The “IPv6 Security Summit” is a special two-day convention that will be held Monday, March 14th, and Tuesday, March 15th, 2016, in the context of the Troopers security conference. It will be run in three tracks of both half-day workshops and 90-minute presentations on specific topics. The goal is to foster the discussion of IPv6 security aspects & issues and to provide practical advice for security officers, network planners and practitioners in the IPv6 security field.
A number of international speakers will give talks covering the latest attack techniques & defense strategies, current developments in the standardization space and case studies from various environments.
The agenda will be published soon. As a teaser, here is the list of talks accepted so far:
NATTED - A Field Report
When introducing IPv6 in a network segment today, this is most often done with a dual-stack approach. Continuing to use IPv4 in addition to IPv6 in this segment ensures that communication with other IPv4-only segments is still possible. But this approach has several drawbacks: network administrators won't set up new IPv4 segments, but rather just 'add' IPv6 to the existing segment; security staff have to maintain two firewall rule sets; and the number of routes doubles.
One way around this could be NAT64 / NAT46. Applied on the border of segments, it enables network devices in IPv4-only segments to talk to devices in the IPv6 segments. Sure, this requires additional configuration on the borders, but this effort is much smaller than operating an entire segment in a dual-stack configuration. Using this approach one could simply set up an entirely new network segment as IPv6-only, thus using all the advantages the huge IPv6 space offers. In addition, in the future when IPv4 is switched off, none of the devices in the segment needs adaptation, but only the border device.
To gain practical experience with this approach we assumed our management networks to be IPv6-only (in fact they are dual stack) and configured the required NAT64/46 rules on the border device (Juniper SRX240 HA cluster) to ensure connectivity to the other IPv4-only segments. In the talk we explain this approach in detail, report on our experiences and summarize its pros and cons.
Recent IPv6 Standardization Efforts
During the last few years, a number of IPv6 security efforts have sprung up at the Internet Engineering Task Force (IETF), the organization that standardizes the internet protocols. These efforts have been the result of both new IPv6 security research and increased IPv6 operational practice, and have ranged from informational documents aimed at raising awareness and/or providing advice to the network operations community, to new protocol features or updates aimed at mitigating security vulnerabilities.
This presentation will be an updated version of the (now classic) Troopers' "Recent IPv6 Standardization Efforts", but with an increased focus on the practical impact of such efforts, and with broader coverage in terms of work and IETF working groups.
If you want to know how the recent IETF work will affect the security of your network and/or your operational practices, this presentation is for you.
Developing an Enterprise IPv6 Security Strategy
Usually IPv6 planning projects include at least three main documents: a road map, an address concept & plan and an IPv6 security concept. In this talk I’ll focus on the latter and I will lay out typical steps needed to come up with a set of IPv6 security controls (both on the infrastructure and on the host/endpoint layer) suited to provide adequate IPv6 security in enterprise organizations, in an operationally feasible way.
Security Aspects of IPv6 Multi-Interface and Source/Destination Routing
Recent work in the MIF and routing working groups of the IETF is about supporting simultaneous use of several interfaces as well as discovering the provisioning domain (PvD): default search domain, recursive DNS servers, prefix to be used, … Another recent topic is source/destination routing, where the source address is also used in the forwarding decision. The talk will briefly present those recent work items, then it will focus on their security impacts (denial of service, spoofing, …).
Advanced IPv6 Network Reconnaissance
A lot has happened in the area of "IPv6 Network Reconnaissance" in the last few years. For starters, the myth of "IPv6 scanning attacks being infeasible" has been dismantled, and a number of tools have sprung up in an attempt to leverage both IPv6 address scans and other IPv6 network reconnaissance techniques.
This presentation will cover the latest tools (and features) for IPv6 network reconnaissance and, more importantly, will release a brand-new tool for comprehensive IPv6 network reconnaissance.
A must-see/must-attend for security practitioners in need of finding juicy IPv6 nodes, whether for good... or not.
Basic IPv6 Attacks & Defenses. Hands-On Workshop
RAFAEL SCHAEFER & CHRISTOPHER WERNY
This is a Troopers IPv6 Security Summit classic! It’s an introductory workshop on attacks in IPv6 networks and associated protection strategies/approaches. We will cover all relevant available tools and play with them, including hands-on sessions (mostly with Cisco devices, HP can be included on request, see also below) for the participants. For all attacks covered, mitigation strategies will be discussed, together with an evaluation of their actual security benefit and operational feasibility.
Bring your own device (a laptop with SSH & RDP).
IPv6 in Wireshark Workshop
IPv6 is the new Internet Protocol. Many technologists use Wireshark for network validation and troubleshooting. This session will quickly review IPv6 basics and then dive into configuring Wireshark v2 to assist in viewing IPv6 more effectively.
Wireshark configuration profiles, display filters, and color rules usage and benefits in Wireshark will be discussed and demonstrated to aid the understanding of what you will be seeing.
Everyone is encouraged to bring their own laptop with Wireshark (min version 2.0) loaded as this workshop will be a hands-on/follow Jeff session with an IPv6 enabled "lab" WiFi network. Attendees will be able to capture real-time traffic in order to fully experience the conveyed topics.
Business Partner Connections in the Age of IPv6 – A Discussion of Approaches and Their Properties
Connecting business partners is the subject of fierce debates in many IPv6 planning teams, as existing architectures from the IPv4 world cannot easily be transformed to an IPv6 world for a number of technical reasons and because the overall addressing strategy will change in quite a few organizations. In this talk I will discuss potential approaches, together with an evaluation of their respective advantages/disadvantages, and I will try to provide an outlook on which types of challenges we’ll see in complex setups (and, maybe, how to solve them).
IPv6 First Hop Security Features on HP Devices
In this talk I’ll provide an overview of which IPv6 First Hop Security (FHS) features are currently available on HP Comware based devices, how those are configured and what actually works (or doesn’t). We will have some devices in the room (and this talk will be open-ended) so we can even explore things in a practical way, next to a number of demos being part of the talk anyway.
Automating IPv6 Deployments
Researching IPv6 security challenges is fun. Figuring out how IPv6 works is attractive. Fitting IPv6 idiosyncrasies into your network design is still interesting. Deploying IPv6 on all servers, switches, routers, firewalls and load balancers is absolutely boring (once you figure out what needs to be done) and error-prone, resulting in potentially awesome troubleshooting experiences.
However, we can automate every well-defined repeatable process, and IPv6 deployment is no exception. This presentation will help you get started on your journey to automated IPv6 network deployment.
Advanced IPv6 Attacks Using Chiron. Hands-On Workshop
During the IPv6 Security Summit at Troopers 14, Chiron, an all-in-one IPv6 penetration testing framework, was released publicly for the first time. Since then, the advanced features of Chiron were used to discover some 0-day evasion techniques against high-end commercial and open-source Intrusion Detection / Prevention Systems. Moreover, for Troopers 15 it was enhanced with new features, like advanced MLD support and a fake DHCPv6 server, which can be combined with its other features, like the use of arbitrary Extension Headers and fragmentation, to leverage really advanced attacks. In this workshop, after a quick refresher on the basic capabilities of Chiron, we will focus on the advanced IPv6 functionalities that the framework offers. We will not only show how to reproduce the latest published IPv6 attacks, but also how you can create your own arbitrary IPv6 attacking scenarios for your own security assessments or penetration testing purposes. A lab will be set up in order not only to reproduce the presented techniques, but also to try your skills and – why not – to discover your own 0-day techniques :).
No programming experience or prior knowledge of Chiron is required. Some necessary (but not very basic) IPv6 theory will also be given to better explain the demonstrated IPv6 attacks. Bring your own Linux device with Python installed, or your favourite Operating System with VirtualBox, and you are good to go (source code and virtual images with everything you need will be provided).