet and the IPv6 Internet to support stateful IPv6 firewalling.

21/5/5


5/5/12

Understanding IPv6 2nd Edition - Microsoft Press