So you've got IPv6 address space. Can you defend it?

Internet Protocol version 6 (IPv6) is the successor of Internet Protocol version 4 (IPv4). IPv6 will become the next standard networking protocol on the Internet. It brings with it a great increase in address space, changes to network operations, and new network security concerns. In this thesis we examine IPv6 from a security perspective. The security of IPv6 is important to all protocols that use IPv6 on the Internet. The goal of this thesis is to introduce the reader to existing IPv6 security challenges, demonstrate how IPv6 changes network security and show how IPv6 is being improved.Master i InformatikkMAMN-INFINF39

Tactical communication systems based on civil standards: Modeling in the MiXiM framework

In this paper, new work is presented belonging to an ongoing study, which evaluates civil communication standards as potential candidates for the future military Wide Band Waveforms (WBWFs). After an evaluation process of possible candidates presented in [2], the selection process in [1] showed that the IEEE 802.11n OFDM could be a possible military WBWF candidate, but it should be further investigated first in order to enhance or even replace critical modules. According to this, some critical modules of the physical layer has been further analyzed in [3] regarding the susceptibility of the OFDM signal under jammer influences. However, the critical modules of the MAC layer (e.g., probabilistic medium access CSMA/CA) have not been analysed. In fact, it was only suggested in [2] to replace this medium access by the better suited Unified Slot Allocation Protocol - Multiple Access (USAP-MA) [4]. In this regard, the present contribution describes the design paradigms of the new MAC layer and explains how the proposed WBWF candidate has been modelled within the MiXiM Framework of the OMNeT++ simulator.Comment: Published in: A. F\"orster, C. Sommer, T. Steinbach, M. W\"ahlisch (Eds.), Proc. of 1st OMNeT++ Community Summit, Hamburg, Germany, September 2, 2014, arXiv:1409.0093, 201

Covert6: A Tool to Corroborate the Existence of IPv6 Covert Channels

Covert channels are any communication channel that can be exploited to transfer information in a manner that violates the system’s security policy. Research in the field has shown that, like many communication channels, IPv4 and the TCP/IP protocol suite have been susceptible to covert channels, which could be exploited to leak data or be used for anonymous communications. With the introduction of IPv6, researchers are acutely aware that many vulnerabilities of IPv4 have been remediated in IPv6. However, a proof of concept covert channel system was demonstrated in 2006. A decade later, IPv6 and its related protocols have undergone major changes, which has introduced a need to reevaluate the current state of covert channels within IPv6. The current research demonstrates the corroboration of covert channels in IPv6 by building a tool that establishes a covert channel against a simulated enterprise network. This is further validated against multiple channel criteria

A New Model for Testing IPv6 Fragment Handling

Since the origins of the Internet, various vulnerabilities exploiting the IP fragmentation process have plagued IPv4 protocol, many leading to a wide range of attacks. IPv6 modified the handling of fragmentations and introduced a specific extension header, not solving the related problems, as proved by extensive literature. One of the primary sources of problems has been the overlapping fragments, which result in unexpected or malicious packets when reassembled. To overcome the problem related to fragmentation, the authors of RFC 5722 decided that IPv6 hosts MUST silently drop overlapping fragments. Since then, several studies have proposed methodologies to check if IPv6 hosts accept overlapping fragments and are still vulnerable to related attacks. However, some of the above methodologies have not been proven complete or need to be more accurate. In this paper we propose a novel model to check IPv6 fragmentation handling specifically suited for the reassembling strategies of modern operating systems. Previous models, indeed, considered OS reassembly policy as byte-based. However, nowadays, reassembly policies are fragment-based, making previous models inadequate. Our model leverages the commutative property of the checksum, simplifying the whole assessing process. Starting with this new model, we were able to better evaluate the RFC-5722 and RFC-9099 compliance of modern operating systems against fragmentation handling. Our results suggest that IPv6 fragmentation can still be considered a threat and that more effort is needed to solve related security issues

So you've got IPv6 address space. Can you defend it?

Internet Protocol version 6 (IPv6) is the successor of Internet Protocol version 4 (IPv4). IPv6 will become the next standard networking protocol on the Internet. It brings with it a great increase in address space, changes to network operations, and new network security concerns. In this thesis we examine IPv6 from a security perspective. The security of IPv6 is important to all protocols that use IPv6 on the Internet. The goal of this thesis is to introduce the reader to existing IPv6 security challenges, demonstrate how IPv6 changes network security and show how IPv6 is being improved

The effectiveness of evasion techniques against intrusion prevention systems

Evaasioita ja evaasiokombinaatiota käytetään naamioimaan hyökkäyksiä, jotta tietoturvalaitteet eivät havaitsisi niitä. Diplomityössä tutkitaan näiden tekniikoiden tehokkuutta uusimpia tunkeutumisenestojärjestelmiä vastaan. Yhteensä 11 tunkeutumisenestojärjestelmää tutkittiin, joista 10 on kaupallista ja yksi ilmainen. Tutkimuksessa suoritettiin neljä koetta. Jokainen koe sisälsi miljoona hyökkäystä, jotka suoritettiin jokaista tunkeutumisenestojärjestelmää vastaan satunnaisin evaasioin ja evaasiokombinaatioin. Käytetty hyökkäys pysyi samana yksittäisen kokeen aikana, mutta jokainen hyökkäys oli naamioitu eri evaasiotekniikoin. Yhtenäistettyjä konfiguraatioita käytettiin, jotta saataisiin vertailukelpoisia tuloksia. Tulokset osoittavat, että evaasiotekniikat ovat toimivia suurinta osaa testattuja tunkeutumisenestojärjestelmiä vastaan. Vaikka osa evaasiotekniikoista on peräisin 1990-luvulta, ne voidaan saada hienosäädettyä huijaamaan suurinta osaa testatuista laitteista. Yksi evaasiotekniikka ei ole aina riittävä, jotta voitaisiin välttää hyökkäyksen havainnointi. Monen eri tekniikan yhdistäminen lisää kuitenkin todennäköisyyttä löytää tapa kiertää havainnointi.Evasions and evasion combinations are used to masquerade attacks in order to avoid detection by security appliances. This thesis evaluates the effectiveness of these techniques against the state of the art intrusion prevention systems. In total, 11 intrusion prevention systems were studied, 10 commercial and 1 free solution. Four experiments were conducted in this study. Each of the experiments contained a million attacks that were performed with randomized evasions and evasion combinations against each intrusion prevention system. The used attack stayed the same during a single experiment, but each attack was disguised with different evasion techniques. Standardized configurations were used in order to produce comparable results. The results indicate that evasion techniques are effective against the majority of tested intrusion prevention systems. Even though some of the techniques are from the 1990s, they can be fine-tuned to fool most of the tested appliances. One evasion technique is not always enough to avoid detection, but combining multiple techniques increases the possibility to find a way to evade detection

Based on MIPv6 with Support to Improve the Mobile Commerce Transaction

Mobile Commerce is anticipated to be the next business revolution. Under the trend of mobile age, a person begins to realize the benefits of transaction by mobility operations. We can access information, shop and bank on line, work from home and speak and send messages via mobile appliances throughout all over the world. The research that is mobile transaction managing on database has begun since 1950 and skips the Link and Network Layer with support to improve mobile commerce. This paper focus on how effectually to make the new generation of mobile network protocol apply on mobile commerce and improve the mainly four properties required by mobile transactions. The four properties are respectively atomicity, consistency, isolation and durability. The purpose based on the mobile commerce environment and making mobile transactions complete and personal by means of the Destination Extension Header based on IPv6 and the Java Transaction Service. After experiment and testing, this paper verify that we improve the mobile commerce environment and make the mobile transaction more complete with the optimization of the Destination Extension Header based on IPv6 and the Java Transaction Service under the comparison with the environment on IPv4

Non-Trivial Off-Path Network Measurements without Shared Side-Channel Resource Exhaustion

Most traditional network measurement scans and attacks are carried out through the use of direct, on-path network packet transmission. This requires that a machine be on-path (i.e, involved in the packet transmission process) and as a result have direct access to the data packets being transmitted. This limits network scans and attacks to situations where access can be gained to an on-path machine. If, for example, a researcher wanted to measure the round trip time between two machines they did not have access to, traditional scans would be of little help as they require access to an on-path machine to function. Instead the researcher would need to use an off-path measurement scan. Prior work using network side-channels to perform off-path measurements or attacks relied on techniques that either exhausted the shared, finite resource being used as a side-channel or only measured basic features such as connectivity. The work presented in this dissertation takes a different approach to using network side-channels. I describe research that carries out network side-channel measurements that are more complex than connectivity, such as packet round-trip-time or detecting active TCP connections, and do not require a shared, finite resource be fully exhausted to cause information to leak via a side-channel. My work is able to accomplish this by understanding the ways in which internal network stack state changes cause observable behavior changes from the machine. The goal of this dissertation is to show that: Information side-channels can be modulated to take advantage of dependent, network state behavior to enable non-trivial, off-path measurements without fully exhausting the shared, finite resources they use

Measuring IPv6 Extension Headers Survivability with JAMES

peer reviewedThis extended abstract introduces JAMES, a new tool for measuring how IPv6 Extension Headers (IPv6 EH) are processed in the network. JAMES sends specially crafted Paris traceroute packets between a set of controlled vantage points. Early measurement results show that IPv6 EHmay be dropped in the network, depending on their type and the size of the Extension Header