Special Publication 800-119
Guidelines for the Secure Deployment of IPv6
Recommendations of the National Institute of Standards and Technology
Sheila Frankel
Richard Graveman
John Pearce
Mark Rooks
COMPUTER SECURITY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930
December 2010
U.S. Department of Commerce
Gary Locke, Secretary
National Institute of Standards and Technology
Dr. Patrick D. Gallagher, Director
GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology
(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s
measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of
concept implementations, and technical analysis to advance the development and productive use of
information technology. ITL’s responsibilities include the development of technical, physical,
administrative, and management standards and guidelines for the cost-effective security and privacy of
sensitive unclassified information in Federal computer systems. This Special Publication 800-series
reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative
activities with industry, government, and academic organizations.
National Institute of Standards and Technology Special Publication 800-119
Natl. Inst. Stand. Technol. Spec. Publ. 800-119, 188 pages (Dec. 2010)
Certain commercial entities, equipment, or materials may be identified in this
document in order to describe an experimental procedure or concept adequately.
Such identification is not intended to imply recommendation or endorsement by the
National Institute of Standards and Technology, nor is it intended to imply that the
entities, materials, or equipment are necessarily the best available for the purpose.
Acknowledgments
The authors, Sheila Frankel of the National Institute of Standards and Technology (NIST), Richard
Graveman of RFG Security, John Pearce of Booz Allen Hamilton and Mark Rooks of L-1 Identity
Solutions (formerly of Booz Allen Hamilton) wish to thank their colleagues who reviewed drafts of this
document and contributed to its technical content.
The authors would like to acknowledge Tim Grance of NIST for his keen and insightful assistance and
encouragement throughout the development of the document. The authors particularly want to thank
Mark Carson, Doug Montgomery and Stephen Nightingale of NIST and Scott Hogg for their careful
review and valuable contributions to improving the quality of this publication.
The authors also appreciate the efforts of those individuals, agencies, and other organizations that
contributed input during the public comment period, including John Baird, DREN; Alistair de B
Clarkson, nCipher; Vint Cerf, Google; John Curran, ARIN; Terry Davis, Boeing; Francois Donze and
Michael Scott Pontillo, HP; Jeffrey Dunn, Chern Liou, and Jeffrey Finke, Mitre; Fernando Gont, the UK
Centre for the Protection of National Infrastructure (UK CPNI); Bob Grillo, US Army; Cecilia Hall, Don
Radeke and Joseph Bertrand, USMC; J. Holland, David Leach, Sam Nguyen, M. Roed, Beth Scruggs, D.
Wellington and Joe Williams, Aerospace Corp.; Ed Jankiewicz, SRI International; Ralph Kenyon, Caida;
Lovell King II, Dept. of State; Joe Klein, IPv6 Security Researcher; Dan Luu, VA; Trung Nguyen, FAA;
Carroll Perkins, Serco-NA; and Martin Radford, University of Bristol.
Table of Contents
Executive Summary
1. Introduction
    1.1 Authority
    1.2 Purpose and Scope
    1.3 Audience
    1.4 Document Structure
2. Introduction to IPv6
    2.1 Early History of IPv6
    2.2 Limitations of IPv4
    2.3 Major Features of the IPv6 Specification
        2.3.1 Extended Address Space
        2.3.2 Autoconfiguration
        2.3.3 Header Structure
        2.3.4 Extension Headers
        2.3.5 Mandatory Internet Protocol Security (IPsec) Support
        2.3.6 Mobility
        2.3.7 Quality of Service (QoS)
        2.3.8 Route Aggregation
        2.3.9 Efficient Transmission
    2.4 IPv4 and IPv6 Threat Comparison
    2.5 Motivations for Deploying IPv6
3. IPv6 Overview
    3.1 IPv6 Addressing
        3.1.1 Shorthand for Writing IPv6 Addresses
        3.1.2 IPv6 Address Space Usage
        3.1.3 IPv6 Address Types
        3.1.4 IPv6 Address Scope
        3.1.5 IPv4 Addressing
        3.1.6 IPv4 Classless Inter-Domain Routing (CIDR) Addressing
        3.1.7 Comparing IPv6 and IPv4 Addressing
    3.2 IPv6 Address Allocations
        3.2.1 IPv6 Address Assignments
        3.2.2 Obtaining Globally Routable IPv6 Address Space
    3.3 IPv6 Header Types, Formats, and Fields
    3.4 IPv6 Extension Headers
    3.5 Internet Control Message Protocol for IPv6 (ICMPv6)
        3.5.1 ICMPv6 Specification Overview
        3.5.2 Differences between IPv6 and IPv4 ICMP
        3.5.3 Neighbor Discovery
        3.5.4 Autoconfiguration
        3.5.5 Path Maximum Transmission Unit (PMTU) Discovery
        3.5.6 Security Ramifications
    3.6 IPv6 and Routing
        3.6.1 Specification Overview
        3.6.2 Security for Routing Protocols