IPv6: The End of Security As We Know It

Wednesday, September 21, 2011

Craig S Wright

8b5e0b54dfecaa052afa016cd32b9837

Many people have seen IPv6 as a simple addressing extension to the existing internet and see few changes to the way we secure systems.

These people cannot be further from the truth. IPv6 will change the way we think about security. We need to start planning now or we will be left in the dust.

This is another topic I will be addressing in the coming weeks and months (so many security topics, so little time).

IPv6 substantially changes how IP interacts with the link layer, in particular Ethernet. ARP will go away and be replaced by NDP, which is ICMPv6 based and we also need to look to protocols such as SEND to secure NDP or we will fall prey to the same class of attacks we faced in IPv4 over hub shared networks (and for that matter now in the world of wireless).

I will explain what SEND and NDP are in the next couple posts this week. For now, I ask you to trust me when I say they are important.

First, I will discuss a couple issues that we really need to start planning for. IPv6 has been around for a long time (15 plus years is a long time in IT), but it is only just starting to be widely deployed. The issues we will face need to be addressed now or we will discover holes in our networks and systems and these will be exploited before we even note that they are a concern.

Many of the issues in Security and Risk are really about managing problems before they grow to large. IPv6 is just this, a potential issue as well as a potential benefit. How we manage it determines the outcome.

IPv6 Improvements

There are many improvements to IPv6 when considered against IPv4. Some of the commonly noted ones include:

  • Expanded address space.
  • Extended routing (more levels of addressing hierarchy, simple auto-configuration of addresses).
  • Improved scalability of multicast routing.
  • Simplified header (lesser header fields compared to IPv4 to lower processing costs, dropped header fields are now available as optional extension headers).
  • Support for optional extension headers (allows for faster processing because extension headers are not examined by routers, allows for arbitrary length of IPv6 header).
  • Support for authentication and privacy through encryption.
  • Support for source routes (Source Demand Routing Protocol (SDRP)).
  • Quality of service capabilities.

There are also some less commonly discussed security enhancements that we will cover in the forthcoming posts:

  • New privacy extended IPv6 addresses generated CGA (cryptographically generated addresses)
  1. maintains privacy
  2. accountability possible by link administrators
  • New: Host ID can be used as a token to access to a network.

For today, we will discuss a couple topics that many people have overlooked.

IPv6 and Scanning

The new addressing scheme being implemented with IPv6  implies that the number of available and allocated addresses is REALLY big. So big that the existing methods of Brute force/random scanning makes no sense [RFC5157].

There are ways to discover hosts... but they are not based random scanning any more.

The typical IP/v6 network is issued with a (/64) CIDR. This is why scanning is in practice much less feasible. Also automated attacks, e.g. network worms that pick random host addresses to propagate to, are going to be hampered.

When there are 1.84467+19 (this is 1.8 with 19 zeros) host addresses, finding a host in an IPv6 network is 10 billion times more difficult than scanning the entire deployed IPv4 Internet!

Worse, even if we could, it would either end as a DDoS or detection very quickly.

From this, we can see that random scanning network worms will not be feasible. They have been disappearing in any even,but IPv6 spells the end of the random scanning worm.

In IPv6, every Subnet Size is much larger. As noted, default subnets in IPv6 have 2^64 addresses. Exhaustive scan on every address on a subnet is no longer reasonable (if 1,000,000 address per second then > 500,000 years to scan) and even NMAP support for IPv6 network scanning is limited.

Worse, the new privacy extended CGA IPv6 addresses are regenerated faster than they can be scanned. We will cover this in coming posts.

IPv6 Scanning methods are HAVE to change

Public servers will still need to be DNS reachable giving attacker some hosts to attack. As such, DNS will become even more of a target than it ever has been. Not only is DNS an attack vector, it is one of the few means to recon hosts. DNSSec is critical now.

Zone transfer and interception attacks will be more and more common when IPv6 starts to be widely deployed. It is one of the simplest methods of discovering hosts. It is about time we start to Deny DNS zone transfers! DNS splitting is more important than ever with IPv6.

The next issue is human as always. Administrators may adopt easy to remember addresses (::1,::2,::53, or simply IPv4 last octet) to simplify management as they did with IPv4. This is a bad approach. In IPv6 we need to start using the multicast registration controls and learn to manage systems by their multicast groups.

Other un-thought-of scanning methodologies will come as EUI-64 address has “fixed part” and the Ethernet card vendors address (the MAC) can be guessed. The 48 bits in a MAC are not random and the pool of numbers in this are far smaller than the implied 2^48 bits.

This also means we will find new techniques to harvest addresses being developed by attackers. Addresses can be  harvested from logs and DNS zones and these will become the target of attacks in their own right.

Further, in compromising routers at key transit points in a network, an attacker can learn new addresses to scan. The difficult part of scanning in IPv6 is finding the host. Once the host is discovered, it can be attacked as normal (with some exceptions based on mobility controls).

The multicast groups also great a target. A new attack vector is created in order to discover routers hen we look at multicast groups such as “All node/router …. addresses”. IPv6 supports new multicast addresses that can enable an attacker to identify key resources on a network and attack them. For example,

  • all nodes (FF02::1),
  • all routers (FF05::2) and
  • all DHCP servers (FF05::5)

If multicasts are not secured, the attacker can recon a network and bypass the need to discover hosts the hard way. As a result, it is really important that these addresses are filtered at the border in order to make them unreachable from the outside. This should be set as a default if no IPv6 multicasting is enabled. The difficulty here is that IPv6 creates diffused networks.

Firewalls will also change in radical ways.

The Death of SSL

Next, there is one area I have seen very little (if anything) on so far. This is how IPv6 will destroy the notion of application based security.

I will address this in more depth tomorrow, but the thing to think about is that IPv6 has mandatory support for IPv6 and a cryptographically based host identification and authorization scheme.

This makes SSL, TLS and other protocol redundant.

More, application layer encryption is based on the encryption stack in the application. Each time we re-deploy the same crypto requirements over and over, we add more avenues for mistakes. Crypto is hard. If we can do it once in the O/S and not at each layer we all win.

The Conclusion…. for today

Basically, IPv6 can make us more secure, but only if we do it right. Web attacks will not go away and NULL (or 0-bit encryption cyphers) can still be deployed by unobservant administrators, but there is a way forward if we start planning now.

About the Author:

Craig Wright is the VP of GICSR in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, A Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Sturt University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

Possibly Related Articles:
24374
Network->General
Information Security
Encryption DNSSEC Network Security Scanning Attack Vector IPv6
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.