Analysis: Vast IPv6 address space actually enables IPv6 attacks

For World IPv6 Launch Day 2012, Fernando Gont covers why common ways of generating IPv6 addresses actually make an attacker’s job easier.

As companies today, June 6, 2012, mark World IPv6 Launch Day by enabling IPv6 in their products and services, it serves as an opportunity to examine a key misconception about IPv6 security. It is widely assumed that, due to IPv6’s increased address space, IPv6 host-scanning attacks would take so much effort and time on the part of the attacker that they are practically unfeasible. However, this is more of an urban legend than a result...

of a careful analysis.

Unfortunately, each of these options reduces the potential search space, making IPv6 host-scanning attacks easier and potentially more successful.

By reviewing how IPv6 addresses are configured on the Internet, this tip will provide a more realistic perspective on the feasibility of IPv6 attacks.

The myth of IPv6 invincibility
IPv6 offers a much larger address space than IPv4 did. Standard IPv6 subnets can (in theory) accommodate approximately 1.844 * 1019 hosts, resulting in a much lower host density than IPv4 subnets (i.e. lower ratio of the number of hosts to the number of available IP addresses in a subnet).

Because of this vast amount of IPv6 address space, many believe it would take a tremendous effort by would-be attackers to perform host-scanning attacks against IPv6 networks. Some estimates peg the length of time for a host-scanning attack on a single IPv6 subnet at 500,000,000 years!

From the editors: 
More on IPv6 security

This article is part of SearchSecurity.com's special report, IPv6 tutorial: Understanding IPv6 security issues, threats and defenses. This compendium of technical articles and news coverage explains how IPv6 may be exploited by savvy attackers, and what enterprises must do to ensure a secure transition. Check it out now.

Host-scanning attacks in the IPv4 Internet
Before delving into the details of IPv6 host-scanning attacks, it is interesting to revisit how host-scanning attacks are performed in the IPv4 Internet.

IPv4 provides a limited amount of address space. The whole IPv4 address space is composed, in theory, of 232 addresses, with IPv4 subnetworks typically employing 28 addresses or the like. Because of this, host density in typical IPv4 subnetworks is relatively high. As a result, IPv4 host-scanning attacks are typically performed in the following manner:

  • A target address range is selected.
  • A probe packet is sent to each address in the range.
  • Each address for which a response is received is considered "alive.

Since the search space for a typical IPv4 subnet is relatively small (typically 28 addresses) and the host density of such subnetworks is high, sequentially trying every possible address in the targeted network is simply "good enough" (and is probably even "desired") by most attackers.

Host-scanning attacks in the IPv6 Internet
There are two factors that make IPv6 host-scanning attacks much more difficult than IPv4 attacks:

  • Typical IPv6 subnetworks are much larger than their IPv4 counterparts (264 addresses for IPv6, 28 addresses for IPv4).
  • Host density in IPv6 subnetworks is much lower than IPv4 subnetworks.

Because of these two factors, sequentially probing every single address of the target IPv6 subnetwork would be unfeasible, both in terms of packets/bandwidth and amount of time required to perform the attack.

Busting the IPv6 security myth
However, IPv6 host-scanning attacks may not be so cumbersome and time-consuming as they first appear.

It is important to realize IPv6 host addresses are not randomly spread over the corresponding 264 subnet address space. This means the attacker does not actually have to go through the entire subnet address space when trying to identify "alive" nodes.

Understanding how IPv6 addresses are generated or configured shows the non-random nature of address assignments.

IPv6 address options
The following figure illustrates the syntax of IPv6 global unicast addresses.

IPv6 global unicast addresses, as their name implies, are the IPv6 addresses employed for communications in the Internet (as opposed to, say, link-local addresses, which are only employed for communications within a local subnetwork). Their syntax is similar to their IPv4 counterpart: The global routing prefix is typically assigned by the upstream provider, the subnet bits are used by the local network administrator to segment an organizational network into multiple logical subnets, and the Interface ID (IID) is used to identify the specific network interface on that subnetwork.

A number of options are available for selecting the Interface ID (the low-order 64 bits of an IPv6 address), including:

  • Embed the MAC address;
  • Employ low-byte addresses;
  • Embed the IPv4 address;
  • Use a “wordy” address;
  • Use a privacy or temporary address;
  • Rely on a transition or coexistence technology.

Unfortunately, each of these options reduces the potential search space, making IPv6 host-scanning attacks easier and potentially more successful. The following sections explain why.

Embedded MAC addresses
Most IPv6 hosts generate their addresses according to traditional Stateless Address Auto Configuration (SLAAC) developed by the non-profit Internet Society. SLAAC takes the MAC address and inserts a 16-bit number in the middle, which results (in the case of Ethernet) in Interface IDs (again, the lower 64 bits of the address) with the following syntax:

In this case, at least 16 bits of the Interface ID are always known. The rest of the bits in the Interface ID (those borrowed from the underlying Ethernet address) also follow specific patterns.

Therefore, when planning IPv6 host-scanning attacks, an attacker may have knowledge about the vendor from which the targeted organization buys networking gear. The attacker could use this knowledge to reduce the search space to, say, only those OUIs (organizational unique identifiers) that are known to be assigned to that vendor. The search space can then be even further reduced, since the low-order 24 bits of an Ethernet address are typically assigned sequentially as the network interface cards are manufactured. If an organization purchased, say, 400 systems from the same vendor, chances are those systems will have consecutive Ethernet addresses (and hence consecutive IPv6 addresses). As soon as the attacker finds one node in the target network (probably trying random addresses), the rest of the nodes could be trivially found by trying consecutive addresses.

Virtualization technologies present an interesting special case, since most virtualization products employ specific IEEE OUIs for the network interface cards of virtual machines. This means that, when targeting virtual machines, the search space could be reduced to just the OUIs known to be employed by virtualization technologies.

These scenarios show how knowing or discovering just a few addresses enables an attacker to narrow his or her search space, making an IPv6 host-scanning attack more feasible.

Low-byte addresses
Low-byte addresses are IPv6 addresses in which the Interface ID is all zeros, except for the last 8 or 16 bits (e.g. 2001:db8::1, 2001:db8::2, etc.). These addresses are typically the result of manual configuration (as is usually the case for infrastructure devices), but may also result from the use of some Dynamic Hosted Configuration Protocol version 6 (DHCPv6) servers, which sequentially assign IPv6 addresses from specific address ranges. When low-byte addresses are employed, the IPv6 address-search space is reduced to, at most, 216 addresses, thus making IPv6 host-scanning attacks more feasible.

More on IPv6 attacks

Understanding IPv4 to IPv6 transition mechanisms

Debunking other IPv6 security myths

Embedded IPv4 addresses
The Internet Engineering Task Force (IETF) specification allows IPv6 addresses to be expressed in the form "2001:db8::W.X.Y.Z", where "W.X.Y.Z" is an IPv4 addresses. This form of generating addresses is typically found in infrastructure devices, since it makes it easy to "remember" a device's IPv6 address if the device's IPv4 address is known.

Because the rest of the address is known or guessable, networks that employ embedded IPv4 addresses allow the attacker to reduce the IPv6 address search space to about the same size as the search space for the corresponding IPv4 network.

"Wordy" addresses
Employing hexadecimal (rather than decimal) notation for IPv6 addresses allows some level of creativity when manually configuring addresses. For example, as of this writing, Facebook's domain maps to the IPv6 address "2a03:2880:2110:3f02:face:b00c::".

While determining the search space for these "wordy" addresses is not trivial, the search space is certainly reduced when compared to the whole 264 IPv6 space. Dictionary-based IPv6 host-scanning attacks targeting "wordy" addresses have been found in the wild, and were publicly reported in a number of attack operations mailing lists.

Privacy/temporary addresses
In response to host-tracking concerns, the IETF standardized "Privacy Extensions for Stateless Address Autoconfiguration" in Request For Comments (RFC) 4941. In essence, RFC 4941 mandates that the Interface ID be randomized, and also be changed over time, with the goal of creating non-predictable addresses.

However, RFC 4941 mandates these temporary addresses be generated in addition to traditional SLAAC addresses (rather than in place of them), with temporary addresses being employed for outgoing communications, and traditional SLAAC addresses being employed for server-like functions (i.e. incoming communications). Therefore, these addresses do not mitigate host-scanning attacks, since the predictable SLAAC addresses are still configured on hosts employing temporary addresses (with the notable exception of OpenBSD, which disables traditional SLAAC addresses when privacy addresses are enabled).

Transition/coexistence technologies
A number of IPv4-to-IPv6 transition or coexistence technologies, such as 6to4 and Teredo, specify a special syntax for IPv6 global unicast addresses, which in most cases embed an IPv4 address in part of the resulting IPv6 address. Since there are a plethora of such technologies, this article won’t delve into specific details, but simply note these addresses follow specific patterns and thus help reduce the IPv6 address search space.

Mitigating IPv6 host-scanning attacks
The clearest way to mitigate IPv6 host-scanning attacks is to remove any obvious patterns from IPv6 addresses. The 6man working group of the IETF is currently working on a method to generate IPv6 addresses with the following properties:

  • The resulting Interface IDs are not easily predictable.
  • The resulting Interface IDs are stable within each subnetwork, but change as a host moves from one network to another.
  • The resulting Interface IDs are independent from the underlying link-layer address.

To ensure secure IPv6 deployments, the IETF must complete this standardization effort and, more importantly, vendors need to implement it. Once in place, these non-predictable addresses will make IPv6 host-scanning attacks much more difficult to conduct.

From the editors: 
More on IPv6 security

This article is part of SearchSecurity.com's special report, IPv6 tutorial: Understanding IPv6 security issues, threats and defenses. This compendium of technical articles and news coverage explains how IPv6 may be exploited by savvy attackers, and what enterprises must do to ensure a secure transition. Check it out now.

Other possible mitigations for IPv6 host-scanning attacks include the use of network-based intrusion prevention systems (IPS); specifically to react to host-scanning activity by blocking incoming packets from a specific source address when a large number of probe packets targeting different IPv6 addresses in the local subnet are received, especially if many of the target addresses are non-existent. Another option is to configure non-predictable addresses for DHCPv6-based and manually configured systems. While Windows systems generate non-predictable addresses, all other endpoints (including Cisco- and Linux-based devices) would need some additional configuration, either by enabling the DHCPv6 server so it leases non-predictable addresses, or by manually configuring systems so they use non-predictable addresses. Clearly, the DHCPv6 option should be preferred, since it scales much better. However, not all DHCPv6 software has this feature, and hence the only option may be to manually configure the IPv6 address of each system (which of course would be very painful).

This analysis of how IPv6 addresses are assigned on the Internet should raise awareness that, while resistance to host-scanning attacks should be greatly improved with IPv6, there is still work to be done by the IETF and the vendor community to make IPv6 host-scanning attacks more difficult for attackers.

About the author:
Fernando Gont is a networking and security consultant who has worked on a number of projects on behalf of the UK National Infrastructure Security Coordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI).As part of his work for these organizations, he has authored a series of documents with recommendations for network engineers and implementers of the Internet protocol suite. Gont is an active participant at the Internet Engineering Task Force (IETF), where he contributes to several working groups, and has authored a number of RFCs. He is a regular speaker at a number of conferences, trade shows, and technical meetings, on information security, operating systems, and Internet engineering. More information is available at his website: http://www.gont.com.ar.

This was first published in June 2012

Dig deeper on Network Protocols and Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close