IPV6: CURRENT DEPLOYMENT AND MIGRATION STATUS AND SECURITY CHALLENGES
Presenters
Lepe Khanum (lepek@ifi.uio.no)
Tor Håvard Karlsen (torhk@ifi.uio.no)
Date: 18.03.16
Agenda
• Introduction
  – History of IP
  – IPv6 address
• IPv6: Current Deployment and Migration Status
  – Deployment
  – Transition technologies
  – Migration
• IPv6 Security Challenges
  – IPv6 auto-configuration
  – Attacks
  – Security solutions and tools
  – Security challenges
  – Future research
Internet Protocol (IP)
The Internet Protocol is responsible for addressing hosts
and for routing datagrams (packets) from a source host to a
destination host across one or more IP networks.
(source: wikipedia)
History of IP
• In May 1974, the IEEE first published the paper about TCP/IP.
• IP versions 0 to 3 were experimental protocols, used between 1977 and 1979.
• In 1981, IPv4 was introduced by RFC 791.
• In 1995, IPv6 was introduced by RFC 1883 (later revised in RFC 2460).
• In 1996, NAT was also introduced, by RFC 1918.
IPv6 address
• IPv4 uses a 32-bit address, giving 2^32 = 4 294 967 296 addresses.
• IPv6 uses a 128-bit address, giving 2^128 ≈ 3.4×10^38 addresses, that is more than 7.9×10^28 times as many as IPv4.
Figure: IPv4 vs. IPv6 address format
IPv6: Current Deployment and Migration Status
Xianhui Che, Dylan Lewis
IPv6 Security Challenges
Carlos E. Caicedo, James B.D. Joshi and Summit R. Tuladhar
IPv6 Deployment
• Small countries are ahead of the IPv6 deployment schedule compared to bigger ones.
• The IPv4 leader, the United States, has reached only a 2% level, whereas the Vatican was the first to reach 100% IPv6 deployment.
• Next is Cuba, with a 60% deployment ratio as assessed in April 2009.
IPv6 Deployment
• A large portion (almost 40%, or 1481.694 million) of IP addresses have been allocated to the USA.
• Twenty-one percent of IP addresses are currently unallocated.
• It is not possible to redistribute them to ease the need for IPv4 addresses.
• It is better to create a new infrastructure than to modify an existing, older infrastructure.
IPv6 Deployment
Figure: IPv4 vs. IPv6
• Users are not interested in knowing which protocol they are using.
IPv6 deployment
IPv6 vs. NAT
• NAT played a major role in meeting the IP address requirement that arose out of Internet growth, while IPv6 deployment has been slow in coming.
• IPv6 is end-to-end transparent, whereas NAT is not.
IPv6 deployment
• IPv6 is not just about IP address space, but also about cost savings for the network.
• IPv6 allows clients to communicate with one another without any human intervention because of its auto-configuration mechanisms.
• For Mobile IP, the adoption of IPv6 has been made relatively easier compared to the case of the Internet backbone network.
Transition technologies of IPv6
There are four types of transition technologies:
• Dual stack
• Translation
• Tunneling
• IPv6 over WAN links
Transition Technologies
Dual Stack
• Dual stack is a basic mechanism that implements both protocols in the network layer at the same time.
• The dual-stack mechanism does not require tunneling within the network.
Fig: Dual-Stack IPv6 Topology
Source: http://what-when-how.com/wp-content/uploads/2011/09/tmp1914_thumb.jpg
Transition Technologies
Translation
• A translator works in a similar way to NAT.
Figure: NAT64/DNS64
https://labs.ripe.net/Members/raimis/experimental-nat64-dns64-service
Transition Technologies
Tunneling
Source: https://josephmlod.files.wordpress.com/2011/06/ipv6-overipv4-tunnel.png
Transition Technologies
6to4 tunneling
Source: https://josephmlod.files.wordpress.com/2011/06/ipv6auto6to4.png
Transition Technologies
Comparisons of different tunneling technologies
Transition Technologies
IPv6 over WAN links
• MPLS
• ATM
• Packet over SONET/SDH (POS)
Transition Technologies
Comparisons of different transition approaches
Performance Validation
• The core network is implemented either with IPv4 or with IPv6.
• TCP is designated as the transport layer protocol for the evaluation of network layer protocol performance.
• RIP/RIPng is chosen as the routing protocol in the core network.
Fig1: Network simulation model
• The statistics indicate very steady TCP performance supported by the IP core network despite the short node failure, which validates the excellence of the transitional approaches between IPv4 and IPv6.
Fig2: Average TCP segment delay for overlaid networks
Performance Validation
• The IP-only network is more advantageous in performance during the failure status, due to the additional features of RIPng.
Fig3: Average TCP segment delay for sole-protocol networks
• IPv4-only and IPv6-only networks encountered close-to-zero packet loss during the node failure.
• Networks implemented with a single routing policy are more active and flexible in responding to network status changes.
Fig4: IP packet loss
Migration challenges
Compatibility check
IPv4-to-IPv6 migration includes four issues:
• Interoperability with software and hardware
• Technology education
• Planning
• Business return on investment
Figure: IPv6 compatibility check
Migration challenges
• Technology education
  – An IPv6 upgrade requires education for developers about the vendor's services and the infrastructure.
  – Planning education for users should be done to support a smooth introduction of IPv6.
  – System administrators have to invest much more time to implement the new protocol.
• Planning
  – A step-by-step integration plan takes more time to build the network.
  – Migration from IPv4 to IPv6 should be completed on a node-by-node basis because IPv6 has auto-configuration features.
  – In the step-by-step strategy, dual stack is implemented in the initial phase (upgrade hardware and software), and then the transition plan can move forward.
Migration challenges
• Business return on investment
  – All resources on the network need to support the IPv6 protocol, so all the old machines have to be updated. But it would not make financial sense to spend money on old machines.
  – The longer the implementation is delayed, the more expense is needed to upgrade the network.
  – Private organizations may not be interested in spending money on the technology migration, since IPv4 NAT provides a short-term solution and is virtually cost free.
Migration challenges
Migration guidelines
• Network administrators need to know how the new protocol works. If they do not have that skill, training is necessary.
• Peripherals used on the network, such as printers, need to be checked to ensure their compatibility with IPv6.
• The report should cover relative costs and any problems that may arise in the future.
Figure: Migration guidelines
IPv6 auto-configuration
• Generate an IP address based upon the network prefix and the MAC address.
  – DHCP servers are therefore optional.
• Neighbor Discovery Protocol (NDP).
  – Part of the ICMPv6 protocol.
  – Fetch the network prefix using a Router Solicitation (RS) packet.
  – IPv6 features an "all routers" multicast address.
IPv6 auto-configuration
• Duplicate Address Detection (DAD)
  – Send a Neighbor Solicitation (NS) packet with the generated IP.
  – A Neighbor Advertisement (NA) packet is received if the address is already in use.
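The address derivation and the DAD exchange on these two slides, as an added example (code written for this page, not taken from the slides or from the Che & Lewis or Caicedo et al. papers): a Python model of stateless auto-configuration that forms the modified EUI-64 interface identifier from the MAC (RFC 4291, Appendix A), appends it to the link-local prefix and to the prefixes learned from Router Advertisements, and runs DAD against a constructed set of addresses already present on the link. The MAC, the RA prefixes and the neighbour set are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    The MAC is split in two halves, FF:FE is inserted in the middle and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (fe80::/64 for link-local, or one learned from an RA)
    with the EUI-64 interface identifier derived from the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 based SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def duplicate_address_detection(tentative, neighbours) -> bool:
    """Model DAD: the node multicasts an NS for the tentative address; a node that
    already holds it answers with an NA. Returns True when no NA would arrive."""
    return tentative not in neighbours


def autoconfigure(mac, ra_prefixes, neighbours):
    """Run SLAAC for one interface: link-local first, then one address per
    advertised prefix, keeping only the addresses that pass DAD."""
    accepted, rejected = [], []
    for prefix in ["fe80::/64", *ra_prefixes]:
        addr = slaac_address(prefix, mac)
        if duplicate_address_detection(addr, neighbours):
            accepted.append(addr)
        else:
            rejected.append(addr)
    return accepted, rejected


# Constructed sample input: one MAC, two prefixes from RAs, and the addresses of
# nodes already on the link (one of them collides with the second prefix).
SAMPLE_MAC = "00:1b:63:84:45:e6"
SAMPLE_RA_PREFIXES = ["2001:db8:1::/64", "2001:db8:2::/64"]
SAMPLE_NEIGHBOURS = {
    ipaddress.IPv6Address("2001:db8:2:0:21b:63ff:fe84:45e6"),
    ipaddress.IPv6Address("fe80::1"),
}

if __name__ == "__main__":
    ok, dup = autoconfigure(SAMPLE_MAC, SAMPLE_RA_PREFIXES, SAMPLE_NEIGHBOURS)
    print("configured:", [str(a) for a in ok])
    print("DAD failed:", [str(a) for a in dup])
```

Because the interface identifier is a pure function of the MAC, the same host gets a predictable identifier in every prefix, which is the privacy and tracking concern that RFC 4941 temporary addresses address; the model also shows why DAD is only as trustworthy as the NAs it receives.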
Attacks using NDP
• DoS attack on the DAD protocol.
• Man-in-the-middle attack.
• Bogus router implementation attack.
DoS attack on DAD protocol
Figure: a node performing DAD asks "Does anyone use address F34::1A:3?"
Man-in-the-middle attack
• Node A sends an NS packet to find the MAC address of Node B ("What is the MAC address of B?").
• An attacker can reply with an NA packet ("I'm node B, use my MAC address").
Figure: Node A, Node B and the attacker (shown in three steps)
Bogus router implementation attack
• Routers can use NDP to discover other routers.
• An attacker may send out false RA messages claiming to be a router.
• Receiving nodes do not validate RA messages.
  – They update their communication parameters.
  – This makes DoS and MITM attacks possible.
Non-NDP attacks
• Reconnaissance attacks
  – Attacker scans the network for vulnerable services on host machines.
    – Scan the network for hosts.
    – Scan ports of the identified host machines.
  – Huge address space.
    – Time consuming for attackers to scan all possible addresses.
    – Difficult for administrators to identify target systems or malicious systems on the network.
    – The multicast structure in IPv6 makes it possible to identify key network components such as routers and DHCP servers.
Non-NDP attacks
• Routing header attack
  – IPv6 allows packets to be routed through nodes specified in the packet header.
  – Destinations not otherwise reachable could become reachable through a specified route.
• Multicast-based attacks
  – IPv6 features multicast addresses for "all routers" and "all DHCP servers".
  – DoS attacks are possible by telling members to leave the multicast group.
Security solutions
• Secure Neighbor Discovery (SEND) protocol.
  – Uses Cryptographically Generated Addresses (CGA) to verify a sender's ownership of an IP address.
• CGA
  – An IPv6 address generated with a one-way cryptographic hash function based on the node's public key and some additional parameters.
  – Prevents stealing and spoofing of IP addresses.
  – Nothing prevents an attacker from generating a CGA.
    – Limited usefulness to an attacker.
  – Should be certified for better security.
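To make the CGA bullets concrete, here is an added example (written for this page, not code from the slides or from the Caicedo et al. paper) that implements RFC 3972 address generation and verification with the Python standard library: SHA-1 over the CGA Parameters, the Sec value written into the three leftmost bits of the interface identifier, and the Hash2 work factor that must be paid when Sec > 0. The "public key" is a placeholder byte string standing in for a DER-encoded key, and the fixed modifier is a constructed value used only so that the result is reproducible.

```python
import hashlib
import ipaddress
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class CgaParameters:
    """CGA Parameters data structure (RFC 3972 section 3): what a verifier needs."""
    modifier: bytes          # 16 bytes; random, then searched when Sec > 0
    subnet_prefix: bytes     # 8 bytes, the /64 the address lives in
    collision_count: int     # 0, 1 or 2; incremented after a DAD collision
    public_key: bytes        # DER-encoded public key of the owner (placeholder here)


def _hash1(p: CgaParameters) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the full CGA Parameters."""
    data = p.modifier + p.subnet_prefix + bytes([p.collision_count]) + p.public_key
    return hashlib.sha1(data).digest()[:8]


def _hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash2: leftmost 112 bits of SHA-1 over modifier || 9 zero bytes || key;
    the leftmost 16*Sec bits must be zero (the hash-extension work factor)."""
    if sec == 0:
        return True
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14], "big")
    return (h2 >> (112 - 16 * sec)) == 0


def generate_cga(subnet_prefix, public_key, sec, collision_count=0, modifier=None):
    """RFC 3972 section 4 generation. DAD (steps 8-9) is left to the caller, who
    retries with collision_count + 1 when the address is already in use."""
    if not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("Sec must be 0..7 and collision count 0..2")
    prefix = ipaddress.IPv6Network(subnet_prefix, strict=True).network_address.packed[:8]
    mod = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    # Steps 2-3: increment the modifier until Hash2 has 16*Sec leading zero bits.
    while not _hash2_ok(mod.to_bytes(16, "big"), public_key, sec):
        mod = (mod + 1) % (1 << 128)
    params = CgaParameters(mod.to_bytes(16, "big"), prefix, collision_count, public_key)
    # Steps 5-6: Hash1 becomes the interface identifier; write Sec into the three
    # leftmost bits and clear the "u" and "g" bits (bits 6 and 7 from the left).
    iid = bytearray(_hash1(params))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(prefix + bytes(iid)), params


def verify_cga(address, p: CgaParameters) -> bool:
    """RFC 3972 section 5 verification: does this parameter set really produce
    this address? Needs only public information, so any neighbour can run it."""
    packed = ipaddress.IPv6Address(address).packed
    if not 0 <= p.collision_count <= 2:              # step 1
        return False
    if packed[:8] != p.subnet_prefix:                 # step 2
        return False
    iid = packed[8:]
    expected = _hash1(p)                              # steps 3-4, ignoring bits 0-2, 6, 7
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    sec = iid[0] >> 5                                 # step 5: Sec from the address itself
    return _hash2_ok(p.modifier, p.public_key, sec)   # steps 6-7


# Constructed sample: a placeholder standing in for a DER-encoded public key and a
# fixed modifier so that the generated address is reproducible.
SAMPLE_KEY = b"PLACEHOLDER-DER-ENCODED-PUBLIC-KEY"
SAMPLE_MODIFIER = bytes(range(16))

if __name__ == "__main__":
    addr, params = generate_cga("2001:db8:1::/64", SAMPLE_KEY, sec=1, modifier=SAMPLE_MODIFIER)
    print(addr, "verifies:", verify_cga(addr, params))
    forged = CgaParameters(params.modifier, params.subnet_prefix, 0, b"ATTACKER-KEY")
    print("same address claimed with another key verifies:", verify_cga(addr, forged))
```

The verifier only checks that the address is bound to the presented public key; it says nothing about who owns that key, which is exactly the "nothing prevents an attacker from generating a CGA" point on the slide and the reason the bullets ask for certification. The Sec value only raises the cost of finding a second key for an existing address.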
Security solutions
• Firewalls and packet filtering
  – Knowledge of the IP address ranges used in the company network can mitigate address spoofing.
  – Block packets attempting to reach key network devices through their multicast addresses from outside the network.
  – IPv6 depends upon ICMPv6 to function. Therefore, filtering of these packets should be done carefully to ensure that the functionality of the network is not affected.
Security Tools
• Support for IPv6 in network security tools is in many cases limited or lacking.
• Open source tools that support IPv6:
  – THC-IPv6: a tool for attacking IPv6-based networks.
  – Multi-Generator, SendIP, Scapy6 and IPv6PacketGen: used for generating IPv6 packets.
  – Wireshark: network protocol analyzer.
  – Snort: intrusion detection and prevention system.
  – Neighbor Discovery Protocol Monitor (NDPMon): monitors the local network and reports suspicious ND messages.
  – ddaddos: monitors a network to detect DAD-based attacks.
  – NDPWatch: keeps a database of Ethernet vs. IPv6 pairings and reports any changes.
  – Nmap: network vulnerability scanner.
  – Netcat6: utility to read/write data across IPv6 connections.
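As an added example tying the NDP attacks from the earlier slides to the monitoring tools listed here (code written for this page, not NDPMon's or NDPWatch's own): a small Python monitor that learns an IPv6-to-MAC binding table from Neighbor Advertisements and flags a changed binding, and that flags Router Advertisements from a MAC that is not on the administrator's router allowlist or that advertise a prefix the administrator does not expect. The log line format, the allowlists and the five sample messages are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class NdEvent:
    """One Neighbor Discovery message as a passive monitor on the link sees it."""
    kind: str          # "RS", "RA", "NS" or "NA"
    src_mac: str       # Ethernet source address
    src_ip: str        # IPv6 source address
    target: str = ""   # NA: the address being advertised
    lladdr: str = ""   # link-layer address option carried in the message
    prefix: str = ""   # RA: the advertised prefix


def parse_event(line: str) -> NdEvent:
    """Parse one line of the constructed 'KIND key=value ...' log format."""
    kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return NdEvent(kind, kv["src_mac"], kv["src_ip"],
                   kv.get("target", ""), kv.get("lladdr", ""), kv.get("prefix", ""))


@dataclass
class NdMonitor:
    """Passive checker in the spirit of NDPMon/NDPWatch: remembers which MAC
    answered for each IPv6 address and which MACs are legitimate routers."""
    known_routers: frozenset     # MACs allowed to send RAs (assumed: set by the admin)
    known_prefixes: frozenset    # prefixes those routers are expected to advertise
    bindings: dict = field(default_factory=dict)   # ipv6 -> mac, learned from NAs
    alerts: list = field(default_factory=list)

    def observe(self, ev: NdEvent) -> None:
        if ev.kind == "RA":
            if ev.src_mac not in self.known_routers:
                self.alerts.append(("rogue-ra", ev.src_mac, ev.prefix))
            elif ev.prefix and ev.prefix not in self.known_prefixes:
                self.alerts.append(("unexpected-prefix", ev.src_mac, ev.prefix))
        elif ev.kind == "NA" and ev.lladdr:
            owner = self.bindings.get(ev.target)
            if owner is None:
                self.bindings[ev.target] = ev.lladdr      # first sighting: learn it
            elif owner != ev.lladdr:
                # The same IPv6 address is now claimed by another MAC: either a
                # spoofed NA (MITM on the slides) or a genuine move; report it.
                self.alerts.append(("binding-changed", ev.target, owner, ev.lladdr))

    def feed(self, lines):
        """Process log lines in order and return the alerts raised so far."""
        for line in lines:
            self.observe(parse_event(line))
        return list(self.alerts)


# Constructed sample log, not real capture data: a legitimate RA, a normal
# NS/NA exchange, then a second NA for the same target from a different MAC
# and an RA from a MAC that is not a known router.
SAMPLE_LOG = [
    "RA src_mac=00:00:5e:00:01:01 src_ip=fe80::1 prefix=2001:db8:1::/64",
    "NS src_mac=00:1b:63:84:45:e6 src_ip=fe80::21b:63ff:fe84:45e6 target=fe80::2",
    "NA src_mac=00:1b:63:84:45:e7 src_ip=fe80::2 target=fe80::2 lladdr=00:1b:63:84:45:e7",
    "NA src_mac=de:ad:be:ef:00:01 src_ip=fe80::2 target=fe80::2 lladdr=de:ad:be:ef:00:01",
    "RA src_mac=de:ad:be:ef:00:01 src_ip=fe80::99 prefix=2001:db8:99::/64",
]


def run_sample():
    mon = NdMonitor(known_routers=frozenset({"00:00:5e:00:01:01"}),
                    known_prefixes=frozenset({"2001:db8:1::/64"}))
    return mon.feed(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

A binding change cannot by itself distinguish a spoofed NA from a host whose NIC was replaced, which is why these tools report rather than block; the RA check is only as good as the router allowlist the administrator maintains, and both checks see nothing if the monitor is not on the same link as the hosts it protects.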
Challenges of secure IPv6 Deployment
• IPsec
  – Supported in IPv6, but usage is optional.
  – Addresses several security issues found in IP networks.
  – Requires an encryption key management infrastructure.
  – Complex and difficult to manage.
• Traffic tunneling
  – May allow malicious packets through IPv6-unaware firewalls.
  – Policies to securely handle tunneling of IPv6 must be in place.
Challenges of secure IPv6 Deployment
• Dual-stack systems
  – Separate configuration of two IP infrastructures.
  – Increased attack surface.
  – Firewalls and intrusion detection must support both protocols.
Future research
• Security researchers need to identify security vulnerabilities before widespread adoption of IPv6.
• Detection of malicious or rogue devices on the local link is a key challenge in protecting IPv6 networks.
Future research
• More effective tools must be developed.
  – Network monitoring, especially scanning and intrusion detection.
  – Proactive and reactive defense capabilities.
  – Integrated tools to manage security administration of both IPv4 and IPv6 networks.
• IPsec
  – Research more efficient key-management infrastructure implementations.
  – Integration of public-key infrastructure with IPv6 networks.
Thank you
Any Questions?