
Advantages and Security Considerations of Utilizing the IPv6 Protocol

* The PDF version of this paper can be downloaded here.

Abstract

Internet Protocol version 6 has been available for nearly a decade, but many entities in the private sector have been hesitant to adopt this new technology. With the decreasing number of IPv4 addresses, however, the switch to the newer protocol will soon become a necessity. Luckily, IPv6 offers several features that not only improve performance and security, but also allow for a gradual transition from one protocol to the other. It is essential however, that Administrators and other support staff become familiar with the new protocol before adopting it within their network. Several advantages and dangers of this protocol are highlighted, in order for the reader to become more familiar with the variety of risks and advantages associated with its implementation. By providing IT staff with training, and developing a plan for the gradual migration to the new protocol, organizations can make this transition smoothly and without disruption.

Why Use IPv6?

Figure 1: ARIN, "IPv4 Available Address Space": percentage of available IPv4 addresses as of September 2010.

In response to the inevitable departure from IPv4, the latest Internet Protocol (IPv6) has been available in most major operating systems and network devices for nearly a decade. Its design includes features that resolve many modern-day networking concerns without relying on stopgap technologies such as Network Address Translation (NAT) and private network addressing. The United States Federal Government has even gone so far as to issue a string of deadlines from 2008 to 2014 in an effort to migrate both its internal clients and external servers to the new protocol (Marsan, 2010b). Despite the various technological advantages of migrating to the new protocol, a large percentage of the private sector has displayed a reluctance to venture into unfamiliar IPv6 waters. As time passes, however, it will become increasingly advantageous for these companies to invest the time and training needed to implement this technology safely and effectively on their networks. For these corporations and their clients, the incentives for transitioning to IPv6 include increased address space, the ability to migrate gradually from IPv4, and the native incorporation of the IPsec protocol suite.

The Numbers Behind Version 6

Perhaps the most well-known advantage of IPv6 is the increased number of addresses available for use. In IPv4, network addresses are 32 bits long, which yields 2^32 (approximately 4.3 billion) unique addresses to be used around the world. Despite the adoption of stopgap technologies like NAT routing, the increasing popularity of PCs and mobile network devices has resulted in these addresses being depleted at an alarming rate. According to the American Registry for International Numbers (ARIN), 94.5% of all IPv4 addresses had been assigned as of September 3, 2010 (see Figure 1). Furthermore, it has been projected that the remaining 5.5% will be assigned as early as the end of this year (Marsan, 2010a). IPv6, on the other hand, uses 128-bit addresses (2^128, approximately 3.4×10^38 addresses), resulting in an address space sufficiently large to handle future networking needs for years to come.

Making the Transition Easy

Most businesses today have a significant amount of money and time invested in their IPv4 networks. Normally, it would be impossible for most to switch their entire network over to a new protocol without devoting massive amounts of resources to the project. Such a financial burden would be both detrimental to the business, and ultimately hamper the success of the new protocol in general. In order to avoid this situation, the designers of IPv6 were careful to implement several features that allow both IPv4 and IPv6 networks to interact with each other. Such changes allow organizations to gradually transition from one protocol to the other without incurring a large financial burden. This is accomplished through the use of IPv4 tunnels and running both IPv4 and IPv6 in tandem on a host.

In order to route IPv6 traffic across IPv4 networks, IPv6 utilizes what is known as an “IPv6-over-IPv4 tunnel.” In this situation, an IPv6-enabled host packages a datagram in accordance with the specifications of the protocol and sends it over the network. When the packet reaches a router connecting an IPv6 network to an IPv4 network, the entire packet is encapsulated in the data section of an IPv4 packet and forwarded along to the next stop. Finally, when another IPv6 network is reached, the IPv4 header is removed and the packet is sent to its final destination (Miller, 1998). If additional security is desired through the use of a VPN, the entire VPN package is encapsulated in the same way, as shown in Figure 2. This ensures that at any stop of its journey, the packet will have the correct header for the network segment it is on.

Figure 2: "IPv6-over-IPv4 Tunneling Packet": diagram of an IPv6 packet being tunneled through an IPv4 VPN.

While tunneling is used to ensure a packet can travel successfully from one part of a network to another, it is also important that all hosts are able to understand both IPv6 and IPv4 packets in order to communicate with each other. In response to this need, most modern-day operating systems configure IPv4 and IPv6 to run in “dual-stack mode” by default (Hogg, 2009). This allows for transparent communication between two hosts without user interaction, regardless of the IP version being used. From the viewpoint of Network and Systems Administrators, this is a very convenient feature. Such a configuration does, however, bring security implications that will be discussed in the next section of this paper.

Security from the Start

One of the greatest advantages from the standpoint of security is the protection provided in IPv6 by the IPsec protocol suite. IPsec provides both authentication and confidentiality to IP communications through the combined use of an Authentication Header (which relies on the SHA-1, MD5, or AES-XCBC algorithms combined with HMAC for added security) and an Encapsulating Security Payload (which uses AES, DES, or Triple DES in CBC mode to encrypt the packet; see Figure 3 for more details) (Network Working Group, 2007b). Because IPsec works at the network layer, the protection it provides occurs transparently. This helps to remove some of the burden of securing IP connections from the user (Panko, 2004). While IPsec is also available for IPv4, it requires extra configuration to set up and use, whereas in IPv6 it is built directly into the protocol.

Figure 3: Wikipedia, "CBC Encryption". Top: CBC encryption mode is performed by XORing an IV with the plaintext message. Each subsequent message is XORed with the previous encrypted packet. This not only ensures that each packet is unique and secure, but also that each packet depends on all subsequent packets to be able to decrypt the data. Bottom: Decryption occurs much the same way as encryption, but instead of the plaintext, the ciphertext is used in the XOR to decrypt each packet.

What are the Dangers of IPv6?

Design specifications, such as IPsec being built into the protocol, can add significant security advantages to IPv6. Just because the protocol has more features and a newer design than IPv4, however, does not mean that it is without vulnerabilities. In fact, due to the limited number of organizations currently running IPv6 in a production environment, new vulnerabilities are regularly being discovered in the protocol, some of which have already been fixed in IPv4 (Hogg, 2009). Furthermore, the added complexity of running both IPv4 and IPv6 forces Network Administrators to devote twice as much time to securing a network, since equal attention must be devoted to each protocol. By understanding some of the more common IPv6 exploits and security holes, these Administrators will be better able to focus their attention on mitigating these risks without being overwhelmed in the process.

Type 0 Routing Headers: The Return of “Source Routing”

Figure 4: Marin, "Type 0 Routing Headers": an example of how an RH0 packet can instruct the routers on a network to take a different path than the one it would normally take, possibly bypassing network defenses in the process.

Perhaps one of the most well-known and dangerous vulnerabilities currently found in the IPv6 protocol is the existence of Type 0 Routing Headers (more commonly known as RH0 packets). These packets function similarly in concept to IPv4’s old “source routing,” where a packet dictates its path through a network rather than relying on a router’s current configuration to direct the packet’s path. This “feature” can be used to bypass a network’s defenses, such as firewalls and intrusion detection systems. Further malicious behavior, such as DoS attacks and malicious payloads, has also been carried out using these packets (Hogg, 2009). This protocol specification is so dangerous that in a December 2007 publication the Network Working Group deprecated the Type 0 Routing Header in the interests of network security (Network Working Group, 2007a). Unfortunately, many routers still support RH0 packets, so it is essential for Network Administrators to filter all Type 0 Routing Headers in order to fully defend against these types of attacks.

Resource and Host Misconfiguration

One of the most common difficulties encountered by managers attempting to implement IPv6 on their networks is finding knowledgeable technical staff able to deploy and support the new protocol (Marsan, 2010a). This lack of experience with IPv6 often results in security vulnerabilities due to misconfiguration of perimeter defenses and network hosts. Most firewalls with IPv6 support maintain separate rule-sets for IPv4 and IPv6. These rule-sets must be properly coordinated and managed in order to avoid inadvertently exposing the network to malicious IPv6 traffic (Hogg, 2009).

Additionally, since most modern operating systems come with “dual-stack mode” enabled by default, many System Administrators do not realize that IPv6 services are running on the systems they are protecting. Important patches and hardening are then not applied to those systems, and IPv6 vulnerabilities can act as a “backdoor” into an otherwise secure system (Hogg, 2009). Unless System Administrators are vigilant in installing and testing patches for both protocols, these hosts will continue to be vulnerable to attacks on the network.

Hidden Data in Fragments

Just as with IPv4, routers that support IPv6 are able to perform packet fragmentation to allow data that is much larger than the network’s Maximum Transmission Unit (MTU) to be transmitted across the network (see Figure 5).

Figure 5: "Packet Fragmentation": packets that are larger than a network's MTU can be broken into smaller fragments and transmitted with their own headers.

Unfortunately, attackers can leverage packet fragmentation in IPv6 to circumvent network security measures. This is possible because many routers and firewalls only look at the header information and do not bother to piece together the fragmented data sections (Hogg, 2009). When this approach is coupled with IPv6’s tunneling feature, normally suspicious traffic (such as packets generated by malware) will not only pass through a network’s perimeter defenses, but can often avoid being noticed by additional network-monitoring countermeasures as well (US-CERT, 2005). Many enterprise routers, such as those made by Cisco, can help thwart this attack by flagging fragmented packets for further deep-packet inspection by application proxy firewalls and intrusion detection systems.
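The three perimeter checks discussed in this and the preceding sections (unwrapping an IPv6-over-IPv4 tunnel, dropping Type 0 Routing Headers, and flagging fragments for deep inspection) can be combined into a single inspection pass. The following Python is an added example written for this page; it is not code from the paper or from any vendor it cites. It assumes raw IP packets are handed to it as bytes, and the sample packets it builds are constructed here with documentation addresses and zero checksums.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IANA-assigned protocol and extension header numbers (not page-specific values).
IPPROTO_IPV6 = 41       # IPv4 protocol value that marks an IPv6-over-IPv4 (6in4) tunnel
IPPROTO_ICMPV6 = 58
EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {EXT_HOP_BY_HOP, EXT_ROUTING, EXT_FRAGMENT, EXT_DEST_OPTS}


@dataclass
class Inspection:
    tunneled: bool = False                      # arrived inside an IPv4 protocol-41 wrapper
    ext_headers: List[int] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)
    upper_proto: Optional[int] = None           # protocol that follows the extension chain


def strip_6in4(pkt: bytes) -> Tuple[bytes, bool]:
    """Return the IPv6 packet and whether it had to be unwrapped from a 6in4 tunnel."""
    version = pkt[0] >> 4
    if version == 6:
        return pkt, False
    if version != 4 or len(pkt) < 20:
        raise ValueError("not an IPv4 or IPv6 packet")
    ihl = (pkt[0] & 0x0F) * 4                   # IPv4 header length in bytes
    if pkt[9] != IPPROTO_IPV6:
        raise ValueError("IPv4 protocol %d is not a 6in4 tunnel" % pkt[9])
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("tunnel payload is not an IPv6 packet")
    return inner, True


def inspect_packet(pkt: bytes) -> Inspection:
    """Unwrap a tunnel if present, then walk the IPv6 extension header chain."""
    result = Inspection()
    v6, result.tunneled = strip_6in4(pkt)
    next_header = v6[6]                         # Next Header field of the fixed 40-byte header
    offset = 40
    while next_header in EXT_HEADERS:
        result.ext_headers.append(next_header)
        if offset + 8 > len(v6):
            result.findings.append("truncated extension header")
            return result
        if next_header == EXT_FRAGMENT:
            hdr_len = 8                         # Fragment header has a fixed length
            frag_word = struct.unpack("!H", v6[offset + 2:offset + 4])[0]
            frag_offset, more = frag_word >> 3, frag_word & 1
            result.findings.append("fragment offset=%d more=%d" % (frag_offset, more))
        else:
            hdr_len = (v6[offset + 1] + 1) * 8  # Hdr Ext Len counts 8-octet units after the first 8
            if next_header == EXT_ROUTING and v6[offset + 2] == 0:
                result.findings.append("RH0 routing header, segments_left=%d" % v6[offset + 3])
        next_header = v6[offset]
        offset += hdr_len
    result.upper_proto = next_header
    return result


def verdict(result: Inspection) -> str:
    """Drop RH0 outright; send fragments and tunneled traffic to deep inspection."""
    if any(f.startswith("RH0") for f in result.findings):
        return "drop"
    if result.tunneled or EXT_FRAGMENT in result.ext_headers:
        return "inspect"
    return "pass"


# Constructed sample packets: documentation addresses, checksums left as zero.
def ipv6_header(next_header: int, payload_len: int) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst


def ipv4_header(proto: int, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def sample_rh0_packet() -> bytes:
    """Native IPv6 echo request carrying a Type 0 Routing Header with one intermediate hop."""
    hop = bytes.fromhex("20010db8000000000000000000000009")
    rh0 = struct.pack("!BBBB", IPPROTO_ICMPV6, 2, 0, 1) + b"\x00" * 4 + hop
    echo = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
    return ipv6_header(EXT_ROUTING, len(rh0) + len(echo)) + rh0 + echo


def sample_tunneled_fragment() -> bytes:
    """6in4-wrapped first fragment (offset 0, more-fragments set) of an ICMPv6 message."""
    frag = struct.pack("!BBHI", IPPROTO_ICMPV6, 0, (0 << 3) | 1, 0xDEADBEEF)
    piece = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
    v6 = ipv6_header(EXT_FRAGMENT, len(frag) + len(piece)) + frag + piece
    return ipv4_header(IPPROTO_IPV6, len(v6)) + v6


if __name__ == "__main__":
    for name, pkt in (("rh0", sample_rh0_packet()), ("tunneled fragment", sample_tunneled_fragment())):
        r = inspect_packet(pkt)
        print(name, verdict(r), r.findings)
```

The walk stops at the first non-extension Next Header value, so a packet that hides a routing header behind a Hop-by-Hop or Destination Options header is still caught; a firewall that only reads the fixed 40-byte header would see neither the RH0 nor the fragment.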

Hidden Dangers of ICMPv6

Unlike IPv4, ICMP packets in IPv6 (commonly known as ICMPv6) are an integral part of the protocol and provide functionality beyond that of IPv4’s ICMP packets, including much of the functionality provided by DHCP in IPv4 (Giobbi, 2009). For this reason, a Network Administrator cannot simply block all ICMPv6 packets, as is commonly done in IPv4 networks, nor simply permit all ICMPv6 traffic through the network, since many ICMPv6 message types can also be used for malicious purposes (Giobbi, 2008). Table 1 provides some general guidelines for filtering ICMPv6 traffic.

ICMPv6 types generally safe to allow (type, name: purpose/comments)
  1, Destination Unreachable: general connectivity testing
  2, Packet Too Big: sent by routers to notify a node that it should fragment its packets
  3, Time Exceeded: protects against routing loops
  4, Parameter Problem: error messages and handling
  128, Echo Request: ping
  129, Echo Reply: ping reply
  133, Router Solicitation: sent by clients to the all-nodes multicast address to request an IP address assignment
  134, Router Advertisement: sent by routers to the all-nodes multicast address; clients can use the information in this message to generate an address
  135, Neighbor Solicitation: queries nodes for IP and connectivity information
  136, Neighbor Advertisement: sends IP and connectivity information to other nodes

ICMPv6 types that can generally be denied (type, name: purpose/comments)
  137, Redirect: alerts clients to send traffic to another router, presumably one with a more direct route to the destination; like the other ICMPv6 types listed, these messages are unauthenticated and could be malicious
  138, Router Renumbering: automatic reconfiguration of routers
  139, Node Information Query: allows a host to be fingerprinted
  140, Node Information Response: allows a host to be fingerprinted
  151-154: deny by default
  Others: not yet used; deny by default

Table 1: Giobbi (2009), a generalization of which ICMPv6 types can be accepted or dropped.

One common attack vector in IPv6 is to utilize the added functionality of ICMPv6 to send false Path Maximum Transmission Unit (PMTU) signals in order to cause a Denial of Service (DoS) against a particular host (Hogg, 2009). This method takes one of two approaches. The first involves an attacker sending an ICMPv6 packet that tells a host to use a much smaller PMTU than the network actually requires. This results in the victim using a very small packet size and reduces network transmission speeds to a crawl. The second attack takes the opposite approach of instructing the victim to use a PMTU that is larger than what the network supports. If taken at face value by the victim, it causes all outgoing traffic from the victim to be too large to pass through the router, and the traffic is dropped. In both of these attacks, the victim host is likely to receive other legitimate ICMPv6 signals that will reset its PMTU; if an attacker continuously retransmits the attack packets, however, they can cause a great deal of disruption to the victim’s connectivity. In order for a Network Administrator to defend against this attack, hosts must be configured not to increase their PMTU solely on instructions received via ICMPv6. Additionally, any packets containing instructions to set a host’s PMTU value below 1280 bytes (the default MTU for an IPv6 network) should be filtered and dropped instead of being forwarded to a host (Hogg, 2009).
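The type-based filtering of Table 1 and the two PMTU rules above (never raise the PMTU on ICMPv6 alone, and drop any Packet Too Big that names an MTU below 1280) fit into one small policy function. The Python below is an added example written for this page, not code from the paper or from Giobbi or Hogg; it assumes it is given the ICMPv6 message body as bytes together with the path MTU the host currently uses, and the sample messages are constructed here with zero checksums.

```python
import struct
from typing import Optional, Tuple

# ICMPv6 types from Table 1 as reproduced on the page.
ALLOW_TYPES = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136}
DENY_TYPES = {137, 138, 139, 140, 151, 152, 153, 154}   # everything unlisted is denied too
PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280   # the 1280-byte threshold named on the page for PMTU instructions


def parse_icmpv6(msg: bytes) -> Tuple[int, int, Optional[int]]:
    """Return (type, code, mtu); mtu is only meaningful for a Packet Too Big message."""
    if len(msg) < 8:
        raise ValueError("ICMPv6 message shorter than its 8-byte header")
    icmp_type, code, _checksum, body = struct.unpack("!BBHI", msg[:8])
    return icmp_type, code, body if icmp_type == PACKET_TOO_BIG else None


def apply_policy(msg: bytes, current_pmtu: int) -> Tuple[str, int]:
    """Filter one ICMPv6 message and return (action, pmtu the host should now use).

    action is "allow", "deny", or "ignore" (delivered but not acted on)."""
    icmp_type, _code, mtu = parse_icmpv6(msg)
    if icmp_type in DENY_TYPES or icmp_type not in ALLOW_TYPES:
        return "deny", current_pmtu
    if icmp_type == PACKET_TOO_BIG:
        if mtu < IPV6_MIN_MTU:
            return "deny", current_pmtu        # first attack: PMTU below the IPv6 minimum
        if mtu >= current_pmtu:
            return "ignore", current_pmtu      # second attack: never raise PMTU on ICMPv6 alone
        return "allow", mtu                    # legitimate decrease from an upstream router
    return "allow", current_pmtu


# Constructed sample messages: type, code, zero checksum, one 32-bit body word.
def icmpv6(icmp_type: int, code: int, word: int) -> bytes:
    return struct.pack("!BBHI", icmp_type, code, 0, word)


SAMPLES = {
    "echo request": icmpv6(128, 0, 0x12340001),
    "redirect": icmpv6(137, 0, 0),
    "unassigned type": icmpv6(200, 0, 0),
    "ptb 1400": icmpv6(PACKET_TOO_BIG, 0, 1400),
    "ptb 576": icmpv6(PACKET_TOO_BIG, 0, 576),
    "ptb 9000": icmpv6(PACKET_TOO_BIG, 0, 9000),
}

if __name__ == "__main__":
    pmtu = 1500
    for name, msg in SAMPLES.items():
        action, pmtu = apply_policy(msg, pmtu)
        print("%-16s -> %-6s pmtu=%d" % (name, action, pmtu))
```

Run stand-alone, the loop starts at a 1500-byte PMTU, accepts the decrease to 1400, refuses the 576-byte instruction, and leaves the 9000-byte one unapplied, which is the behaviour the two rules above ask of a host.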

Conclusions: What Does the Future Hold?

While technologies such as NAT and private networks have helped delay the adoption of the new protocol for several years in the private sector, the future move to IPv6 is inevitable. As network devices (such as smart phones and other mobile hosts) become more commonplace, it will become increasingly difficult to rely on the antiquated IPv4 protocol to get the job done. For this reason, businesses and other organizations need to begin developing a plan for the gradual migration of their network infrastructure to IPv6 (Marsan, 2010a). While many individuals (IT personnel and hackers alike) are still unfamiliar with the new protocol, it is unlikely to remain this way for long. Therefore, in addition to addressing the physical aspects of migrating to IPv6, these plans need to include details regarding the training of IT staff and Administrators in how to securely and effectively migrate and manage the new network. Finally, equal focus must be given to both IPv4 and IPv6 with regard to patch management and the development of new firewall and IDS rules. By starting on this migration process now, the transition can be performed gradually and effectively without disrupting the organization’s day-to-day network operations.

Works Cited

  • Hogg, Scott & Vyncke, Eric. (2009). IPv6 Security: Protection Measures for the Next Internet Protocol. Indianapolis: Cisco Press.
  • Network Working Group. (2007a). Deprecation of Type 0 Routing Headers in IPv6. Media type: Memo. IETF Trust.
  • Network Working Group. (2007b). Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH). Media type: Memo. IETF Trust.
  • Panko, R. J. (2004). Corporate Computer and Network Security, Second Edition. Upper Saddle River, NJ: Pearson Education.