Embed Size (px)
Citation preview
3-May-05 IPv6 Security 1
Securing an IPv6 Network
Spring 2005 Internet2 Members Meeting
Arlington, VARon Broersma
DREN Chief EngineerHigh Performance Computing Modernization Program
3-May-05 IPv6 Security 2
Context• Historical
– 2001 – DREN IPv6 testbed• Wide area• Dedicated hardware – 10 “core” nodes.• Native IPv6 over partial ATM mesh
– 2003 – DoD and IPv6• DoD CIO issues memorandum to transition by 2008• DREN chosen as the DoD “pilot implementation”
– 2003/2004 – DoD “pilot” on DREN production network• dual stack, native, running on production DREN network
– 2004/2005 – additional efforts• site deployment, multicast, DHCP/DNS, mobility
• Within DoD…– Each of the services (Army, Navy, Air Force) developing their own
transition plans for the “operational networks”.• Most will not begin implementation for a year or more• Most will not be complete until after 2008
– DREN is DoD’s “research network”, and is transitioning now.• Chartered to support the DoD HPC community, and other R&D
organizations.
3-May-05 IPv6 Security 3
DREN Today
• 10 “core nodes” on OC-192 backbone (CONUS), with OC-12 extensions to Hawaii and Alaska.
• About 100 sites (“Service Delivery Points”), connected at DS-3 to OC-48 rates.
• IPv4 unicast and multicast, IPv6 unicast, and ATM services now.
• Dual IPv6 networks (“testbed”, and “production”)
• “jumbo-clean” (i.e. 9K MTU everywhere)• Multiple security levels.
– Both unclassified and classified networks
3-May-05 IPv6 Security 4
DREN “production” network
3-May-05 IPv6 Security 5
DRENv6 “testbed”Logical Topology
Dayton
San Diego
Albuquerque
Wash D.C.
Stennis
Vicksburg
Aberdeen
ATM PVC (OC-3)
tunnel
HICv6
(Hawaii)
GlobalCrossing
HurricaneElectric
LAVAnet
SPRINT
vBNS+
6TAP
SSC CharlestonSSAPAC
SSC San Diego
WCISD
AOL
NRL
ARLWPAFB
ERDC
NAVO
C&W
Cisco
NTTComVerio
AFRLKirtland AFB
Abilene
SD-NAPSDSC
Core Router
“site”
IXP
ISP orBGP Neighbor
FIX-West Abilene
HP
AIX-v6
TIC
JITC
Tunnel broker
3-May-05 IPv6 Security 6
DREN IPv6 philosophy
• Push the “I believe” button, and turn on IPv6 everywhere to see what works (and what doesn’t)
• Do it in a production environment– can get away with this in an R&D
environment, but not on operational networks.
• Go native. (no tunnels)• Even if the world doesn’t convert for
years, R&D environments need it now.• Figure out how to deploy IPv6 to the
rest of DoD in the future.
3-May-05 IPv6 Security 7
Unique Security Challenges
• DoD networks are a big target• DoD has mandatory security
requirements– Certification and Accreditation (DITSCAP)– DoD ports&protocols– Navy UTN Protect Policy– etc.
• Defense in Depth modelGoal: Try to achieve equivalent security to IPv4, so we can deploy IPv6 within DoD policy.
3-May-05 IPv6 Security 8
DoD Security Model
• “Defense in Depth”– Protections at
multiple levels
• Problem: How to securely deploy IPv6 in DoD without these components.
InternetInternet
WANWAN
LANLAN
S
IDSACL
Firewall
IDS
ACL
Scanners
3-May-05 IPv6 Security 9
Lack of Security Features (Examples)
• Router Access Control Lists (ACLs)– Juniper doesn’t support “tcp established”
• Vulnerability Assessment (Scanners)– ISS doesn’t support IPv6 and has no published plans to do so.– NESSUS doesn’t support IPv6 (yet)
• Intrusion Detection Systems– If we want IPv6 support, we have to add it ourselves.– Juniper port mirroring doesn’t support IPv6
• IPSEC– Missing in most IPv6 implementations– Juniper ASPIC doesn’t support IPv6 (until much later)
• Firewalls– Until recently, no production quality IPv6 support– Netscreen (Juniper):
• no OSPFv3, only RIP• IPv6 support only available in certain products• “transparent mode” doesn’t work for IPv6
It is crucial that IPv6 products have equivalent functionality to the IPv4 world
3-May-05 IPv6 Security 10
Overcoming the security issue (workaround)
• Use DRENv6 testbed for transit to Internet– use to peer with rest of IPv6 enable Internet and other testbeds– continue to operate as an “untrusted” IPv6 network
• Enable IPv6 on new DREN2 (MCI) production network.– Dual stack everywhere.
• Establish trusted gateways between v6 enabled DREN2 and the DRENv6 testbed– Upgrade HPC Network Intrusion Detection Systems (NIDS) to be
v6-compliant, monitored by the HPC Computer Emergency Response Team (CERT), and install at the trusted gateways.
– Install v6 version of standard DREN v4 Access Control Lists (ACLs) to protect pilot network to same level as IPv4 production network.
• DREN customers receive “safe” native IPv6 service via existing service delivery point (SDP), in parallel with IPv4 service.
3-May-05 IPv6 Security 11
DREN IPv6 transition architecture – FY04
DRENv6 (Testbed)DRENv6 (Testbed)
DREN2 (Production / Pilot)DREN2 (Production / Pilot)sdp.arlapgsdp.sandiego
sdp.erdc
SSCSDERDC
ARL-APG
NIDSv6NIDSv6 NIDSv6
v6 ACLv6 ACL
v6 ACL
To 6bone, Abilene, and other IPv6 enabled ISPs IPv6 demonstrations (Moonv6)
Dual stack IPv4 and IPv6 wide area infrastructure
sdpsdp
sdp
Type “A” (IP) production service to DREN sitesIPv4 and IPv6 provided over the same interface
Testbed atDREN site
Testbed atDREN site
Native IPv6 backbone
links run native IPv6 where possible, otherwise tunnelled in IPv4
Goal: As secure asthe IPv4 backbone
3-May-05 IPv6 Security 12
Site Security Solution(Example – SPAWAR)
• SPAWAR Intrusion Detection System (IDS) modified to support IPv6
• Netscreen Firewall with IPv6 support in parallel with production firewall.
DREN2 (Pilot)
DREN2 (Pilot)
SPAWARBorder router(Juniper M20)
Netscreen 2000Firewall
to LAN
IPv4 unicast andmulticast services+ IPv6 unicast
Netscreen 208Firewall
switch
IPv4 IPv6
IDS
ProductionFirewall
WAN
IPv6 Firewall
3-May-05 IPv6 Security 13
Other Security Issues
• IPv6 tunnels crossing security domains• TCP and UDP port numbers aren’t in a
fixed location, so how do you filter on them?
• Privacy concerns of non-changing interface identifier (IID)
• What issues haven’t we discovered yet?
3-May-05 IPv6 Security 14
Summary
• With some work, it is possible to secure an IPv6 network.
• There are still some missing pieces, but it is getting better.
• IPv6 capability in products is good, but we cannot be satisfied unless all the security functions and features work just as well in IPv6 as they do in IPv4.
