So we’re out of IPv4 addresses. What now? IPv6 Status, Security, and Deployment Plans
Rich Woynicz, Verizon Enterprise Architect
[email protected]
Raleigh ISSA – InfoSeCon, October 9, 2015, Track 1, 3:45 – 4:30 pm
IPv6 – What is it, and what happened to IPv5...
• A new way of addressing devices: many, many more devices (2^128, about 340 undecillion addresses)
• A new series of protocols and features
• A new way of networking
• A new security paradigm
You’ve come a long way … but have a ways to go
Timeline (the slide’s axis runs 1995, 1998, 2002, 2004, 2010, 2011, 2012, 2015; milestones oldest first):
• RFC 1752, The Recommendation for the IP Next Generation Protocol (IPng), 1995
• MCI experimental IPv6 service through the vBNS+ network
• Basic IPv6 protocol (RFC 2460) published, 1998
• MAE Internet Exchange IPv6 peering service
• Public IPv6 Internet service, domestic U.S.
• Mobile IPv6 (RFC 3775) published, 2004
• Verizon Wireless LTE launched IPv6-enabled
• NIST USGv6 Profile
• World IPv6 Day, 2011
• World IPv6 Launch, 2012
• ARIN “runs out” of IPv4 addresses, 2015
What you get with IPv6 (RFC references):
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification; RFC 2463, Internet Control Message Protocol for IPv6 (ICMPv6)
• RFC 2460, 4301 and others, IP layer security: IPsec is part of the IPv6 node requirements, making it cheaper to deploy VPN-like security for all applications. Caveat: implementing IPsec was a MUST in RFC 4294 and was relaxed to a SHOULD in RFC 6434, and using it is never automatic; an IPv6 packet is neither encrypted nor authenticated unless someone configured it to be.
• RFC 2460, 3306, 4291, enhanced multicast: improved local and global multicasting, scoped multicast, and a tremendous expansion of usable multicast address space
• RFC 4291, multi-homing: multiple addresses can be assigned to an IPv6 interface, and different addresses can be used to separate link-local, intra-domain and global traffic
• RFC 4291, 4193, new address types: link-local, anycast, intra-domain (unique local), and globally unique Internet communication
• RFC 3041, 3972, security addressing: randomly generated (privacy) addresses to protect privacy, and cryptographically generated addresses (CGA) used to sign and authenticate neighbor-discovery messages (RFC 3041 has since been obsoleted by RFC 4941)
• RFC 2461, 2462 and others, autoconfiguration: improved plug-and-play support using link-local addressing, scoped multicast and anycast to self-configure and to discover neighbor nodes, routers and servers (now RFC 4861 and 4862)
Reference: ipv6.com
What’s your address? There’s no place like 127.0.0.1 … or ::1 sweet ::1
• Impress your friends: a 16-bit group is a quibble or sexdecet (shortened: hextet)
• “Make it simple” (yeah, right):
  1. Leading zeros in a group can be dropped: “09c0” becomes “9c0”
  2. A group of all zeros shortens to a single zero: “0000” becomes “0”
  3. One run of consecutive all-zero groups can be replaced by “::”, and only once per address: “0000:0000” becomes “::”
• Are these the same? 2041:0000:310e:0000:0000:09c0:876a:130b and 2041:0:310e::9c0:876a:130b (yes; RFC 5952 defines a single canonical text form, and the second spelling is it)
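The “are these the same?” question is the practical trap: an ACL, SIEM rule or blocklist that compares addresses as strings will miss the same host written a different way. The following is an added example, not code from the slides; it implements the RFC 5952 canonical form by hand (so the rules above are visible in code) and checks itself against Python’s ipaddress module. The sample spellings are constructed.

```python
"""Canonical IPv6 text form (RFC 5952) for comparing addresses in logs, ACLs and SIEM rules.

Added example; not from the slides. The sample spellings below are constructed.
"""
import ipaddress

HEX = set("0123456789abcdef")


def expand(text: str) -> list[int]:
    """Return the eight 16-bit groups of an address written in any RFC 4291 text form."""
    text = text.strip().lower().partition("%")[0]    # drop a zone index such as %eth0
    if text.count("::") > 1:
        raise ValueError("'::' may appear at most once")
    head, sep, last = text.rpartition(":")
    if "." in last:                                   # trailing dotted quad, e.g. ::ffff:192.0.2.1
        octets = [int(o) for o in last.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address")
        text = f"{head}{sep}{(octets[0] << 8) | octets[1]:x}:{(octets[2] << 8) | octets[3]:x}"
    if "::" in text:
        left, right = text.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left_groups + ["0"] * missing + right_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly eight groups")
    if not all(1 <= len(g) <= 4 and set(g) <= HEX for g in groups):
        raise ValueError("groups must be 1-4 hex digits")
    return [int(g, 16) for g in groups]


def canonical(text: str) -> str:
    """RFC 5952 form: lowercase, no leading zeros, and the longest run of two or more
    zero groups (leftmost on a tie) collapsed to '::'; a lone zero group stays '0'."""
    groups = expand(text)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def same_address(a: str, b: str) -> bool:
    """Compare two spellings by canonical form, never by raw string."""
    return canonical(a) == canonical(b)


def agrees_with_stdlib(text: str) -> bool:
    """Self-check: our canonical form denotes the same 128-bit value as ipaddress does."""
    return int(ipaddress.IPv6Address(canonical(text))) == int(ipaddress.IPv6Address(text))


# Constructed spellings of addresses a log or ACL might contain.
SAMPLES = [
    "2041:0000:310e:0000:0000:09c0:876a:130b",   # the slide's pair
    "2041:0:310e::9c0:876a:130b",
    "2001:DB8:0:0:1:0:0:1",                       # two equal zero runs: RFC 5952 picks the first
    "::FFFF:192.0.2.1",                           # IPv4-mapped, dotted-quad spelling
    "0000:0000:0000:0000:0000:0000:0000:0001",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:45} -> {canonical(s)}  (stdlib agrees: {agrees_with_stdlib(s)})")
```

Normalize every address at ingest (log pipeline, allowlist loader) and store only the canonical form; then a plain string comparison is safe.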
Common IPv6 Address Types
• Link Local [LL] (FE80::/10): automatically generated, no routers or DHCPv6 needed; the same address may appear on multiple physical interfaces, so an interface (zone) index is needed to pick one; think 169.254.x.x APIPA in v4
• Unique Local [ULA] (FC00::/7, RFC 4193; in practice FD00::/8): think RFC 1918. The old site-local range FEC0::/10 was deprecated by RFC 3879.
• Global Unicast Address [GUA] (2000::/3): think routable outside
• Multicast (FF00::/8); the low nibble of the second octet is the scope (FF02:: link-local, FF05:: site-local, FF0E:: global)
• Anycast; there is no broadcast
• Loopback (::1/128)
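To put the address types above to work in a sensor or a log parser, here is an added example (not from the slides) that classifies an address by scope and decodes what its interface identifier gives away: a modified EUI-64 identifier (the “fffe” in the middle) embeds the MAC address, so it names the NIC vendor and follows the host from network to network. All sample addresses are constructed; 2001:db8::/32 is the documentation prefix and the MAC value is made up.

```python
"""Classify an IPv6 address by scope and decode what its interface identifier leaks.

Added example; not from the slides. Sample addresses are constructed (2001:db8::/32 is
the documentation prefix and the MAC address values are made up).
"""
import ipaddress

MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

# Ranges the slide lists, plus the two an IPv4-minded filter tends to forget.
RANGES = [
    ("link-local", "fe80::/10"),
    ("unique-local", "fc00::/7"),
    ("site-local (deprecated by RFC 3879)", "fec0::/10"),
    ("ipv4-mapped", "::ffff:0:0/96"),
    ("global-unicast", "2000::/3"),
]


def scope(text: str) -> str:
    """Name the address type the way the slide groups them."""
    a = ipaddress.IPv6Address(text)
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a in ipaddress.IPv6Network("ff00::/8"):
        s = (int(a) >> 112) & 0xF             # low nibble of the second octet
        return f"multicast ({MULTICAST_SCOPES.get(s, 'reserved scope')})"
    for name, net in RANGES:
        if a in ipaddress.IPv6Network(net):
            return name
    return "reserved/other"


def embedded_mac(text: str):
    """Return the MAC address if the interface identifier is a modified EUI-64
    (RFC 4291 Appendix A): bytes 3-4 of the IID are ff:fe and the U/L bit (0x02 of
    the first octet) was inverted, so invert it back. None for random/manual IIDs."""
    iid = ipaddress.IPv6Address(text).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def report(text: str) -> dict:
    """What a sensor can learn from the address alone."""
    mac = embedded_mac(text)
    return {
        "address": str(ipaddress.IPv6Address(text)),
        "scope": scope(text),
        "mac": mac,
        "oui": mac[:8] if mac else None,           # first three octets identify the NIC vendor
        "iid": "EUI-64 (stable, tracks the host)" if mac else "random or manually assigned",
    }


# Constructed sample addresses.
SAMPLES = [
    "fe80::211:22ff:fe33:4455",            # link-local, SLAAC from a (made-up) MAC
    "2001:db8:1::211:22ff:fe33:4455",      # same MAC on a global address: cross-network tracking
    "2001:db8:1:0:9c7b:1e2a:4f0d:3b61",    # privacy (RFC 4941) style random IID
    "fd12:3456:789a::1",
    "ff02::1", "ff05::1:3", "::ffff:192.0.2.1", "fec0::1", "::1",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(report(s))
```

The second and first samples share an interface identifier, which is exactly how an EUI-64 host can be correlated across every network it visits; privacy extensions (RFC 4941) exist to break that link.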
IPv4 Exhaustion: The well is dry. The large lady has sung. It’s the end of the (IPv4) world as we know it.
ARIN “ran out” of IPv4 addresses 7/1/2015 (the first request it could not fill); IPv4 Unmet Request policy (NRPM 4.1.8), the “Waiting List”: https://www.arin.net/resources/request/waiting_list.html
• APNIC: exhausted April 2011 (reached its final /8)
• RIPE NCC: exhausted September 2012
• LACNIC: exhausted June 2014
• AfriNIC: expected 2019
As of 9/15/2015.
Figure: RIR IPv4 address pool exhaustion projection, by Geoff Huston.
Why Bother?
• IPv6 is already turned on in the network. Are you looking at it with your IPS/FW/SIEM?
• IPv4 NAT is problematic in certain situations:
  • Certain apps/protocols have issues working with NAT
  • IPv6 does not need NAT
  • IP-based authentication does not work behind NAT (many hosts share one address)
• It’s not just an address exhaustion issue:
  • Faster packet processing: no IPv4-style header checksum, a fixed 40-byte base header, and routers never fragment (only the sending host may); vendor figures quote up to 99% of theoretical wire speed
  • IPsec built into IPv6: mandatory to implement, not mandatory to use, so it is only “increased security” where it is actually turned on
  • Support of multicast, improved multimedia functions
  • No need for NAT, restoring true end-to-end connectivity (which also means every host is reachable unless your firewall says otherwise)
  • Simpler and more efficient security and mobility management
  • IPv4 addresses will increase in cost: about $10 per address; a minimum /16 (65,536 addresses) could cost more than $500k through the Specified Transfer Listing Service (STLS)
• IPv6 growth is inevitable: M2M, IoT, and Google already measures more than 7% of its users on IPv6
• Over 70% of Verizon Wireless devices support IPv6 as of September 15, 2015 (from worldipv6launch.org)
And if you need more reasons… the current desktop, server and mobile operating systems (pictured on the slide) all have IPv6 enabled by default, so an “IPv4-only” network already has IPv6 hosts on it.
“It’s not just a good idea, it’s the law…” (US Federal IPv6 Mandates)
• Aug 2005: OMB M-05-22, “Transition Planning for Internet Protocol Version 6”; buy IPv6-capable products
• May 2009: Federal Chief Information Officers (CIO) Council, “Planning Guide/Roadmap toward IPv6 Adoption within the U.S. Government” (the “Roadmap”)
• September 2010: OMB Memorandum, Transition to IPv6
• FAR: requirements for use of the USGv6 Profile and Test Program
• Government employee reviews and annual bonuses tied to IPv6 deployment by 2015
• NIST: Special Publication 500-267, USGv6 Profile; Special Publication 500-273, USGv6 Test Methods
• “The DoD IPv6 Standards Profiles for IPv6 Capable Products”
“And it’s not just the US Government…” (International IPv6 Mandates)
• Australia: the Australian Government Information Management Office (AGIMO) set a December 31, 2012 deadline requiring every Commonwealth agency to have IPv6 compliance for all Internet gateways, applications and customer-facing systems.
• China: as the country with the largest population of Internet users, China launched its five-year plan for early IPv6 adoption in 2006.
• Japan: regarded as one of the first countries to adopt IPv6, Japan began deploying the next-generation Internet protocol in the late 1990s through its Widely Integrated Distributed Environment (WIDE) Project.
• South Korea: the Ministry of Information and Communication required a mandatory upgrade to IPv6 in the public sector by 2010.
• Europe: the European Commission’s i2010 initiative planned broad deployment of IPv6 by the end of 2010, to be followed by a new initiative, the Digital Agenda. The flagship of the Europe 2020 Economic Strategy, this initiative will give all EU citizens the ability to access high-speed Internet by 2013, use their mobile phones as a mobile wallet, and access all public services online by 2015. The UK government is in the midst of deploying an IPv6-based public sector network on the heels of the European Commission initiative.
Protect everything, like IPv4. What is new or different in IPv6:
• Addressing: automatic assignment (SLAAC), so hosts get addresses without anyone handing them out
• Router Advertisements: whoever sends them chooses your clients’ default router, prefixes and (with the RDNSS option) DNS servers
• Type 0 IPv6 Routing Headers (RH0): deprecated by RFC 5095; drop them
• Extension headers: a filter must walk the whole header chain to find the transport header
• IPsec: IPv6 mandates that nodes implement it, but not that anyone use it
• IPv6 tunneling (6to4, ISATAP, Teredo, …)
• What about your Wi-Fi network?
• Are you protecting your DNS?
• EUI-64 interface identifiers embed the MAC address, which identifies the NIC manufacturer (and follows the host across networks)
• NIST SP 800-119, Guidelines for the Secure Deployment of IPv6
• Entire books have been written on IPv6 security
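The extension-header and RH0 points above are where IPv4-era filters fail: the transport header is not at a fixed offset, and a product that gives up after one header can be walked past. The following is an added example, not code from the slides: a header-chain walker of the kind a firewall or IDS needs, which finds the upper-layer protocol, flags RH0, stops safely on later fragments and refuses over-long chains. The packets are constructed byte strings built by the helpers in the block.

```python
"""Walk an IPv6 extension-header chain to the transport header and flag what a
filter should not let through (RH0, fragments, over-long chains).

Added example; not from the slides. The packets are constructed byte strings.
"""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP = 6
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}   # ESP (50) ends the walk: encrypted


def walk(packet: bytes, max_headers: int = 8) -> dict:
    """Return the upper-layer protocol, the chain of extension headers seen, the offset
    of the upper-layer header, and findings. Never loops on a malformed chain."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    chain, findings = [], []

    def done(upper):
        return {"upper_layer": upper, "chain": chain, "offset": off, "findings": findings}

    while nxt in EXT_HEADERS:
        if len(chain) >= max_headers:
            findings.append(f"more than {max_headers} extension headers: refusing to walk further")
            return done(None)
        if off + 8 > len(packet):
            findings.append("truncated extension header")
            return done(None)
        chain.append(nxt)
        # Length field: 8-octet units excluding the first 8, except AH (4-octet units minus 2).
        hdr_len = (packet[off + 1] + 2) * 4 if nxt == AH else (packet[off + 1] + 1) * 8
        if nxt == ROUTING:
            rtype, segments_left = packet[off + 2], packet[off + 3]
            if rtype == 0:
                findings.append(f"RH0 (deprecated by RFC 5095) with {segments_left} segments left: drop")
        elif nxt == FRAGMENT:
            frag = struct.unpack("!H", packet[off + 2:off + 4])[0]
            offset, more = frag >> 3, frag & 1
            if offset:
                findings.append("non-first fragment: upper-layer header absent, nothing to inspect")
                return done(None)
            if not more:
                findings.append("atomic fragment (offset 0, M=0), see RFC 6946")
        nxt = packet[off]
        off += hdr_len
        if off > len(packet):
            findings.append("header chain runs past the end of the packet")
            return done(None)
    return done(nxt)


# Builders for constructed test packets.
def ipv6(src: str, dst: str, nxt: int, payload: bytes) -> bytes:
    """Fixed 40-byte header: version 6, payload length, next header, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def dest_opts(nxt: int) -> bytes:
    """Destination Options header of minimum size, padded with one PadN option."""
    return struct.pack("!BB", nxt, 0) + b"\x01\x04\x00\x00\x00\x00"


def rh0(nxt: int, hops: list[str]) -> bytes:
    """Type 0 Routing header listing intermediate hops, all segments still to visit."""
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    return struct.pack("!BBBBI", nxt, 2 * len(hops), 0, len(hops), 0) + addrs


def fragment(nxt: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", nxt, 0, (offset << 3) | int(more), ident)


TCP_STUB = struct.pack("!HH", 40000, 22) + b"\x00" * 16    # 20 bytes, destination port 22

SAMPLES = {
    "plain": ipv6("2001:db8::a", "2001:db8::b", TCP, TCP_STUB),
    "rh0": ipv6("2001:db8::a", "2001:db8::b", DEST_OPTS,
                dest_opts(ROUTING) + rh0(TCP, ["2001:db8::c", "2001:db8::d"]) + TCP_STUB),
    "later_fragment": ipv6("2001:db8::a", "2001:db8::b", FRAGMENT,
                           fragment(TCP, offset=185, more=True) + b"\x00" * 8),
    "long_chain": ipv6("2001:db8::a", "2001:db8::b", DEST_OPTS,
                       dest_opts(DEST_OPTS) * 8 + dest_opts(TCP) + TCP_STUB),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, walk(pkt))
```

A port-22 rule written against a fixed offset sees the RH0 packet as “not TCP”; the walker finds the TCP header at offset 88 and the RH0 in front of it, which is the reason RFC 5095 tells you to drop the packet outright.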
RA: the bad guy is on your network
Router Advertisements are unauthenticated link-local multicast; any host that sends one can become the default router (and, with RDNSS, the DNS server) for every IPv6-enabled machine on the segment, which is why this works even on an “IPv4-only” LAN. Mitigations:
• Block RA (ICMPv6 type 134) on user-facing ports
• SEND protocol (RFC 3971; rarely supported by clients)
• RA Guard (RFC 6105)
• 802.1X admission control
• Device firewall control (host-based firewall policy)
• See RFC 6104, Rogue IPv6 Router Advertisement Problem Statement
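RA Guard and a monitoring sensor both come down to the same decision: parse the advertisement and compare it with what the segment should see. Here is an added example (not from the slides) that parses ICMPv6 Router Advertisements, including the Prefix Information and RDNSS options, and judges each captured RA against a segment policy. The RA byte strings are constructed by the block’s own builder, and the POLICY values (the legitimate router fe80::1, prefix 2001:db8:1::/64 and DNS server 2001:db8:1::53) are assumptions.

```python
"""Parse ICMPv6 Router Advertisements and judge them against a per-segment policy,
the decision an RA Guard or a monitoring sensor has to make.

Added example; not from the slides. The RA byte strings are constructed, and POLICY
(the legitimate router, prefix and DNS server for the segment) is an assumption.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25
PREFERENCE = {0: "medium", 1: "high", 2: "reserved", 3: "low"}   # RFC 4191 Prf bits


def build_ra(prefixes=(), dns=(), preference=0, managed=False, lifetime=1800) -> bytes:
    """ICMPv6 RA with Prefix Information (A+L set) and RDNSS options. Checksum left 0:
    it is computed over the IPv6 pseudo-header by the sender and is irrelevant to parsing."""
    flags = (0x80 if managed else 0) | (preference << 3)
    ra = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        ra += net.network_address.packed
    if dns:
        ra += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
        ra += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return ra


def parse_ra(icmp: bytes) -> dict:
    """Decode the RA header and its TLV options (length unit: 8 octets)."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    hop, flags, lifetime = struct.unpack("!BBH", icmp[4:8])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "preference": PREFERENCE[(flags >> 3) & 3], "router_lifetime": lifetime,
          "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")           # RFC 4861: discard the packet
        body = icmp[off:off + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            net = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(body[16:32])}/{plen}", strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_RDNSS:
            for i in range(8, len(body), 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen * 8
    return ra


def judge(src: str, ra: dict, policy: dict) -> list[str]:
    """Compare one RA (from link-local source src) with what the segment should see."""
    findings = []
    if src not in policy["routers"]:
        findings.append(f"RA from unexpected router {src}")
        if ra["preference"] == "high":
            findings.append("high router preference: it would win default-router selection")
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"] not in policy["prefixes"]:
            findings.append(f"unexpected SLAAC prefix {p['prefix']}: hosts would self-configure into it")
    for d in ra["rdnss"]:
        if d not in policy["dns"]:
            findings.append(f"unexpected DNS server {d} via RDNSS: DNS hijack of every IPv6 host")
    if ra["managed"] and not policy.get("dhcpv6", False):
        findings.append("M flag set: hosts will solicit a DHCPv6 server nobody deployed")
    return findings


def audit(captured, policy) -> dict:
    """Map each RA source to its findings; an empty list means the RA matched policy."""
    return {src: judge(src, parse_ra(ra), policy) for src, ra in captured}


POLICY = {"routers": {"fe80::1"}, "prefixes": {"2001:db8:1::/64"},
          "dns": {"2001:db8:1::53"}, "dhcpv6": False}

# Constructed capture: (source link-local address, ICMPv6 payload).
CAPTURED = [
    ("fe80::1", build_ra(prefixes=["2001:db8:1::/64"], dns=["2001:db8:1::53"])),
    ("fe80::dead:beef", build_ra(prefixes=["2001:db8:bad::/64"], dns=["2001:db8:bad::53"],
                                 preference=1, managed=True)),
]

if __name__ == "__main__":
    for src, findings in audit(CAPTURED, POLICY).items():
        print(src, "OK" if not findings else "\n  ".join([""] + findings))
```

The second RA is the textbook rogue: a high-preference router pushing its own prefix and its own resolver. Note that the source check alone is weak (link-local addresses are trivially spoofed); RA Guard’s real value is that it enforces the policy per switch port rather than per address.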
IP Tunneling Mechanisms… the good and the bad
Transition mechanism families (the slide’s table, flattened):
• MPLS: 6PE, 6VPE, GFP
• Tunneling, configured: GRE, L2TP, IP-in-IP
• Tunneling, automatic: 6to4, 6RD, ISATAP, Teredo, LISP
• IP NAT (exhaustion mitigation), v4 to v4: NAT44, CGN, NAT-TCP, NAT-UDP, NAT-ICMP
• IP NAT, v4 to v6: NAT464, NAT64, DS-Lite
• Native IPv6
Is that the end… or an oncoming train?
• Treat tunnels as you would any other link, with extreme caution
• Inspect tunnel traffic at ingress and egress; review all of it, just like IPv4 packets
• Tunneled IPv6 can circumvent firewalls and IDS/IPS devices that only look at the outer IPv4 header
• IPv6 carried inside IPv4 on ports the firewall already allows (e.g., TCP 80 or 443), as well as ISATAP and Teredo
• IPv6 disguised as an IPv4 address: http://[::192.9.5.5]/some_system_directory/ uses an IPv4-compatible IPv6 address (deprecated by RFC 4291); its IPv4-mapped cousin ::ffff:192.9.5.5 is still in use and reaches the IPv4 host 192.9.5.5 through a dual-stack socket, so a filter that only matches the dotted-quad spelling misses it
ISATAP (Are you thinking about Geeking Out After Dark?)
Intra-Site Automatic Tunnel and Addressing Protocol (RFC 5214)
• Enables IPv6 deployment within a site that has no IPv6 infrastructure, by tunneling IPv6 in IPv4 (protocol 41) between hosts and an ISATAP router
• Does not work across NAT
• Microsoft implementations “learn” the IPv4 address of the ISATAP router by resolving the name “isatap” (via DNS and other name resolution methods)
• An attacker who can forge name resolution responses can:
  • Impersonate a legitimate ISATAP router
  • Enable IPv6 connectivity in an otherwise IPv4-only network
  • Combine this with other attack vectors
• Block IP protocol 41 wherever you do not intentionally tunnel
Teredo Tunnel
• Designed to traverse NAT: IPv6 in UDP/IPv4 packets
• Last-resort mechanism for IPv6 connectivity
• The host’s exposure to attack increases (it becomes reachable from the IPv6 Internet)
• Traffic may take a completely different path than IPv4 traffic
• An attacker could impersonate a Teredo server if he can attack the DNS
• Block UDP port 3544
• Use a GPO to set the registry keys that keep Teredo off
• Teredo addresses always fall within 2001::/32 (2001:0:…); the address embeds the Teredo server’s IPv4 address and the client’s obfuscated public IPv4 address and UDP port
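The tunnel addresses on the last few slides (6to4, ISATAP, Teredo) and the “IPv6 disguised as an IPv4 address” case all carry IPv4 information a defender can read straight out of the IPv6 address, and the outer IPv4 flows give themselves away by protocol 41 or UDP 3544. The following is an added example, not code from the slides: decoders for each embedding plus a flow-record check. The flow records are constructed; the Teredo address is the worked example from RFC 4380 section 4.

```python
"""Recognize transition-mechanism traffic and decode what tunnel addresses embed.

Added example; not from the slides. The flow records are constructed; the Teredo
address is the worked example from RFC 4380 section 4.
"""
import ipaddress


def decode_teredo(text: str):
    """Teredo (RFC 4380): 2001:0:<server IPv4>:<flags>:<port XOR ffff>:<client IPv4 XOR ffffffff>.
    The client's public IPv4 address and NAT-mapped UDP port are in the address, obfuscated
    only by XOR so that NATs do not rewrite them."""
    a = ipaddress.IPv6Address(text)
    if a not in ipaddress.IPv6Network("2001::/32"):
        return None
    b = a.packed
    return {
        "server": str(ipaddress.IPv4Address(b[4:8])),
        "cone_nat": bool(b[8] & 0x80),
        "port": int.from_bytes(b[10:12], "big") ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))),
    }


def decode_6to4(text: str):
    """6to4 (RFC 3056): 2002:WWXX:YYZZ::/48 carries the site's IPv4 address W.X.Y.Z."""
    a = ipaddress.IPv6Address(text)
    if a not in ipaddress.IPv6Network("2002::/16"):
        return None
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def decode_isatap(text: str):
    """ISATAP (RFC 5214): interface identifier 00:00:5e:fe or 02:00:5e:fe + IPv4 address."""
    b = ipaddress.IPv6Address(text).packed
    if b[8] in (0x00, 0x02) and b[9:12] == b"\x00\x5e\xfe":
        return str(ipaddress.IPv4Address(b[12:16]))
    return None


def embedded_ipv4(text: str):
    """The 'IPv6 disguised as IPv4' case: ::a.b.c.d (IPv4-compatible, deprecated by RFC 4291
    section 2.5.5.1) and ::ffff:a.b.c.d (IPv4-mapped, still used by dual-stack sockets)."""
    a = ipaddress.IPv6Address(text)
    if a in ipaddress.IPv6Network("::ffff:0:0/96"):
        return ("ipv4-mapped", str(ipaddress.IPv4Address(a.packed[12:])))
    if a in ipaddress.IPv6Network("::/96") and int(a) > 1:
        return ("ipv4-compatible (deprecated)", str(ipaddress.IPv4Address(a.packed[12:])))
    return None


def describe(text: str) -> dict:
    """Everything the address alone tells a defender."""
    return {"teredo": decode_teredo(text), "6to4": decode_6to4(text),
            "isatap_v4": decode_isatap(text), "ipv4": embedded_ipv4(text)}


def tunnel_indicators(flow: dict) -> list[str]:
    """Outer-IPv4 flow record -> reasons it carries IPv6. Tunnels over TCP 80/443 need
    payload inspection and are invisible here; that is the slide's point."""
    hits = []
    if flow["proto"] == 41:
        hits.append("IPv6-in-IPv4 (protocol 41): 6to4, 6in4 or ISATAP")
        if flow["dst"] == "192.88.99.1":
            hits.append("6to4 anycast relay (RFC 3068)")
    if flow["proto"] == 17 and 3544 in (flow.get("sport"), flow.get("dport")):
        hits.append("Teredo (UDP 3544)")
    return hits


def find_tunnels(flows) -> list[tuple[int, list[str]]]:
    return [(i, h) for i, f in enumerate(flows) if (h := tunnel_indicators(f))]


# Constructed flow records, as a NetFlow/IPFIX export might summarize them.
FLOWS = [
    {"proto": 6, "src": "192.0.2.10", "dst": "198.51.100.5", "sport": 51000, "dport": 443},
    {"proto": 41, "src": "192.0.2.10", "dst": "192.88.99.1"},
    {"proto": 17, "src": "192.0.2.11", "dst": "198.51.100.9", "sport": 54000, "dport": 3544},
    {"proto": 41, "src": "192.0.2.12", "dst": "192.0.2.1"},
]

if __name__ == "__main__":
    for addr in ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2002:c000:204::1",
                 "fe80::5efe:192.0.2.7", "::192.9.5.5"):
        print(addr, describe(addr))
    print(find_tunnels(FLOWS))
```

Two practical uses: a Teredo address seen in IPv6 logs names the client’s real public IPv4 address and NAT port, so the IPv6 and IPv4 views of an incident can be joined; and the flow check is the rule to put in front of “block protocol 41 and UDP 3544”, so you see what breaks before you block it.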
“Lasciate ogne speranza, voi ch’intrate” (“Abandon all hope, you who enter here”). Where to start?
1. Train and learn (InfoSeCon)
2. Get buy-in from your org
3. Get policy (purchase only IPv6-capable products)
4. Inventory your systems
5. Build a lab, play, and learn more
6. Plan big, implement small, incrementally
7. Incent with carrot vs. stick: publish results, market internally (and externally)
8. Form a core IPv6 team
9. Pilot(s)
10. Work from inside out or outside in…
11. Deploy all new services with dual stack from day 1
IPv6 - Everywhere
• Data Center: servers; firewalls; proxies and load balancers; routers and Layer 3 enabled switches
• Remote locations: client desktop, laptop and mobile devices; routers and Layer 3 enabled switches; wireless networks (Wi-Fi, cellular); corporate remote access
• Network: all IP carrier networks; Internet; private IP networks
IPv6 Transition: IPv6 supportability timeline
• Dual stack required
• IPv6-enable hosts
• IPv6-enable servers
• Allow hosts to access IPv6 sites
• Transition applications to IPv6
WAN IPv6 Status: product-specific systems, rated per vendor (Vendor A, Vendor B, Vendor C) as Ready, Partial, Not Ready or Not Vendor Supported; the colour-coded ratings on the slide do not survive extraction.
• Basic Routing: IPv6 routing can be turned on and supported
• Embedded Firewall: firewall supports IPv6
• Intrusion Prevention: IDS / IPS supports IPv6
• Ethernet LAN: plug-in or embedded LAN ports
• Content Filtering
Seek Professional Help! Strategic roadmap (the slide’s four-phase diagram, flattened; Governance + Project Management spans all phases):
• Strategic Roadmap: Business Drivers, Technical Drivers, Strategic Goals, Training, Roadmap
• Impact Assessment & Gap Analysis: Network, Security, Applications, Compliance, Gap Analysis
• Transition Planning: Technology Selection, Migration Planning, Staff Preparation, IPAM Framework, Process Development
• Design & Implementation: Addressing Schema, D&I HLD/LLD, Proof of Concept, Implementation, Handoff & Support
IPv6 Tools
• http://ip-lookup.net/index.php : IP-Lookup helps you find information about your current IP address
• http://www.subnetonline.com/pages/ipv6-network-tools.php : IPv6 network tools
• http://ipv6-test.com/validate.php : website IPv6 accessibility validator
• http://www.ipv6proxy.net/ : test IPv6 web sites from IPv4 locations
• http://ipv6-test.com/ : free service that checks your IPv6 and IPv4 connectivity and speed
• http://test-ipv6.com/ : test your IPv6 connectivity
• https://msdn.microsoft.com/en-us/library/windows/desktop/bb736546(v=vs.85).aspx : the Netsh commands for IPv6
• http://ipv6-literal.com/ : converts IPv6 addresses into the Windows “literal” (ipv6-literal.net) name form
• http://www.pierky.com/ipv6-prefix-calculator/ : prefix calculator
• http://ip6.nl : test a site’s IPv6 capabilities
Thank you.
Rich Woynicz, Verizon, Enterprise Architect (“An unofficial IPv6 Evangelist”)
Phone: 919-378-3281
Location: Cary, NC
Email: [email protected]
Website: http://www.verizon.com
Twitter: @RichWoynicz
LinkedIn: https://www.linkedin.com/in/rwoynicz
Rich Woynicz has almost 30 years’ experience in designing, architecting, and delivering advanced communications solutions. He specializes in crafting complex solutions involving a variety of communications, IT, and security technologies for Verizon Global Enterprises and Public Sector customers. These solutions include incorporating and evangelizing evolving requirements like IPv6 and FISMA/FedRAMP security within Verizon’s solutions. He has two engineering degrees from Virginia Tech. In his spare time he enjoys fishing and is certified as an Extension Master Gardener in Raleigh, NC.