Abstract image of a woman sitting on books and studying on a laptop

IPv6 Security - Where is the Challenge

RIPE NCC, profile picture
RIPE NCC

The document discusses security challenges related to IPv6 deployment. It notes that while IPv6 introduces some new vulnerabilities, the biggest risks come from human errors like coding bugs, configuration mistakes, and poor design. Some specific IPv6 vulnerabilities mentioned include rogue router advertisements and weaknesses in the neighbor discovery protocol. The document emphasizes that securing access at lower layers and following best practices like patching systems, enabling encryption, and using strong authentication can help mitigate risks for both IPv4 and IPv6. Ultimately, the human factor is the largest source of security incidents rather than any vulnerabilities inherent in the protocols themselves.

Technology
Related topics:
RIPE NCC
1 of 20
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
IPv6 Security Where is the challenge? Marco Hogewoning External Relations RIPE NCC Sunday, April 21, 2013
Biggest Hurdle Deploying IPv6 2 (NRO: Global IPv6 Deployment Survey) Sunday, April 21, 2013
Increased Awareness? 3 (Ernst & Young: Global Information Security Survey) Sunday, April 21, 2013
Where is the Risk? Sunday, April 21, 2013
Threat or Vulnerability? • Threat: the potential to cause harm – DoS, unauthorised access, viruses • Vulnerability: a weakness that can be exploited – Bugs, configuration errors, design flaws • Risk: the possibility that a vulnerability will be exploited by somebody to cause harm 5 Sunday, April 21, 2013
Human Factor • Vulnerabilities exist because of human errors: – Coding errors – Configuration errors – Design flaws • Doesn’t mean it is your fault – But a lot of times you can limit the risk 6 Sunday, April 21, 2013
Examples Is this IPv6 related? Sunday, April 21, 2013
Rogue Router Advertisement • IPv6 relies on routers to announce themselves using ICMPv6 multicasts • Protocol has little to no security • Every machine can claim to be a router – Reconfigure clients to another subnet – Redirect or intercept traffic 8 Sunday, April 21, 2013
Rogue Router Advertisement (IPv4) • Every machine can start a DHCP server – Reconfigure clients to another subnet – Redirect or intercept traffic – NAT44 makes it much easier to hide it • ARP spoofing – Pretend I am the router by claiming its MAC address 9 Sunday, April 21, 2013
Protection at Protocol Layer • “RA Guard” feature – Filter route announcements on switches – On all ports except for the known router – Present in a lot of equipment already • SEcure Neighbor Discovery (SEND) – Fix the protocol by adding verification – Add cryptographic certificates and signatures – No widespread implementation 10 Sunday, April 21, 2013
What About Layer 2? • Securing access to the physical network: – 802.1x authentication – Disable unused ports on switches – Strengthen wireless passwords – MAC address counters or filters (port security) • Lowers the risk for both protocols – Can protect for other vulnerabilities 11 Sunday, April 21, 2013
Upper Layers Where are you? Sunday, April 21, 2013
Vulnerabilities are Everywhere • Most security incidents caused in the application layers: – Buffer overflows – SQL injection – Man-in-the-middle attacks – Weak authentication 13 Sunday, April 21, 2013
General Prevention Methods • Don’t run any unnecessary services • Keep up to date with software patches • Use encryption where possible • Use two-factor authentication • Keep it simple 14 Sunday, April 21, 2013
Source of Incidents 15 (PWC: Information Security Survey) Sunday, April 21, 2013
The Human Factor • Attacks are triggered by somebody • Known vulnerabilities are ignored • Mistakes can and will happen 16 Sunday, April 21, 2013
Capacity Building • Test your implementations before deploying – Don’t rely on the glossy brochure • Build up knowledge – Learn to identify potential risks – Learn how to deal with them • Make use of available resources – Training courses and tutorials – Share your experiences 17 Sunday, April 21, 2013
Improving Security with IPv6 • Multiple subnets makes it easier to separate functions or people • Lack of NAT – Makes everything much more visible – Security moves to the end hosts – Forces you to think • Somebody might already use IPv6! – Using tunnels to hide what is going on 18 Sunday, April 21, 2013
Conclusion • IPv6 might add some vulnerabilities • IPv6 is not a threat • You are the biggest risk 19 Sunday, April 21, 2013
Questions? marcoh@ripe.net Sunday, April 21, 2013

More Related Content

PDF
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
PPTX
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Mat...
North Texas Chapter of the ISSA
 
PDF
Network Security Tools
Emanuela Boroș
 
PPT
Network Security Tools and applications
webhostingguy
 
PPTX
Webinar On Ethical Hacking & Cybersecurity - Day2
Mohammed Adam
 
PDF
Akila srinivasan microsoft-bug_bounty-(publish)
PacSecJP
 
PDF
How secure are your systems
City Unrulyversity
 
PDF
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
Shah Sheikh
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Imperva
 
NTXISSACSC2 - Next-Generation Security and the Problem of Exploitation by Mat...
North Texas Chapter of the ISSA
 
Network Security Tools
Emanuela Boroș
 
Network Security Tools and applications
webhostingguy
 
Webinar On Ethical Hacking & Cybersecurity - Day2
Mohammed Adam
 
Akila srinivasan microsoft-bug_bounty-(publish)
PacSecJP
 
How secure are your systems
City Unrulyversity
 
Yehia Mamdouh @ DTS Solution - The Gentleman Thief
Shah Sheikh
 

What's hot (20)

PDF
Cambodia CERT Seminar: Incident response for ransomeware attacks
APNIC
 
PDF
Experience Sharing on School Pentest Project (Updated)
eLearning Consortium 電子學習聯盟
 
PPTX
Introduction of computer security
SoundaryaB2
 
PPT
Network security presentation
hamzakareem2
 
PDF
Computer Security and Risks
Miguel Rebollo
 
PPTX
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
PPT
Brucon presentation
wremes
 
PPTX
NTXISSACSC2 - Threat Modeling Part 3 - DREAD by Brad Andrews
North Texas Chapter of the ISSA
 
PDF
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
PPTX
Vulnerability assessment & Penetration testing Basics
Mohammed Adam
 
PPTX
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
CODE BLUE
 
PPTX
Security in Computer System
Manesh T
 
PDF
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 
PDF
The Current State of Cybersecurity
TruShield Security Solutions
 
PDF
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
TruShield Security Solutions
 
PPTX
PhD-Guidance-in-Security
Phdtopiccom
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
PPTX
Hacking
NishaPariyar
 
PDF
Introduction to the advanced persistent threat and hactivism
Global Micro Solutions
 
PPTX
Information Security Engineering
Md. Hasan Basri (Angel)
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
APNIC
 
Experience Sharing on School Pentest Project (Updated)
eLearning Consortium 電子學習聯盟
 
Introduction of computer security
SoundaryaB2
 
Network security presentation
hamzakareem2
 
Computer Security and Risks
Miguel Rebollo
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
Brucon presentation
wremes
 
NTXISSACSC2 - Threat Modeling Part 3 - DREAD by Brad Andrews
North Texas Chapter of the ISSA
 
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
Vulnerability assessment & Penetration testing Basics
Mohammed Adam
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
CODE BLUE
 
Security in Computer System
Manesh T
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 
The Current State of Cybersecurity
TruShield Security Solutions
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
TruShield Security Solutions
 
PhD-Guidance-in-Security
Phdtopiccom
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
OWASP Delhi
 
Hacking
NishaPariyar
 
Introduction to the advanced persistent threat and hactivism
Global Micro Solutions
 
Information Security Engineering
Md. Hasan Basri (Angel)
 
Ad

Viewers also liked (12)

PDF
IPv6 Autoconfig
Fred Bovy
 
PDF
I pv6 autoconfig20c
Frederic Bovy
 
PPTX
IPV6 Addressing
Heba_a
 
PPTX
Eric Vyncke - IPv6 security in general
IKT-Norge
 
PPT
Presentación IPv6
santisegui
 
PPTX
IPv6
Suman Bose
 
PPT
Ipv6
Selkis S.A
 
PPTX
IPV6 ppt
justdoitkhan
 
PPTX
IPv6 technical introduction
Rayed Alrashed
 
PPTX
Ipv6
satish 486
 
PPT
ipv6 ppt
Shiva Kumar
 
PDF
IPv6
Peter R. Egli
 
IPv6 Autoconfig
Fred Bovy
 
I pv6 autoconfig20c
Frederic Bovy
 
IPV6 Addressing
Heba_a
 
Eric Vyncke - IPv6 security in general
IKT-Norge
 
Presentación IPv6
santisegui
 
IPv6
Suman Bose
 
Ipv6
Selkis S.A
 
IPV6 ppt
justdoitkhan
 
IPv6 technical introduction
Rayed Alrashed
 
Ipv6
satish 486
 
ipv6 ppt
Shiva Kumar
 
IPv6
Peter R. Egli
 
Ad

Similar to IPv6 Security - Where is the Challenge (20)

PDF
IPv6 Security - Where is the Challenge?
RIPE NCC
 
PDF
IPv6 Security Overview by QS Tahmeed, APNIC RCT
Bangladesh Network Operators Group
 
PDF
IPV6 - Threats and Countermeasures / Crash Course
Thierry Zoller
 
PPT
Wolfgang Fritsche (IABG) – Secure IPv6 deployment
IPv6 Conference
 
PPTX
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
 
PDF
Internet Security, A Solid Foundation for Sustainable Internet Development
APNIC
 
PPTX
Slides from IPv6 Threats
Cyren, Inc
 
PDF
10 fn s05
Scott Foster
 
PDF
10 fn s05
Scott Foster
 
PDF
Internet Security - A Solid Foundation for Sustainable Internet Development.
APNIC
 
PDF
IPv6 Threat Presentation
johnmcclure00
 
PDF
Presd1 09
Niels Groeneveld
 
PPT
Chapter 4.ppt
girmawodajo
 
PDF
V6 v4-threats
Haris Padinharethil
 
PPT
Cloud Computing & Security
Awais Mansoor Chohan
 
PPT
Security Framework for the IPv6 Era
Shinsuke SUZUKI
 
PPTX
Ron Broersma dren-stavanger-22 nov2011
IPv6no
 
PPT
Adressing IPv6 strategy
Orange Business Services
 
PDF
IPv6 Deployment: Why and Why not?
apnic_slides
 
PPT
Security - ch5.ppt
HabtamuHaileMichael2
 
IPv6 Security - Where is the Challenge?
RIPE NCC
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
Bangladesh Network Operators Group
 
IPV6 - Threats and Countermeasures / Crash Course
Thierry Zoller
 
Wolfgang Fritsche (IABG) – Secure IPv6 deployment
IPv6 Conference
 
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
 
Internet Security, A Solid Foundation for Sustainable Internet Development
APNIC
 
Slides from IPv6 Threats
Cyren, Inc
 
10 fn s05
Scott Foster
 
10 fn s05
Scott Foster
 
Internet Security - A Solid Foundation for Sustainable Internet Development.
APNIC
 
IPv6 Threat Presentation
johnmcclure00
 
Presd1 09
Niels Groeneveld
 
Chapter 4.ppt
girmawodajo
 
V6 v4-threats
Haris Padinharethil
 
Cloud Computing & Security
Awais Mansoor Chohan
 
Security Framework for the IPv6 Era
Shinsuke SUZUKI
 
Ron Broersma dren-stavanger-22 nov2011
IPv6no
 
Adressing IPv6 strategy
Orange Business Services
 
IPv6 Deployment: Why and Why not?
apnic_slides
 
Security - ch5.ppt
HabtamuHaileMichael2
 

More from RIPE NCC (20)

PDF
A Look at a Root Cause for DNS Latency - APRICOT 2025
RIPE NCC
 
PDF
Internet Landscape and Network Resiliency in South East Europe
RIPE NCC
 
PDF
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
RIPE NCC
 
PDF
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
RIPE NCC
 
PDF
RIPE Atlas & other RIPE NCC Internet Measurement Tools
RIPE NCC
 
PDF
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
RIPE NCC
 
PDF
Minimising Impact before incidents occur with RIPE Atlas
RIPE NCC
 
PDF
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
RIPE NCC
 
PDF
Know Your Network: Why every network operator should host a RIPE Atlas probe
RIPE NCC
 
PDF
Know Your Network; why every network operator should host a RIPE Atlas probe
RIPE NCC
 
PDF
Taiwan's Digital Landscape with RIPE NCC Tools
RIPE NCC
 
PDF
Navigating IP Addresses: Insights from your Regional Internet Registry
RIPE NCC
 
PDF
Traces of Power: Internet Governance and Climate Action
RIPE NCC
 
PDF
Governing Environmental Sustainability in Tech
RIPE NCC
 
PDF
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
RIPE NCC
 
PDF
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
RIPE NCC
 
PDF
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
RIPE NCC
 
PDF
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC
 
PDF
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC
 
PDF
RIPE NCC Internet Measurement Tools
RIPE NCC
 
A Look at a Root Cause for DNS Latency - APRICOT 2025
RIPE NCC
 
Internet Landscape and Network Resiliency in South East Europe
RIPE NCC
 
ondrej-caletka-INEX-Deploying_IPv6_mostly.pdf
RIPE NCC
 
jelena-cosic-internet-landscape-and-network-resiliency-in-south-east-europe.pdf
RIPE NCC
 
RIPE Atlas & other RIPE NCC Internet Measurement Tools
RIPE NCC
 
Securing BGP with RPKI - Ondřej Caletka, RIPE NCC
RIPE NCC
 
Minimising Impact before incidents occur with RIPE Atlas
RIPE NCC
 
Know Your Network: Utilising RIS and RIPE Atlas to your advantage
RIPE NCC
 
Know Your Network: Why every network operator should host a RIPE Atlas probe
RIPE NCC
 
Know Your Network; why every network operator should host a RIPE Atlas probe
RIPE NCC
 
Taiwan's Digital Landscape with RIPE NCC Tools
RIPE NCC
 
Navigating IP Addresses: Insights from your Regional Internet Registry
RIPE NCC
 
Traces of Power: Internet Governance and Climate Action
RIPE NCC
 
Governing Environmental Sustainability in Tech
RIPE NCC
 
Gerardo-Viviers-RPKI-presentation-DKNOG14.pdf
RIPE NCC
 
LIA HESTINA - Minimising impact before incidents occur with RIPE Atlas and RIS
RIPE NCC
 
Intro to RIPE and RIPE NCC: RIPE Atlas workshop
RIPE NCC
 
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC
 
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC
 
RIPE NCC Internet Measurement Tools
RIPE NCC
 

Recently uploaded (20)

PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
Credit Without Borders: AI and Financial Inclusion in Bangladesh
Ehsan Tanim
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PDF
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
PDF
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
DOCX
search engine optimization ppt fir known well about this
StandardCodeLearning
 
PDF
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
PPTX
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
PPTX
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
PPTX
2018-HIPAA-Renewal-Training for executives
Mayank Mathur
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Credit Without Borders: AI and Financial Inclusion in Bangladesh
Ehsan Tanim
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
Getting started with AI Agents and Multi-Agent Systems
Maxim Salnikov
 
Flame analysis and combustion estimation using large language and vision assi...
IAESIJAI
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
search engine optimization ppt fir known well about this
StandardCodeLearning
 
The influence of sentiment analysis in enhancing early warning system model f...
IAESIJAI
 
Microsoft Excel 365/2024 Beginner's training
frank yeboah
 
Custom Battery Pack Design Considerations for Performance and Safety
Epec Engineered Technologies
 
2018-HIPAA-Renewal-Training for executives
Mayank Mathur
 
What is a Computer? Input Devices /output devices
GulJan8
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 

IPv6 Security - Where is the Challenge

  • 1. IPv6 Security Where is the challenge? Marco Hogewoning External Relations RIPE NCC Sunday, April 21, 2013
  • 2. Biggest Hurdle Deploying IPv6 2 (NRO: Global IPv6 Deployment Survey) Sunday, April 21, 2013
  • 3. Increased Awareness? 3 (Ernst & Young: Global Information Security Survey) Sunday, April 21, 2013
  • 4. Where is the Risk? Sunday, April 21, 2013
  • 5. Threat or Vulnerability? • Threat: the potential to cause harm – DoS, unauthorised access, viruses • Vulnerability: a weakness that can be exploited – Bugs, configuration errors, design flaws • Risk: the possibility that a vulnerability will be exploited by somebody to cause harm 5 Sunday, April 21, 2013
  • 6. Human Factor • Vulnerabilities exist because of human errors: – Coding errors – Configuration errors – Design flaws • Doesn’t mean it is your fault – But a lot of times you can limit the risk 6 Sunday, April 21, 2013
  • 7. Examples Is this IPv6 related? Sunday, April 21, 2013
  • 8. Rogue Router Advertisement • IPv6 relies on routers to announce themselves using ICMPv6 multicasts • Protocol has little to no security • Every machine can claim to be a router – Reconfigure clients to another subnet – Redirect or intercept traffic 8 Sunday, April 21, 2013
  • 9. Rogue Router Advertisement (IPv4) • Every machine can start a DHCP server – Reconfigure clients to another subnet – Redirect or intercept traffic – NAT44 makes it much easier to hide it • ARP spoofing – Pretend I am the router by claiming its MAC address 9 Sunday, April 21, 2013
  • 10. Protection at Protocol Layer • “RA Guard” feature – Filter route announcements on switches – On all ports except for the known router – Present in a lot of equipment already • SEcure Neighbor Discovery (SEND) – Fix the protocol by adding verification – Add cryptographic certificates and signatures – No widespread implementation 10 Sunday, April 21, 2013
  • 11. What About Layer 2? • Securing access to the physical network: – 802.1x authentication – Disable unused ports on switches – Strengthen wireless passwords – MAC address counters or filters (port security) • Lowers the risk for both protocols – Can protect for other vulnerabilities 11 Sunday, April 21, 2013
  • 12. Upper Layers Where are you? Sunday, April 21, 2013
  • 13. Vulnerabilities are Everywhere • Most security incidents caused in the application layers: – Buffer overflows – SQL injection – Man-in-the-middle attacks – Weak authentication 13 Sunday, April 21, 2013
  • 14. General Prevention Methods • Don’t run any unnecessary services • Keep up to date with software patches • Use encryption where possible • Use two-factor authentication • Keep it simple 14 Sunday, April 21, 2013
  • 15. Source of Incidents 15 (PWC: Information Security Survey) Sunday, April 21, 2013
  • 16. The Human Factor • Attacks are triggered by somebody • Known vulnerabilities are ignored • Mistakes can and will happen 16 Sunday, April 21, 2013
  • 17. Capacity Building • Test your implementations before deploying – Don’t rely on the glossy brochure • Build up knowledge – Learn to identify potential risks – Learn how to deal with them • Make use of available resources – Training courses and tutorials – Share your experiences 17 Sunday, April 21, 2013
  • 18. Improving Security with IPv6 • Multiple subnets makes it easier to separate functions or people • Lack of NAT – Makes everything much more visible – Security moves to the end hosts – Forces you to think • Somebody might already use IPv6! – Using tunnels to hide what is going on 18 Sunday, April 21, 2013
  • 19. Conclusion • IPv6 might add some vulnerabilities • IPv6 is not a threat • You are the biggest risk 19 Sunday, April 21, 2013