IPv6 Quality of Service and Security
1. QoS (introduction and architecture)
2. Security (architecture, IPsec, threats, related RFCs)
Introduction to QoS
Quality: reliable delivery of data “better than normal”: data loss, latency (jitter), bandwidth, and so on. In general, an efficient use of network resources.
Service: something offered to the final user: end-to-end communication, client-server applications, data transport, etc. Concept: service guarantee, SLA.
“Quality of Service is a measurement of the network behavior with respect to certain characteristics of defined services.” An ambiguous term with a difficult interpretation, but some concepts are common to all definitions of QoS: traffic and type-of-service differentiation, and the ability of users to treat one or more traffic classes differently.
How to Get QoS?
Advantages of RSVP
Characteristics of RSVP
RSVP Operations
QoS Support in IPv6
Two QoS-related fields in the IPv6 header:
1. 20-bit Flow Label: geared to IntServ, but may have other uses (e.g. implemented in the Lancaster RSVP media server)
2. 8-bit Traffic Class: geared to DiffServ (e.g. implemented in the Thomson IPv6 edge device)
Header of IPv6
Two extension headers that can help QoS: the Routing header and the Hop-by-hop header.
Hop-by-hop header layout: Next Header | Hdr Ext Len | Router Alert Option (00, Len=2, Value in octets)
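The two QoS fields and the Hop-by-hop Router Alert option described above, as an added example that is not part of the original slides: it decodes the IPv6 fixed header, walks the Hop-by-hop options and extracts the Router Alert value. The packet is constructed inline (addresses from the 2001:db8::/32 documentation prefix); the Router Alert value meanings follow RFC 2711.

```python
import struct
import ipaddress

HOP_BY_HOP = 0          # Next Header value of the Hop-by-Hop extension header
ROUTER_ALERT_OPT = 5    # Router Alert option type (RFC 2711); high bits 00 = skip if unknown

def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the 40-byte IPv6 fixed header, exposing the two QoS fields."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "traffic_class": (word >> 20) & 0xFF,   # 8 bits, DiffServ (DSCP + ECN)
        "flow_label": word & 0xFFFFF,           # 20 bits, IntServ / per-flow handling
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }

def router_alert_value(pkt: bytes):
    """Return the Router Alert value from the Hop-by-Hop options (0 = MLD, 1 = RSVP, 2 = Active Networks), or None."""
    if parse_ipv6_header(pkt)["next_header"] != HOP_BY_HOP:
        return None
    ext = pkt[40:]
    opts = ext[2:(ext[1] + 1) * 8]     # Hdr Ext Len counts 8-octet units beyond the first 8
    i = 0
    while i < len(opts):
        if opts[i] == 0:               # Pad1 option has no length byte
            i += 1
            continue
        opt_len = opts[i + 1]
        if opts[i] == ROUTER_ALERT_OPT and opt_len == 2:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += 2 + opt_len               # skip PadN and any other option
    return None

def build_sample() -> bytes:
    """Constructed packet (not a capture): Traffic Class 0x28 (DSCP AF11), Flow Label 0x12345,
    Hop-by-Hop header with Router Alert = 1 (RSVP), then an 8-byte ICMPv6 placeholder."""
    word = (6 << 28) | (0x28 << 20) | 0x12345
    hbh = bytes([58, 0, ROUTER_ALERT_OPT, 2, 0, 1, 1, 0])  # next=ICMPv6, RA option, PadN filler
    payload = hbh + b"\x00" * 8
    hdr = struct.pack("!IHBB", word, len(payload), HOP_BY_HOP, 64)
    src, dst = ipaddress.IPv6Address("2001:db8::1"), ipaddress.IPv6Address("2001:db8::2")
    return hdr + src.packed + dst.packed + payload
```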
Comparison of headers (v4 vs v6)
[Figure: IPv4 header and IPv6 header side by side. IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding. IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address.]
Legend:
—Field’s name kept from IPv4 to IPv6
—Fields not kept in IPv6
—Name and position changed in IPv6
—New field in IPv6
IPv6 Security
Discussions around IPv6 security have centered on IPsec. Though IPsec is mandatory in IPv6, the same issues with IPsec deployment remain from IPv4: configuration complexity and key management.
Security in IPv6 is a much broader topic than just IPsec. Even with IPsec, there are many threats which still remain issues in IP networking.
Types of Threats (1/2)
Reconnaissance—provides the adversary with information enabling other attacks
Unauthorized Access—exploits the open transport policy inherent in the IPv4 protocol
Header Manipulation and Fragmentation—evade or overwhelm network devices with carefully crafted packets
Layer-3/Layer-4 Spoofing—modify the IP address and port information to mask the intent or origin of the traffic
ARP and DHCP Attacks—subvert the host initialization process or a device the host accesses for transit
Broadcast Amplification Attacks (Smurf)—amplify the effect of an ICMP flood by bouncing traffic off a network which inappropriately processes directed ICMP echo traffic
Routing Attacks—disrupt or redirect traffic flows in a network
Types of Threats (2/2)
Viruses and Worms—attacks which infect hosts and optionally automate propagation of the malicious payload to other systems
Sniffing—capturing data in transit over a network
Application Layer Attacks—broad category of attacks executed at Layer 7
Rogue Devices—unauthorized devices connected to a network
Man-in-the-Middle Attacks—attacks (generally crypto-based) which involve interposing an adversary between two communicating parties
Flooding—sending bogus traffic to a host or network, designed to consume enough resources to delay processing of valid traffic
Threats against IPv6 – comparing with IPv4
Two Ways of IP Security could be used
1. Transport mode: implemented directly between the end systems, which must therefore both support IP Security.
2. Tunnel mode: implemented between intermediate systems (security gateways), which encapsulate the insecure IP datagrams.
IP Datagram
IP Security Datagram(Transport Mode)
IP Security Datagram(Tunnel Mode)
Transport and Tunnel Mode
How is IP Security transmitted?
Four Main Functionalities of IPSec
1. Security Associations (SA)
2. Authentication only (Authentication Header, AH)
3. Encryption and authentication, known as Encapsulating Security Payload (ESP)
4. Key management
Transport and Tunnel mode Functionalities:
Authentication Header (AH)
The IP Authentication Header (AH) is used to provide connectionless integrity and data origin authentication for IP datagrams, and to provide protection against replay attacks. AH is based on an integrity check value (ICV) computed with the algorithm specified in the SA. It defends against IP spoofing attacks.
IP Security Authentication Header
Authentication Data
Encapsulating Security Payload (ESP)
The Encapsulating Security Payload provides confidentiality, authentication, and data integrity. ESP can be applied alone or in combination with AH.
The Encapsulating Security Payload includes:
1. Security Parameter Index (SPI): identification of the SA of this datagram
2. Sequence Number: counter which is incremented with each packet
3. Payload Data: encrypted data of the IP protocol
4. Padding: extra bytes needed if the encryption algorithm needs complete text blocks
5. Pad Length: number of padding bytes
6. Next Header: data protocol in the payload data
7. Authentication Data: ICV computed over the whole datagram (except the Authentication Data field)
Encapsulating Security Payload(ESP)
ESP Computation
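The ESP fields listed above together with the anti-replay protection the sequence number provides, as an added example that is not part of the original slides: the sender builds SPI | Sequence Number | Payload | Padding | Pad Length | Next Header | ICV, and the receiver verifies the ICV before consulting a 64-entry sliding window so that duplicates and very late packets are dropped. The cipher step is an identity placeholder (assumption) so the framing, padding and replay logic run offline; the ICV is a 96-bit truncated HMAC-SHA1 computed over everything except itself, as the slide states.

```python
import hashlib, hmac, struct
BLOCK = 8      # block size of the assumed cipher; ESP pads Payload + trailer to a multiple of it
ICV_LEN = 12   # 96-bit truncated HMAC, the usual ESP authenticator length (RFC 2404 style)

def esp_pad(plaintext: bytes, next_header: int) -> bytes:
    """Append the ESP trailer: Padding, Pad Length, Next Header."""
    pad_len = (-(len(plaintext) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))       # RFC 2406 default padding: 1, 2, 3, ...
    return plaintext + padding + bytes([pad_len, next_header])

def esp_encapsulate(spi: int, seq: int, plaintext: bytes, next_header: int, auth_key: bytes) -> bytes:
    """SPI | Sequence | Payload+trailer | ICV. Encryption of the middle part is an identity placeholder here."""
    body = struct.pack("!II", spi, seq) + esp_pad(plaintext, next_header)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]   # ICV over everything but itself
    return body + icv

class EspReceiver:
    """Inbound SA state: expected SPI, auth key and the anti-replay sliding window."""
    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, auth_key, window
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence number (top - i) was already accepted

    def replay_ok(self, seq: int) -> bool:
        if seq == 0 or seq > self.top:
            return seq != 0                # 0 is never valid; above the window top is always new
        offset = self.top - seq
        return offset < self.window and not (self.bitmap >> offset) & 1

    def mark(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, pkt: bytes):
        """Return (next_header, plaintext), or None for a short packet, wrong SPI, bad ICV or replay."""
        if len(pkt) < 8 + 2 + ICV_LEN:
            return None
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):    # check integrity before touching window state
            return None
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi or not self.replay_ok(seq):
            return None
        self.mark(seq)
        pad_len, next_header = body[-2], body[-1]
        return next_header, body[8:-2 - pad_len]
```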
Key Management
The key management portion of IP Security involves the determination and distribution of secret keys.
Two types of key management are supported:
• Manual
• Automated: ISAKMP/Oakley (by default)
Oakley Key Determination Protocol
Oakley is designed to retain the advantages of Diffie-Hellman while countering its weaknesses. The Oakley algorithm is characterized by five important features:
1. It employs a mechanism known as cookies to thwart clogging attacks
2. It enables the two parties to negotiate a group
3. It uses nonces to ensure against replay attacks
4. It enables the exchange of Diffie-Hellman public key values
5. It authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks
ISAKMP
ISAKMP defines procedures and packet formats to establish, negotiate, modify, and delete security associations. As part of SA establishment, ISAKMP defines payloads for exchanging key generation and authentication data.
The header of an ISAKMP message consists of: Initiator Cookie (64 bits), Responder Cookie (64 bits), Next Payload (8 bits), Major Version (4 bits), Minor Version (4 bits), Exchange Type (8 bits), Message ID (32 bits), Length (32 bits).
Five Default Exchange Types of ISAKMP (1)
1. Base Exchange allows key exchange and authentication material to be transmitted together.
2. Identity Protection Exchange expands the Base Exchange to protect the users' identities (first key exchange, then authentication).
3. Authentication Only Exchange is used to perform mutual authentication, without a key exchange.
Five Default Exchange Types of ISAKMP (2)
4. Aggressive Exchange minimizes the number of exchanges at the expense of not providing identity protection.
5. Informational Exchange is used for one-way transmittal of information for SA management.
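The Oakley cookie mechanism against clogging (feature 1 above), the ISAKMP header layout and the exchange type numbers, as an added example that is not from the original slides: a responder derives its 64-bit Responder Cookie as a keyed hash of the peer's address and port, the Initiator Cookie and a time bucket, so it keeps no state (and does no Diffie-Hellman work) until the cookie is echoed back in an ISAKMP header. The header layout includes the Flags octet of RFC 2408, which the slide's field list omits; the secret, bucket length and peer values are constructed for the example.

```python
import hashlib, hmac, os, struct

# ISAKMP header (RFC 2408): Initiator Cookie(8) Responder Cookie(8) Next Payload(1)
# Version(1, major<<4 | minor) Exchange Type(1) Flags(1) Message ID(4) Length(4) = 28 octets.
# The Flags octet is not in the slides' field list but is part of the wire format.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {"base": 1, "identity_protection": 2, "auth_only": 3, "aggressive": 4, "informational": 5}

def build_isakmp_header(icookie, rcookie, next_payload, exch_type, msg_id, total_len, flags=0):
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, (1 << 4) | 0, exch_type, flags, msg_id, total_len)

def parse_isakmp_header(data: bytes) -> dict:
    ic, rc, np_, ver, et, fl, mid, ln = ISAKMP_HDR.unpack(data[:ISAKMP_HDR.size])
    return {"icookie": ic, "rcookie": rc, "next_payload": np_, "major": ver >> 4, "minor": ver & 0xF,
            "exchange_type": et, "flags": fl, "message_id": mid, "length": ln}

class Responder:
    """Stateless anti-clogging cookie (Oakley feature 1): the Responder Cookie is a keyed
    hash of the peer's address/port, the Initiator Cookie and a time bucket, so the
    responder stores nothing until the initiator echoes the cookie back."""
    def __init__(self, secret: bytes = None, bucket_seconds: int = 60):
        self.secret = secret or os.urandom(32)     # local secret; rotate it periodically
        self.bucket_seconds = bucket_seconds

    def _cookie(self, peer_addr, peer_port, icookie, bucket):
        msg = f"{peer_addr}|{peer_port}|{bucket}|".encode() + icookie
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]   # 64-bit cookie

    def reply_cookie(self, peer_addr, peer_port, icookie, now):
        return self._cookie(peer_addr, peer_port, icookie, now // self.bucket_seconds)

    def accept(self, peer_addr, peer_port, data, now) -> bool:
        """True only if the echoed Responder Cookie matches the current or previous bucket;
        expensive work such as the Diffie-Hellman exponentiation should wait for this."""
        hdr = parse_isakmp_header(data)
        bucket = now // self.bucket_seconds
        return any(hmac.compare_digest(hdr["rcookie"], self._cookie(peer_addr, peer_port, hdr["icookie"], b))
                   for b in (bucket, bucket - 1))
```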
RFCs related to IP Security (1)
RFC 2003: C. Perkins, "IP Encapsulation within IP"
RFC 2401: S. Kent, R. Atkinson, "Security Architecture for the Internet Protocol"
RFC 2402: S. Kent, R. Atkinson, "IP Authentication Header"
RFC 2406: S. Kent, R. Atkinson, "IP Encapsulating Security Payload (ESP)"
RFC 2407: D. Piper, "The Internet IP Security Domain of Interpretation for ISAKMP"
RFC 2408: D. Maughan, M. Schertler, M. Schneider, J. Turner, "Internet Security Association and Key Management Protocol (ISAKMP)"
RFC 2409: D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)"
RFCs related to IP Security (2)
RFC 2411: R. Thayer, N. Doraswamy, R. Glenn, "IP Security Document Roadmap"
RFC 2412: H. Orman, "The Oakley Key Determination Protocol"
RFC 2428: M. Allman, S. Ostermann, C. Metz, "FTP Extensions for IPv6 and NATs"
RFC 2452: M. Daniele, "IP Version 6 Management Information Base for the Transmission Control Protocol"
RFC 2454: M. Daniele, "IP Version 6 Management Information Base for the User Datagram Protocol"
RFC 2460: S. Deering, R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification"
RFC 2461: T. Narten, E. Nordmark, W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)"