Jakub Czyz, Matthew Luckie, Mark Allman, Michael Bailey. Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy. Network and Distributed System Security Symposium, February 2016.
Abstract:
There is growing operational awareness of the challenges in
securely operating IPv6 networks. Through a measurement study of
520,000 dual-stack servers and 25,000 dual-stack routers, we
examine the extent to which security policy codified in IPv4 has
also been deployed in IPv6. We find several high-value target
applications with a comparatively open security policy in IPv6
including: (i) SSH, Telnet, SNMP, are more than twice as open in
IPv6 as they are in IPv4, (ii) nearly half of routers with BGP
open, were only open in IPv6, (iii) in the server dataset, SMB
was twice as open in IPv6 as in IPv4. We conduct a detailed
study of where port blocking policy is being applied and find
that protocol openness discrepancies are consistent within
network boundaries, suggesting a systemic failure in
organizations to deploy consistent security policy. We
successfully communicate our findings with ten different network
operators and all ten confirm that the relative openness was
unintentional. Eight of the ten immediately deployed a
congruent IPv6 security policy, reflecting real operational
concern. Finally, we revisit the belief that the security
impact of this comparative openness in IPv6 is mitigated by the
infeasibility of IPv6 network-wide scanning—we find
that, for both of our datasets, host addressing practices make
discovering these high-value hosts feasible by scanning alone.
To help operators accurately measure their own IPv6 security
posture, we make our scanning system publicly available.
BibTeX:
@inproceedings{CLAB16,
author = "Jakub Czyz and Matthew Luckie and Mark Allman and Michael Bailey",
title = "{Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy}",
booktitle = "Network and Distributed System Security Symposium",
year = 2016,
month = feb,
}