Bob Hinden / Check Point Fellow
IPv6, Internet Security, and the Internet of Insecure Things
© 2018 Check Point Software Technologies Ltd.

INTERNET PROTOCOL VERSION 6 (IPV6)
Bob Hinden – May 2018
IPv6 Background
• In the early 1990s it was not clear that TCP/IP was going to be successful
• There were many competitors: OSI CLNP, ATM, AT&T Business, etc.
• Predictions of Internet meltdowns
• The IETF was not considered to be an official standards organization
• Not having a plan for what follows IPv4 was a real issue
Some Old Slides from ~1995
IETF IPng Time Line
• ~1990 – Internet growing exponentially and started looking like running out of IP addresses
  – Projected exhaustion of Class B address space
• 1991 – Routing and Addressing (ROAD) group formed; recommended implementing CIDR and developing IP Next Generation (IPng)
• 1992 – IAB issues "IP Version 7"; this came to be known as the "Kobe Incident"
• 1992 (cont) – IETF issues call for IPng proposals
• 1993 – IESG took on IPng responsibility; IPng Area formed
  – Scott Bradner & Allison Mankin area directors
  – RFC1550 Call for IPng Solicitation published
• 1994 – IPng Recommendation
IPng Candidates
[Figure: timeline from Jan 92 to Jul 94 of the IPng candidate proposals: IPv7 (Ullman), TP/IX, CATNIP, TUBA (Callon), ENCAPS (Hinden), IPAE, SIP (Deering), PIP (Francis), SIPP, IPv6]
IP Version Numbers
Version  Name
0-3      Unassigned
4        Internet Protocol (current IPv4)
5        Stream Protocol (ST) (not an IPng)
6        SIP – SIPP – IPv6
7        IPv7 – TP/IX – CATNIP
8        Pip
9        TUBA
10-15    Unassigned
Classless Inter-Domain Routing (CIDR)
• Relaxed fixed boundaries in IP address allocation
  – Original IP allocation strategy was "flat"
• Allocate blocks of IP addresses to providers
  – Now called prefixes
  – Routing protocols changed to aggregate all routes to a single provider
• CIDR made address utilization more efficient and greatly improved core routing scaling
TUBA
• TCP/UDP Over Bigger Addresses
  – Chairs: Peter Ford & Mark Knopper
  – Documented in RFC1347
• Approach was to run TCP/UDP over the ISO Connection-Less Network Protocol (CLNP)
  – Leveraged the ISO work
• Strength was CLNP, weakness was CLNP
CATNIP
• Common Architecture for Next-generation Internet Protocol (CATNIP)
  – Chair: Vladimir Sukonnik
  – Documented in RFC1707
• Based on work of TP/IX working group
  – Goal was to find common ground between OSI and Novell protocols, and to increase the scale and performance
• Not well specified, interesting ideas, but not a complete proposal
SIPP
• Simple Internet Protocol Plus (SIPP)
  – Chairs: Steve Deering, Paul Francis, Bob Hinden
  – Documented in RFC1710
• Based on merger of ENCAPS into IPAE, merged with SIP, and with PIP
  – New version of IP designed to be an evolutionary step from IPv4. Designed to work over a range of speeds and network types.
• Clean design from SIP, addresses too small, extended addresses too complex.
The Address Size Debate
• Fixed length 64-bit addresses (SIP)
  – Met requirements by 3 orders of magnitude: 10^12 sites, 10^15 nodes at .0001 allocation
  – Minimizes growth of packet
  – Efficient for software processing
• Variable length addresses, up to 160 bits (TUBA)
  – Compatible with OSI NSAP address plans
  – Large enough for auto-configuration using IEEE 802 addresses
  – Could start with short addresses and grow later
• Compromised on fixed length 128-bit addresses
IPng Recommendation
• IPng based on SIPP with 128-bit addresses
• IPng working group created to create specifications and standardize IPv6
  – Chairs: Steve Deering, Ross Callon
  – Document editor: Bob Hinden
• Goal to resolve remaining issues, complete unfinished work, move to Proposed Standard
  – IPv6 first published as RFC1883, December 1995
We did Run Out of IPv4 Addresses
(Last allocation to RIRs from the IANA free pool 31 Jan 2011)
[Figure: unallocated IPv4 address blocks (0 to 150) from Jan 1990 to Jan 2015]
22% of User Access to Google is with IPv6
https://www.google.com/intl/en/ipv6/statistics.html
North America ISP Status
ISP                     Percentage
Comcast                 65%
AT&T                    65%
Charter Communications  31%
Cox Communications      48%
T-Mobile USA            93%
Verizon Wireless        84%
Rogers Communications   49%
Sprint Wireless         70%
http://www.worldipv6launch.org/measurements/
IPv6 Deployment by Country, LACNIC Region
[Figure: per-country IPv6 deployment percentages in the LACNIC region (24%, 29%, 20%, 6%, 8%, 6%, 5%; country labels not recoverable)]
https://www.google.com/intl/en/ipv6/statistics.html
IPv6 is now an Internet Standard
• The IETF published IPv6 as an Internet Standard in July 2017
  – Internet Standard is the last step in the IETF Standards Process
• STD 86, RFC 8200
  – Title: Internet Protocol, Version 6 (IPv6) Specification
  – Authors: S. Deering, R. Hinden
  – Status: Standards Track
  – Date: July 2017
  – Obsoletes: RFC 2460
IPv6 State Today
• Major platforms all support IPv6
  – MacOS, Windows 10, Linux, Android, iOS, …
  – Routers, Switches, Firewalls, …
• Major content providers support IPv6
  – Google, Netflix, Facebook, LinkedIn, YouTube, …
• Large ISPs support IPv6
• CDNs provide IPv6 access to IPv4-only sites
• AWS now supports IPv6
• Some large Enterprises are going IPv6 only
Challenges going Forward
IPv6 is on the roadmap, but…
• Mid-size sites: Banks, Commerce, …
• Enterprises are mostly IPv4 today
• Smaller ISPs
• IoT Devices
• Some new network products still come IPv4 only
We have come a long way, but more to do
IPv6 Conclusions
• We were right about running out of IPv4 addresses
  – But did not understand the impact of NAT
• We were not right about
  – How long it would take to develop IPv6
  – When IPv4 addresses would run out
  – How hard and long to deploy
• We made IPv6 happen by building a broad community of motivated and dedicated people around the world
Conclusions (2)
• We did not anticipate how the Internet would change
  – No longer "build it and they will come"
  – Now there has to be a business case
• A lot of the industry was in denial for a long time
• No one has done this before
The Internet Today
• It's very hard to deploy anything that requires global deployment before it becomes useful
  – Anything new needs immediate return
  – It has to solve a local problem, before it can solve a global problem
• The good news is that IPv6 deployment has become a local problem

INTERNET SECURITY
Sometimes I Wonder Why People…
• <RANT>
  – Choose the platform with the most exploits?
  – Don't upgrade to the latest version of the Operating System?
  – Don't apply patches and updates?
  – Don't run AV, Anti-Malware, etc.?
  – Run systems with no support?
• </RANT>
They must WANT to run Malware!
Internet Security is a Problem
• Making systems secure is hard
• Openness and Security are opposites
• General purpose computing platforms are close to impossible to secure
• Isolation from the Internet does not protect systems
• There is no inside or outside
• Open Source doesn't mean secure
• https: doesn't protect you from bad actors
• Motivations for attacks include:
  – State Sponsored
  – Financial
  – Political
• It doesn't seem to be getting better….
Trust on the Internet
• The Snowden NSA revelations have reduced trust in the Internet
  – Everyone was surprised by how extensively Internet traffic is being monitored
• It has made it much harder for the "West" to speak for an Open Internet
• Calls for more regulation of the Internet
What is being done
• The IETF and other standards organizations are moving to make protocols have encryption on by default
• Content providers are enabling encryption
  – Google reports that 93% of their access traffic is https!
• Browsers are flagging non-secure sites
• This won't stop Pervasive Monitoring, but it will make it harder to see all of the traffic all of the time
  – Selected individuals will always be vulnerable
• However, some bad actors are now encrypting their traffic
  – Just because it's a secure connection doesn't mean it is safe
Making Platforms more Secure
• Platforms modeled like Apple's iOS Apps may be the future
  – Vendor controlled applications
  – Only verified applications are allowed
  – Vendor has the ability to remove or disable applications
  – Windows 10 S is the latest example
• This is a loss for everyone in many ways, but may be the only approach that works
  – I doubt most consumers will care
• We need to have platforms that are more secure
• What do we do about the installed base of old systems?

THE INTERNET OF INSECURE THINGS (sometimes called IoT)
We Have a Problem
• Most IoT Devices are not secure
• Numerous Security Weaknesses
  – Default login/passwords, fixed firmware login/passwords, no software updates, no vendor security support, …
• Gartner says 6.4 Billion IoT Devices now
  – Forecasts 20.8 Billion in 2020
Initial IoT Based DDoS Attacks
• KrebsOnSecurity attacked 13 Sept 2016
• Published a series of articles about vDOS (a DDoS-for-hire service)
  – Article stated that vDOS made $600K in two years, knocking sites offline
• Two weeks after articles were published, Krebs site was attacked with 620 Gigabits/sec of traffic
  – Akamai was providing pro-bono DDoS protection, but they couldn't continue to handle the traffic load
  – Google Project Shield is now protecting his site
• OVH (large international web hosting provider) attacked early October 2016
• Attacked by botnet comprised of more than 145k compromised IP cameras and DVRs
• Attack peaked at 1 Terabit/sec
• OVH was able to withstand it
IoT Devices Involved
DYN Attack
• DYN (large DNS provider) attacked late October 2016
• Attacked by millions of source IP addresses; attack attributed to Mirai IoT malware
• Attack peaked at 1.2 Terabits/sec
• Attack affected Amazon, CNN, NYT, Netflix, PayPal, Twitter, WSJ, etc.
IoT Botnet Malware
• Mirai
  – Used in attack on KrebsOnSecurity
  – Works by scanning the internet for vulnerable devices
  – Looks for systems with factory default usernames and passwords
  – Installs software turning devices into "bots" used to launch DDoS attacks
• Bashlight
  – Similar to "Mirai" – it infects IoT devices via default usernames and passwords
• New Variants
  – Brickerbot – March 2017 – Kills IoT devices
  – Persirai – May 2017
  – IoT Malware continues to evolve
We Should be Worried
• Scale of the attacks – everyone is vulnerable
• The number and growth of IoT devices
• The nature of most IoT devices makes this much harder to fix than laptops/desktops/servers and iOS/Android
It's Going to be a Challenge to Fix
• Technically some of the problems are easy
  – Don't allow default login/passwords
  – No fixed firmware login/passwords
  – Automatic updates on software
• Other problems are much harder
  – How to provide support for low-cost IoT devices?
  – How long will they be supported?
  – What happens when they are not supported?
  – How are attacks detected and contained?
  – How do we fix the currently deployed base of IoT devices?
  – Does the owner/seller of the IoT devices even care?
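The two "easy" fixes above, no fixed firmware credentials and no default login/passwords, as an added Python model; this is not code from the slides or from any vendor. The factory key, serial numbers and the known-default list are constructed for the illustration.

```python
"""Per-unit initial credentials with forced rotation on an IoT device.
Added example, not code from the slides or any vendor: it models "no fixed
firmware login/passwords" (each unit gets its own initial password) and "don't
allow default login/passwords" (it works only to set a new, non-default one)."""
import hashlib
import hmac
import os

# Constructed, illustrative factory-default pairs of the kind Mirai scans for.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}
# Assumption: one factory key in the vendor's provisioning system; the derived
# per-unit password goes on the unit's label and is never stored in firmware.
FACTORY_KEY = b"constructed-factory-key-not-a-real-secret"

def initial_password(serial: str) -> str:
    """Unit-unique initial password: an HMAC-SHA256 tag over the serial number."""
    tag = hmac.new(FACTORY_KEY, serial.encode(), hashlib.sha256).digest()
    return tag[:9].hex()  # 18 hex chars, different for every serial

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

class DeviceAuth:
    """Login handler: the label password is usable once, only to choose a real one."""
    def __init__(self, serial: str):
        self.serial, self.user = serial, "admin"
        self._salt = os.urandom(16)
        self._pw_hash = _hash(initial_password(serial), self._salt)
        self.must_rotate = True  # cleared only once a non-default password is set

    def _check(self, pw: str) -> bool:
        return hmac.compare_digest(_hash(pw, self._salt), self._pw_hash)

    def login(self, user: str, pw: str) -> str:
        """Return 'denied', 'rotate' (valid but must be replaced first) or 'ok'."""
        if user != self.user or not self._check(pw):
            return "denied"
        return "rotate" if self.must_rotate else "ok"

    def set_password(self, old_pw: str, new_pw: str) -> bool:
        """Reject known defaults, the label password and short passwords."""
        if not self._check(old_pw) or len(new_pw) < 12:
            return False
        if (self.user, new_pw) in KNOWN_DEFAULTS or new_pw == initial_password(self.serial):
            return False
        self._salt = os.urandom(16)
        self._pw_hash = _hash(new_pw, self._salt)
        self.must_rotate = False
        return True
```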
Economics are Challenging
• Who is responsible? Is there any liability?
  – User
  – Retail Supplier
  – Manufacturer
  – Component Vendor
• Role of the Internet Service Provider?
• How do you provide long-term support for very low-cost devices?
  – What do you do when support ends?
How Can This be Fixed?
• Can the market fix the problem?
• Is there an alternative to government regulation?
• It is a worldwide problem
• My view is that we need to treat this as a product safety issue
  – Vendors and retail channel need to have some form of liability for security failures
Bob Hinden, "The Internet of Insecure Things", Internet Protocol Journal, March 2017, Volume 20, Number 1, page 12
http://ipj.dreamhosters.com/wp-content/uploads/issues/2017/ipj20-1.pdf
The Internet of Ransomware Things

FOR EXTRA CREDIT
RFC 6921
• Title: Design Considerations for Faster-Than-Light (FTL) Communication
• Date: 1 April 2013
• Abstract: We are approaching the time when we will be able to communicate faster than the speed of light. It is well known that as we approach the speed of light, time slows down. Logically, it is reasonable to assume that as we go faster than the speed of light, time will reverse. The major consequence of this for Internet protocols is that packets will arrive before they are sent. This will have a major impact on the way we design Internet protocols. This paper outlines some of the issues and suggests some directions for additional analysis of these issues.
• https://tools.ietf.org/html/rfc6921

THANK YOU