IPv6 Security is an important topic because many organizations will not deploy IPv6 until they understand the security aspects of it, and feel that they can lock down their exposed IPv6 infrastructure as well as they can their exposed IPv4 infrastructure. It is such an important and complex area that an entire IPv6 Forum course is devoted to it. This article is just a very brief introduction to the topic.
There are no RFCs that specifically address IPv6 security as the main topic, although most RFCs include a section on the security issues related to the topic of the RFC.
Computer Security in General
Computer network security is concerned with protecting the organization’s infrastructure and information from attack by malicious elements (“crackers”). In theory, any node that is connected to the Internet can potentially be attacked from any other node on the Internet.
There are several varieties of malicious attacks:
Denial of Service (DoS) attack – if someone can prevent you, or your customers, from being able to access your online services, this causes you damage (and in the case of large sites, like amazon.com, potentially millions of dollars a day in lost sales). This can be accomplished by crashing your server(s), or simply overloading some limited resource on your servers (memory, fixed-length tables, bandwidth, etc.). Service may be denied temporarily (just for the duration of an important sale), or permanently (until your site can be restored from a backup or disaster recovery site).
Distributed Denial of Service (DDoS) attack – a variant on the DoS threat that can be effective against even very large sites, through coordination of hundreds or even hundreds of thousands of compromised computers (a “bot army”) attacking a single site in coordination. Some hacking attacks do not harm your computer directly, but infect it with an agent that can be used to attack other computers, often without you even knowing it. The people who build these bot armies may use them themselves, or “rent them out” to people who use them to attack a large site.
Reputation attack – any malicious activity that damages your reputation, via defacing of your website, stealing customer information from it (thereby compromising people’s trust in your site), assuming your identity and doing something bad as you, etc.
Violation of Privacy / Theft of Intellectual Property – a malicious agent could obtain valuable information (source code, customer lists, customer credit card data, confidential product data, future market events, etc.) from your site by obtaining unauthorized access to your server(s), by sniffing traffic to or from your site, etc. They may use this themselves, or sell it to others. Identity theft is a version of this attack, and can victimize an individual, or an entire organization.
There are many techniques and tools used by attackers to accomplish their goals. Some of these are covered in the Network Security Engineer course. Many of these are available online, created by experienced attackers. These may be downloaded and used by much less experienced or capable attackers, known as “script kiddies”.
Many network hacking attacks do not involve the Internet Layer (L3) – some of those involve the Application Layer (L7). Things like cross-site scripting attacks exploit weaknesses in web servers (an application). Buffer overflow attacks exploit poor implementation in applications (no check on the number of characters written into a memory buffer).
These attacks work exactly the same on IPv6 (and are just as effective) as on IPv4. Also the defenses are pretty much the same.
On the other hand, some hacking attacks involve weaknesses in IPv4, ICMPv4, the broadcast transmission mode, or even ARP (which maps IPv4 addresses onto Link Layer addresses). In most of these cases, IPv6 made improvements that render these attacks ineffectual. For example, there is no ARP to attack. However, the mechanism that replaced ARP (Neighbor Discovery Address Resolution) can be attacked in new ways.
Broadcast is now Multicast
There is no broadcast transmission mode in IPv6, but the link-local all-nodes multicast address (ff02::1) does pretty much the same thing, and all IPv6 nodes by default belong to that multicast group. So there are IPv6 attacks similar to the ones from IPv4 that use broadcast. They just have to be re-written to use multicast.
Host Based Firewalls
Host-based firewalls are a big concern with IPv6. Many third-party host-based firewalls do not yet have good (or any) support for IPv6. With Windows 7, the free host-based firewall (especially when managing it with “Windows Firewall with Advanced Security”) actually has very complete facilities for protecting a Windows node running IPv6. In BSD, the pf host-based firewall is very complete and fully supports IPv6.
Packet fragmentation is very different in IPv6. Only the source node is supposed to ever fragment packets. There are a number of rules that any node doing fragmentation should adhere to that avoid some of the vulnerabilities previously associated with fragmentation. Unfortunately, there is nothing preventing a node other than the source from fragmenting packets, but any fragmentation that violates the IPv6 rules should be dropped. Gateways that do deep packet inspection may need to reassemble complete packets before applying filtering rules. The fields used in fragmentation are no longer in the basic header, but in the Fragment extension header. Be sure your firewall processes all extension headers.
Rogue RA Server
It is not very difficult for an attacker to deploy a rogue source of Router Advertisements in a subnet, which can cause numerous problems, especially Denial of Service. It can also convince internal nodes that it is the gateway, so that all traffic goes through the rogue node, which would allow that node to monitor unencrypted traffic or redirect or block any traffic, based on visible information. Cisco has a feature called RA Guard that can help deal with this kind of attack. SEND will solve this problem, but Microsoft does not yet support this. Another approach is to avoid using Router Advertisement messages and SLAAC (see DNMS).
ICMPv6 was extensively re-designed compared to ICMPv4. One improvement is that many ICMPv6 packets are created with a Hop Limit of 255. No node will accept an ICMPv6 packet with any other hop limit value. This prevents bogus ICMPv6 packets from being injected from outside the local link (there is no hop limit value you can create that will result in 255 after the packet has crossed even one router). Of course a hacker can compromise an internal node and send ICMPv6 packets with hop limit of 255 from that node. So this mechanism eliminates only some hacking attacks using bogus ICMPv6 packets.
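The two checks described above (fragments that break the IPv6 rules, and the hop-limit-255 requirement) only work if the filter actually walks the extension-header chain rather than reading the basic header. The following is an added example written for this article, not code from the article or from any firewall product: it follows the chain, applies the fragment rules of RFC 8200 and RFC 7112, and applies the hop-limit rule to the Neighbor Discovery message types that RFC 4861 requires to arrive with 255. The packets are constructed inline and build() is a test helper, not a real API.

```python
import struct

EXT_HEADERS = {0, 43, 44, 60}         # Hop-by-Hop, Routing, Fragment, Destination Options
ND_TYPES = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect (RFC 4861)
ICMPV6 = 58

def walk_ipv6(pkt):
    """Parse the fixed IPv6 header and walk the extension-header chain.
    Returns (hop_limit, upper_proto, upper_offset, frag); upper_proto is None when
    the chain cannot be followed to the upper layer inside this packet, and frag is
    (fragment_offset, more_flag, data_offset) if a Fragment header was seen."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, hop, off, frag = pkt[6], pkt[7], 40, None
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):                      # truncated header chain
            return hop, None, off, frag
        nxt = pkt[off]
        if nh == 44:                                # Fragment header: fixed 8 octets
            word = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            frag, off = (word >> 3, word & 1, off + 8), off + 8
            if frag[0] > 0:                         # non-first fragment: upper layer not here
                return hop, None, off, frag
        else:                                       # Hdr Ext Len is in 8-octet units, minus one
            off += (pkt[off + 1] + 1) * 8
        nh = nxt
    return hop, nh, off, frag

def filter_decision(pkt):
    """Apply the fragment and hop-limit rules discussed above to one packet."""
    hop, proto, off, frag = walk_ipv6(pkt)
    if frag is not None:
        first, more, data = frag[0] == 0, frag[1], frag[2]
        if more and (len(pkt) - data) % 8:          # RFC 8200 4.5: non-last fragments are 8-octet multiples
            return "drop: fragment length not a multiple of 8"
        if first and (proto is None or off + 8 > len(pkt)):
            return "drop: first fragment lacks the upper-layer header (RFC 7112)"
        if not first:
            return "hold: reassemble before applying upper-layer rules"
    if proto is None or off >= len(pkt):
        return "drop: cannot reach upper-layer header"
    if proto == ICMPV6 and pkt[off] in ND_TYPES and hop != 255:
        return "drop: Neighbor Discovery message with hop limit %d" % hop
    return "accept: upper-layer protocol %d" % proto

def build(nh, payload, hop=255):
    """Constructed test packet fe80::1 -> ff02::1 (sample data, not a capture)."""
    src, dst = b"\xfe\x80" + b"\x00" * 13 + b"\x01", b"\xff\x02" + b"\x00" * 13 + b"\x01"
    return b"\x60\x00\x00\x00" + struct.pack("!HBB", len(payload), nh, hop) + src + dst + payload
```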
IPv6 doesn’t use ARP (which is notoriously weak against hacking attacks). There is no way to secure ARP. In IPv6 address resolution is done with Neighbor Discovery in the Internet Layer (L3). You can secure any Neighbor Discovery packet with IPsec (AH and/or ESP), if desired. There is also a secure version of Neighbor Discovery (SEND) that integrates good security into ND – unfortunately it is not yet widely deployed. Until then, you can secure it with IPsec.
Speaking of IPsec – it works great in IPv6 (unlike IPv4) due to the absence of NAT. IPsec correctly detects NAT as a hacking attack – something is making changes to the IP addresses and/or ports in the packet headers, that causes problems. That something is the NAT gateway. While it is possible to get IPsec to work through a NAT gateway by using NAT traversal (like the aptly-named STUN), this workaround introduces more problems than the IPsec solves. IPsec has never taken off in IPv4 because it is really incompatible with NAT, which is endemic on the IPv4 Internet (InterNAT?) today. I expect IPsec to take off on the IPv6 Internet. IPsec is the only IETF approved (and standardized) scheme for building VPNs – it just doesn’t work very well on the IPv4 Internet, so many people use SSL-VPN, which is a terrible design (and no standards exist).
Running without NAT
Many people seem to think that NAT44 is a security mechanism. It isn’t really – if you don’t have port blocking in place, NAT cannot prevent someone from getting into your network. It just makes it a little bit more difficult for the hacker. NAT also makes it a lot more difficult for the legitimate user to make connections to internal nodes. You should see what Skype has to go through to connect to internal nodes. Security guys do not consider Skype to be an application – it is a vulnerability. I can secure an IPv6 network (assuming I have an IPv6 firewall) just as well as an IPv4 network (with a similar firewall), but the IPv4 is more difficult to do right because of the NAT. Not having NAT in IPv6 does not reduce your security in any way. The only purpose for NAT was to extend the lifetime of the IPv4 public address space for 10-15 years, which it did. Those years ended about 2011. IPv4 is running out, and IPv6 is mature and working.
Dual Stack Doubles Your Attack Surface
It is easier to secure a single stack network (IPv4-only or IPv6-only) than it is to secure a Dual-Stack network (IPv4 and IPv6). In a Dual-Stack network, you double the attack surface. What’s worse is the hacker can probe both sides and attack the weaker one, so the resulting strength is only as good as the weaker of your two IP families. Today, that is probably IPv6, until your security guys learn how it really works.
One misconception about IPv6 is that it is impossible to scan a subnet for open ports, because of the zillions of addresses in a subnet (2^64). If a hacker was silly enough to try testing every address, it would in fact take zillions of years. However, in IPv6, every node in a subnet will respond to a Neighbor Solicitation message with a Neighbor Advertisement. You can send the Neighbor Solicitation message to the link-local all-nodes multicast address (ff02::1) – all nodes will reply to it. I can very quickly obtain a list of all IPv6 nodes in a subnet – faster than with IPv4, where no such mechanism exists. You can’t block that mechanism with a host-based firewall, or IPv6 will not function normally. You need to deploy host-based firewalls and design applications with the assumption that a hacker can find your nodes.
Intrusion Detection / Prevention
Not many IDS/IPS systems support IPv6 yet, but Snort already does. Consider using this until more commercial products begin supporting IPv6.
Be careful about letting any tunnels cross the border gateway to terminate inside, especially if they are encrypted. Any tunnels to provide IPv6 to the network should terminate at the border gateway. No internal tunnel endpoints should be allowed. This can be assured by blocking protocol 41 and UDP/3544 at the border gateway. It is also a good idea to disable all automatic tunneling on Windows nodes.
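The border rule above, written out as an added example (not the article's own code or any product's configuration): IP protocol 41 carries IPv6 directly inside IPv4 (6in4 and 6to4), and UDP/3544 is the Teredo port, so both are refused on the way into the internal network. The filter reads the IPv4 header length so that UDP ports are found correctly even when IP options are present; build_ipv4() is a constructed test helper with a zero checksum.

```python
import struct

IPV6_IN_IPV4 = 41   # IP protocol 41: IPv6 encapsulated directly in IPv4 (6in4, 6to4)
UDP = 17
TEREDO_PORT = 3544  # Teredo carries IPv6 inside UDP/IPv4 on this port

def border_decision(pkt):
    """Decide whether an inbound IPv4 packet may cross the border gateway
    toward internal nodes. Returns 'drop: ...' for tunnel traffic, else 'accept'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes; IP options make it > 20
    proto = pkt[9]
    if proto == IPV6_IN_IPV4:
        return "drop: protocol 41 tunnel must terminate at the border gateway"
    if proto == UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "drop: Teredo (UDP/3544) tunnel must terminate at the border gateway"
    return "accept"

def build_ipv4(proto, payload, options=b""):
    """Constructed test packet 192.0.2.1 -> 198.51.100.7 (sample data, not a capture)."""
    ihl = 5 + len(options) // 4        # options must be padded to a multiple of 4 bytes
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload
```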
End to End Model
Because IPv6 has restored the End-to-End nature of the Internet (by doing away with NAT) there will be many more apps that take advantage of this. I’m creating some now. This means we will need to write apps that take security seriously, and deploy good host-based security (including host-based firewalls). It is likely that other apps will be connecting directly to applications running on your node (e.g. VoIP or chat clients). If those are weak, hackers will attack you through them. Actually current nodes are pretty much wide open, as users think that they are safe behind NAT44. Hackers call this “hard crunchy outside, soft chewy inside”. We need to make every node hard and crunchy.
With IPv4 we usually need intermediary systems (think AOL Instant Messenger) where Alice and Bob both have to make outgoing connections through their NAT gateways to an intermediary node (AOL). That node shuttles messages back and forth between the two users. This is very difficult to secure, and easy to monitor or control. NAT has led to designs with many choke points. The IPv6 Internet will be more decentralized – fewer choke points where someone can snoop or attack large numbers of connections at once. With true End-to-End connectivity, it’s easier to secure links. Skype’s security model is very weak – because of the architecture it had to use to work through IPv4 NAT.
It will be much easier to create secure applications when we don’t have to fight NAT.
IP Address Management
One subtle aspect of IPv6 security is that it is currently difficult to assign addresses in sub-blocks of a /64, linked to organizational groups – which means any firewall rule must apply to everyone in that subnet, or you need a separate rule for each user, which may be unworkable. This is one of the main reasons I’ve been working on a next generation address management system that can address this (and that system itself must be secured). Legacy IP address management systems are completely unsecured. SLAAC is not well suited to subnets with workstations for humans. Multiple global addresses and especially periodically changing addresses present significant security challenges. See DNMS for more information.
The Importance of IPv6 Training for Security Professionals
Today, there are network professionals who understand security, and there are some network professionals who understand IPv6. The number who understand both is currently small. It is very important for your security professionals (or you, if you are one) to master IPv6 now, before it is everywhere. There are a lot of differences, and they impact security. You need to master the available tools. The IPv6 Forum Network Security Engineer training will help a lot. At the very least, your network security professionals should have IPv6 Forum Network Engineer Gold or equivalent certification.
I highly recommend the book “IPv6 Security” by Scott Hogg and Eric Vyncke. Both of them are very knowledgeable about both IPv6 and network security. This is a very good starting point for your education. It is available in major bookstores everywhere, and in Kindle ebook format too.