Presented at DEF CON 14 (2006)
Aug. 5, 2006, 10 a.m.
Governments around the world are investing serious time, effort, and money into the next gen Internet, based on IP version 6. With important mandatory and remarkably close deadlines looming for v6 deployment, much yet remains to be understood about its security and socio-economic implications as well as our readiness to fully embrace it. While Europe and Asia have been trailblazing the IPv6 industry for years now, the U.S. Government has mandated that its organizations be IPv6-compliant by June 30, 2008, yet the vague definition of compliance has already confused many considering dual-stack, tunneled and/or native environments.
Imagine the bliss of IPv6 telematics, mobility, autoconfiguration, "mandatory IPSec" encrypted traffic and enough IPs to globally address everything with a battery or even a reference to a snippet of code for the world to access. Now imagine your firewalls and IDS sensors being blind to IPSec or even just cleartext 6to4 tunneled traffic. Debunking many myths, such as IPv6 "built-in security", prior to the transition is key as we watch the beloved IPv4 become legacy, say goodbye to NAT and the 6bone and welcome more DNSSEC, tunnel brokers and distributed PKI firewalls?!
This presentation will cover wide-ranging research the authors have conducted and the new paradigm shift necessary to approach IPv6 differently than IPv4, including interviews with some of the world's top thinkers about the sleeping giant. Whether it is yet another gov-hyped failed theory like GOSIP or it is here to stay, you will take away enormous insight into the work that you may be responsible for and dependent on over the next several years.
Alexander Eisen will present the tactical, down-in-the-weeds view of this elegant and extensible yet dangerous protocol. What are the main challenges organizations will face during the inevitable transition? A threat analysis will follow, based on how the attack surface will inherently increase with the introduction of v6, many more IPs, more stacks, lack of smart fully v6-capable firewalls/IDSs and most importantly lack of training and understanding of this technology. Will larger packet size and extension headers give incentive for covert channels? Will multi-homing, multicast and link-local attacks be difficult to restrain? Why might traditional hacker methodology change focus away from scanning and local MITM attacks to going after PKI Certificate Authorities and DNS servers, splitting attacks between the stacks and hiding within tunnels? Many are unaware of existing rogue v6 traffic on their networks and with Teredo's exploitation of NAT via UDP (enabled by default in XP SP1/2, Vista and Longhorn), your ::1 might already be owned... Some large enterprises can barely even inventory all their IP-enabled assets. Mr. Eisen will explain how attackers can use all this as ammunition to take advantage of the necessarily long-lasting, heterogeneous environment that will be required during the transition. Questions like, what should be done right now to block rogue v6 traffic and what defense mechanisms should be employed when v6 traffic is authorized, will be explored. Discussion of wardriving results and the efforts to build a v6 connection at home will also provide some intrigue.
Kenneth Geers will present the political and strategic view of IPv6, including why nation-states view the technology as vital to their national security plans for the future. Stops will be made at the White House, Beijing, Red Square, and Tokyo - all of whom are influencing the development of IPv6 standards in unique ways. He will cover the most current v6 research and deployment events from around the world, including translated summaries of official foreign language IPv6 documents that might otherwise remain inaccessible outside their home countries. DEFCON audience members should know that if some governments get their way on heretofore esoteric issues such as traceability due to privacy EUI-64 fields and IPSec certs, global v6 address allocation and portable IPs, they could well lose their last byte of anonymity on the Internet!
Last but not least, a live, on-stage demonstration will take place: the authors will attempt to saw a woman in half, and then try to check their beer inventory and fridge temperature across the continent with the aid of the world's first IPv6-enabled refrigerator add-on device! The demo will show a discovery and port scan of the appliance via the Internet (found at this v6 IP -> 1337:sec:badd:a22:DEF:C012::14), followed by authentication, remote administration, and an SMS message sent to the speaker's mobile phone. Welcome to the v6-pack!!
Kenneth Geers (CISSP, M.A. University of Washington) has worked for many years as a translator, programmer, Web developer, and analyst. The oddest job he has had was working on the John F. Kennedy Assassination Review Board. He also waited tables in Luxembourg, harvested grapes in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Mr. Geers is the author of "Cyber Jihad and the Globalization of Warfare", "Hacking in a Foreign Language: A Network Security Guide to Russia", and "Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall". His website, www.chiefofstation.com, is devoted to the intersection of politics, art, and the Internet. He loves his wife Jeanne, and daughters Isabelle, Sophie and Juliet.
Alexander Eisen (CISSP, M.S. University at Buffalo) has twice been awarded a government Information Assurance Scholarship to complete a multi-disciplinary Computer Science program spanning Cryptography, Cyber Law and Management. Having played in the fields of network red teaming, pen-testing, incident response, forensics and security product evaluation, his passions include exploring pioneering topics in security, researching with academia and being a bilingual grayhat-entrepreneur. Mr. Eisen attempts to give back to the community as an adjunct professor with University of Advanced Technology and an active member of IEEE Computer Society, Infragard, and AFCEA. Wishing to have Kenneth's frequent flyer miles to continue charting his back-country snowboarding adventures across the globe, his other half paints, unicycles and chases his Russian Blue 'pantera' named Jazz.