02 ipv6-cpe-panel security

1

IPv6 residential gateway security

Eric Vyncke Cisco Systems CTO/Consulting Engineering [email protected]

draft-vyncke-advanced-ipv6-security-00.txt> 2

The Security Questions when adding IPv6 to a RG/CPE

  Is IPv6 more or less secure than IPv4? Roughly equivalent (lack of knowledge makes IPv6 less secure for now)

 Which security policy for IPv6? Same as for IPv4? (including the ‘NAT security’) Same as in 2000 when IPv4 CPE were designed?

 How congruent must be the IPv* policies?


Typical IPv4 Security

 Apply spoofing anti-spoofing (and anti-bogons)

 Allow all traffic inside to outside

 Only allow traffic outside to inside if it matches an outbound flow

 Drop the rest

 Specific TCP/UDP ports could be blocked (such as 445/TCP) or opened

 Often co-located with the NAT function (cfr iptables)


IPv6 Changes a Few Things

  Link-local / ULA are completely isolated from ‘bad’ Internet

Good for security

 Home device are globally reachable Perhaps less good for security


CPE to CPE Communication IPv4 vs. IPv6   SP want to see all user to user traffic

  IPv4 WAN addresses must communicate Usually in the same layer 2 domain… tricks to force traffic to BNG

  IPv6 WAN addresses have no reason to communicate IPv6 LAN addresses must communicate (easy: this is routed)

SP BNG

Ole’s CPE Eric’s CPE

2001:db8:café::/64 2001:db8:bad::/64

2001:db8:bad::/64

192.2.0.0/24

192.168.1.0/24 192.168.1.0/24


IPv6 Simple Security

  An IETF work item from James Woodyatt, Apple

  Advices a security policy for IPv6 which is mostly congruent with the IPv4 one:

Basic anti-bogons/spoofing Outbound permitted Inbound permitted

  Benefits: Guidelines for the CPE implementers Technically doable & easy Congruent with IPv4 (easier for user)

  Cons: Break the open host to host promise of IPv6


What has changed between v4 & v6?

  IPv4 CPE designed pre-2000 Hosts were weak, vulnerable CPE were CPU and memory constraints NAT prevents any easy & direct host to host communication Security technique: mainly firewall

  IPv6 CPE are designed in 2010 IPv6 hosts are much stronger and resistant CPE have more CPU and memory Host to host communication is possible New security techniques: Intrusion Prevention System, reputation of IP addresses, centralized & automatic updates

Humm… Wishful

thinking for sensors,

webcams and other small/

embedded OS


Proposal: less simple security

 Why not use modern techniques for IPv6 CPE? IPS Automated updates (policies & engines) Address reputation Cloud computing …

  Individual I-D: draft-vyncke-advanced-ipv6-security


Overview

  7 policies are identified. These are largely based on features which are commonly available in “advanced” security gear for enterprises today

 Home edge router is not something that is purchased and thrown away when obsolete. Instead, it is actively updated like many other consumer devices are today (PCs, iPods and iPhones, etc.)

 Business model may include a paid subscription service from the manufacturer, a participating service or content provider, consortium, etc.


Advanced Security

Feedback

User control

IPS

Dynamic Update


Why is this important to IPv6?

 Security policy can be adjusted to match the threat as IPv6 attacks arrive

 We don’t break end-to-end IPv6, unless we absolutely have to

 While providing arguably better security, troubleshooting, etc. than we would otherwise


Conclusion

  IPv6 is as (in)secure as IPv4

 User education will be key

  IPv6@2010 is different than IPv4@2000 More secure hosts More powerful CPE End-to-end connectivity could/should be restored

02 ipv6-cpe-panel security

Education

Transcript of 02 ipv6-cpe-panel security