Sunday, 20 April 2014

Book Review: IPv6 Security

Last February, RFC 7123 was published, which outlines a number of key security issues with IPv6 and some of the potential approaches to mitigating them. Seeing as I haven't come across many IPv6 networks yet in my travels, I figured it was as good a time as any to get up to speed on IPv6 security in general.

As I started out working on networking with Cisco kit, I've always gone back to their books whenever I need a refresher on what's feasible in the world of networking and, not surprisingly, when I checked the Cisco Press website, IPv6 Security sounded like exactly what I was looking for! Also, after a bit more research I saw that it got an excellent review from Richard Bejtlich a few years ago, which is always a good sign!

The book starts off by introducing the fundamental security issues within IPv6 and then walks through in detail the issues at the protocol header layer before moving to discuss security issues at the local link level, perimeter security and filtering.

During the first few chapters there were two aspects that I really liked. Firstly, the authors constantly try to link IPv6 vulnerabilities and attacks to similar IPv4 issues, which makes it very easy to get your head around the issues if you're familiar with attacks against IPv4. Secondly, for each vulnerability the authors demonstrate the attack using tools such as scapy6, phonoelit, thc-ipv6 and then show how various features within IOS can be used to mitigate or reduce the impact of the issue. This really drives home how feasible the attacks are and also shows what logs you should look out for to detect attacks.

However, for me the book lost its way a bit in chapters 6 to 8, which cover network device hardening, host based security and IPSec. For me these chapters covered too much of an overview of each topic and not enough specifics for IPv6 security issues.

Thankfully, things get very much back on track for the remainder of the book, which covers security issues within IPv6 Mobility, dual stack systems, tunnels and monitoring, all of which are great chapters.

Overall, if you're familiar with the basics of IPv6 and Cisco IPv4 network security functionality within IOS, this is an easy and light read that will get you up to speed very quickly both on the fundamental security issues with IPv6 and the controls that Cisco have available on their kit.

As such, I highly recommend it if you're looking for a solid intro to IPv6 security. I really enjoyed it.

Following on from this book, I'd recommend having a look at the presentations from last year's IPv6 Hacker's meeting in Berlin, and I'm hearing great things about the Hacking IPv6 Networks course from SI6 Networks so may have to give that a look!

Amazon: http://www.amazon.com/IPv6-Security-Scott-Hogg/dp/1587055945
Cisco Press: http://www.ciscopress.com/store/ipv6-security-9781587055942