BSDCan2010 - Final Release

BSDCan 2010
The Technical BSD Conference

Fernando Gont
Day Talks - 1 - 2010-05-13
Room DMS 1120
Start time 13:00
Duration 01:00
ID 199
Event type Lecture
Track Hacking
Language used for presentation English

Security Implications of the Internet Protocol version 6 (IPv6)

Fernando Gont will discuss some of the results of a Security Assessment of the Internet Protocol version 6 (IPv6) carried out on behalf of the UK CPNI (United Kingdom's Centre for the Protection of National Infrastructure). He will explain some of the security implications arising from the protocol specifications themselves, and from a number of implementation strategies followed by some of the most popular IPv6 implementations (including KAME). He will describe ongoing efforts to mitigate the aforementioned issues, and will explain the different system knobs that are available in the different BSD-flavours to control different aspects of the IPv6 stack.

The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, by providing a much larger address space than that of its IPv4 counterpart, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years.

There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterpart, and thus it is more likely that the security implications of the protocols be overlooked when they are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness can be compared to that of the existing IPv4 implementations. Thirdly, there is much less implementation experience with the IPv6 protocols than with their IPv4 counterpart, and “best current practices” for their implementation are not available. Fourthly, security products such as firewalls and NIDS’s (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts.

While a number of papers have been published on the security aspects of the IPv6 protocol suite, they usually provide general discussion on the security implications of IPv6, but do not delve into much detail regarding the security implications of each of the mechanisms, header fields, and options of all the involved protocols.

There is a clear need to raise awareness about the security aspects and implications of the IPv6 protocol suite, to improve the confidence of both IPv6 implementers and the personnel working on the deployment of IPv6 in production environments.