NTT Information Sharing Platform Laboratories
The previous article covered IPsec, which is often cited as one of the major advantages of IPv6. This article discusses the security of IPv6 itself.
IPv6 is the successor to IPv4, the protocol currently used on the Internet. It therefore shares most of IPv4's security issues, and most of the time the same solutions apply to both protocols. In practice, however, there are issues that IPv6 eases, issues that are more likely to occur with IPv6, and issues that are particular to mixed IPv4/IPv6 networks.
Security threats eased with IPv6
One threat said to be eased by IPv6 is scanning of network nodes. Probing nodes on a network and enumerating their running services to find vulnerabilities is common on today's Internet.
Nodes behind a firewall are not necessarily exempt from such threats. There have been incidents in which infected nodes (PCs, for example) scan other nodes on the same network to spread the infection. With IPv4, a node can easily guess the addresses of other nodes on the same or adjacent networks from its own IP address and network prefix; an infected node that targets addresses close to its own has only a small number of addresses to scan.
With IPv6, on the other hand, the network prefix is 64 bits long, and hosts on the local segment are somewhere in the remaining 64-bit address space. Adjacent subnets can use any subnet ID in a 16-bit space under the current specification. Simply scanning every address in such a vast space is practically impossible.
There is an interesting report on this kind of node scanning (*1). It examines the speed of virus infection on an IPv6 network. According to the report, a virus that picks target IP addresses at random takes only 8 minutes to infect almost all nodes on an IPv4 network, but would take 30,000 years on an IPv6 network (for details of the calculation, refer to the report). The report concludes that propagating a virus across an IPv6 network by random address selection is theoretically difficult.
The report does not stop there, however. In actual IPv6 deployments:
- The subnet is 64 bits wide, but with stateless address autoconfiguration an attacker need only consider 48 bits, the length of the MAC address.
- Many nodes are given easy-to-remember addresses.
- Because IPv6 addresses are hard to remember, networks often rely on DNS or other name resolution systems. Parts of these tables (for example, address lists on infected hosts) can be consulted by attackers.
Although node discovery by address scanning may indeed be more difficult with IPv6, network management should not rely on this characteristic.
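The three points above can be turned into a simple audit of how predictable a node's own addresses are. The following is an added example, not code from the original article: it classifies the interface identifier (the low 64 bits) of an IPv6 address as MAC-derived (EUI-64, which also reveals the MAC and leaves a 48-bit search space), low-numbered "memorable" (16-bit search space) or random-looking (the full 64 bits), and estimates how long an exhaustive scan of that space would take at a given probe rate. The 16-bit threshold for "memorable" identifiers is a heuristic assumed here, and the sample addresses are constructed in the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Added example (not from the original article): classify how guessable the
# interface identifier of an IPv6 address is, from a defender's point of view.

IID_MASK = (1 << 64) - 1


def classify_iid(addr: str) -> dict:
    """Return the kind of interface identifier in `addr` and its effective search space."""
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & IID_MASK
    b = iid.to_bytes(8, "big")

    # Modified EUI-64 (RFC 4291, Appendix A): the 48-bit MAC is split around 0xFFFE
    # and its universal/local bit is inverted, so the MAC can be recovered exactly.
    if b[3] == 0xFF and b[4] == 0xFE:
        mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
        return {
            "kind": "eui64",
            "mac": ":".join(f"{x:02x}" for x in mac),
            "search_bits": 48,
        }

    # Administrator-chosen identifiers such as ::1, ::53 or ::80.
    # Heuristic (assumed here): anything that fits in 16 bits counts as "memorable".
    if iid < (1 << 16):
        return {"kind": "low-numbered", "mac": None, "search_bits": 16}

    # Everything else: RFC 3041 temporary addresses, DHCPv6 leases, hand-picked hex.
    return {"kind": "random-looking", "mac": None, "search_bits": 64}


def hours_to_enumerate(search_bits: int, probes_per_second: float) -> float:
    """Hours needed to try every identifier in a `search_bits`-wide space at the given rate."""
    return (1 << search_bits) / probes_per_second / 3600


if __name__ == "__main__":
    # Constructed sample addresses: an EUI-64 one, a memorable one, a random-looking one.
    samples = (
        "2001:db8::a00:27ff:fe12:3456",
        "2001:db8::53",
        "2001:db8::1a2b:3c4d:5e6f:7081",
    )
    for a in samples:
        c = classify_iid(a)
        print(f"{a:32} {c['kind']:15} mac={c['mac']}  "
              f"exhaustive scan at 1M probes/s: {hours_to_enumerate(c['search_bits'], 1e6):.3g} h")
```

Run against an address inventory (for example the output of a neighbour cache dump), the `eui64` and `low-numbered` results are the hosts for which the "30,000 years" figure does not apply.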
Security threats specific to IPv6
There are security threats specific to IPv6, many of them related to functions that are particular to IPv6.
One significant issue observed on IPv6 networks at industry events concerns stateless address autoconfiguration. In stateless address autoconfiguration, a router announces the network prefix to the segment to which client nodes are attached, and each client node uses the announced prefix to form its own unique IPv6 address. It is the address configuration method most widely used on current IPv6 networks.
This method is very convenient, since it greatly reduces the configuration work required, but it is weak in terms of security. A device announcing a wrong network prefix can render the IPv6 network inoperable or allow eavesdropping on other nodes' communication. Many observed cases involve users misconfiguring their own devices and disrupting the network as a result, and it is hard to tell whether any given case is intentional. SEND (Secure Neighbor Discovery, RFC 3971) exists to secure address configuration, but it is not widely adopted because of intellectual property rights issues around its use and the complexity of its configuration.
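Where SEND is not deployed, the practical defence is to watch the Router Advertisements actually seen on a segment and compare them against the routers and prefixes that are supposed to be there. The following is an added example, not code from the original article: it parses raw ICMPv6 Router Advertisement payloads (RFC 4861, type 134, as a sniffer would hand them over without the IPv6 header), extracts the sender's link-layer address and the advertised prefixes, and reports any advertisement from an unlisted router or carrying an unlisted autoconfiguration prefix. The allowlist and both sample advertisements (one legitimate, one with a wrong prefix from an unknown MAC) are constructed; the ICMPv6 checksum is left zero and not validated.

```python
import struct
import ipaddress

# Added example (not from the original article): rogue Router Advertisement detection
# by comparing parsed RAs against a constructed allowlist of routers and prefixes.

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3


def parse_ra(payload: bytes) -> dict:
    """Extract router lifetime, sender MAC and advertised prefixes from an RA payload."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    _, _, _, _, _, router_lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"router_lifetime": router_lifetime, "src_mac": None, "prefixes": []}

    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8     # length is in 8-octet units
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed option")            # RFC 4861: discard the packet
        body = payload[off + 2:off + olen]
        if otype == OPT_SOURCE_LINK_LAYER and olen == 8:
            ra["src_mac"] = ":".join(f"{x:02x}" for x in body[:6])
        elif otype == OPT_PREFIX_INFORMATION and olen == 32:
            plen, flags = body[0], body[1]
            valid, preferred = struct.unpack("!II", body[2:10])
            net = ipaddress.IPv6Network(
                f"{ipaddress.IPv6Address(body[14:30])}/{plen}", strict=False)
            ra["prefixes"].append({
                "prefix": str(net),
                "onlink": bool(flags & 0x80),       # L flag
                "autonomous": bool(flags & 0x40),   # A flag: hosts may autoconfigure from it
                "valid": valid,
                "preferred": preferred,
            })
        off += olen
    return ra


def check_ra(payload: bytes, allowed: dict) -> list:
    """Findings for one RA; an empty list means it matches the allowlist."""
    ra = parse_ra(payload)
    findings = []
    if ra["src_mac"] not in allowed:
        findings.append(f"RA from unknown router {ra['src_mac']}")
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"] not in allowed.get(ra["src_mac"], ()):
            findings.append(f"unauthorised autoconfiguration prefix {p['prefix']}")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: withdraws the default route")
    return findings


def _hex(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Constructed samples. Header: type 134, hop limit 64, router lifetime 1800 s.
_RA_HEADER = "8600 0000 40 00 0708 00000000 00000000"
# Prefix Information: /64, L+A flags, valid 30 days, preferred 7 days, reserved.
_PIO = "0304 40 c0 00278d00 00093a80 00000000"
LEGIT_RA = _hex(_RA_HEADER + _PIO + "20010db8 0001 0000 0000 0000 0000 0000"
                + "0101 001122334455")
ROGUE_RA = _hex(_RA_HEADER + _PIO + "20010db8 0bad 0000 0000 0000 0000 0000"
                + "0101 00aabbccddee")

# Allowlist: router MAC -> prefixes it may advertise with the A flag set.
ALLOWED = {"00:11:22:33:44:55": {"2001:db8:1::/64"}}

if __name__ == "__main__":
    for name, ra in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, check_ra(ra, ALLOWED) or "ok")
```

The same comparison is what switch-side RA Guard performs; doing it in software on a monitoring port is a way to discover the misconfigured or hostile advertisers the text describes before they are reported as an outage.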
With IPv6 multicast, the following issues have been pointed out:
- Organization-scope multicast may be abused. Multicast addresses are defined for several types of network service nodes, such as all routers and all DHCP servers. By sending packets to such a multicast address, an attacker receives replies from exactly those nodes on the site network and can thereby learn the IPv6 addresses of every service node of that type. Such an address list can then be used for attacks.
- Unlike IPv4 ICMP, ICMPv6 may return errors in response to some multicast packets. Sending error-provoking packets to a multicast address can therefore generate a large amount of ICMPv6 traffic, and since the source address of such packets can be spoofed, this makes it easy to mount a DoS attack against a specific host.
There are many issues with extension headers as well:
- A routing header can be used to bypass access filters based on destination address, because the routing header rewrites the destination address in transit.
- A hop-by-hop options header can be used to put load on every router along the packet's path. There is no limit on the number of hop-by-hop options, so a single packet can carry a great many of them.
- DoS packets sent using the temporary address scheme defined for privacy protection (RFC 3041) are harder to trace to their source, which makes troubleshooting more difficult.
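A filter that only reads the destination field of the IPv6 header misses both of the first two points. The following is an added example, not code from the original article: it walks the extension header chain of a raw IPv6 packet, recovers the real final destination from a type 0 routing header, and counts the hop-by-hop options every router on the path would have to process, then contrasts a naive destination-only filter decision with a chain-aware one. The sample packet (hop-by-hop header with four padding options, then a two-hop RH0, then UDP) is constructed in memory purely as input for the check; the constant names and the `filter_verdict` helper are this example's own.

```python
import struct
import ipaddress

# Added example (not from the original article): look through the IPv6 extension header
# chain for what a destination-address filter cannot see.

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def _count_options(opts: bytes) -> int:
    """Count TLV options (PadN included, Pad1 excluded) in an options area."""
    n = i = 0
    while i < len(opts):
        if opts[i] == 0:            # Pad1: a single zero byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        n += 1
        i += 2 + opts[i + 1]
    return n


def walk_extension_headers(pkt: bytes) -> dict:
    """Return header destination, real final destination and per-chain statistics."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    next_hdr = pkt[6]
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    result = {"header_dst": dst, "final_dst": dst, "chain": [],
              "hbh_options": 0, "routing_type": None}
    off, end = 40, min(len(pkt), 40 + payload_len)

    while next_hdr in EXTENSION_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        # Fragment header is fixed at 8 bytes; the others are (hdr ext len + 1) * 8.
        hlen = 8 if next_hdr == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hlen > end:
            raise ValueError("truncated extension header")
        body = pkt[off:off + hlen]
        result["chain"].append(next_hdr)
        if next_hdr == HOP_BY_HOP:
            result["hbh_options"] += _count_options(body[2:])
        elif next_hdr == ROUTING:
            rtype, segments_left = body[2], body[3]
            result["routing_type"] = rtype
            if rtype == 0 and segments_left:
                # RH0 (deprecated by RFC 5095): the last listed address is where the
                # packet really ends up, whatever the IPv6 header's destination says.
                n_addrs = body[1] // 2
                last = body[8 + 16 * (n_addrs - 1):8 + 16 * n_addrs]
                result["final_dst"] = str(ipaddress.IPv6Address(last))
        next_hdr = body[0]
        off += hlen
    result["upper_layer"] = next_hdr
    return result


def filter_verdict(pkt: bytes, blocked_dst: str) -> dict:
    """Naive (header destination only) versus chain-aware filter decision."""
    r = walk_extension_headers(pkt)
    naive = "drop" if r["header_dst"] == blocked_dst else "pass"
    # Chain-aware policy: block if any destination in the chain is blocked, and
    # drop RH0 outright, as RFC 5095 recommends.
    hit = blocked_dst in (r["header_dst"], r["final_dst"]) or r["routing_type"] == 0
    return {"naive": naive, "chain_aware": "drop" if hit else "pass"}


def _v6(s: str) -> bytes:
    return ipaddress.IPv6Address(s).packed


# Constructed sample: IPv6 -> Hop-by-Hop (4 PadN options) -> RH0 (2 hops) -> UDP.
_HBH = bytes([ROUTING, 2]) + bytes([1, 4, 0, 0, 0, 0]) * 3 + bytes([1, 2, 0, 0])
_RH0 = bytes([17, 4, 0, 2]) + b"\x00" * 4 + _v6("2001:db8:2::20") + _v6("2001:db8:3::30")
_UDP = struct.pack("!HHHH", 1234, 53, 8, 0)
_PAYLOAD = _HBH + _RH0 + _UDP
SAMPLE_PKT = (struct.pack("!IHBB", 0x60000000, len(_PAYLOAD), HOP_BY_HOP, 64)
              + _v6("2001:db8::1") + _v6("2001:db8:1::10") + _PAYLOAD)

if __name__ == "__main__":
    print(walk_extension_headers(SAMPLE_PKT))
    print(filter_verdict(SAMPLE_PKT, "2001:db8:3::30"))
```

The `hbh_options` count is the figure to alert on for the second bullet: a legitimate packet carries at most a handful of hop-by-hop options, so a high count on a monitoring port is worth a rate limit on the ingress router.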
Security threats on IPv4/IPv6 mixed networks
Some issues arise when IPv6 is added to an existing IPv4 network.
IPv6-native services and dual-stack IPv6/IPv4 services are becoming more common, but IPv6-over-IPv4 tunneling remains a quick way to reach the outside IPv6 network. Tunneling is also used when some routers on the organizational network do not support IPv6. In these cases there is a risk that a security model built around IPv4 no longer works: a segment with strong IPv4 security may be weak in IPv6 security, and it is even possible for the network to be fully reachable from the global IPv6 Internet. When tunneling is used within an organizational network, or when IPv6 is introduced on only part of it, the IPv4 and IPv6 network topologies no longer match, and security problems can follow.
This issue also applies to 6to4 and Teredo, since both use tunneling to reach IPv6 services. On some organizational networks, nodes that are protected against IPv4 attacks are nonetheless fully reachable from the global IPv6 Internet because they are allowed to use 6to4 (for details of 6to4, see http://www.ipv6style.jp/en/building/20030820/2.html).
Other IPv6-specific security issues and their solutions are explained in (*2).
As explained above, many security threats in the use of IPv6 have been pointed out, and there are active efforts in both technology development and management to cope with them. Some of these issues, however, are direct consequences of the convenience IPv6 provides; the threat to stateless address autoconfiguration, for example, is a tradeoff between convenience and security. It took many years for IPv4 to establish its security model. In using IPv6, that IPv4 experience should be drawn on to build and maintain networks that are both convenient and secure enough.
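Finding the nodes that the text describes, those reachable over IPv6 through a tunnel while the IPv4 perimeter looks closed, starts with recognising tunnel addresses and tunnel transports. The following is an added example, not code from the original article: it decodes the IPv4 endpoints embedded in 6to4 (2002::/16, RFC 3056) and Teredo (2001::/32, RFC 4380) addresses, and scans flow records for the transports themselves (IPv4 protocol 41 and Teredo's UDP port 3544), producing an inventory of hosts that may have an IPv6 path around the IPv4 security model. The host list and flow records are constructed from documentation and test address ranges; the `tunnel_inventory` helper and the flow record layout are this example's own.

```python
import ipaddress

# Added example (not from the original article): inventory of 6to4/Teredo tunnel
# endpoints from observed IPv6 addresses and IPv4 flow records.

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")
PROTO_IPV6_IN_IPV4 = 41
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544


def decode_tunnel_address(addr: str):
    """Tunnel type and embedded IPv4 information for `addr`, or None for native addresses."""
    ip = ipaddress.IPv6Address(addr)
    raw = int(ip)
    if ip in SIXTOFOUR:
        # 2002:WWXX:YYZZ::/48 -- bits 16..47 are the host's public IPv4 address.
        return {"kind": "6to4",
                "ipv4": str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF))}
    if ip in TEREDO:
        # 2001:0:<server v4>:<flags>:<~port>:<~client v4>; port and client are
        # stored bitwise inverted (RFC 4380, section 4), so invert them back.
        return {
            "kind": "teredo",
            "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
            "cone_nat": bool((raw >> 63) & 1),          # top bit of the flags field
            "port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
            "ipv4": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
        }
    return None


def tunnel_inventory(ipv6_hosts, ipv4_flows) -> list:
    """Combine address decoding with transport detection into one list of findings."""
    findings = []
    for host in ipv6_hosts:
        t = decode_tunnel_address(host)
        if t:
            findings.append(f"{host}: {t['kind']} address, IPv4 endpoint {t['ipv4']}")
    for f in ipv4_flows:
        if f["proto"] == PROTO_IPV6_IN_IPV4:
            findings.append(f"{f['src']} -> {f['dst']}: IPv6-in-IPv4 (protocol 41) traffic")
        elif f["proto"] == PROTO_UDP and TEREDO_UDP_PORT in (f["sport"], f["dport"]):
            findings.append(f"{f['src']} -> {f['dst']}: Teredo (UDP {TEREDO_UDP_PORT}) traffic")
    return findings


# Constructed samples (documentation/test ranges only).
SAMPLE_HOSTS = [
    "2001:db8::1",                            # native, nothing embedded
    "2002:c000:201::1",                       # 6to4 for 192.0.2.1
    "2001:0:c000:22d:8000:63bf:34ff:8ef8",    # Teredo: server 192.0.2.45, client 203.0.113.7:40000
]
SAMPLE_FLOWS = [
    {"src": "192.0.2.1", "dst": "192.88.99.1", "proto": 41, "sport": 0, "dport": 0},       # 6to4 relay anycast (RFC 3068)
    {"src": "203.0.113.7", "dst": "192.0.2.45", "proto": 17, "sport": 40000, "dport": 3544},
    {"src": "203.0.113.8", "dst": "198.51.100.9", "proto": 6, "sport": 51000, "dport": 443},  # ordinary HTTPS
]

if __name__ == "__main__":
    for line in tunnel_inventory(SAMPLE_HOSTS, SAMPLE_FLOWS):
        print(line)
```

Python's standard library exposes the same decoding as `IPv6Address.sixtofour` and `IPv6Address.teredo`; the manual bit extraction above is kept so that the address layout the inventory relies on is visible. Protocol 41 and UDP 3544 at the IPv4 perimeter are the two things to filter or at least log if tunneling is not an intended part of the IPv6 deployment.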
References:
*1 Fast Worm Propagation In IPv6 Networks
http://www.cs.virginia.edu/malware/yang.ppt
*2 IPv6 Transition/Co-existence Security Considerations
http://www.ietf.org/internet-drafts/draft-ietf-v6ops-security-overview-02.txt