interest of trying to stay on time, which we've been relatively good at so far, I'm going to introduce our next speaker, Gene Cronk, who works on the North American IPv6 Task Force, and today he'll be giving you your IPv6 primer. Take it away, Gene.

Yay! All right, first of all, I'd like to say that anybody who's here and expecting advanced IPv6 stuff, you're at the wrong presentation. I am going to be covering some more advanced stuff next year, but for right now this is just a quick overview and some of the more interesting things I found security-wise with IPv6. This better? There we go. All right. So anyway, I'm Gene Cronk, ISSAP, CISSP, read the slide.

Why IPv6? In 1992, the IETF decided that we're starting to run out of IPv4 addresses, so they put out a request for comments. In 1993, RFC 1550 was created, and then in 1995 it was ratified. IPv6 was chosen as the next-generation Internet. In comparison with IPv4: IPv4 only has 32 bits of address space, so you have roughly 4.3 billion IP addresses. You've got to remember a lot of those are reserved, a lot of those are not used. IPv6 has 128-bit addressing, 3.4 times 10 to the 38 addresses, 340 undecillion for anybody who's interested. What that boils down to is 64 billion IPs for every square centimeter on earth.

Continuing on with the comparisons, IPv4 was invented 20-some-odd years ago. It was a great protocol for the time, but we've just outgrown it. There have been several band-aids that have been applied to IPv4, and some of them have actually been back-ported from IPv6, IPsec being one of the major ones. IPv6 integrates them; basically, all the mistakes that were made with IPv4 are, for the most part, fixed in IPv6. It still doesn't mean it's totally secure, though. Stateless autoconfiguration is kind of like getting a 169 address on Windows: as soon as you boot the computer, if it's IPv6-enabled, you end up with an address. Quality of service was built into IPv6. It's required.
Encryption, IPsec, all of it's built into IPv6, and a lot of times it was back-ported to IPv4. This is one of the major ones: I keep hearing that we have these longer addresses and everything else, so it's going to tax the routers. Actually, it's not, because it uses hierarchical routing. Currently on the backbones there's 113,000, well, okay, not currently, but as of last year, there's 113,000 routes; with IPv6 the most you're ever going to see in the default-free zone is A192. Here's a quick graph to see how the routing table has gotten nasty.

Roaming becomes a heck of a lot easier. You can use Mobile IPv6 and anycast, and your cell phone can actually automatically identify its new router information and just pick up and go. The beauty of this is the fact that you can keep the same IP address.

This is one of the major ones. This is going to re-establish end-to-end connectivity. Now, for all you people that think that NAT is the fix to your security issue, it's not. And as a matter of fact, with NAT, if you're actually trying to do something along the lines of voice over IP, something like that, you have to pull some pretty nasty tricks to make sure that it works. With IPv6, you'll just be able to contact your endpoint and be good to go.

Okay, your current connectivity: 6bone, which is actually being phased out at the moment, although it's probably going to stay around for quite a few more years, they are trying to get rid of it. It's an experimental IPv6 beta network. IPv6 islands are connected via IPv4 tunnels. Connectivity is either native or via tunnel broker or other tunneling mechanisms. The number of networks just continues to grow, and this website here actually has the status of current connectivity.

Global adoption: the earliest adopters have been Japan and China. Japan and China both expect a full conversion to IPv6 by 2005. The European Union has been right on their heels.
Resistive adopters: the United States, of course, because we've got most of the IPv4 addresses, 70%, and a lot of people claim that it's going to be a pain in the ass to implement. Well, it's not as hard as you think. As far as new developments, although this isn't so new because this was last year, DoD has mandated that all their new infrastructure stuff has to be dual-stacked. That was in October of last year. They expect a full conversion by 2008. As far as who's providing IPv6 in the United States: NTT Verio; Speakeasy is planning on it, they've been talking about it for about a year now, I'm not sure if they're actually going to go through with it or not; and Hurricane Electric. And then the Moonv6 project, which the North American IPv6 Task Force is a good portion of, has also been making great strides to make sure that hardware, software, et cetera, is compliant with IPv6.

Here's an IPv6 address. For all of you that like to memorize IPv4 addresses, this might make it a little harder. Each block of the address represents 16 bits. Two words of an IPv6 address are going to cover the entire v4 Internet. The first word defines the type of address. 3FFE is a 6bone address; it's going to be deprecated in lieu of a 2001 address. FE80 is link-local; when you boot up, you're going to have an FE80 address. ::1, that's going to be localhost. And then :: is usually used in your config scripts, whatever; it's the equivalent of 0.0.0.0.

EUI-64: this is how, for the most part, it's determined what your FE80 address is. It's mostly based on your MAC address, and FFFE is inserted in between the third and fourth bytes of the MAC, so 00:0B:3C:F4:22:CE becomes this. Using the MAC address for your IP address has been considered a privacy issue. It's not addressed in the RFC, so they came out with another RFC that addresses the privacy issues and actually randomizes the IPv6 address. 2001 is for production globally routable IP addresses.
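The EUI-64 derivation the talk walks through, as an added Python example (not code from the slides): the MAC 00:0B:3C:F4:22:CE from the talk, FFFE inserted between the third and fourth bytes, plus the universal/local bit flip the talk does not mention, the reverse mapping that makes this a privacy issue, and a randomised identifier in the spirit of the privacy-extensions RFC.

```python
import os
import ipaddress

# Sample MAC from the talk's slide.
SAMPLE_MAC = "00:0B:3C:F4:22:CE"


def modified_eui64(mac):
    """Build the 64-bit interface identifier from a 48-bit MAC (RFC 4291, Appendix A):
    insert FF:FE between the 3rd and 4th byte, then flip the universal/local bit
    (bit value 0x02 of the first byte), so a burned-in MAC yields a 'universal' ID."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac):
    """fe80::/64 plus the modified EUI-64: the address a host gets just by booting."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac))


def mac_from_eui64_address(addr):
    """Reverse the derivation (the privacy problem): if the identifier carries the
    FF:FE marker, recover the MAC; otherwise return None (looks randomised or manual)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    mac = iid[:3] + iid[5:]
    return ":".join(f"{b:02X}" for b in mac)


def temporary_iid():
    """Randomised identifier in the spirit of the privacy-extensions RFC: 64 random
    bits with the universal/local bit cleared, so it never claims to be a real EUI-64."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return bytes(iid)


if __name__ == "__main__":
    print(link_local_from_mac(SAMPLE_MAC))                     # fe80::20b:3cff:fef4:22ce
    print(mac_from_eui64_address("fe80::20b:3cff:fef4:22ce"))  # 00:0B:3C:F4:22:CE
```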
Hurricane Electric makes pretty good use of it. 2002 is used for 6to4 tunneling, which I'm going to get to in a minute. FEC0 is the equivalent of your 192.168 addresses, or your 10.1 or 172.16. It is being deprecated in lieu of FC00. FF01, FF02, FF05 are multicast.

OS support: FreeBSD, OpenBSD, NetBSD, OS X, which is based on FreeBSD, and BSDI are using the KAME project. It's available at kame.net. IPv6 is enabled by default on these operating systems. The 2.4 kernel has, it's not a bad implementation. It is kind of buggy, though, and it can actually be augmented by USAGI. The 2.6 kernel actually includes the USAGI patches by default. Solaris 8 and above has native support, and Novell NetWare 6 and above has native support using BSDSOCK.NLM. Kind of makes you wonder where they got their IPv6 implementation from. Windows 98, 95, ME: there's no Microsoft-supported IPv6 capability, but you can get third-party plug-ins for it via Hitachi and Trumpet. NT4 has a very early, ugly IPv6 stack. You actually have to go download a patch for it and install it, et cetera, et cetera. Windows 2000, the stack is a little bit better, but not much. XP and Windows 2003, the IPv6 stacks are built in, and simply typing "ipv6 install" will go ahead and enable it. One of the main things with Windows XP and Windows 2003 is the fact that, yes, you can get IPv6 IPsec, but there's no encryption. It kind of made me scratch my head a bit. netsh actually controls IPv6 from the command line.

Your top North American IPv6 providers, which I kind of covered in an earlier slide: NTT Verio, Freenet6, Hurricane Electric, and possibly Speakeasy, although they still have been dragging their feet. NTT Verio supplies tunneling in areas where they don't provide true IPv6 end-to-end to their customers. Hurricane Electric and Freenet6 are tunnel brokers. Anyone with an IPv4 address can tunnel via v6, and you can hit these websites if you're curious about it.
Other tunnel brokers are available worldwide, and most only require an online registration.

Your tunneling and transitioning mechanisms. You've got to remember that IPv6 and IPv4 are two completely different protocols, but they were designed to work together. So you have ISATAP, you have tunnel brokers, 6to4, Teredo and Silkroad, some of my personal favorites, NAT-PT, Bump in the Stack, Bump in the API, Dual Stack Transition Mechanism, or DSTM, Translate Relay Trant, yeah. Transport Relay Translator. Transport and belligerent. How about drunk and belligerent? Many of these use IPv4 as the transport.

Here's a quick overview of ISATAP. Quite honestly, I haven't used this that much. It's used mostly for IPv6 connectivity between hosts on a LAN or VLAN. It requires a 6to4 gateway for packets that leave the local LAN. If you want to be able to talk to google.com, you're going to need some kind of translation mechanism for it. It can be used as an IPv6 NAT, although IPv6 and NAT shouldn't be used in the same sentence. Addresses include the IPv4 address, and you can see it here.

Okay, tunnel broker is one of the more popular ways to connect to IPv6. It requires IP protocol 41. If you have a Linksys router, odds are this is not going to work. It doesn't work with NATted IPv4 hosts, unless it's a one-to-one NAT, and even then you could see some issues. Personally, I just use a FreeBSD box. Most tunnel brokers are going to give you a /48 or /64, and you can see the numbers here for the number of IP addresses that you're going to get for your local network. It's pretty easy to set up and change. It's frequently used as an attack vector since tunnels can be set up in different countries. SixXS.net has a 6to4 proxy that shows only the IPv6 source address. If you bounce through France for your tunnel broker and then bounce through these guys, odds are they're not going to track you.

6to4 auto-tunneling, also fairly easy to set up.
You take your IPv4 address, convert it to hex and put 2002 in front of it. It automatically gives you a /48. If you want to do automatic, you set your default route to 192.88.99.1. The main problem with this is, okay, I'm from Jacksonville, Florida, and the first router that I picked up was in Japan. Personally, I just stay away from the anycast and set your default route manually. It uses BGP to find a near 6to4 router and connect to the IPv6 Internet. Security is questionable, especially on the automatic 6to4, because you don't have a choice on where your traffic is going. Now, with the Windows XP thing, I found this kind of interesting. I went over to a friend's house and he's using a cable modem, plugged into the Internet. I automatically got a routable IPv4 address, and I went in and looked and it automatically set up an IPv6 tunnel for me. To me, that's a bit of a security concern. It's not included with OpenBSD; Theo considered it a security risk, and honestly, I agree with him.

Teredo, one of my personal favorites, allows IPv6 tunneling over UDP. How many people are actually monitoring UDP traffic on their network? If you are, then congrats. Ports can be changed. They use 3544 by default, but let's just say I change it to the DNS port or the IKE port. Microsoft, Linux, they all have implementations, but Microsoft is the only one that has a client. The servers are FreeBSD and Linux. Could very easily be used as an attack vector. Let's just, you know, write a back door into our operating system. Oh, wait, Microsoft already does that. It's a last-ditch IPv6 mechanism. It uses 3FFE:831F only, and it doesn't allow tunneling through restricted NATs.

Silkroad. Silkroad is basically a tunnel broker over UDP. It uses 5188. There are no implementations for it. Again, just like Teredo, it could very easily be used as an attack vector. Allows any address range to be used. It's a very new draft. I mean, this thing came out like three months ago.

NAT-PT.
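The 6to4 derivation just described (2002 followed by the IPv4 address in hex, giving a /48) together with the address-type table from earlier in the talk (3FFE, 2001, 2002, FE80, FEC0/FC00, FF01/FF02/FF05), as an added Python example, not slide code. The relay anycast 192.88.99.1 and the Teredo prefix 3FFE:831F are the values the talk gives; 192.0.2.1 is a constructed sample IPv4 address.

```python
import ipaddress

# Values from the talk: the 6to4 relay anycast address and Teredo's prefix.
SIXTO4_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")
TEREDO_PREFIX = ipaddress.IPv6Network("3ffe:831f::/32")


def sixto4_prefix(v4):
    """2002:WWXX:YYZZ::/48 for IPv4 WW.XX.YY.ZZ: the address in hex right after 2002."""
    v4 = ipaddress.IPv4Address(v4)
    net_int = (0x2002 << 112) | (int(v4) << 80)
    return ipaddress.IPv6Network((net_int, 48))


def embedded_ipv4(v6):
    """The IPv4 endpoint a 6to4 address will be tunnelled to, or None if not 6to4.
    This is why 6to4 traffic reveals the IPv4 host behind it."""
    a = ipaddress.IPv6Address(v6)
    if a.packed[:2] != b"\x20\x02":
        return None
    return ipaddress.IPv4Address(a.packed[2:6])


def classify(addr):
    """Label an address by its first word, the way the talk's address-type table does."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::"):
        return "unspecified (::)"
    if a.is_loopback:
        return "loopback (::1)"
    if a in TEREDO_PREFIX:                      # must precede the 3FFE::/16 check
        return "Teredo (3FFE:831F)"
    if a in ipaddress.IPv6Network("3ffe::/16"):
        return "6bone, deprecated"
    if a in ipaddress.IPv6Network("2002::/16"):
        return f"6to4, tunnels via IPv4 {embedded_ipv4(a)}"
    if a in ipaddress.IPv6Network("2001::/16"):
        return "global unicast (production)"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fec0::/10"):
        return "site-local (FEC0), deprecated in favour of FC00"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local (FC00)"
    if a.is_multicast:
        scope = a.packed[1] & 0x0F               # low nibble of the second byte
        names = {1: "interface-local (FF01)", 2: "link-local (FF02)", 5: "site-local (FF05)"}
        return "multicast, " + names.get(scope, f"scope {scope}")
    return "other"


if __name__ == "__main__":
    net = sixto4_prefix("192.0.2.1")             # constructed sample IPv4 address
    print(net)                                   # 2002:c000:201::/48
    print(classify(net[1]))                      # 6to4, tunnels via IPv4 192.0.2.1
    for sample in ("3ffe:831f::1", "3ffe:1::1", "fe80::1", "fec0::1", "ff02::1"):
        print(sample, "->", classify(sample))
```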
It's part of RFC 2766. IPv6 hosts on a network send requests to a dual-stack gateway. The gateway decides whether the packet is v6 or v4, converts to v4 if need be, or just leaves it as v6. Cisco currently has the only major production implementation of it. There are some other ones for FreeBSD and Linux, but a lot of them are very old. They haven't been updated since 2001. It's similar to using IPX/SPX only on your network and still being able to go out and surf websites.

Bump in the Stack, Bump in the API. RFC numbers are here. It's used on dual-stack hosts to proxy other programs. Security is nasty on this one. XP and 2003 include portproxy. Portproxy can also be used for v4 to v4.

Dual Stack Transition Mechanism. It's based on dynamic IPv4-over-IPv6 tunnels, which at this stage in the game is kind of the reverse of what we're looking at. But it does allow IPv4 apps to run in an IPv6 environment. The main problem with this is the fact that you still need IPv4 addresses. It is multi-platform. There are clients for Linux, Windows, NetBSD, but it does minimize the need for IPv4 addresses.

Transport Relay Translator. Works as a DNS proxy. TRT takes an address, kind of converts it a bit. There are BSD and Linux implementations. This mostly acts as a server. It's based on totd and faithd on BSD or pTRTd on Linux. There's your RFC number. This is actually something I was trying to do on the wireless network here, but I just didn't have time. Too much drinking.

Router advertising. It allows your IPv6 border router to broadcast its existence and pass out IP addresses. It's similar to DHCP, but it's not, because all it can broadcast is default router and address prefixes. It can't assign DNS, WINS, blah, blah, blah, et cetera, et cetera, ad nauseam. A router advertisement server is available on just about every IPv6-capable operating system. DHCPv6 actually combines the functionality of a router advertiser and DHCPv4.
It's currently in alpha stages, and most implementations, there's a couple out there. Cisco's DHCPv6 stack is probably the only one that's considered production quality. Side note, I do not work for Cisco. It provides prefix delegation and facilitates the distribution of IPs and default routes and everything else you'd get on v4.

Firewalling for IPv6. Pretty much the same on the UNIXes: ipfw, pf, ip6fw, ip6tables for Linux. There's a built-in firewall for XP. It actually runs as a service. If you decide to write a little virus that might stop the service and go ahead and install IPv6, more power to you. There is no IPv6 firewall on Windows 2K3. Damn. Okay, wait a minute. I hosed up this slide. Windows 2003, there is IPv6 support, but there's no support for the firewall. XP, before the Advanced Networking Pack, there was no firewall at all, same as 2K3. One of the major things with your firewall applications: if you feel safe running ZoneAlarm, don't, because most host-based intrusion detection systems might pick up 6to4 traffic, but they don't defend against native. As far as securing it, well, if you're not using IPv6, block protocol 41 at your border router, and run a scanner, for example, like Ethereal, to make sure that there's no router advertisement and there's no IPv6 traffic on your network. And as always, if you're not using the protocol, don't enable it.

DNS records, they're not too much different. You actually have two of them. I just brought up one of them here. You have a AAAA record, and then you have an A6 record. Not too much different from each other. It's just a matter of saying, okay, this host points to this IP address.

Applications, a lot of times they have to be patched or recompiled, except for the BSDs and a lot of the most current Linux distributions. They can be proxied, as I was saying, with BIS/BIA. IPv4-only applications can be made to understand IPv6. They do have to be able to handle a colon in the address.
And if you're writing an app these days, it should be dual-stack capable. Sample code, I'm just going to let y'all take a look. The main difference between IPv4 and IPv6 is the AF_INET. AF_INET is an IPv4-only call. And then here's a dual stack: if you do PF_UNSPEC, protocol family unspecified, then it's going to look to the DNS servers for an IPv6 host first, and then if there is no IPv6 host, it's going to drop back to IPv4. For example, if you're running Apache 1.3, you can get IPv6 support, but you have to patch Apache. Go figure. In Apache 2.0, they build in IPv6 support by default. All you have to do is tell it to listen on any interface on port 80 or port 443. SSHD is kind of similar. Still listen on port 22. This is how I have my SSHD set up personally: Protocol 2, set up the ListenAddress as ::.

And here's your 12 steps for overcoming NAT addiction. And I'll just pause for a few minutes and let y'all check out the slides. Okay, are we good to switch to the next one? I'm going to start whistling the theme from Jeopardy. Okay, so are we good now? Here's the other six. By the way, those were ripped completely off the AAA site, or the AA site. I don't know about any of you, but seeing the 12-step program brought back some nasty memories for me. Feel free to laugh if you think it's funny. Okay. I guess it wasn't that funny.

Alrighty, so here's some links, and I know I ran through this real quick. Quite honestly, I'm nervous as hell, so let's go ahead and kick into Q&A. Go ahead, you're getting the white shirt. Okay, the question was, what are some things we can do to transition from IPv4 to IPv6? A lot of this is going to depend on what applications you're running currently. Are your applications IPv4 primarily? Then a lot of times you're probably going to want some kind of BIS/BIA, or you're going to want some NAT-PT or something like that to make sure that your legacy applications are going to be able to run on IPv6. Okay, next. Blue shirt.
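The dual-stack pattern the talk describes (AF_INET versus PF_UNSPEC, and a server that listens on ::) as an added Python example; it is not the C sample code from the slides. It runs over loopback so it works offline, and it assumes a host that allows loopback sockets; on a host with no IPv6 stack it falls back to IPv4, which is exactly the behaviour being demonstrated.

```python
import socket


def dual_stack_listener(port=0):
    """Listen on '::' with IPV6_V6ONLY off: one socket then accepts IPv6 peers and
    IPv4 peers (the latter show up as ::ffff:a.b.c.d mapped addresses). If the host
    has no IPv6 stack at all, fall back to a plain IPv4 socket on 127.0.0.1."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        try:
            srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            srv.bind(("::", port))
        except OSError:
            srv.close()
            raise
    except OSError:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv


def connect_preferring_v6(hosts, port):
    """The loop a PF_UNSPEC getaddrinfo() client runs: gather candidates, try the
    IPv6 ones first, and drop back to IPv4 when the v6 attempt fails.
    Returns the connected socket or raises OSError listing every failure."""
    infos = []
    for host in hosts:
        infos += socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    infos.sort(key=lambda info: info[0] != socket.AF_INET6)  # AF_INET6 entries first
    errors = []
    for family, socktype, proto, _, sockaddr in infos:
        sock = None
        try:
            sock = socket.socket(family, socktype, proto)
            sock.settimeout(2)
            sock.connect(sockaddr)
            return sock
        except OSError as exc:
            if sock is not None:
                sock.close()
            errors.append(f"{sockaddr[0]}: {exc}")
    raise OSError("no candidate reachable: " + "; ".join(errors))


def echo_round_trip(payload=b"hello over whichever family works"):
    """Connect a client to the listener, echo one message, and report which address
    family the client ended up on and how the server saw the peer address."""
    srv = dual_stack_listener()
    port = srv.getsockname()[1]
    client = connect_preferring_v6(["::1", "127.0.0.1"], port)
    conn, peer = srv.accept()
    client.sendall(payload)
    conn.sendall(conn.recv(4096))
    echoed = client.recv(4096)
    for s in (conn, client, srv):
        s.close()
    return client.family.name, peer[0], echoed


if __name__ == "__main__":
    print(echo_round_trip())
```

When the client lands on IPv4 against the IPv6 listener, the server sees the peer as ::ffff:127.0.0.1, which is the mapped-address form a firewall rule or log parser on a dual-stack host has to expect.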
I think you said, can you talk about any problems from mapping addresses from the v4 to the v6 space? Is that what you said? The reverse. Okay. The reverse of what I said. You know, there's always going to be problems in any kind of conversion that you do. We're all human. Anybody who writes code, sorry, you're not perfect. There are going to be security issues with it. Actually, can you catch up with me after the presentation? One second. Is there a way to what? Okay, the question was, is there a way to get provider-independent space? Is there a way to get IPv4-independent space? No, I'm asking you that. How's that? Yeah, well, ARIN's taking care of the IPv6 space as well. Okay, the guy that was standing up before. I hate to ask this, but can you come up? The air conditioning is blowing right over this way. I believe FreeS/WAN has been ported to 6. racoon was actually written for IPv6 originally and it was back-ported. Well, I know the 2.6 kernel and Linux, they actually prefer racoon over FreeS/WAN. It's a user-space program, kind of like FreeS/WAN is. Yes. Okay, the question was, how can you find out if your ISP is v6 capable? Call them and ask them. Yes, most of them aren't clueless. Right now, there's only several providers that are providing v6 out of space. The ones I listed for the most part; NTT Verio is about the only one in North America that's v6 capable. Well, Windows sucks anyway. Okay, the question was, can you summarize the state of IPv6 firewalling? State or stateful? Sorry. Little firewalls out there. Goodunk dunk. From you, Gene? Piss off. Can you summarize? Can you catch me afterwards? Yes. That's security through obscurity. Okay, let me repeat this because this is a big deal. Okay, the question was, a lot of people are using NAT basically as a security mechanism to stop intrusions. Sucks to be them. Well, yeah. At your border router, you just go in, you tell it you want this traffic getting into your local network.
It's kind of the same deal as NAT. Can you step up, please? Yeah, we can't hear. Well, the thing is, if somebody's on your local network, you're kind of screwed anyway. Okay, yeah, I can see that scenario, but for what IPv6 is as opposed to what it breaks, I personally feel that IPv6 is a better solution. If you're writing good firewall rules, and obviously after v6 is implemented, there's going to be some better firewalling techniques. If you're writing good firewall rules to begin with, you shouldn't have to worry about it. The problem is a lot of the people implementing stuff really don't know what they're doing, and that's basically why the search for information is so important. Sorry, I spent a lot of time drinking. So, basically what you were saying in the follow-up question was, if you're already using firewalling to protect your network, then really what's changed? Well, if you've implemented the schemes already, then obviously you're going to have to do some better filtering. If you're not using v6 totally, like me personally, I'm not using v6 at home, so I block the protocol altogether. You'd have to have a v6-enabled product. Well, no, I mean FreeBSD, you have ipfw, you have pf; Linux, you have IPv6 tables, or ip6tables; Microsoft, as usual, is behind. Yeah. Okay, the question was, would you be better off using, if you had v6 addresses, public v6 addresses, would you be better off giving them to all your hosts on the local network or using something like an FEC0? Okay, part of this ties into what exactly are you using it for? Well, for example, on my local area network at my house, I run public v6 addresses and then just make sure they're firewalled at the border router. Again, it depends on what scenario you're trying to attack. Okay, the question was, what's the common use for the FEC0 addresses if you're not running that stuff?
If you have a network that's not addressing the Internet, if you have a network that is not connected to the Internet at all and they just need to talk to each other and that's it, that's basically what your FEC0 is. The question was, could you use the FE80 address? I don't see why you couldn't use it. Actually, if your network is not tied to the Internet at all and it doesn't have any routable IPs or anything like that, you can use whatever address scheme you want. Same thing with v4, actually. Go ahead. The question was, are there any network appliances that, would you say, establish tunnels for you automatically? I don't know. Would you consider Windows XP an appliance? What's that? Like a Linksys router or something? Yeah, right. About the only one currently is a production-grade Cisco router. I've got two 2507s at my house. And using those, even though you have to enable IPv6 routing, just a second. Thanks. Even though you have to enable IPv6 routing on them, I mean, as far as your consumer grade, no, there's not. They're strictly IPv4. Go ahead. There wasn't necessarily a question. It was a comment, and actually a very good one. The comment was the WRT54G, the Linksys. There are a lot of projects that are out there that are trying to hack it. And actually, yes, you're right, because they have done hacks for getting IPv6 and IPsec in those commercial consumer grades. Yes. Can you come up? This air conditioning they have, the comfort. Right. How does IPv6 address, how does IPv6 address portability? Is that correct? It's not all portable. Like the FE80 addresses, obviously not portable, because it just points to a specific host that's not even routable. As far as being able to take your IP addresses and go to another Internet provider, you can do that. What's that? Your 2001 is your globally routable IP addresses. Go ahead. You said you're doing what through Sprint?
You said you have a tunnel broker at home and it goes through Sprint, and you said 6bone is going away. What's the prefix? 3FFE or 2001? That is going away. 3FFE is the prefix for 6bone. We can take a couple more questions. You have about five more minutes. Can you comment on address spoofing with IPv6? The question was, can you comment on address spoofing in IPv6? I'm guessing here. I don't know off the top of my head, but I'm guessing that odds are it would be just as easy to spoof IPv6 as it would IPv4. Any more questions? It's bullshit. The question was, that was a very quick answer. I feel useless up here. The question was, can you comment on anything from IPv9 out of China? Basically what the deal is, there were some scientists in China that were working on IPv9, but it never really went anywhere. Okay, we can take one more question. One more. Lucky. Also, nobody wants to answer a question. Good. That means I can go take a leak. Red shirt in the back. Never mind. Thank you very much.