Project Description

Duration: 01.04.2011 - 31.07.2013

The transition from the currently used Internet Protocol version, IPv4, to its official successor, IPv6, is an important technical requirement for the ongoing development of communication and network infrastructures over the next few years. The changeover from IPv4 to IPv6 affects the network infrastructure of our information society. At present, for example, the Federal Ministry of the Interior is preparing the wide deployment of IPv6. The security of IPv6 networks is therefore of high social relevance and importance. The IPv6 standard does demand the use of IPsec, but this does not automatically make it a "safe" protocol. New protocols such as the Neighbor Discovery Protocol [1] and address configuration [2], together with novel protocol approaches to fragmentation and ICMPv6, have introduced new security risks.

There is currently a shortage of tools for analyzing the threat level in IPv6 networks. The same applies to testing the protective effect of IPv6 firewalls and intrusion detection systems. Since IPv4 is not compatible with IPv6, existing tools cannot be used for this task. Tools adapted specifically for IPv6 are so far either unavailable or available only in reduced form, so potential security breaches or vulnerabilities may occur when IPv6 is deployed. New protocol features such as address autoconfiguration offer novel possibilities for attacks that are not yet recognized by any Intrusion Detection System (IDS). These security risks need to be counteracted by developing powerful tools for security analysis.
It is to be expected that, with the progressive deployment and operation of IPv6 networks, further vulnerabilities in the protocols and their implementations will be revealed. IPv6 darknets and honeynets are suitable tools for recognizing and analyzing such vulnerabilities.

In this project, the potential risks for existing IPv6 networks are to be identified by using IPv6 honeypots and darknets. To this end, an IPv6 darknet is installed that will log all network activity within an unused/unallocated IPv6 subnet and make the results available for analysis. In addition, an IPv6 honeypot will be developed during the project.

A network administrator needs reliable test tools that show whether the deployed protective mechanisms meet the requirements. For IPv4 a set of free and commercial tools exists, e.g. Nessus [3] and Nmap [4], but these offer either no IPv6 options or only reduced ones. A further aim of the project is therefore the development of a validation tool for testing firewall configurations (ICMPv6, multicast, routing header, IPsec, fragmentation, etc.) and IDS systems.

Traditional firewall concepts are applied at network gateways. Local attacks are therefore either not recognized by these devices or recognized only by coincidence. The open source IDS Snort [5] enables the user to place intrusion detection sensors in distributed and switched network infrastructures as well. These sensors do not need expensive special hardware and also work on traditional, inexpensive systems (PC, notebook). To recognize attacks on the Neighbor Discovery Protocol [1] and on address configuration [2], a dedicated IPv6 preprocessor for Snort is to be developed during the project. Subsequently, the Snort IPv6 recognition components will be ported for use in embedded systems with initial costs of less than 200 EUR.
This Embedded Snort Sensor should enable private individuals, small and medium enterprises and public institutions to analyse their IPv6 networks, and it can also be used, for example, to protect sensor networks.

Finally, the developed tools will be tested in co-operation with the industrial partner EANTC in order to carry out both IPv6 protocol tests and firewall load tests. The operation of a darknet and an IPv6 honeypot will supply informative results about the current threat situation.



References:

[1] T. Narten, E. Nordmark, W. Simpson, and H. Soliman. Neighbor Discovery for IP version 6 (IPv6). RFC 4861 (Draft Standard), September 2007. URL http://tools.ietf.org/html/rfc4861.

[2] S. Thomson, T. Narten, and T. Jinmei. IPv6 Stateless Address Autoconfiguration. RFC 4862 (Draft Standard), September 2007. URL http://tools.ietf.org/html/rfc4862.

[3] Nessus. Network vulnerability scanner. URL http://blog.tenablesecurity.com/2007/04/nessus_32_beta_.html

[4] Nmap. Network security scanner. URL http://www.nmap.org.

[5] Snort. Open source network intrusion detection system. URL http://snort.org/.
