Subscribe to the TAG Weekly Update (Be in the know!)
Cyber Frontiers is all about Exploring Cyber security, Big Data, and the Technologies Shaping the Future Through an Academic Perspective! Christian Johnson, a student at the University of Maryland will bring fresh and relevant topics to the show based on the current work he does.
Please leave a REVIEW (iPhone or iPad) – https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewContentsUserReviews?id=857124890&type=Podcast&ls=1&mt=1
Support the Average Guy Tech Scholarship Fund: https://www.patreon.com/theaverageguy
You can contact us via email at email@example.com
Full show notes and video at http://theAverageGuy.tv/cf030
IPV6 Adoption in 2016
What is IPV6
New internet protocol
Ability to many more devices due to 128 vs 32 bit of ipv4
End to end connectivity
No private address collisions
Simpler header, less extraneous data
Less information to be processed by router
Fewer information in header
New Extension Headers The IPv6 specification currently defines 6 Extension Headers:
Routing Header – Similar to the source routing options in IPv4. Used to mandate a specific routing.
Authentication Header (AH) – A security header which provides authentication and integrity.
Encapsulating Security Payload (ESP) Header – A security header which provides authentication and encryption.
Fragmentation Header – The Fragmentation Header is similar to the fragmentation options in IPv4.
Destination Options Header – This header contains a set of options to be processed only by the final destination node. Mobile IPv6 is an example of a Destination Options Header.
Hop-by-Hop Options Header – A set of options needed by routers to perform certain management or debugging functions
No drawbacks in security
The firewall provides security not NAT itself
Not backwards compatible
IPSEC – built in
Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity, and data authentication at the network layer (i.e. Layer 3 of the Open Systems Interconnection 7-layer networking model).
Encryption – symmetric
Encryption that can be deployed in standalone environments between clients, routers, and firewalls
With IPsec, data can be sent across a public network without observation, modification, or spoofing. IPsec functionality is similar in both IPv6 and IPv4; however, site-to-site tunnel mode only is supported in IPv6.
In IPv6, IPsec is implemented using the AH authentication header and the ESP extension header. The authentication header provides integrity and authentication of the source. It also provides optional protection against replayed packets. The authentication header protects the integrity of most of the IP header fields and authenticates the source through a signature-based algorithm. The ESP header provides confidentiality, authentication of the source, connectionless integrity of the inner packet, antireplay, and limited traffic flow confidentiality.
Offers end to end encryption
SEND Protocol – secure neighbor discovery
Cryptographic confirmation of host at connection time
The design of IPv6 intended to re-emphasize the end-to-end principle of network design that was originally conceived during the establishment of the early Internet. In this approach each device on the network has a unique address globally reachable directly from any other location on the Internet.
Deployment and configuration is an issue
Proper deployment and configuration is a serious issue. Trying to deploy IPv6 the same way IPv4 was done guarantees problems. IT administrators must learn a whole new approach to networking, from simple network troubleshooting to configuring firewalls and monitoring security logs. There are many opportunities for confusion and mistakes.
Lack of support
The No.1 risk today is the lack of IPv6 security knowledge. Enterprises must invest time and money in IPv6 security training upfront, before deploying. That or risk compromise and spending more time and more money on security later to plug the holes. Network security is more effective as part of the planning stage rather than after deployment. This is not an area to skimp on. According to Scott Hogg, IPv6 Security author and CTO of GTRI, “All security practitioners should learn about IPv6 now because all organizations have IPv6-capable and enabled operating systems in their environments. Failure to secure the IPv6 systems is like allowing a huge back-door to exist.”
Security device bypass via unfiltered IPv6 and tunneled traffic. Only a lack of knowledge is considered a bigger risk than the security products themselves. Conceptually it’s simple, security products need to do two things – recognize suspicious IPv6 packets and apply controls when they do. However in practice this is hardly possible in v4 let alone an environment that may have rogue or unknown tunnel traffic.
Reputation based protection – Many security software vendors use the reputation of IP addresses to filter out malicious websites that are known sources of malware. While reputation systems for IPv4 addresses already exist, it’s a bit of a chicken-and-egg situation when it comes to IPv6. No one has established an IPv6 reputation database, so no one is using reputation-based security with IPv6 addresses — and therefore no one is building a reputation database. It’s something the security industry will surely eventually adopt, but for now it’s a missing piece in the security puzzle.
Jim’s Twitter: http://twitter.com/#!/jcollison
Contact Christian: firstname.lastname@example.org
Contact the show at email@example.com
Find this and other great Podcasts from the Average Guy Network at http://theaverageguy.tv