1. IPv6 residential gateway security
Eric Vyncke
Cisco Systems CTO/Consulting Engineering
evyncke@cisco.com
1
2. The Security Questions
when adding IPv6 to a RG/CPE
Is IPv6 more or less secure than IPv4?
Roughly equivalent (lack of knowledge makes IPv6 less secure
for now)
Which security policy for IPv6?
Same as for IPv4? (including the ‘NAT security’)
Same as in 2000 when IPv4 CPE were designed?
How congruent must be the IPv* policies?
draft-vyncke-advanced-ipv6-security-00.txt> 2
3. Typical IPv4 Security
Apply spoofing anti-spoofing (and anti-bogons)
Allow all traffic inside to outside
Only allow traffic outside to inside if it matches an
outbound flow
Drop the rest
Specific TCP/UDP ports could be blocked (such as 445/
TCP) or opened
Often co-located with the NAT function (cfr iptables)
draft-vyncke-advanced-ipv6-security-00.txt> 3
4. IPv6 Changes a Few Things
Link-local / ULA are completely isolated from ‘bad’
Internet
Good for security
Home device are globally reachable
Perhaps less good for security
draft-vyncke-advanced-ipv6-security-00.txt> 4
5. CPE to CPE Communication
IPv4 vs. IPv6
SP want to see all user to user traffic
IPv4 WAN addresses must communicate
Usually in the same layer 2 domain… tricks to force traffic to BNG
IPv6 WAN addresses have no reason to communicate
IPv6 LAN addresses must communicate (easy: this is routed)
SP BNG
2001:db8:bad::/64
192.2.0.0/24
Eric’s CPE Ole’s CPE
2001:db8:café::/64 192.168.1.0/24 192.168.1.0/24 2001:db8:bad::/64
draft-vyncke-advanced-ipv6-security-00.txt> 5
6. IPv6 Simple Security
An IETF work item from James Woodyatt, Apple
Advices a security policy for IPv6 which is mostly congruent with the IPv4
one:
Basic anti-bogons/spoofing
Outbound permitted
Inbound permitted
Benefits:
Guidelines for the CPE implementers
Technically doable & easy
Congruent with IPv4 (easier for user)
Cons:
Break the open host to host promise of IPv6
draft-vyncke-advanced-ipv6-security-00.txt> 6
7. What has changed between v4 & v6?
IPv4 CPE designed pre-2000
Hosts were weak, vulnerable
CPE were CPU and memory constraints
NAT prevents any easy & direct host to host communication
Security technique: mainly firewall
IPv6 CPE are designed in 2010 Humm…
Wishful
IPv6 hosts are much stronger and resistant thinking for
sensors,
CPE have more CPU and memory webcams and
other small/
Host to host communication is possible embedded OS
New security techniques: Intrusion Prevention System,
reputation of IP addresses, centralized & automatic updates
draft-vyncke-advanced-ipv6-security-00.txt> 7
8. Proposal: less simple security
Why not use modern techniques for IPv6 CPE?
IPS
Automated updates (policies & engines)
Address reputation
Cloud computing
…
Individual I-D: draft-vyncke-advanced-ipv6-security
draft-vyncke-advanced-ipv6-security-00.txt> 8
9. Overview
7 policies are identified. These are largely based on
features which are commonly available in “advanced”
security gear for enterprises today
Home edge router is not something that is purchased
and thrown away when obsolete. Instead, it is actively
updated like many other consumer devices are today
(PCs, iPods and iPhones, etc.)
Business model may include a paid subscription service
from the manufacturer, a participating service or
content provider, consortium, etc.
draft-vyncke-advanced-ipv6-security-00.txt> 9
10. Advanced Security
Dynamic Update
IPS
User control
Feedback
draft-vyncke-advanced-ipv6-security-00.txt> 10
11. Why is this important to IPv6?
Security policy can be adjusted to match the threat as
IPv6 attacks arrive
We don’t break end-to-end IPv6, unless we absolutely
have to
While providing arguably better security,
troubleshooting, etc. than we would otherwise
draft-vyncke-advanced-ipv6-security-00.txt> 11
12. Conclusion
IPv6 is as (in)secure as IPv4
User education will be key
IPv6@2010 is different than IPv4@2000
More secure hosts
More powerful CPE
End-to-end connectivity could/should be restored
draft-vyncke-advanced-ipv6-security-00.txt> 12