
Security Implications of IPv6


Location

Ottawa, ON
Canada
45° 24' 41.6592" N, 75° 41' 53.4984" W

Fernando Gont will discuss some of the results of a Security Assessment of the Internet Protocol version 6 (IPv6) carried out on behalf of the UK CPNI (United Kingdom's Centre for the Protection of National Infrastructure). He will explain some of the security implications arising from the protocol specifications themselves, and from a number of implementation strategies followed by some of the most popular IPv6 implementations (including KAME). He will describe ongoing efforts to mitigate these issues, and will explain the system knobs available in the different BSD flavours to control different aspects of the IPv6 stack.

The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, because IPv6 is a new technology, technical personnel have much less confidence with the IPv6 protocols than with their IPv4 counterparts, and thus it is more likely that the security implications of the protocols will be overlooked when they are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness can be compared to that of the existing IPv4 implementations. Thirdly, there is much less implementation experience with the IPv6 protocols than with their IPv4 counterparts, and “best current practices” for their implementation are not available. Fourthly, security products such as firewalls and NIDSs (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts.

While a number of papers have been published on the security aspects of the IPv6 protocol suite, they usually provide a general discussion of the security implications of IPv6, but do not delve into much detail regarding the security implications of each of the mechanisms, header fields, and options of all the involved protocols.

There is a clear need to raise awareness about the security aspects and implications of the IPv6 protocol suite, to improve the confidence of both IPv6 implementers and the personnel working on the deployment of IPv6 in production environments.

Minutes: 66
Event: BSDCan2010
Speaker: Fernando Gont
Filmed: 13.05.2010

Comments

IPv6 is only about bigger numbers?

As a guy that has been researching/hacking/securing IPv6 for over 8 years, I think you are a bit confused! IPv6 is a rethink/rewrite of the original IPv4 security model with many new features, beyond IPSec. I agree, vendors have ignored IPv6 and the proper implementation of the protocol on routers, firewalls, IDS/IPS devices, hosts and more. I have multiple vulnerabilities; many, through responsible disclosure, have been waiting for years for vendors to fix. You can view my 'public work' at http://sites.google.com/site/ipv6security/

Re: IPv6 is only about bigger numbers?

Can you provide details about what's the "rethink of the original IPv4 security model" you're referring to? -- Yes, there are new protocols, etc. But that doesn't necessarily imply any sort of "rethink" by itself.

Why don't you provide

Why don't you provide download links for the video?

We're not running Flash junk here, nor are we running random sites' javascript on our browser, so your "embed" junk is badly broken.

Even if we could stream, we also want to view it offline after downloading it at less than 1Gbps rates.

So why do you restrict to broken embedded "streaming" instead of providing links for downloading? Please provide download links.