Analysis of Security Threats and Attacks in the IPv6 Environment - ETRI
IPv6 An Analysis of Security Threat and Network Attack in IPv6
(B.H. Jung)
(J.D. Lim)
(Y.H. Kim)
(K.Y. Kim)
IPv6 IPv6
. IPv6 IPv4 IPsec
IPv6 , IPv6
. IPv6
/
.
.
. IPv6
. IPv6
. IPv6
.
, BcN,
PC ,
TV, ,
IP
. IPv4
IP
, IPv4 2022
.
, , 2000
IPv6
. ,
IPv6
, 2005 4 “Coalition Summit for IPv6” , ,
IPv6
“Metronnet6”
.
IT839 IPv6
IPv6 (WiBro, VoIP,
) [1].
2006
. , , ,
BSD, IPv6
. ,
IPv6
(ISP) IPv6
. ,
IPv4 IPv6
IPv6
. IPv6 ,
. IPv6 IPv4 IPsec
IP
. , IP
IPv6
IPv4 . ,
IPv4/IPv6 IPv4
IPv6
. IPv6
. , IETF
IPv6
, IPv4/IPv6
,
.
IPv6
, SNMP, RMON,
Cisco NetFlow[2] IPv6
, /IDS/IPS
IPv6
. , IPv6
IPv6 .
. IPv6
IPv6
( 1) IPv4
IPv6
. IPv6
128
IPv6
. , IPv4 IPv6
.
IPv6: IPv6 IETF IPv6
1988
IP , IP
IPv6 .
.
. IPv4 ping sweep, port scan
.
IPv6 ping sweep, port scan
IPv6 . ,
IPv4 8 2^8
, IPv6
64 2^64 . ,
IPv6 MAC EUI-64
. , DNS
DNS
. IPv6
(, DHCP , NTP
) .
2) (Unauthorized access)
4
. IPv6 IPsec AH ,
.
IPv4 IPv6
. ,
. , MIPv6
(home agent)
. , ICMPv6
IPv6
.
ICMPv6 type 2, ICMPv6 type 130-132, ICMPv6 type 133/134, ICMPv6 type 135/136, ICMPv6 type 4 .
IPv6
- .
DNS NTP IPv6
.
fragmentation)
NIDS
. IPv6
. IPv4
, RFC2460
IPv6 MTU 1280
( ) .
4) 3 4 (Layer 3/4 spoofing)
IPv4 DoS, ,
IP . RFC2827
(ingress filtering)
. IPv6
RFC2827
. , , IPv4 IPv6
6to4
.
L7 Attacks L3/4 Spoofing
Unauthorized Access Rogue Devices
22 1 2007 2
DHCP
. , ARP IP-MAC
. IPv6 stateless ,
. stateless
, “
” .
ARP IPv6 ICMPv6 ND
. IETF SEND
.
tion attacks: smurf)
. IPv6 IP-directed broadcast
. RFC2463 IPv6
ICMPv6
. ,
.
ICMP
.
. IPv4 MD5
. IPv6 BGP
TCP MD5 , IS-IS
RFC3567
, OSPFv3 RIPng
IPsec AH/ESP .
8)
, IPv6
.
DoS
.
IPsec
. ,
IPsec
.
IPv4 IPv6 .
12) (Rogue devices)
, DHCP, DNS ,
. IPsec
.
13) Man-in-the-middle
. IKEv2
.
.
.
IPsec
ESP
. ESP
, AH
ESP IPv6 /
.
ESP ( )
. ESP
.
.
RFC2462 IPv6 Stateless Address Autoconfiguration stateless
IPv6
ID
IPv6 .
ID IPv6
.
,
, IPv6
. IPv6 ID
.
IPv6
DAD
.
DAD .
DAD
ID IPv6
DAD
. RFC2462 IPv6 DAD
[3]. DAD
.
3. ND
RFC2461 2462 IPv6 ND
RFC2461
[3]-[5]. ND ARP
stateless .
. /
1) NS/NA
IPv4 ARP
NS/NA source link-layer
target link-layer
.
.
2) NUD
NUD
. NS/NA
victim
, victim
NUD
. NUD
victim
.
victim NUD
NA
NS/NA
.
. /
1)
.
.
.
.
2)
RFC2461 IPv6
1 on-link
.
victim
on-link
.
.
( )
.
.
4) On-link
RA
on-link 1
/ IPv6
. IPv6
1
ND (ARP)
.
5)
RA
ID IPv6
. RA
IPv6
.
6)
IPv6
. RA
RA
.
4. IPv6
.
IPv6 0
, IPv4 loose source
routing .
.
IPv6
.
.
ICMP traceback
ICMP
traceback
.
, ICMP
traceback
.
1)
IPv6 IP
fragmentable TCP
ment offset overlapping
IPv4
fragment offset overlapping
[6]. ,
.
.
fragment ID
.
.
.
3) Fragmentation
IDS
. , RFC2460 IPv6 Specification
IPv6
.
(offset)
.
RFC2460
. RFC2460 hop-by-hop
.
,
.
RFC
.
IPv6
CoA
. IPv6
.
.
. HAO
RFC3775 Mobile IPv6
2
( 0)
[7].
. HAO
IPv6
.
.
.
HAO
.
.
IPv6
. ,
.
,
.
. ,
,
.
.
CN
, HA victim HA
. CN
CN victim
.
CoA , CN
CoA
DoS . CN
victim CoA
DDoS .
CN
, CN
(DoS
).
.
.
. IPv6
IPv6 IPv4
IPv4
IPv6 .
,
ICMPv4 ICMPv6
.
, IPv6 IPv4
TCP SYN flooding, TCP ISN, UDP flooding
. IPv6
flooding
imps6-tools
. ICMPv4 ICMPv6
, IPv4
IPv6
.
IPv6
IPv4
, IPv4
.
2. IPv4/IPv6
[8]. IPv4/IPv6
(dual stack), IPv6-to-IPv4 , (translation)
. IPv6
,
IPv6-to-IPv4
, IPv6-to-IPv4
[9]. IPv6-to-IPv4 , IPv4
IPv6 IPv4
IPv6
Relay6, 6tunnel, nt6tunnel, asybo .
IPv6
IPv6
backdoor trojan
. IPv6-to-IPv4
6To4DDoS,
6tunneldos
IPv6 IPv4
. , 6to4
(victim)
,
reflection ,
IPv6 service theft .
3. IPv6
IPv6
IPv4
.
IPv6 IP
IPv4
.
IP flow label
, (auto-configuration)
, NS/NA
. IP flow label
, IPv6 IP flow
label flow
, flow
[10].
, IPv6
RA
IP
,
. , NIC
IP
,
. ,
DAD
,
. IP
.
NS/NA , NS/NA
[11]. ,
NS source link-layer
address NA
target link-layer address
.
. THC IPv6
THC[12] IPv6
. IPv6 .
. A B
B MAC
(ff02::1) ICMPv6 ND( :
NS) , B NA
A .
NA MAC
A B
.
MAC
. MAC
ICMP
IPv6
.
, IP
.
IPv6
ND( : NS)
(ff02::1) .
NA
. thc-ipv6 dos-new-ipv6 DAD
DAD
NA
.
.
(ff02::1)
RA ICMPv6
. RA
. ICMPv6 thc-ipv6 fake_router6 RA
.
. IPv4
ICMP echo request 3
1. ND 2. NS
Multicast Address query = Who-has IP B?
parasite6 : Answer to every NS, claim to be every system on the LAN
2. NA: ICMP Type = 136 Src = B Dst = A Data = Link Layer Address
inet6 addr: 2001:220:804:20::3/64 Scope:Global
A B
1. ND
Multicast Address query = Who-has IP A?
dos-new-ipv6 : Answer to every NS, claim to be every system on the LAN
2. No reply if nobody owns the
IP Address
A
1. RS 2. RA
1. RS: ICMP Type = 133 Src = :: Dst = FF02::2 query = please send RA
fake_router6 : Sets any IP as default router
2. RA: ICMP Type = 134 Src = Router Link-local Address Dst = FF02::1 Data = options, prefix, lifetime, autoconfig flag
( 4) THC : fake_router6
A
. ICMP echo request victim
victim
. thc-ipv6 smurf6 ICMP6
.
• Fake_mipv6: MIPv6
. IPv6
(covert channel) TCP/IP
[13],[14].
IRC
.
0
1 .
.
• DO: MIPv6 BU ,
[15]. 2003 Thomas Graf http://trash.net/~reeler/j6p.tar.bz2 .
DO option type 2
00
. 01 .
, 00
.
IPv6-over-IPv4
. SIT, 6to4,
Teredo[16] .
, 6to4
.
, 6to4 2002::/16
, 41
. ,
UDP Teredo
.
.
ESP
,
IPsec
,
(distributed firewall or personal
firewall) IPsec
. RFC3041[17]
1. ND 2. NS
1. ER: ICMP type = 128 (Echo Request) Src = B Dst = A (or All-Node Multicast Address)
2. ER: ICMP type = 129 (Echo Reply) Src = A Dst = B
( 5) THC : smurf6
A B
IP , DAD
IPsec AH
DAD
/
. ND
, ND
IPv6
. ,
SEND
/
. IPv6
,
,
, fragment overlapping,
IPv6
, / .
2. , /
,
IPv6 , ICMPv4
ICMPv6 (Type 2, 4, 130-136)
, 1280
, IPv6 , IPv4/
IPv6
. ,
static
ND , BGP, IS-IS
,
OSFPv4, RIPng IPsec , 6to4
[18].
.
.
IPv6 , IPv6
, IPv6
, IPv6
.
IPv6 ,
IPv6
.
IPv6
, IPv6
.
ACL Access Control List
BcN Broadband convergence Network
[2] Cisco NetFlow, http://www.cisco.com/warp/public/
ress Autoconfiguration,” RFC2462, Dec. 1998.
[4] P. Nikander, J. Kempf, and E. Nordmark, “RFC3756: IPv6 Neighbor Discovery (ND) Trust Models and Threats,” IETF, May 2004.
bor Discovery for IP Version 6 (IPv6),” RFC2461,
Dec. 1998.
sion 6 (IPv6) Specification,” RFC2460, Dec. 1998.
[7] D. Johnson, C. Perkins, and J. Arkko, “Mobility Support in IPv6,” RFC3775, June 2004.
[8] R. Gilligan and E. Nordmark, “RFC2893: Transition Mechanisms for IPv6 Hosts and Routers,” IETF, Aug. 2000.
Internet Security Systems, 2003.
[10] J. Rajahalme, A. Conta, B. Carpenter, and S. Deering, “RFC3697: IPv6 Flow Label Specification,” IETF, Mar. 2004.
Neighbor Discovery for IP Version 6,” IETF, Dec.
1998.
fault.net/
Steve J. Chapin, “Covert Channels in IPv6,” Workshop on Privacy Enhancing Technologies, 2005.
[14] D. Llamas, C. Allison, and A. Miller, “Covert Channels in Internet Protocols: A Survey,” Workshop on Privacy Enhancing Technologies, 2005.
The Swiss Unix User Group, Switzerland, http://gray-world.net/papers/messip6.txt, 2003.
through NATs,” RFC4380, Feb. 2006.
[17] T. Narten and R. Draves, “Privacy Extensions for Stateless Address Autoconfiguration in IPv6,” RFC3041, Jan. 2001.
, 21 5, 2006, pp.163-170.
I.
III. IPv6
IV. IPv6
V. IPv6
VI.