ITU-T SERIES X SUPP 23-2014 ITU-T X 1037 C Supplement on security management guidelines for the implementation of an IPv6 environment in telecommunications organizations (Study Gro.pdf

1、 I n t e r n a t i o n a l T e l e c o m m u n i c a t i o n U n i o n ITU-T Series X TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 23 (09/2014) SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY ITU-T X.1037 Supplement on security management guidelines for the implementat

2、ion of an IPv6 environment in telecommunications organizations ITU-T X-series Recommendations Supplement 23 ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY PUBLIC DATA NETWORKS X.1X.199 OPEN SYSTEMS INTERCONNECTION X.200X.299 INTERWORKING BETWEEN NETWORKS X.300X

3、.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSI APPLICATIONS X.850X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 INFORMATION AND NETWORK SECURITY General security aspects X.1000X.1029 Network s

4、ecurity X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECURE APPLICATIONS AND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1

5、169 Networked ID security X.1170X.1179 IPTV security X.1180X.1199 CYBERSPACE SECURITY Cybersecurity X.1200X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECURE APPLICATIONS AND SERVICES Emergency communications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 CYBERS

6、ECURITY INFORMATION EXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550X.1559 Heuristics and information request X.1560X.1569 Identification and discovery X.1570X.1579 Assured exchange X

7、.1580X.1589 CLOUD COMPUTING SECURITY Overview of cloud computing security X.1600X.1601 Cloud computing security design X.1602X.1639 Cloud computing security best practices and guidelines X.1640X.1659 Cloud computing security implementation X.1660X.1679 Other cloud computing security X.1680X.1699 For

8、 further details, please refer to the list of ITU-T Recommendations. X series Supplement 23 (09/2014) i Supplement 23 to ITU-T X-series Recommendations ITU-T X.1037 Supplement on security management guidelines for the implementation of an IPv6 environment in telecommunications organizations Summary

9、Supplement 23 to ITU-T X-series Recommendations provides security management guidelines for the implementation of IPv6 environment in telecommunication organizations in order to ensure the protection of information in the networks and protection of the supporting network infrastructure when transiti

10、oning from IPv4 to IPv6 and implementing an IPv6 environment. History Edition Recommendation Approval Study Group Unique ID* 1.0 ITU-T X Suppl. 23 2014-09-26 17 11.1002/1000/12332 _ * To access the Recommendation, type the URL http:/handle.itu.int/ in the address field of your web browser, followed

11、by the Recommendations unique ID. For example, http:/handle.itu.int/11.1002/1000/11830-en. ii X series Supplement 23 (09/2014) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technolog

12、ies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommun

13、ication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas o

14、f information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating

15、agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publication is achieved when all of these mandatory provisions are met. The words “shall“ or some othe

16、r obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party. INTELLECTUAL PROPERTY RIGHTSITU draws attention to the possibility that the practice or implementa

17、tion of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the publication development process. As of the

18、 date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult t

19、he TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2014 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. X series Supplement 23 (09/2014) iii Table of Contents Page 1 Scope . 1 2 References . 1 3 Defini

20、tions 1 4 Abbreviations and acronyms 1 5 Conventions 2 6 Overview . 2 7 Considerations of IPv4 and IPv6 2 7.1 IPv6 features . 2 7.2 Transition from IPv4 to IPv6 3 7.3 Providers do everything 3 7.4 Dual stack approach . 3 7.5 Total migration to IPv6 4 8 Information security management for IPv6 deploy

21、ment 4 8.1 Overview 4 8.2 Business impact analysis 5 8.3 Risk assessment 5 8.4 IPv6 strategy development and implementation 6 8.5 Auditing and review . 6 9 Examples of practical security controls for IPv6 deployment 7 9.1 Overview 7 9.2 Information security policies 7 9.3 Organization of information

22、 security . 7 9.4 Asset management 7 9.5 Access control 7 9.6 Physical and environmental security 10 9.7 Operations security for IPv6 migration 11 9.8 Communications and operations security . 11 9.9 Systems acquisition, development and maintenance 11 9.10 Information security incident management 13

23、X series Supplement 23 (09/2014) 1 Supplement 23 to ITU-T X-series Recommendations ITU-T X.1037 Supplement on security management guidelines for the implementation of an IPv6 environment in telecommunications organizations 1 Scope This Supplement provides security management guidelines for the imple

24、mentation of IPv6 environment in telecommunications organizations in order to ensure the protection of information in the networks and protection of the supporting network infrastructure when transitioning from IPv4 to IPv6 and implementing IPv6 environment. 2 References ITU-T X.1037 Recommendation

25、ITU-T X.1037 (2013), IPv6 technical security guidelines. ITU-T X.1051 Recommendation ITU-T X.1051 (2008), Information technology Security techniques Information security management guidelines for telecommunications organizations based on ISO/IEC 27002. IETF RFC 2460 IETF RFC 2460 (1998), Internet Pr

26、otocol, Version 6 (IPv6) Specification. IETF RFC 4941 IETF RFC 2460 (2007), Privacy Extensions for Stateless Address Autoconfiguration in IPv6. IETF RFC 5722 IETF RFC 5722 (2009), Handling of Overlapping IPv6 Fragments. 3 Definitions The definitions given in ITU-T X.1037 apply. 4 Abbreviations and a

27、cronyms This Supplement uses the following abbreviations and acronyms: DAD Duplicate Address Detection DB Database DHCPv6 Dynamic Host Configuration Protocol version 6 DNS Domain Name System DoS Denial-of-Service ICMP Internet Control Message Protocol ICMPv6 Internet Control Message Protocol version

28、 6 ID Identifier IPv4 Internet Protocol version 4 IPv6 Internet Protocol version 6 IT Information Technology L2 Layer 2 L3 Layer 3 LAN Local Area Network MAC Media Access Control MITM Man-In-The-Middle MLD Multicast Listener Discovery NA Neighbour Advertisement 2 X series Supplement 23 (09/2014) NAT

29、 Network Address Translation NDPMon Neighbour Discovery Protocol Monitor NS Neighbour Solicitation OS Operating System RA Router Advertisement SEND Secure Neighbour Discovery SLAAC Stateless Address Auto Configuration VPN Virtual Private Network 5 Conventions None. 6 Overview The Internet protocol v

30、ersion 6 (IPv6) is intended to succeed IPv4, which is the protocol currently used to direct almost all of the Internet traffic. The Internet operates by transferring data between hosts using an addressing scheme, such as IPv4 or IPv6, to specify their source and destination addresses. Each host, com

31、puter or other device on the Internet, requires an IP address in order to communicate. The growth of the Internet has created a need for more addresses than are possible with IPv4. IPv4 has allocated a space of 32 bits for IP addresses, which means that overall 232 (4 294 967 296) addresses exist in

32、 the IPv4 space. However, the IPv4 address space becomes exhausted with the overall growth of the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with this long-anticipated IPv4 address exhaustion and is described in IETF RFC 2460. IPv6 uses 128-bit addresses, for

33、an address space of 2128 (approximately 3.41038) addresses. This equates to 665 570 793 348 866 943 898 599 addresses per square meter of the earth surface, and is equivalent to every individual on this earth having more than 40 000 IPv6 subnets assigned this will therefore be sufficient for many mo

34、re devices and users to use the Internet. This expansion allows for many more devices and users on the Internet as well as extra flexibility in allocating addresses and efficiency for routing traffic. Despite of the well-known problem of IP address exhaustion, organizations in large parts of the wor

35、ld have been hesitant in changing over from IPv4 to IPv6. Organizations need to develop a migration strategy from IPv4 to IPv6, especially for ensuring continued communication around the world. However, IPv6 deployment is not easy to manage. There are a number of considerations an organization shoul

36、d take into account, and this supplement describes some of important processes required for information security management. 7 Considerations of IPv4 and IPv6 7.1 IPv6 features The main objective for successful transition is to allow IPv6 and IPv4 hosts to interoperate. A second objective is to allo

37、w IPv6 hosts and routers to be deployed in the Internet in a highly diffuse and incremental fashion, with few interdependencies. The third objective is an easy transition for end-users, system administrators and network operators. The IPv6 transition mechanisms are a set of protocol mechanisms imple

38、mented in hosts and routers, with some operational guidelines for addressing and deployment, designed to make the transition to work with as little disruption as possible. These will ensure that IPv6 hosts can interoperate with IPv4 X series Supplement 23 (09/2014) 3 hosts in the Internet up until t

39、he time when IPv4 addresses run out. The IPv6 transition mechanisms provide a number of features, including: Incremental upgrade and deployment: Individual IPv4 hosts and routers may be upgraded to IPv6 one at a time without requiring other hosts or routers to be upgraded at the same time. New IPv6

40、hosts and routers can be installed one-by-one. Minimal upgrade dependencies: The domain name system (DNS) server must first be upgraded to handle IPv6 address records before upgrading hosts. Easy addressing: For IPv4 hosts or routers being upgraded to IPv6, they may continue to use their existing ad

41、dress. So, no need for new address assignment. Minimal operational upgrade cost and training expenses: Little or no preparation work is needed in order to upgrade existing IPv4 systems to IPv6, or to deploy new IPv6 systems. 7.2 Transition from IPv4 to IPv6 There are several options an organization

42、can chose from when transitioning over from IPv4 to IPv6. However, any decision should be well thought out, and the organization should ensure that the strategy chosen fulfils their requirements, is feasible to implement and provides the organization with appropriate information security during and

43、after the transition. The three main options for transition are: 1) Providers do everything (see clause 7.3); 2) Dual strategy in parallel (see clause 7.4); 3) Total migration from IPv4 to IPv6 (see clause 7.5). 7.3 Providers do everything The benefit of this approach is that the organization can ke

44、ep its IPv4 addresses and uses everything as usual. The provider will use network address translation (NAT) to translate from IPv6 to IPv4 or vice versa. Pros: This option does not need extra modification or reconfiguration in the organization; There is no need to change the internal IP version; int

45、ernally, everything can just continue running as before. Cons: A lot of reliability on the provider; The organization needs to coordinate ALL of its services with that provider. Security considerations: Additional access control needs to be implemented to prevent improper usage by malicious users; I

46、mproper address translation implementation may be subject to buffer overflow attack this can be an issue related to the provider (see ITU-T X.1037); There are restrictions on the use of this solution, some of which negatively impact the security features of IPv6; These translation techniques are com

47、plicated and are intended to be used as a last resort. 7.4 Dual stack approach IPv6 was delivered with a lot of migration techniques but many were ultimately rejected and today a small set of practical approaches is left. One technique, called dual stack, involves running IPv4 and 4 X series Supplem

48、ent 23 (09/2014) IPv6 concurrently. End-hosts and network devices run both protocols, and if IPv6 communication is detected that is the favoured protocol. Pros: The end user is in control of all changes in its infrastructure; No need to change internal IP version. Cons: Double address administration

49、 is required on firewalls, DNS servers and edge routers. Security considerations: Organizations that run dual-stack device will have to deal with the vulnerabilities of both protocols; Dual-stack operation can raise other security problems if consistent security policies are not created for both IPv6 and IPv4 traffic. For example, if a firewall is not configured to apply the same level of screening to the IPv6 packets as fo