02 ipv6-cpe-panel security
IPv6 residential gateway security
Eric Vyncke, Cisco Systems, CTO/Consulting Engineering, [email protected]
draft-vyncke-advanced-ipv6-security-00.txt
The Security Questions when adding IPv6 to a RG/CPE
- Is IPv6 more or less secure than IPv4? Roughly equivalent (lack of knowledge makes IPv6 less secure for now)
- Which security policy for IPv6? Same as for IPv4 (including the ‘NAT security’)? Same as in 2000 when IPv4 CPEs were designed?
- How congruent must the IPv* policies be?
Typical IPv4 Security
- Apply anti-spoofing (and anti-bogon) filtering
- Allow all traffic inside to outside
- Only allow traffic outside to inside if it matches an outbound flow
- Drop the rest
- Specific TCP/UDP ports could be blocked (such as 445/TCP) or opened
- Often co-located with the NAT function (cf. iptables)
IPv6 Changes a Few Things
- Link-local / ULA are completely isolated from the ‘bad’ Internet: good for security
- Home devices are globally reachable: perhaps less good for security
CPE to CPE Communication: IPv4 vs. IPv6
- SP wants to see all user-to-user traffic
- IPv4 WAN addresses must communicate; usually in the same layer 2 domain… tricks to force traffic to the BNG
- IPv6 WAN addresses have no reason to communicate; IPv6 LAN addresses must communicate (easy: this is routed)
[Diagram: SP BNG in the middle; Ole’s CPE with LAN 2001:db8:café::/64 and 192.168.1.0/24, Eric’s CPE with LAN 2001:db8:bad::/64 and 192.168.1.0/24; 2001:db8:bad::/64 and 192.2.0.0/24 shown on the WAN side]
IPv6 Simple Security
- An IETF work item from James Woodyatt, Apple
- Advises a security policy for IPv6 which is mostly congruent with the IPv4 one: basic anti-bogon/anti-spoofing; outbound permitted; inbound permitted
- Benefits: guidelines for the CPE implementers; technically doable & easy; congruent with IPv4 (easier for the user)
- Cons: breaks the open host-to-host promise of IPv6
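The stateful policy of the Typical IPv4 Security slide and the congruent IPv6 Simple Security policy, modelled in one engine so the "same policy for both families" point can be exercised. This is an added example, not code from the slides, the draft or the IETF work; the bogon list, the blocked-port set, the packet fields and the addresses used are assumptions.

```python
# Added example (not from the draft or the slides): a toy model of the CPE policy
# described above: anti-spoofing/anti-bogon, outbound permitted, inbound only on
# an existing outbound flow, selected ports blocked, the rest dropped. One engine
# serves IPv4 and IPv6, which is what "congruent" means in practice.
import ipaddress
from dataclasses import dataclass

# Source prefixes that must never arrive from the WAN (assumed list, illustrative only).
WAN_BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]


@dataclass(frozen=True)
class Pkt:
    iface: str   # "lan" or "wan": the side on which the packet entered the CPE
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


class CpeFirewall:
    # blocked_ports is an assumed (proto, port) set; 445/TCP comes from the slide.
    def __init__(self, lan_prefixes, blocked_ports=frozenset({("tcp", 445)})):
        self.lan = [ipaddress.ip_network(p) for p in lan_prefixes]
        self.blocked = blocked_ports
        self.flows = set()   # (proto, src, sport, dst, dport) of accepted outbound flows

    def _in_lan(self, addr):
        return any(addr in n for n in self.lan)   # False on IPv4/IPv6 version mismatch

    def decide(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if p.iface == "lan":
            # Anti-spoofing: LAN hosts may only source from the delegated prefixes.
            if not self._in_lan(src) or (p.proto, p.dport) in self.blocked:
                return "drop"
            self.flows.add((p.proto, src, p.sport, dst, p.dport))
            return "accept"
        # WAN side: bogons and packets claiming one of our own LAN prefixes are dropped.
        if any(src in n for n in WAN_BOGONS) or self._in_lan(src):
            return "drop"
        # Inbound only if it is the reverse direction of an outbound flow we recorded.
        if (p.proto, dst, p.dport, src, p.sport) in self.flows:
            return "accept"
        return "drop"   # everything else, including unsolicited traffic to a global IPv6 host
```

The same instance handles a 192.168.1.0/24 and a 2001:db8:cafe::/64 LAN, and an unsolicited packet to a globally reachable IPv6 host is dropped exactly like an unsolicited IPv4 packet would be, which is the congruence the slide describes.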
What has changed between v4 & v6?
IPv4 CPE designed pre-2000:
- Hosts were weak, vulnerable
- CPE were CPU and memory constrained
- NAT prevents any easy & direct host-to-host communication
- Security technique: mainly firewall
IPv6 CPE are designed in 2010:
- IPv6 hosts are much stronger and more resistant
- CPE have more CPU and memory
- Host-to-host communication is possible
- New security techniques: Intrusion Prevention System, reputation of IP addresses, centralized & automatic updates
Hmm… wishful thinking for sensors, webcams and other small/embedded OS
Proposal: less simple security
Why not use modern techniques for IPv6 CPE?
- IPS
- Automated updates (policies & engines)
- Address reputation
- Cloud computing
- …
Individual I-D: draft-vyncke-advanced-ipv6-security
Overview
- 7 policies are identified. These are largely based on features which are commonly available in “advanced” security gear for enterprises today
- The home edge router is not something that is purchased and thrown away when obsolete. Instead, it is actively updated like many other consumer devices are today (PCs, iPods and iPhones, etc.)
- The business model may include a paid subscription service from the manufacturer, a participating service or content provider, a consortium, etc.
Advanced Security
[Diagram: four building blocks around the CPE: Feedback, User control, IPS, Dynamic update]
Why is this important to IPv6?
- Security policy can be adjusted to match the threat as IPv6 attacks arrive
- We don’t break end-to-end IPv6, unless we absolutely have to
- While providing arguably better security, troubleshooting, etc. than we would otherwise
Conclusion
- IPv6 is as (in)secure as IPv4
- User education will be key
- IPv6@2010 is different than IPv4@2000: more secure hosts, more powerful CPE, end-to-end connectivity could/should be restored