Threat assessment

The transition to IPv6, still in its early stages, presents security challenges for everyone working in the IT industry. Danny McPherson discusses a few of the issues.

By Danny McPherson, Network World | Monday, 20 June 2011

February 3 came and went without much fanfare, but it was a milestone for internet stakeholders, whether they knew it or not. On that Thursday, the last available IPv4 addresses were allocated by the Internet Assigned Numbers Authority (IANA). Though some Regional Internet Registries (RIRs) have a reasonable inventory of IP addresses that could last another year or two, the days of “new” IPv4 address allocations are largely over.

Now that we’re largely depleted of IPv4 allocations, it’s time to get serious about adopting the next Internet Protocol, IPv6. With a 128-bit address space – compared with IPv4’s 32-bit space – IPv6 can accommodate the ongoing and exponential growth of the internet, which currently is adding about a million new devices every hour. In fact, compared with the 4.3 billion IP addresses that IPv4 allows, IPv6 will enable another 340 trillion, trillion, trillion addresses – enough to accommodate global internet demand for the foreseeable future.

Coupled with the continued deployment of DNS Security Extensions, IPv6 will ultimately provide the stable and secure base for the future internet. But for the transition from IPv4 to IPv6 to be successful, everyone from infrastructure operators and service providers to application developers and users will have to work together on a range of activities, from developing IPv6 with functional IPv4 parity to refining interworking and transitional co-existence with IPv4.

A crucial part of that effort will involve security. The rollout of IPv6 introduces some unique security challenges and while the following is by no means comprehensive, it does point to some problem areas that the industry will need to address. Because we’re still in the early stages, the solutions to some of these risks will only come after real-world use leads to proven best practices.

Vulnerable transactions
Because IPv4 and IPv6 are not “bits on the wire” compatible, protocol translation is seen as a path to wider deployment, requiring transactions to be mediated as they move through the network. Imagine a postal sorter at a transfer facility who must open every IPv4 envelope to put each letter in an IPv6 one to ensure it reaches the correct address, at times changing content in the documents contained within in order to coincide with the new IPv6 external envelope information. Each time this happens, an opportunity arises for a poor implementation or a bad actor to tickle or exploit a potential vulnerability. This will require more boxes to maintain transaction state, complicating the network, and may force security staff to only enable transition mechanisms (such as tunneling) after they have been thoroughly evaluated.

Huge network segments
The current recommended prefix length for an IPv6 subnet is /64 (2^64 addresses), which can accommodate some 18 quintillion hosts on a single segment, enabling virtually unlimited LAN growth and new challenges. It would take years to scan a single IPv6 /64 block for vulnerabilities, while a single IPv4 /24 subnet (2^8 addresses) would only take seconds. A better approach than a comprehensive scan may be to utilise only the first /118 (the same number of hosts as a /22 in IPv4) of addresses to narrow the range of the scan, or allocate addresses explicitly and deny all others implicitly. This will make careful IP management and monitoring even more crucial than it is today.

ND-attacks
Neighbour discovery (ND) in IPv6 utilises five different types of Internet Control Message Protocol version 6 (ICMPv6) messages to determine the link layer addresses of neighbours on the attached links, and to discover neighbours willing to forward packets on their behalf, among other things. While ND is useful it can also present opportunities to attackers. ND attacks will quite likely replace IPv4 counterparts such as ARP spoofing. IT managers will have to keep ports disabled unless explicitly provisioned, implement link layer access control and security mechanisms, and be sure to disable IPv6 completely where it’s not in use.

DDoS hazards
Firewalls and security gateways choking on large extension headers could fall prey to distributed denial of service attacks. The IP options function has been implemented in IPv6 through extension headers that follow the main header and specify destination, authentication and other options. IPv6 traffic with large numbers of extension headers could overwhelm firewalls and security gateways, or perhaps even introduce router forwarding performance degradation, and thus serve as a potential vector for DDoS and other attacks. Disabling “IPv6 source routing” on routers may be necessary to protect against DDoS threats, and explicitly codifying which extension headers are supported and checking network equipment for proper implementation is critical. In general, IPv6 adds many more components to be filtered or require scoped propagation, including some extension headers, multicast addressing, and increased uses for ICMP.
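As an added illustration of the advice above to codify which extension headers are supported (example code written for this page, not from the article): a checker that walks a raw IPv6 packet's header chain and reports chains longer than a site limit, headers outside a hypothetical allow-list, and Routing Header Type 0 (source routing). The policy values and the two sample packets are constructed for the demonstration.

```python
import struct
# IANA protocol numbers: the IPv6 extension headers, plus TCP as an upper-layer protocol
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, TCP = 0, 43, 44, 50, 51, 60, 6
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
# Hypothetical site policy: supported headers, longest accepted chain, denied Routing Header types (0 = source routing)
POLICY = {"allowed": {FRAGMENT, DEST_OPTS}, "max_chain": 2, "deny_routing_types": {0}}

def walk_chain(pkt):
    """Walk a raw IPv6 packet's header chain: (ext header types, upper protocol, routing types seen)."""
    nxt, off, chain, rtypes = pkt[6], 40, [], []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nxt)
        if nxt == ESP:                  # payload is encrypted; nothing past here can be inspected
            return chain, nxt, rtypes
        # Fragment is a fixed 8 octets (its second byte is reserved); AH counts 4-octet units minus 2;
        # Hop-by-Hop, Destination Options and Routing count 8-octet units minus 1.
        hlen = 8 if nxt == FRAGMENT else (pkt[off + 1] + 2) * 4 if nxt == AH else (pkt[off + 1] + 1) * 8
        if nxt == ROUTING:
            rtypes.append(pkt[off + 2])
        nxt, off = pkt[off], off + hlen
    return chain, nxt, rtypes

def check_policy(pkt, policy=POLICY):
    """Return the list of policy violations; an empty list means the packet is acceptable."""
    chain, _, rtypes = walk_chain(pkt)
    problems = []
    if len(chain) > policy["max_chain"]:
        problems.append(f"chain of {len(chain)} extension headers exceeds {policy['max_chain']}")
    problems += [f"unsupported extension header {h}" for h in sorted(set(chain) - policy["allowed"])]
    problems += [f"routing header type {t} denied" for t in rtypes if t in policy["deny_routing_types"]]
    return problems

def build_packet(ext_headers, upper=TCP, payload=b"\x00" * 20):
    """Construct a sample IPv6 packet (not a real capture); ext_headers = [(type, bytes after Next Header)]."""
    body = b""
    for i, (typ, rest) in enumerate(ext_headers):
        nxt = ext_headers[i + 1][0] if i + 1 < len(ext_headers) else upper
        body += bytes([nxt]) + rest
    body += payload
    addr = bytes.fromhex("20010db8" + "0" * 23 + "1")   # 2001:db8::1, the documentation prefix
    first = ext_headers[0][0] if ext_headers else upper
    return struct.pack("!IHBB", 0x60000000, len(body), first, 64) + addr + addr + body

OPTS8 = b"\x00" + b"\x01\x04\x00\x00\x00\x00"     # Hdr Ext Len 0 plus a PadN option: one 8-octet options header
RH0 = b"\x02\x00\x01" + bytes(4) + bytes(16)     # Routing Type 0, one segment left, one 16-byte address
SUSPECT = build_packet([(HOP_BY_HOP, OPTS8), (DEST_OPTS, OPTS8), (DEST_OPTS, OPTS8), (DEST_OPTS, OPTS8), (ROUTING, RH0)])
CLEAN = build_packet([(FRAGMENT, bytes(7))])
```

Running `check_policy(SUSPECT)` reports four violations while `check_policy(CLEAN)` returns an empty list; the same walk is what a gateway has to perform before it can even find the transport header, which is why long chains cost it so much.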

Transition overload
Existing security fixes may only be applied to IPv4 support, yet most kernels will prefer IPv6 interfaces before IPv4 when engaging in such activities as DNS lookups in order to foster more rapid IPv6 deployment. Indeed, the dynamic between IPv6 and IPv4 could result in a doubling of traffic for each DNS lookup and result in large amounts of unnecessary DNS traffic in order to optimise for user experience. OS and content vendors frequently put hacks in place to mitigate or optimise for this behaviour, which creates added system load and state. Additionally, it should certainly be observed that, with new IPv6 stacks being accessible, new vulnerabilities are sure to surface. Dual-stacking during a long transitional coexistence period, and interdependencies between routers, end systems, and network services such as the DNS, are sure to serve as fertile ground for miscreants.

IPSec
Even IPSec could pose problems when tunneling to other networks. IP Security (IPSec) makes it possible to authenticate the sender, provide integrity protection, and encrypt IP packets to provide confidentiality of transmitted data. IPSec was an optional feature for IPv4, but it’s mandatory with IPv6. In tunnel mode – which essentially creates a VPN for network-to-network, host-to-network and host-to-host communications – the entire packet is encapsulated into a new IP packet and given a new IP header. But a VPN connection with a network that’s beyond the originator’s control could result in security exposures or be used to exfiltrate data, etc. Because the negotiation and management of IPSec security protections and the associated secret keys are handled by additional protocols (such as Internet Key Exchange – IKE) and add complexity, it isn’t likely IPSec will be any more widely supported with IPv6 than it is with IPv4 initially.

It will be some time before IPv6 is universally deployed and IPv4 devices begin to decline. But the entire IT industry will have little choice but to develop and propagate the best practices that will make the next generation of IP addresses stable, reliable and secure, and that starts with the awareness and knowledge of network and security staff.

Danny McPherson is the CSO of Verisign Inc., a provider of internet infrastructure services.