So we’re out of IPv4 addresses. What now?
IPv6 Status, Security, and Deployment Plans
Rich Woynicz, Verizon Enterprise Architect, [email protected]

Raleigh ISSA – InfoSeCon October 9, 2015 Track 1 – 3:45 – 4:30 pm

IPv6 – What is it and what happened to IPv5...

• A new way of addressing devices – many, many, more devices (340 undecillion)


• A new series of protocols and features

• A new way of networking

• A new security paradigm

You’ve come a long way … But have a ways to go

Timeline, 1995 to 2015 (milestones as shown on the slide, earliest first):
• 1995 – RFC 1752, Next Generation Internet Protocol, or IPng
• MCI Experimental IPv6 Service through the vBNS+ network
• 1998 – Basic IPv6 protocol (RFC 2460) published
• MAE Internet Exchange IPv6 peering service
• Public IPv6 Internet Service – Domestic U.S.
• 2004 – Mobile IPv6 (RFC 3775) published
• VzW LTE IPv6 enabled
• NIST – USGv6 Profile
• 2011 – World IPv6 Day
• 2012 – World IPv6 Launch
• 2015 – ARIN “runs out” of IPv4 addresses
(The slide’s axis marks 1995, 1998, 2002, 2004, 2010, 2011, 2012 and 2015.)

• RFC 2460 – Internet Protocol, Version 6 (IPv6) Specification
• RFC 2463 – Internet Control Message Protocol for IPv6 (ICMPv6)
• RFC 2460, 4301 & others – Security: improved security support via IP-layer security (IPsec), making it cheaper to deploy VPN-like security for all applications.
• RFC 2460, 3306, 4291 – Enhanced Multicast Features: enhanced local and global multicasting support, scoped multicasting, and a tremendous expansion of usable multicast address space.
• RFC 4291 – Multi-homing Features: multiple addresses can be assigned to IPv6 network interfaces. Different addresses can be used to differentiate link-local, intra-domain, and global messages.
• RFC 4291, 4193 – New Address Types: new addressing options for link-local, anycast, intra-domain, and globally unique Internet communications.
• RFC 3041, 3972 – Security Addressing: new security addressing options for randomly generated addresses to protect privacy and cryptographically generated addresses used to sign and authenticate messages.
• RFC 2461, 2462 & others – Autoconfiguration: improved plug-and-play support using IPv6 link-local addressing, scoped multicasting and anycast support to automatically self-configure and discover neighbor nodes, routers, and servers.
Reference – ipv6.com

What’s your address? There’s no place like 127.0.0.1 or ::1 (“sweet ::1”)

• Impress your friends: 16 bits are a quibble or sexdecet (shortened – hextet)
• “Make it simple” (yeah right)
  1. Leading zeros can be dropped – “09c0” to “9c0”
  2. A group of zeros – shorten to one zero: “0000” to “0”
  3. Continuous groups of zeros – shorten to “::”: “0000:0000” to “::”
• Are these the same? 2041:0000:310e:0000:0000:09c0:876a:130b and 2041:0:310e::9c0:876a:130b

Common IPv6 Address Types

• Link Local [LL] – (FE80::/10)
  • Automatically generated – no routers or DHCPv6 needed
  • May be the same on multiple physical interfaces
  • Think 169.254.x.x in v4 – APIPA
• Unique Local – (FC00::/7)
  • Think RFC 1918
• Global Unicast Address [GUA] – (2000::/3)
  • Think routable outside
• Multicast (FF00::/8)
• Anycast – no Broadcast
• Loopback – (::1/128)

IPv4 Exhaustion – The well is dry. The large lady has sung. It’s the end of the (IPv4) world as we know it.

ARIN “ran out” of IPv4 addresses 7/1/2015
• IPv4 Unmet Request policy (NRPM 4.1.8) – “Waiting List”: https://www.arin.net/resources/request/waiting_list.html
• APNIC – Exhausted Jan 2011
• RIPE NCC – Exhausted Sept 2012
• LACNIC – Exhausted June 2014
• AfriNIC – Expected 2019
As of 9/15/2015. (Chart: “Huston RIR IPv4 exhaustion projection” by Geoff Huston.)

Why Bother?

• IPv6 is already turned on in the network
  • Are you looking at it with your IPS/FW/SIEM?
• IPv4 NAT is problematic in certain situations
  • Certain apps/protocols have issues working with NAT
  • IPv6 does not need NAT
  • IP-based authentication does not work
• It’s not just an address exhaustion issue
  • Faster packet flow due to abandoning the IPv4 checksum method, a new fixed header length, and no fragmentation (can use up to 99% of theoretical wire speed)
  • IPsec security built in to IPv6 – increased security
  • Support of multicast, improved multimedia functions
  • No need for NAT, restoring true end-to-end connectivity
  • Simpler and more efficient security & mobility management
  • IPv4 addresses will increase in cost – ~$10 per IPv4 address
    • Minimum /16 could cost >$500k
    • Specified Transfer Listing Service (STLS)
• IPv6 growth is inevitable – M2M, IoT, Google >7%

Over 70% of Verizon Wireless devices support IPv6 as of September 15, 2015 (from worldipv6launch.org)

And if you need more reasons….

…all have IPv6 enabled by default.

“It’s not just a good idea, it’s the law…” (US Federal IPv6 Mandates)

• Aug 2005 – OMB M-05-22, “Transition Planning for Internet Protocol Version 6”
  • Buy IPv6-capable products
• May 2009 – Federal Chief Information Officers (CIO)
  • “Planning Guide/Roadmap toward IPv6 Adoption within the U.S. Government” (the “Roadmap”)
• OMB September 2010 Memorandum – Transition to IPv6
• FAR – requirements for use of the USGv6 Profile and Test Program
• Government employee reviews and annual bonuses – tied to IPv6 deployment by 2015
• NIST
  • NIST Special Publication 500-267, USGv6 Profile
  • NIST Special Publication (SP) 500-273, USGv6 Test Methods
• “The DoD IPv6 Standards Profiles for IPv6 Capable Products”

“And it’s not just the US Government…” (International IPv6 Mandates)

• Australia: Australian Government Information Management Office (AGIMO) – December 31, 2012 deadline requiring every Commonwealth agency to have IPv6 compliance for all Internet gateways, applications and customer-facing systems.
• China: As the country with the largest population of Internet users, China launched its five-year plan for early IPv6 adoption in 2006.
• Japan: Regarded as one of the first countries to adopt IPv6, Japan began deploying the next-generation Internet protocol in the late 1990s through its Widely Integrated Distributed Environment (WIDE) Project.
• South Korea: The Ministry of Information and Communication required the mandatory upgrade to IPv6 in the public sector by 2010.
• Europe: The European Commission’s i2010 initiative has plans for broad deployment of IPv6 by the end of 2010, to be followed by a new initiative, the Digital Agenda. The flagship of the Europe 2020 Economic Strategy, this initiative will provide all EU citizens the ability to access high-speed Internet by 2013, use their mobile phones as a mobile wallet, and access all public services online by 2015. The UK government is in the midst of deploying an IPv6-based public sector network on the heels of the European Commission initiative.

Protect everything – like IPv4

• Addressing – automatic assignment
• Router Advertisements
• Type 0 IPv6 Routing Headers (RH0)
• Extension Headers
• IPsec – mandated by the IPv6 specifications, but not required to be used
• IPv6 tunneling (6to4, ISATAP, Teredo, …)
• What about your Wi-Fi network?
• Are you protecting your DNS?
• EUI-64 can identify the manufacturer of the NIC
• NIST 800-119 – IPv6 security
• Entire books on IPv6 security

RA – The bad guy is on your network

Router advertisements – mitigations:
• Block RA ICMP on user ports
• SeND protocol
• RA Guard
• 802.1X admission control
• Device firewall control
• See RFC 6104
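Added example, not part of the presentation: a minimal software RA Guard in Python. parse_ra() walks the ICMPv6 Router Advertisement layout from RFC 4861 (fixed header, then 8-octet-unit TLV options) and ra_violations() flags an RA whose source MAC is not on an allowlist or that advertises a prefix outside the expected site range, the same policy a switch RA Guard enforces. build_ra() constructs the sample packets; the allowlist MAC and the 2001:db8:1::/48 site prefix are made up.

```python
import struct
import ipaddress

ICMPV6_RA = 134          # ICMPv6 Router Advertisement type (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option type


def parse_ra(payload: bytes) -> dict:
    """Parse an RA body (ICMPv6 header + options) into its fields and advertised prefixes."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, router_lifetime = struct.unpack("!BBH", payload[4:8])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "router_lifetime": router_lifetime,
          "prefixes": []}
    off = 16
    while off + 2 <= len(payload):          # options are TLVs, length in 8-octet units
        opt_type, size = payload[off], payload[off + 1] * 8
        if size == 0 or off + size > len(payload):
            raise ValueError("malformed option")   # RFC 4861: discard the whole packet
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, prefix = payload[off + 2], payload[off + 16:off + 32]
            ra["prefixes"].append(ipaddress.IPv6Network((prefix, plen), strict=False))
        off += size
    return ra


def ra_violations(payload: bytes, src_mac: str, allowed_routers: set, allowed_prefixes: list) -> list:
    """Software RA Guard: report RAs from unlisted routers or with unexpected prefixes."""
    ra = parse_ra(payload)
    problems = []
    if src_mac.lower() not in allowed_routers:
        problems.append(f"RA from unlisted router {src_mac}")
    for p in ra["prefixes"]:
        if not any(p.subnet_of(a) for a in allowed_prefixes):
            problems.append(f"RA advertises unexpected prefix {p}")
    return problems


def build_ra(prefix: str, plen: int, router_lifetime: int = 1800) -> bytes:
    """Construct a sample RA with one Prefix Information option (test input, not captured)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(f"{prefix}/{plen}")
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    return hdr + opt + net.network_address.packed


ALLOWED_ROUTERS = {"00:11:22:33:44:55"}                          # constructed allowlist
ALLOWED_PREFIXES = [ipaddress.IPv6Network("2001:db8:1::/48")]     # constructed site prefix
```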

IP Tunneling Mechanisms… the good and the bad

[Diagram: IPv4-to-IPv6 transition mechanisms grouped by type – MPLS, IP NAT, configured tunneling, automatic tunneling and native IPv6 – with a mitigation row for v4 to v4 and v4 to v6. Mechanisms named: 6PE, 6VPE (MPLS); NAT44, NAT464, CGN, NAT64, NAT-TCP, NAT-UDP, NAT-ICMP (IP NAT); GRE, L2TP (configured tunnels); 6to4, 6RD, ISATAP, Teredo (automatic tunnels); DS-Lite (shown twice); also GFP, IP and LISP.]

Is that the end… or an oncoming train?

• Treat tunnels as you would any other link – with extreme caution
• Inspect tunnel traffic at ingress and egress
• Review all traffic – just like IPv4 packets
• Tunneled IPv6 can circumvent firewalls and IDS/IPS devices
  • Tunneling IPv6 traffic in the IPv4 protocol (i.e. port 80, 443), ISATAP and Teredo
• IPv6 disguised as an IPv4 address: http://[::192.9.5.5]/some_system_directory/

ISATAP (Are you thinking about Geeking Out After Dark?)

(Intra-Site Automatic Tunnel and Addressing Protocol)
• Enables IPv6 deployment within a site with no IPv6 infrastructure
• Does not work across NAT
• Microsoft implementations “learn” the IPv4 address of the ISATAP router by resolving the name “isatap” (via DNS and others)
• An attacker could forge name resolution responses to:
  • Impersonate a legitimate ISATAP router
  • Enable IPv6 connectivity in an otherwise IPv4-only network
  • Can be used in combination with other attack vectors
• Block IP protocol 41

Teredo Tunnel

• Designed to traverse NAT
• IPv6 in UDP/IPv4 packets
• Last-resort mechanism for IPv6 connectivity
• The host’s exposure to attack increases
• Traffic may take a completely different path than IPv4 traffic
• An attacker could impersonate a Teredo server if he can attack the DNS
• Block UDP port 3544
• GPO to change the registry keys to keep Teredo off
• Teredo IPv6 addresses always fall within 2001::/32 (carried in UDP packets)
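Added example, not from the slides, covering the indicators on the last three slides (IP protocol 41, UDP port 3544, Teredo addresses in 2001::/32, and an IPv4 literal hidden inside an IPv6 address such as http://[::192.9.5.5]/): a small classifier a SIEM rule or flow analyser could apply to flow records and URLs. It goes beyond the slides with two checks I know from the respective RFCs, 6to4 addresses in 2002::/16 and ISATAP interface IDs of the form ::[02]00:5efe:a.b.c.d; the flow records and addresses are constructed, not captured.

```python
import ipaddress
from urllib.parse import urlsplit

TEREDO_UDP_PORT = 3544      # Teredo service port named on the slide
IPPROTO_IPV6 = 41           # IPv6-in-IPv4 encapsulation (6to4, ISATAP) named on the slide
ISATAP_IID_HIGH = (0x00005EFE, 0x02005EFE)   # upper 32 bits of an ISATAP interface ID


def address_indicators(addr: ipaddress.IPv6Address) -> list:
    """Flag IPv6 addresses that reveal a tunnel or an embedded IPv4 address."""
    hits = []
    if addr.teredo:                       # 2001::/32, the Teredo range from the slide
        server, client = addr.teredo      # client address is stored bit-inverted
        hits.append(f"Teredo address (server {server}, client {client})")
    if addr.sixtofour:                    # 2002::/16 (6to4; prefix not on the slide)
        hits.append(f"6to4 address (v4 endpoint {addr.sixtofour})")
    if (int(addr) >> 32) & 0xFFFFFFFF in ISATAP_IID_HIGH:
        v4 = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
        hits.append(f"ISATAP address (v4 endpoint {v4})")
    if 1 < int(addr) < 2 ** 32:           # ::a.b.c.d, the "IPv6 disguised as IPv4" case
        hits.append(f"IPv4-compatible literal for {ipaddress.IPv4Address(int(addr))}")
    return hits


def flow_indicators(flow: dict) -> list:
    """Classify one flow record (constructed dict with proto, sport, dport, src6, dst6)."""
    hits = []
    if flow.get("proto") == IPPROTO_IPV6:
        hits.append("IP protocol 41: IPv6 encapsulated in IPv4")
    if flow.get("proto") == 17 and TEREDO_UDP_PORT in (flow.get("sport"), flow.get("dport")):
        hits.append("UDP/3544: Teredo")
    for key in ("src6", "dst6"):
        if flow.get(key):
            hits += address_indicators(ipaddress.IPv6Address(flow[key]))
    return hits


def url_indicators(url: str) -> list:
    """Check an IPv6 literal in a URL, e.g. http://[::192.9.5.5]/ (hostname strips the [])."""
    try:
        return address_indicators(ipaddress.IPv6Address(urlsplit(url).hostname))
    except (ValueError, TypeError):
        return []                         # a hostname or a plain IPv4 literal


SAMPLE_FLOWS = [   # constructed records, not captured traffic
    {"proto": 41, "src4": "192.0.2.10", "dst4": "192.0.2.1"},
    {"proto": 17, "sport": 51234, "dport": 3544},
    {"proto": 6, "dst6": "2001:0:c000:201:8000:63bf:39cc:9bf8", "dport": 443},
    {"proto": 6, "dst6": "2001:db8::5efe:192.0.2.9", "dport": 80},
]
```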

“Lasciate ogne speranza, voi ch'intrate” (“Abandon all hope, you who enter”) – Where to start?

1. Train and learn (InfoSeCon)
2. Get buy-in from your org
3. Get policy (purchase only IPv6-capable products)
4. Inventory your systems
5. Build a lab, play, and learn more
6. Plan big, implement small – incrementally
7. Incent with carrot vs. stick – publish results, market internally (and externally)
8. Form a core IPv6 team
9. Pilot(s)
10. Work from inside out or outside in…
11. Deploy all new services with dual stack from day 1

IPv6 – Everywhere

• Data Center: servers; firewalls; proxies and load balancers; routers and Layer 3 enabled switches
• Remote locations: client desktop, laptop, and mobile devices; routers and Layer 3 enabled switches; wireless networks (Wi-Fi, cellular); corporate remote access
• Network: all IP carrier networks; Internet; private IP networks

IPv6 Transition – IPv6 Supportability Timeline
• Dual stack required
• IPv6-enable hosts
• IPv6-enable servers
• Allow hosts to access IPv6 sites
• Transition applications to IPv6

WAN IPv6 Status

Product Specific Systems | Vendor A | Vendor B | Vendor C | Comments
Basic Routing            |          |          |          | IPv6 routing can be turned on and supported
Embedded Firewall        |          |          |          | Firewall supports IPv6
Intrusion Prevention     |          |          |          | IDS / IPS supports IPv6
Ethernet LAN             |          |          |          | Plug-in or embedded LAN ports
Content Filtering        |          |          |          |

Vendor cells are colour-coded on the slide: Ready / Partial / Not Ready / Not Vendor Supported.

Seek Professional Help! Strategic Roadmap

[Diagram: three phases – Impact Assessment & Gap Analysis, Transition Planning, Design & Implementation – under Governance + Project Management, covering: Business Drivers, Technical Drivers, Strategic Goals, Compliance, Gap Analysis, Roadmap, Network, Security, Applications, Training, IPAM Framework, Technology Selection, Migration Planning, Staff Preparation, Addressing Schema, D&I HLD/LLD, Proof of Concept, Implementation, Process Development, Handoff & Support.]

IPv6 Tools

• http://ip-lookup.net/index.php – IP-Lookup helps you to find information about your current IP address
• http://www.subnetonline.com/pages/ipv6-network-tools.php – IPv6 Network Tools
• http://ipv6-test.com/validate.php – Website IPv6 accessibility validator
• http://www.ipv6proxy.net/ – Test IPv6 web sites from IPv4 locations
• http://ipv6-test.com/ – IPv6-test.com is a free service that checks your IPv6 and IPv4 connectivity and speed
• http://test-ipv6.com/ – Test your IPv6 connectivity
• https://msdn.microsoft.com/en-us/library/windows/desktop/bb736546%28v=vs.85%29.aspx – The Netsh commands for IPv6
• http://ipv6-literal.com/ – Tool for the static assignment of IPv6 addresses into “literal” addresses
• http://www.pierky.com/ipv6-prefix-calculator/# – Prefix Calculator
• http://ip6.nl – Test IPv6 site capabilities

Thank you.

Rich Woynicz
Company: Verizon, Enterprise Architect (“An unofficial IPv6 Evangelist”)
Phone: 919-378-3281
Location: Cary, NC
Email: [email protected]
Website: http://www.verizon.com
Twitter: @RichWoynicz
LinkedIn: https://www.linkedin.com/in/rwoynicz

Rich Woynicz has almost 30 years’ experience in designing, architecting, and delivering advanced communications solutions. He specializes in crafting complex solutions involving a variety of communications, IT, and security technologies for Verizon Global Enterprises and Public Sector customers. These solutions include incorporating and evangelizing evolving requirements like IPv6 and FISMA/FedRAMP security within Verizon’s solutions. He has two engineering degrees from Virginia Tech. In his spare time he enjoys fishing and is certified as an Extension Master Gardener in Raleigh, NC.