This tip is a part of the SearchSecurity.com mini learning guide, IPv6 tutorial: Understanding IPv6 security issues, threats, defenses.
Internet Protocol version 6 (IPv6) is coming soon to an enterprise near you, but few organizations have invested much time or effort into understanding how it works, never mind how to secure it. Yet enterprises could stand to learn something from the students and staff at Virginia Tech, which was recently lauded for an innovative new technology that secures IPv6 network communications.
A team from the Blacksburg, Va.-based university’s Information Technology Security Laboratory was recognized by the National Homeland Defense Foundation, which is a nonprofit forum for responding to terrorism tactics and natural disasters, for creating a security tool called Moving Target IPv6 Defense (MT6D).
MT6D solves one of a number of unique IPv6 security concerns that don’t exist in IPv4. In short, an IPv6 address consists of two parts: a 64-bit network prefix, and a 64-bit host address. The first part is determined by the network, but the host address by default is determined by the device’s MAC address.
According to Stephen Groat, a Ph. D. student in computer engineering at Virginia Tech, in this scenario, a machine’s IPv6 address would expose its MAC address, making a machine easy to track by a potential attacker.
“In IPv6, it takes centuries to scan a single subnet,” Groat said. “But once an attacker knows that MAC address, this lets an attacker pretty much do anything they want to a system.”
Groat said, with a little homework, attackers could use the IPv6 address to learn who the manufacturer of the system is, and also collect traffic over multiple sessions: Even when a device disconnects and reconnects, the MAC address portion of the IPv6 address remains unchanged.
There are mechanisms that exist today to obfuscate IPv6 client addresses to some degree, like IPv6 privacy extensions in Windows 7, but Groat said the Virginia Tech team wanted to protect both ends of a session; privacy extensions may protect clients, but servers can’t change their addresses without terminating a session.
That’s where MT6D comes in. It serves to create an algorithm that allows a pair of network hosts to change their addresses dynamically in a way that each host can predict the other’s next address, creating a network tunnel. The technology could be deployed as a stand-alone appliance on a network to secure a subnet or be built into specialized network devices like smart grid electric meters, but it’s likely to be made available to vendors for inclusion in commercial networking and security products.
While MT6D solves one IPv6 security problem, there are still a number of others. Few network security products today offer robust support for IPv6, Groat said, and those that claim to often haven’t been tested in a large-scale IPv6 environment like the Virginia Tech network, which has been in place since 2005 and features 30,000 nodes. Often, organizations have IPv6-enabled devices and don’t realize it, opening the door for malware to use IPv6 as an unmonitored back-channel. And that’s just for starters.
“We have someone here who also works for a hosting firm, and at the hosting firm they can’t turn on v6 support for their mail servers because they have v4-only blacklists,” Groat said. “So if they turn on v6, they’ll suddenly get all this spam. The other question is, ‘How do you create a blacklist for v6?’ Since hosts can change their addresses so frequently, do you block whole subnets? These are real problems people haven’t solved yet.”
Fortunately, with World IPv6 Day coming on June 8 – a one-day IPv6 connectivity awareness initiative where many global network and website operators like Google and Facebook will turn on IPv6, just to see what happens -- everyone will get a chance to see what an IPv6 Internet looks like. Though some believe the event will mostly be a PR stunt and simply raise awareness for the upcoming transition across the Internet, count the Virginia Tech team among those who believe it could be a disruptive event.
“I think a lot of websites will break,” said William Urbanski, a security analyst with the Virginia Tech IT security office. “I think end users are going to see misconfigurations on commerical ISPs.”
Still, World IPv6 day and the MT6D tool should serve to help enterprise security teams ponder how their security tactics must evolve as IPv6 takes hold. It’s a topic we’ll follow closely on SearchSecurity.com as the year moves on.
About the author:
Eric B. Parizo is senior site editor of TechTarget's Security Media Group. His rants can also be heard on SearchSecurity.com's Security Squad podcast.