【免费】IPv6securitythreats资源-CSDN文库

共2个文件

pdf：2个

IPv6

security

threats

需积分: 0 194 浏览量 2010-09-01 03:36:58 上传评论收藏 2.16MB RAR 举报

资源推荐

资源详情

资源评论

收起资源包目录

IPv6安全威胁.rar （2个子文件）

Typical DoS DDoS threats under IPv6.PDF 1.03MB

IPv6 SECURITY THREATS AND POSSIBLE SOLUTIONS.PDF 2.01MB

World

Automation

Congress

(WAC)

2006,

July

24-26,

Budapest,

Hungary

IPv6

SECURITY

THREATS

AND

POSSIBLE

SOLUTIONS

DRAGO

ZAGAR,

FACULTY

ELECTRICAL

ENGINEERING,

UNIVERSITY

OSIJEK,

CROATIA

drai!o.zagar(&)etfos.hr

KRESIMIR

GRGIC,

FACULTY

ELECTRICAL

ENGINEERING,

UNIVERSITY

OSIJEK,

CROATIA

kresimir.2r2ic(&)etfos.hr

ABSTRACT

comparison

IPv4,

IPv6

provides

many

improvements

considering

simplicity,

routing

speed,

quality

service

and

security.

IPv6

brings

significant

improvements

mechanisms

for

assuring

higher

level

security

and

confidentiality

the

transmitted

information.

Nevertheless,

still

necessary

take

care

network

security.

This

paper

analyzes

how

actual

security

threats

and

different

types

attacks

affect

IPv6

networks.

IPv6

specific

security

issues

and

issues

due

different transition

mechanisms

are

also

analyzed.

Certain

security

tests

have

been

done

and

their

comments

have

been

given.

Finally,

some

possible

solutions

for

number

security

threats

IPv6

networks

have

been

given.

KEYWORDS:

IPv6,

Network

security,

Firewall,

Intrusion

detection

INTRODUCTION

could

expected

that

new

version

the

Internet

protocol,

IPv6,

will

replace

old

IPv4

during

the

few

years.

IPv6

brings

many

new

features,

possibilities

and

improvements,

especially

considering

simplicity,

routing

speed,

quality

service

and

security

[1].

Although

IPv6

security

mechanisms

are

much

improved

comparing

IPv4,

their

evasion

and

misuse

unfortunately

still

possible.

Considering

security

issues,

especially

problematic

the

transition

period

coexistence

both

IPv4

and

IPv6.

because

transition

mechanisms

provide

new,

previously

unknown,

possibilities

intrusion

and

misuse

computer

systems.

Security

threats

due

transition

mechanisms

should

seriously

taken

into

consideration,

because

expected

that

IPv4

IPv6

transition

will

not

quick

(it

could

last

for

years).

Presence

the

IPv6

protocol

brings

new

demands

for

typical

network

protecting

mechanisms

such

firewalls

and

intrusion

detection

systems

that

need

upgraded

support

IPv6

correctly.

Some

security

threats

against

IPv4

networks

might

also

affect

IPv6

network.

Fortunately,

IPv6

resistant

some

threats

than

IPv4.

But,

there

are

some

new

threats

specific

IPv6.

IPv6

security

issues

can

observed

from

different

standpoints:

issues

due

the

IPv6

protocol

and

its

deployment

and

issues

due

transition

mechanisms.

SECURITY

THREATS

SIMILAR

IPv4

AND

IPv6

NETWORKS

Some

types

attacks

have

not

fundamentally

changed

appearance

the

IPv6

protocol.

typical

example

sniffing

attack.

The

sniffing

attack

refers

attack

that

involves

capturing

data

being

transmitted

through

the

network.

The

sniffing

attack

can

easily

compromise

confidential

data

they

are

transmitted

plaintext

protocol.

Sniffing

attacks

can

avoided

proper

use

security

architecture,

which

used

IPv4

option

and

IPv6

obligation.

Authorized licensed use limited to: Wuhan University. Downloaded on March 15,2010 at 09:46:31 EDT from IEEE Xplore. Restrictions apply.

Most

common

attacks

today

are

application

layer

attacks.

this

group

attacks

belong

buffer

overflow

attacks,

web

application

attacks

(e.g.

CGI

attacks),

different

types

viruses

and

worms.

These

types

attacks

are

actually

performed

the

application

layer

the

ISO/OSI

network

model

(layer

7).

Since

IPv4

and

IPv6

are

protocols

the

network

layer,

transition

IPv6

does

not

have

influence

these

types

attacks.

flooding

attack

very

frequent

type

attack

current

networks.

The

flooding

attack

means

flooding

network

device

(e.g.

router)

host

with

large

amounts

network

traffic,

much

larger

than

able

process.

can

local

distributed

DoS

(Denial

Service)

attack

and

can

cause

unavailability

network

resources.

Arrival

IPv6

did

not

change

basic

principles

flooding

attack.

New

types

extension

headers

IPv6,

new

types

ICMPv6

messages

and

dependence

multicast

addresses

IPv6

(e.g.

all

routers

must

have

site-specific

multicast

addresses)

may

provide

new

ways

misuse

flooding

attacks.

IPv6

SPECIFIC

SECURITY

ISSUES

IPv6

protocol

brings

many

differences

and

new

features

comparison

IPv4.

Some

changes

protocol

specifications

may

potentially

result

security

problems.

3.1

Reconnaissance

attacks

intruder

uses

reconnaissance

attacks

gather

essential

data

about

the

victim

network

that

are

used

later

further

attacks.

intruder

can

use

active

methods,

such

scanning,

passive

data

mining.

result

reconnaissance

attack

intruder

gets

information

about

hosts

and

network

devices

and

their

interconnections

the

targeted

network.

gather

these

information

intruder

uses

ping

probes

order

determine

which

addresses

are

use.

After

that

port

scan

the

accessible

system

performed.

There

are

software

tools

(such

Nmap)

that

can

perform

all

these

actions

together.

The

port

scan

procedure

identical

for

both

IPv4

and

IPv6,

but

there

major

difference

identification

valid

address.

Reconnaissance

techniques

are

the

same

for

IPv4

and

IPv6,

but

the

subnet

size

the

IPv6

network

much

larger

than

the

IPv4

network

(the

default

size

bits).

perform

scan

the

whole

subnet

necessary

make

264

probes

that

makes

impossible.

Unfortunately,

some

types

multicast

addresses

used

IPv6

networks

can

help

intruder

identify

and

attack

some

resources

the

targeted

network.

RFC

2375

[2]

defines

node,

link

and

site-specific

use

multicast

addresses

(e.g.

all

routers

have

site-specific

address

FF05::2).

Also,

crucial

ensure

that

these

internal-use

addresses

are

unreachable

from

the

outside.

can

performed

filtering

network's

border

routers.

3.2

Misuse

routing

headers

According

[1],

all

IPv6

nodes

have

capable

processing

routing

headers.

This

behavior

produces

some

security

problems,

because

routing

headers

can

used

avoid

access

controls

based

destination

addresses.

possible

that

intruder

sends

packet

publicly

accessible

address

with

routing

header

containing

"forbidden"

address

(address

the

victim

network).

Then

the

publicly

accessible

host

will

forward

the

packet

destination

address

stated

the

routing

header

("forbidden"

address)

even

though

that

destination

address

filtered.

spoofing

packet

source

addresses

intruder

can

initiate

denial-of-service

attack

using

any

publicly

accessible

host

for

redirecting

attack

packets.

3.3

Fragmentation

attacks

IPv6

protocol

specification

[1]

does

not

allow

packet

fragmentation

intermediary

devices.

Fragmentation

possible

only

the

source

node

meaning

that

usage

the

path

MTU

discovery

method

(based

ICMP

messages)

obligation.

The

minimum

recommended

MTU

size

for

IPv6

1280

octets.

recommended

security

practice

drop

all

fragments

with

less

than

1280

octets

unless

the

packet

the

last

the

flow.

Using

fragmentation

intruder

can

achieve

that

port

numbers

are

not

found

the

first

fragment

and

that

way

bypass

security

Authorized licensed use limited to: Wuhan University. Downloaded on March 15,2010 at 09:46:31 EDT from IEEE Xplore. Restrictions apply.

monitoring

devices

(which

not

reassemble

fragments) expecting

find

transport

layer

protocol

data

the

first

fragment.

sending

large

number

small

fragments

attacker

can

cause

overload

reconstruction

buffers

the

target

system

potentially

implying

system

crash

type

Denial

Service

attack).

This

can

avoided

limiting

the

total

number

fragments

and

their

arrival

rate.

3.4

Misuse

ICMPv6

and

multicast

Some

important

mechanisms

IPv6

networks,

such

neighbor

discovery

and

path

maximum-transmission-unit

discovery,

are

dependent

some

types

ICMPv6

messages

[3].

Therefore

must

permit

some

ICMPv6

messages

order

have

the

IPv6

network

operate

properly

(e.g.

"packet

too

big"

message

required

for

the

path

MTU-discovery

procedure,

"parameter

problem"

message

necessary

there

unrecognized

option

the

packet

header).

ICMPv6

specification

also

allows

error

notification

response

sent

multicast

addresses

(if

packet

was

targeted

multicast

address).

That

fact

can

misused

attacker.

sending

suitable

packet

multicast

address

attacker

can

cause

multiple

responses

targeted

the

victim

(the

spoofed

source

the

multicast

packet).

SECURITY

ISSUES

DUE

TRANSITION

MECHANISMS

Transition

from

the

IPv4

the

IPv6

protocol

will

not

rapid

and

for

certain

period

time

both

protocols

will

coexist.

There

are

several

transition

mechanisms,

such

tunneling

and

dual-stack

configurations

(supporting

both

IPv4

and

IPv6)

[4].

very

important

for

network

designers

and

administrators

understand

security

implications

the

transition

mechanisms

order

apply

proper

security

mechanisms,

such

firewalls

and

intrusion

detection

systems.

dual-stack

configuration

hosts

applications

can

targeted

both

IPv4

and

IPv6

attacks.

Accordingly,

firewalls

and

intrusion

detection

systems

such

hosts

must

support

both

IPv4

and

IPv6

and

must

have

proper

filtering/detection

rules

for

both

protocols.

Tunneling

mechanisms

may

also

bring

new

danger

and

misuse

possibilities.

Tunneling

can

facilitate

intruder

avoid

ingress

filtering

checks.

Special

attention

must

paid

automatic

tunneling

mechanisms.

Two

methods

automatic

tunneling

are

specified.

The

first

method

called

"6to4"

and

connotes

encapsulation

the

IPv6

packet

directly

into

IPv4

packet.

The

"Teredo"

tunneling

mechanism

connotes

encapsulation

the

IPv6

packet

into

IPv4

UDP

packet.

these

tunneling

methods

are

use,

all

receiving

nodes

must

allow

decapsulation

packets

that

can

sourced

from

anywhere.

This

can

serious

security

problem.

The

6to4

mechanism

uses

automatic

IPv6-over-IPv4

tunneling

for

interconnecting

IPv6

networks.

The

6to4

architecture

includes

6to4

routers

and

6to4

relay

routers.

The

6to4

router

accepts

and

decapsulates

IPv4

packets

from

other

6to4

router,

and

the

6to4

relay

router

accepts

packets

from

native

IPv6

nodes.

Addresses

within

the

IPv4

and

IPv6

headers

may

spoofed,

meaning

this

mechanism

can

used

for

Denial

Service

(DoS)

attacks.

misusing

6to4

transition

mechanism

DoS

attack

can

targeted

the

IPv6

node,

the

IPv4

node

other

6to4

node

[5].

IPv6

FIREWALLS

Firewalls

represent

one

the

most

important

network

security

mechanisms.

They

act

network

traffic

filters

filtering

all

traffic

that

enters

leaves

the

local

network.

Firewalls

are

usually

positioned

between

LAN

and

the

Internet

(or

other

insecure

network),

but

also

possible

place

firewalls

LAN

segments,

even

every

single

host

the

local

network.

Every

packet

being

analyzed

and

results

are

compared

with

predefined

set

rules.

According

predefined

rules,

the

packet

can

accepted,

discarded

sent

additional

check.

For

IPv4

networks

there

are

many

software

firewalls

(both

freeware

and

commercial)

for

different

platforms.

They

usually

have

user-friendly

graphical

interfaces

which

enable

user

Authorized licensed use limited to: Wuhan University. Downloaded on March 15,2010 at 09:46:31 EDT from IEEE Xplore. Restrictions apply.

评论收藏

内容反馈

abc123com

粉丝: 4
资源: 19

IPv6 security threats

Networkers2009：BRKSEC-2003 - IPV6 Security: Threats and Mitigation

Ten Control System security threats

Blackjacking Security Threats to BlackBerry Devices PDAs& Cell Phones in the Enterprise

Security threats to automotive CAN networks—Practical examples a

[6]Security threats to automotive CAN networks.pdf

Improving Web Application Security: Threats and Countermeasures

wireless security: models threats and solutions

Security Threats in the Data Plane of Software-Defined Networks

信息安全_数据安全_Evolution_of_Security_Threats_to.pdf

Wireless Internet Security: Architecture and Protocols

「数据安全」Evolution_of_Security_Threats_to_Telecommunications_Inf

Pattern and Security Requirements(Springer,2015)

Security for Web Developers Using JavaScript, HTML, and CSS 无水印pdf

Core Software Security: Security at the Source

Personal.Cybersecurity.epub

Information Security Practices_Emerging Threats and Perspectives-Springer(2017)

The.Security.Consultants.Handbook.

Blockchain_and_dlt_security_risks_threats_and_vulnerabilitie

python大作业 含爬虫、数据可视化、地图、报告、及源码（整和为一个文件）（2014-2020全国各地区原油加工量）.rar

仿真电路以及操作方法

【纯干货啊】华为IPD流程管理(完整版).pptx

可编程语言标准IEC61131-3中文版.pdf

OFDM完整仿真过程与教程.zip

信号与系统——保研复习资料.pdf

Landsat_WRS2.zip

最全的Visio形状/图形库

AxureRP9项目原型50套、案例20个、元件库1套.zip

北理工+成电+东南——通信/信号保研面试真题.pdf

数字信号处理——保研复习资料.pdf

最新资源

python大作业含爬虫、数据可视化、地图、报告、及源码（整和为一个文件）（2014-2020全国各地区原油加工量）.rar