IPv6 Security in LANs

March 28, 2011 (at 10 a.m.)

This workshop covers security aspects of IPv6 in LAN environments. We will discuss which threats are relevant, their associated vulnerabilities within IPv6′s architecture and how to address them in a operationally reasonable way.

The main focus lies on the behavior of IPv6 in (potentially large) networks within an organization and on the tunnel technologies many desktop operating systems are equipped with. A number of demos of both attacks and mitigating controls adds some extra benefit for the audience.

Given this is a specific security workshop it is assumed that the participants already dispose of some basic knowledge as for IPv6.

Agenda:

Overall architecture and basic (security) assumptions of IPv6.
IPv6 behavior on the local link and associated security threats.
What to take care of:
- attacks against Neighbor Discovery
- Multicast Listener Discovery
- DHCPv6
- Router Discovery and some analysis as for their practical relevance.
Discussion of RFC 6104 incl. a live demo of RA guard and other approaches, together with a classification of their security benefit and operational feasibility.
Tunnel technologies:
- 6-to-4
- ISATAP
- Teredo
- their default modes of work and what this means for information security.
Outlook on trends in IPv6 and it’s security aspects in the next years.

Target Audience:

Network planners
Sysadmins in IPv6 environments
Security Officers
Auditors

Enno Rey

Enno Rey @Enno_Insinuator is an old school network security guy who has been involved with IPv6 since 1999. In the last years he has contributed to many IPv6 projects in very large environments, both on a planning and on a technical implementation level.

Christopher Werny

Christopher has been involved with IPv6 since 2005 and has performed a number of IPv6 planning, implementation and troubleshooting projects & tasks since then. He leads the network security team at ERNW.