Module 16 - Network Security TCP-IP

The document provides an overview of TCP/IP, detailing its role as the standard for internetworking and the suite of protocols it encompasses. It explains key concepts such as data encapsulation, transmission methods, MAC addresses, and the functions of IP and TCP, including the three-way handshake process. Additionally, it lists various protocols and port numbers used in networking, emphasizing the importance of these elements in ensuring effective communication across networks.

Domain #1

Network Security
TCP/IP
Copyright SecureNinja.com 2000-2011 All rights Reserved

TCP/IP Overview
The de facto standard for internetworking
Also called Internet Protocol (IP)
The Internet was ARPANET, designed by DARPA
Initially mostly friendly groups connected together
Universities, government, researchers, etc.
Now millions of computers worldwide
TCP/IP is a SUITE of protocols
Architecture independent
Stable and robust (to a point, of course)

What about models
OSI model layers on the left, the TCP/IP model layer (RFC 1122 names, shown in bold on the slide) they map to on the right:
Application, Presentation, Session -> Application
Transport -> Transport / Host to Host
Network -> Internet
Data Link, Physical -> Link Layer / Network Access

Routing Datagrams
(Diagram: Host A1 on Network A sends to Host C1 on Network C through Gateway G1 and Gateway G2. Both hosts run the full stack: Application, Transport, Internet and Link Layer. Each gateway runs only the Internet and Link Layer, with one Link Layer per attached network: Networks A and B on G1, Networks B and C on G2.)

Data Encapsulation
(Diagram: on send, the Application Layer data receives a Transport Layer header, then an Internet Layer header, then a Link Layer header, so the frame on the wire carries three headers in front of the data. On receive, each layer strips its own header in the reverse order.)

Data Structures (1 of 2)
Layer               TCP        UDP
Application Layer   stream     message
Transport Layer     segment    packet
Internet Layer      datagram   datagram
Link Layer          frame      frame

Data Structures (2 of 2)

Transmission Methods
Unicast
From one station to another station
Broadcast
From one station to all the stations on the same LAN
Multicast
From one station to multiple selected locations
Information sent only once over the networks
Routers must be configured appropriately

What's in a MAC address
Built at the factory directly on the card
A Media Access Control (MAC) address has 48 bits
The first 24 bits are the OUI
The OUI specifies the vendor name
The OUI also specifies the mode:
Unicast
Multicast
MAC addresses are globally unique
Could be spoofed or faked
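As an added example (not from the original slides), the following Python pulls out of a MAC address the three things the slide lists: the OUI, the unicast/multicast bit, and whether the address is the globally unique factory kind or a locally administered one, which is the usual footprint of a spoofed or virtual address. The sample addresses are constructed for the example.

```python
import re

# Constructed sample addresses (not from the original slides): a factory
# unicast address, an IPv4 multicast group address, and a locally
# administered (software-assigned) address.
SAMPLE_MACS = ["00:1A:2B:3C:4D:5E", "01:00:5E:00:00:FB", "02:1A:2B:3C:4D:5E"]


def parse_mac(text):
    """Return the six octets of a 48-bit MAC address, or raise ValueError."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return [int(p, 16) for p in parts]


def describe_mac(text):
    """Classify a MAC address the way the slide does: OUI, unicast/multicast,
    and whether it is globally unique (burned in at the factory)."""
    octets = parse_mac(text)
    first = octets[0]
    # The OUI is the first 24 bits (three octets), assigned by the IEEE to the vendor.
    oui = "%02X-%02X-%02X" % tuple(octets[:3])
    # Bit 0 of the first octet is the I/G bit: 0 = unicast, 1 = multicast (group).
    multicast = bool(first & 0x01)
    # Bit 1 of the first octet is the U/L bit: 0 = globally unique (factory),
    # 1 = locally administered, i.e. set by software rather than burned in.
    local = bool(first & 0x02)
    broadcast = all(o == 0xFF for o in octets)
    return {
        "oui": oui,
        "mode": "broadcast" if broadcast else ("multicast" if multicast else "unicast"),
        "globally_unique": not local,
    }


def flag_non_factory_unicast(macs):
    """Return the addresses that are not factory-assigned unicast addresses,
    the ones worth a second look in an inventory or a capture."""
    flagged = []
    for mac in macs:
        info = describe_mac(mac)
        if info["mode"] != "unicast" or not info["globally_unique"]:
            flagged.append(mac)
    return flagged


if __name__ == "__main__":
    for mac in SAMPLE_MACS:
        print(mac, describe_mac(mac))
```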


Ethernet Overview

Address Resolution Protocol (ARP)
Maps IP addresses to their corresponding MAC addresses
Commonly called ARP
Stations on an Ethernet network communicate using MAC addresses
You know the IP address but not the MAC address
You must query using ARP to find the destination MAC
A broadcast is used for that purpose
The intended recipient replies with its MAC address
The MAC address is kept in the ARP cache for a short period of time
As mentioned, MAC addresses should be unique

Gratuitous ARP
Requests that are NOT normally needed
Could be a gratuitous ARP request or a gratuitous ARP reply
Gratuitous ARP request:
Has both the source and destination IP set to the IP address of the machine that issued the packet.
Gratuitous ARP reply: a reply to which no request has been made
They have many legitimate uses (see notes)
However, gratuitous ARP can be used for offensive purposes
We will see later on in the lesson all the details of ARP poisoning
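An added example, not part of the original slides: a small detector run over a constructed ARP capture that flags the two gratuitous forms defined above (a request whose source IP equals its target IP, and a reply with no outstanding request), plus any change in an IP-to-MAC binding, which is the thing a defender watches for ahead of the ARP poisoning discussion later in the lesson. The MAC and IP values are made up for the example.

```python
from collections import namedtuple

ArpEvent = namedtuple("ArpEvent", "t op sender_mac sender_ip target_mac target_ip")

# Constructed sample capture (not from the original slides): a normal
# request/reply pair for the gateway 10.10.5.1, a gratuitous request from
# 10.10.5.7, then an unsolicited reply that rebinds 10.10.5.1 to another MAC.
SAMPLE = [
    ArpEvent(1, "request", "aa:aa:aa:00:00:01", "10.10.5.2", "00:00:00:00:00:00", "10.10.5.1"),
    ArpEvent(2, "reply",   "bb:bb:bb:00:00:01", "10.10.5.1", "aa:aa:aa:00:00:01", "10.10.5.2"),
    ArpEvent(3, "request", "cc:cc:cc:00:00:01", "10.10.5.7", "00:00:00:00:00:00", "10.10.5.7"),
    ArpEvent(4, "reply",   "dd:dd:dd:00:00:01", "10.10.5.1", "aa:aa:aa:00:00:01", "10.10.5.2"),
]


def analyse_arp(events):
    """Walk ARP events in time order; return (alerts, learned ip->mac table).

    Alerts are (time, message) tuples for: gratuitous requests/replies
    (sender IP == target IP), replies with no matching outstanding request,
    and any IP whose MAC differs from what was learned earlier."""
    alerts = []
    outstanding = set()   # (ip being asked about, ip of the asker) awaiting a reply
    table = {}            # ip -> mac, as a host's ARP cache would learn it
    for e in events:
        gratuitous = e.sender_ip == e.target_ip
        if gratuitous:
            alerts.append((e.t, "gratuitous %s for %s from %s"
                           % (e.op, e.sender_ip, e.sender_mac)))
        if e.op == "request":
            outstanding.add((e.target_ip, e.sender_ip))
        elif e.op == "reply":
            key = (e.sender_ip, e.target_ip)
            if key in outstanding:
                outstanding.discard(key)
            elif not gratuitous:
                alerts.append((e.t, "unsolicited reply %s is-at %s sent to %s"
                               % (e.sender_ip, e.sender_mac, e.target_ip)))
        # Every ARP packet carries a sender binding; a change for a known IP
        # is either a legitimate NIC swap or the signature of poisoning.
        prev = table.get(e.sender_ip)
        if prev is not None and prev != e.sender_mac:
            alerts.append((e.t, "mapping change for %s: %s -> %s"
                           % (e.sender_ip, prev, e.sender_mac)))
        table[e.sender_ip] = e.sender_mac
    return alerts, table


if __name__ == "__main__":
    for t, msg in analyse_arp(SAMPLE)[0]:
        print(t, msg)
```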

What are ports (UDP & TCP)
Same as doors within a building
Ease communication between entities
A 16-bit field within the TCP and UDP packets
Assigned by IANA (Internet Assigned Numbers Authority)
Well-known ports are from 0 to 1023 (0 is not used on IPv4)
Registered ports are from 1024 to 49151
Dynamic and/or private ports are from 49152 to 65535
Ephemeral ports (short-lived connections)
Some OSes dare to be different, see the notes
Windows Server 2003 uses 1025 to 5000
http://www.iana.org

What are protocols
Protocols online are very much the same as real-life ones
Take a phone call for example
The SMTP protocol is a great example
Hello
The HTTP protocol is the most commonly used protocol
Some common ones are:
TCP, UDP, SNMP, Telnet, RIP
IP, HTTP, FTP, SSL, OSPF
ICMP, SMTP, TFTP, TLS, Ethernet
POP3, SFTP, Chargen, Echo, Finger

Port Numbers (Partial List)
80 HTTP
443 HTTPS
20/21 FTP
23 Telnet
25 SMTP
88 Kerberos
53 DNS
22 SSH
69 TFTP
110 POP3
119 NNTP
123 NTP
143 IMAP
161 SNMP Monitoring
162 SNMP Trap/Alert
389 LDAP
636 LDAP SSL
520 RIP
500 IKE
1701 L2TP
1723 PPTP
1812 RADIUS AUTH
1813 RADIUS ACCNT
2049 NFS
4000 ICQ
5000 Yahoo Messenger


Protocol Numbers
# /etc/protocols
# Internet (IP) protocols
#
ip       0   IP       # internet protocol
icmp     1   ICMP     # internet control message protocol
ggp      3   GGP      # gateway-gateway protocol
tcp      6   TCP      # transmission control protocol
egp      8   EGP      # exterior gateway protocol
pup      12  PUP      # PARC universal packet protocol
udp      17  UDP      # user datagram protocol
hmp      20  HMP      # host monitoring protocol
xns-idp  22  XNS-IDP  # Xerox NS IDP
rdp      27  RDP      # "reliable datagram" protocol


Port Number and Protocol

IP (Internet Protocol)
IP provides the basic packet delivery service on which TCP/IP networks are built. All TCP/IP data flows through IP, incoming and outgoing, regardless of its final destination.
The Internet Protocol functions include:
Defines the datagram, which is the basic unit of transmission on the Internet
Defines the Internet addressing scheme
Moves data between the Network Access Layer and the Transport Layer
Routes datagrams to remote hosts
Performs fragmentation and reassembly of datagrams

IP Datagram
The datagram is the packet format defined by IP
A packet is a block of data
The packet carries the information necessary to deliver it
Similar to a postal letter, which has an address on it
The first five or six 32-bit words of the datagram (five by default) are control information called the header.
The header contains all the information necessary to deliver the packet.
No error detection or recovery


IP Datagram Format

Services provided by TCP
Connection-oriented data management
Reliable data transfer
Stream-oriented data transfer
Push functions
Resequencing
Flow control (sliding windows)
Multiplexing
Full-duplex transmission
Precedence and security
Graceful close


TCP Three Way Handshake
TCP uses a three-way handshake and dynamically allocates the source port.
Host A (source) 132.87.19.6, source port 3044; Host B (destination) 195.173.24.10, port 23 (Telnet)
1. A -> B, ports 3044 -> 23: SYN
2. B -> A, ports 23 -> 3044: SYN, ACK
3. A -> B, ports 3044 -> 23: ACK, data
Data transfer has begun
IP address + Port number = socket

TCP Segment Format
Bits 0 to 31, one 32-bit header word per row:
Word 1: Source Port (16) | Destination Port (16)
Word 2: Sequence Number (32)
Word 3: Acknowledgment Number (32)
Word 4: Offset (4) | Reserved (6) | Flags (6) | Window (16)
Word 5: Checksum (16) | Urgent Pointer (16)
Word 6: Options | Padding
data begins here ...
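Added example, not from the original slides: Python that packs and parses the header words laid out above and then checks that three segments form the SYN, SYN/ACK, ACK exchange from the handshake slide (Host A port 3044 to Telnet port 23). The initial sequence numbers are constructed; the checksum is left at zero because it needs the IP pseudo-header.

```python
import struct

# Flag bits live in the low 6 bits of the Offset/Reserved/Flags word.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Pack a minimal 20-byte TCP header: data offset 5 words, no options,
    checksum left as 0 (it needs the IP pseudo-header to compute)."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    offset_flags = (5 << 12) | flag_bits   # top 4 bits: header length in 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed header words shown on the slide; raise ValueError on a
    truncated header or an offset that points past the bytes we have."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sp, dp, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    offset_words = off_flags >> 12
    if offset_words < 5 or offset_words * 4 > len(raw):
        raise ValueError("bad data offset %d" % offset_words)
    flags = sorted(n for n, bit in TCP_FLAGS.items() if off_flags & bit)
    return {"src_port": sp, "dst_port": dp, "seq": seq, "ack": ack, "flags": flags,
            "window": win, "checksum": csum, "urgent": urg,
            "options": raw[20:offset_words * 4], "payload": raw[offset_words * 4:]}


def check_handshake(seg1, seg2, seg3):
    """Return (ok, reason): do three raw segments form a valid SYN, SYN/ACK,
    ACK exchange with consistent ports and sequence numbers?"""
    a, b, c = (parse_tcp_header(s) for s in (seg1, seg2, seg3))

    def nxt(n):
        return (n + 1) & 0xFFFFFFFF          # sequence space wraps at 2**32

    if a["flags"] != ["SYN"]:
        return False, "first segment is not a pure SYN"
    if b["flags"] != ["ACK", "SYN"] or (b["src_port"], b["dst_port"]) != (a["dst_port"], a["src_port"]):
        return False, "second segment is not a SYN/ACK from the server socket"
    if b["ack"] != nxt(a["seq"]):
        return False, "SYN/ACK does not acknowledge the client ISN + 1"
    if "ACK" not in c["flags"] or "SYN" in c["flags"]:
        return False, "third segment is not an ACK"
    if c["ack"] != nxt(b["seq"]) or c["seq"] != nxt(a["seq"]):
        return False, "final ACK does not carry the expected sequence/acknowledgment numbers"
    return True, "established"


# Constructed handshake for the slide's Telnet session: Host A port 3044 -> Host B port 23.
# The initial sequence numbers 1000 and 5000 are made up for the example.
SYN = build_tcp_header(3044, 23, seq=1000, ack=0, flags=["SYN"])
SYN_ACK = build_tcp_header(23, 3044, seq=5000, ack=1001, flags=["SYN", "ACK"])
ACK = build_tcp_header(3044, 23, seq=1001, ack=5001, flags=["ACK"]) + b"hello"

if __name__ == "__main__":
    print(check_handshake(SYN, SYN_ACK, ACK))
```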

UDP Protocol
User Datagram Protocol
A connectionless protocol
Uses best effort
A lot less overhead than TCP
Has no reliability and no acknowledgement
Good for applications where some packets can be lost
Streaming media and Voice over IP are examples
DNS makes use of UDP
Often used by attackers as well, e.g. port 53 UDP

UDP Message Format
Bits 0 to 31, one 32-bit header word per row:
Word 1: Source Port (16) | Destination Port (16)
Word 2: Length (16) | Checksum (16)
data begins here ...

TCP/IP Addressing Packets
IP addresses and subnetwork masks use dotted decimal notation
Each address has four integers separated by periods
Each integer represents 8 bits of the 32-bit address
Values are from 0 (network) to 255 (broadcast)
0 and 255 are reserved and cannot be used
An IP address could be 10.10.5.2 for example
One portion is the network, the other is the host
Subnetwork masks use dotted decimal notation as well
An example for a Class C address is 255.255.255.0

IP Addressing
140.179.220.200
Written in binary form:
140      .179     .220     .200
10001100 10110011 11011100 11001000
We see the address in the decimal form
Your computer sees it in the binary form
Let's decode the first octet (140) on the next slide

Binary Octet Decoded
An octet is made up of eight 1s and/or 0s:
Bit Pos:  1    2    3    4    5    6    7    8
Power:    2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
Value:    128  64   32   16   8    4    2    1
The value of 140 looks like this:
Bits:     1    0    0    0    1    1    0    0
Value:    128  64   32   16   8    4    2    1
Selected: 128  0    0    0    8    4    0    0
128 + 8 + 4 = 140

Classes of IP addresses
As mentioned previously, all IP addresses are 32 bits
They are expressed in dot notation (4 octets of 8 bits)
All IPs have a Network ID and a Host ID
They may have a Subnetwork ID if subnetting is being used
Belong to one of five classes: A, B, C, D, E
Each address has a corresponding subnetwork mask
Most of the time referred to as the subnet mask
We will look at each of the main classes next



Classes of IP addresses


Class A IP addresses
Has an 8-bit network ID whose first bit is 0
24-bit host ID, up to 22 bits may be used for the subnetwork ID
Class supports network numbers 1 to 126

Class B IP addresses
Has a 16-bit network ID whose first bits are 1-0
16-bit host ID, up to 14 bits may be used for the subnetwork ID
Class supports network numbers from 128.1 to 191.254

Class C IP addresses
Has a 24-bit network ID whose first bits are 1-1-0
8-bit host ID, up to 6 bits may be used for the subnetwork ID
Class supports network numbers from 192.1 to 223.254

Summary of classes
The number of addresses usable for addressing specific hosts in each network is always 2^N - 2 (N being the number of host bits)
Classful versus Classless Inter-Domain Routing (CIDR)

A few more things
Classful IP addressing
Classless IP addressing (has 3 categories)
Subnetting
VLSM (Variable Length Subnet Mask)
No longer dependent on 8-, 16- or 24-bit network numbers
The prefix length or netmask is used for routing
CIDR (Classless Inter-Domain Routing)
Used with supernetting
Supernetting allows route aggregation
CIDR introduces prefix notation, or CIDR notation (e.g. /24 for a class C)
Reduces the size of routing tables




What is subnetting
It is making use of the host portion of the address
You borrow bits from the host portion
Allows you to add more networks within your own range
2^n - 2 >= number of subnets required (n = number of bits borrowed)
A subnet is a single LAN segment
Each LAN has a unique subnet number
For the purpose of the exam you must know what it is
You do not need to know all of the details


Subnetwork Mask
Subnet masks are 32-bit structures
They are also expressed in dotted decimal notation
They tell which bits are the Network ID and Subnetwork ID
A bit marked as a 1 means it is part of the network or subnet
A bit marked as a 0 means it is part of the host ID

NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH
11111111.11111111.11111111.11100000

Subnetting Scenario
So we have 1 Class C network (206.15.143.0)
We have 254 host addresses available (1 to 254)
But what if we need 5 different networks
Each network has no more than 30 hosts
Do we apply for 4 more Class C licenses, one for each network?
Your ISP might no longer love you and may tell you to get smart!
You would be wasting 224 addresses on each network; a total of 1120 addresses would be wasted! Not good
Are you out of luck? Subnetting is coming to the rescue

Our needs
We know we need at least 5 subnets
We are on a class C network with 8 bits for the hosts
We need to borrow some bits from the host portion
So 2^3 - 2 will give us 6 subnets; 3 bits would be sufficient (8 - 2 = 6)
The -2 is to deduct the reserved network and broadcast addresses
We also know we need at least 30 hosts per network
So with 5 bits left (2^5 - 2) it will give us 30 hosts per subnet (network).
This will work, because we can steal the first 3 bits from the host portion of the current address to give to the subnetwork portion and still have 5 bits (8 - 3) remaining for the host portion
Let's take a look at how this is done on the next slide

Borrowing bits
Let's review what portion is what:
We have a Class C address:
NNNNNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH

With a subnet mask of:
11111111.11111111.11111111.00000000

We steal/borrow 3 bits from the host portion (the first three bits of the last octet, shown in green on the slide):
NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH

The new netmask
NNNNNNNN.NNNNNNNN.NNNNNNNN.NNNHHHHH

This will change our subnet mask to the following:
11111111.11111111.11111111.11100000

Above is how the computer will see our new subnet mask, but we
need to express it in decimal form as well:
255.255.255.224 (128+64+32=224)

Subnet addresses
Remember our values:
128  64  32  16  8  4  2  1   Equals
Now our 3-bit configurations (H = host bit):
0 0 1 H H H H H   32
0 1 0 H H H H H   64
0 1 1 H H H H H   96
1 0 0 H H H H H   128
1 0 1 H H H H H   160
1 1 0 H H H H H   192
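Added example (not from the original slides) that carries the worked scenario from the "Our needs", "Borrowing bits", "The new netmask" and "Subnet addresses" slides through in Python's standard ipaddress module: 206.15.143.0/24 split for 5 subnets of 30 hosts, applying the slides' classful 2^n - 2 rule (all-zeros and all-ones subnet numbers excluded) and, as a generalisation, a classless mode that keeps every subnet the way CIDR routers do.

```python
import ipaddress


def plan_subnets(network_cidr, subnets_needed, hosts_needed, classful=True):
    """Borrow the fewest host bits that yield enough subnets, check that the
    remaining host bits still fit hosts_needed, and list the subnets.

    classful=True applies the slides' 2**n - 2 rule (the all-zeros and
    all-ones subnet numbers are not used); classful=False counts every
    subnet, which is how CIDR/VLSM routers treat them."""
    if subnets_needed < 1 or hosts_needed < 1:
        raise ValueError("need at least one subnet and one host")
    net = ipaddress.ip_network(network_cidr, strict=True)
    host_bits_total = net.max_prefixlen - net.prefixlen
    for borrowed in range(1, host_bits_total):
        usable_subnets = 2 ** borrowed - (2 if classful else 0)
        # Every subnet still loses its own network and broadcast address.
        usable_hosts = 2 ** (host_bits_total - borrowed) - 2
        if usable_subnets >= subnets_needed:
            if usable_hosts < hosts_needed:
                raise ValueError("cannot fit %d subnets of %d hosts in %s"
                                 % (subnets_needed, hosts_needed, net))
            break
    else:
        raise ValueError("not enough host bits in %s for %d subnets" % (net, subnets_needed))
    new_prefix = net.prefixlen + borrowed
    subnets = list(net.subnets(new_prefix=new_prefix))
    if classful:
        subnets = subnets[1:-1]          # drop the all-zeros and all-ones subnet numbers
    plan = []
    for s in subnets:
        hosts = list(s.hosts())
        plan.append({"network": str(s.network_address), "first": str(hosts[0]),
                     "last": str(hosts[-1]), "broadcast": str(s.broadcast_address)})
    return {"borrowed_bits": borrowed, "prefix": new_prefix,
            "netmask": str(subnets[0].netmask), "hosts_per_subnet": usable_hosts,
            "subnets": plan}


def mask_pattern(prefix):
    """Render the slides' picture of a mask: N for network/subnet bits, H for host bits."""
    bits = "N" * prefix + "H" * (32 - prefix)
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def mask_binary(netmask):
    """Dotted binary form of a dotted-decimal mask such as 255.255.255.224."""
    return ".".join(format(int(o), "08b") for o in netmask.split("."))


if __name__ == "__main__":
    p = plan_subnets("206.15.143.0/24", 5, 30)
    print(mask_pattern(p["prefix"]), mask_binary(p["netmask"]), p["netmask"])
    for s in p["subnets"]:
        print(s)
```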


Now the easy way

Antiquated Protocols
Finger
Chargen & Echo
Daytime
Telnet
FTP
SNMP
SMTP
POP3

IP Version 4 versus IP Version 6
IP Version 6 aka IPng (Next Generation)
The differences are in five major areas:
Addressing and routing
Security
Network address translation
Administrative workload, and
Mobile Computing
IPv6 includes migration & transition plans

IP Version 6 Migration
Over 30 IPv6 RFCs written since 1994
Migration from v4 to v6 will take time
Standards and procedures exist for the coexistence of both
Tunneling IPv6 within IPv4
Tunneling IPv4 within IPv6
Dual stacks used at the same time
Windows 7 is an OS using two stacks


IPv6 Advantages (1 of 2)
Huge address space (2^128)
Makes NAT and its issues no longer necessary
Reduces configuration and management
Supports stateless autoconfiguration
Creates a guaranteed unique IP address
Combines the LAN MAC address with the prefix provided by the router
DHCP is no longer needed; DHCPv6 can still be used
All hosts support multicast as a requirement

IPv6 Advantages (2 of 2)
Quality of Service (QoS) on VPNs
New 20-bit traffic flow field
IPsec is required and built in
Routers don't fragment packets, only hosts do
ICMPv6 Router Solicitation and Advertisement
Determine the IP address of the best gateway
It is a requirement
Supports a 1280-byte packet size



IPv6 Packet Format
Graphic from: http://www.net-security.org/dl/insecure/INSECURE-Mag-30.pdf

IPv6 Address Notation
Thanks to Vivek from www.securitytube.net for his great tutorials on IPv6

IPv6 Transmission Methods
Unicast
From one station to another station
Multicast (a requirement in IPv6)
From one station to multiple selected stations
Information sent only once over the networks
Anycast
Sent to a group of nodes/stations
Needs to be delivered to at least one node and not all of them

IPv6 and Mobility
Mobility is a new feature in IPv6
Mobile nodes can change their location and addresses without losing the existing connections through which the nodes are communicating
Supported at the Internet level, thus transparent
Uses two types of IP addresses:
The IPv6 address; and
The Mobile IP address

IPv6 Security Issues (1 of 2)
Dual stack = double the amount of issues
Spoofing could be used on the same network segment
Neighbor Discovery prevents it remotely on IPv6
Could be possible if tunneling IPv6 over IPv4
Flooding and scanning are possible attacks
Vendors of security tools are catching up
They claim to be compliant, but are they?
Smurf attacks can be done on multicast addresses



IPv6 Security Issues (2 of 2)
No security through obscurity as provided by NAT
Must be configured on the firewall instead
Stateless autoconfiguration
Gives an IP address away to anyone
Could be turned on by default
Network intrusion detection will be hard to perform
Key management is still necessary



Other Security Issues
Turn IPv6 OFF if you don't need it
Could be used for covert channels
Tunneling IRC over IPv6 for example
Rogue devices could be set up to assign IPv6 addresses
ICMP6 redirect attacks (see next slide)
Type 0 Routing Header attack
Packet bounces between two or more routers
Amplification attack, up to 88-fold amplification





ICMP6 Redirect Attack
1. An attacker with access to the network sends an Echo Request with the source address set to User 2 and the destination set to User 1.
2. The victim receives this Echo Request and sends an Echo Reply to User 2.
3. The attacker then creates a redirect packet with the Echo Reply attached. The packet is constructed with the source as the router and the destination as User 1, and it tells User 1 to redirect all traffic for User 2 to the attacker. The attacker then receives packets from User 1 and can spoof User 2.

Questions?
ANY QUESTIONS?
[email protected]
Subject Line: SN SEC+ QUESTION
