Talk/Workshop: IPv6 Security In-Depth

René Pfeiffer/ September 6, 2011/ Conference

The tale of two protocol suites has been being written for some time now. The IPv4 Internet has run out of fresh addresses. The IPv6 deployment has begun, but it will take some time before IPv4 is completely phased out (if ever). The work on the IPv6 protocol started in the early 1990s with the temporary IP Next Generation Working Group, collecting proposals. In theory IPv6 addresses many shortcomings of IPv4 and consists of a thoroughly well-designed protocol suite with security in mind. In practice you will neither just switch to IPv6 nor skip the step where you consider the security implications. There is no zero conf mechanism when it comes to security.

All businesses need to know what the security impact of IPv6 really is. Some networks have already deployed IPv6, others think about it and are planning on how to introduce the new protocols. There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterpart, and thus it is more likely that the security implications of the protocols be overlooked when the protocols are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDS (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security measures in unexpected ways.

It is about time to get acquainted with IPv6. This is why DeepSec 2011 features a talk titled Results of a Security Assessment of the Internet Protocol version 6 (IPv6) by Fernando Gont. While a number of papers have been published on the security aspects of the IPv6 protocol suite, they usually provide general discussion on the security implications of IPv6, but do not delve into much detail regarding the security implications of each of the mechanisms, header fields, and options of all the involved protocols. During the last few years, the UK CPNI (Centre for the Protection of National Infrastructure) carried out a comprehensive security assessment of the Internet Protocol version 6 (IPv6) and related technologies (such as transition/co-existence mechanisms). Fernando Gont will discuss the results of the aforementioned project, highlighting the most important aspects of IPv6 security, providing advice on how to deploy the IPv6 protocols securely, and explaining a number of vulnerabilities that were found in IPv6 implementations (together with possible strategies to mitigate them). Additionally, he will demonstrate the use of some attack/assessment tools developed as part of this project (yet unreleased).

For everyone interested in the details or planning to deploy IPv6 DeepSec 2011 features a two-day workshop titled Hacking IPv6 Networks. This course will provide the attendee with an in-depth training on IPv6 security, such that the attendee is able to evaluate and mitigate the security implications of IPv6 in production environments. The attendee will be given an in-depth explanation of each topic covered in this course, and will learn how each of the features can be exploited for malicious purposes. Note that this is a hands-on training, so attendees will perform numerous exercises in a network laboratory (with the assistance of the trainer) such that the concepts and techniques learned during this course are reinforced with practical attack and defence examples.
Subsequently, the attendee will be presented with a number of alternatives to mitigate each of the identified vulnerabilities. This course will employ a variety of tools to evaluate the security of IPv6 networks, and to provide live demonstrations of many IPv6 vulnerabilities. Additionally, the attendee will be given the chance to experiment with these tools in a network laboratory (with the assistance of the trainer), such that the concepts and techniques learned during this course are reinforced with hands-on exercises.

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.