DeepSec 2014 Talk: The IPv6 Snort Plugin
The deployment of the new Internet Protocol Version 6 (IPv6) is gathering momentum. A lot of applications now have IPv6 capabilities. This includes security software. Routers and firewall systems were first, now there are also plugins and filters available for intrusion detection software such as Snort. Martin Schütte will present the IPv6 Snort Plugin at DeepSec 2014. We have asked him to give us an overview of what to expect.
- Please tell us the top 5 facts about your talk!
- Main research for my talk was done in 2011. I am quite surprised (and a little bit frightened) by how little the field of IPv6 security has developed since then.
- It is often easier to build attack tools than to defend against them. But to improve IPv6 network security we urgently need more detection and defence tools.
- The Snort IPv6 plugin is my approach to strengthen network security. It uses just a few building blocks to add new detection techniques to an old and established framework.
- The software project is a product of my diploma thesis, unfortunately I had to abandon it afterwards. So if anyone is interested in it and could help with further development they are more than welcome.
- It used to be difficult to compile the software but now I took the time to build a Debian package. I will publish that at DeepSec.
- How did you come up with it? Was there something like an initial spark that set your mind on it?
We started with the question ‘Why is IPv6 adoption’ so slow?’ One hypothesis was that there was a lack of sufficiently advanced network and security monitoring tools. Nobody wants to operate a network without any estimation on its activity and security implications. So I selected an IDS as a good way to approach these security issues. An IDS cannot solve all problems, but in many cases just making the issues and activity visible is already a big step ahead.
- Why do you think this is an important topic?
IPv6 is inevitable and we have to deal with it. As a protocol stack it has lots of problems of its own, and the whole v4 to v6 transition adds a second layer of problems on top of that. – But in the medium-term (say for the next decade) it is the only viable solution to the current IP address shortage.
- Is there something you want everybody to know – some good advice for our readers maybe? Except for “come to my talk” ?
Advice to anyone in network security: Ask your vendors about IPv6 operations and security functions! Too many people (even equipment providers) still hope IPv6 will not affect them and they end up with dysfunctional and insecure products.
- A prediction for the future – what’s next? What do you think will be the next innovations or future downfalls – for IT-Security in general and / or particularly in your field of expertise?
For IPv6 security: there are some more protocol layers to analyze, especially multicast comes to mind. Another very interesting and highly relevant topic are security issues caused by IPv4/IPv6 interaction and routing. So far we know of routing loop attacks against ISATAP, 6to4, and Teredo (documented in RFC 6324); in the future I would expect more of these directed against common IPv6/IPv4 tunnelling and transition configurations.
Martin’s presentation is one of the IPv6 talks we offer at DeepSec 2014. We recommend all IPv6 talks and the IPv6 workshop for anyone dealing with networks, either passively or actively.