The following is an excerpt from the book IPv6 Security. In this section of Chapter 1: Introduction to IPv6 (.pdf), author Eric Vyncke explains why the emerging network-layer protcol is
still far from perfect.
This excerpt is a part of the SearchSecurity.com mini learning guide, IPv6 tutorial: Understanding IPv6 security issues, threats, defenses.
IPv6 will eventually be just as popular as IPv4, if not more so. Over the next decade as IPv6 is deployed, the number of systems it is deployed on will surpass those on IPv4. While early adopters can help flesh out the bugs, there are still many issues to resolve. IPv6 implementations are relatively new to the market, and the software that has created these systems has not been field tested as thoroughly as their IPv4 counterparts. There is likely to be a period of time where defects will be found, and vendors will need to respond quickly to patching their bugs. Many groups are performing extensive testing of IPv6, so they hopefully can find many of the issues before it is time to deploy IPv6. However, all the major vendors of IT equipment and software have published vulnerabilities in their IPv6 implementations. Microsoft, Juniper, Linux, Sun, BSD, and even Cisco all have published vulnerabilities in their software. As IPv6 has been noticed, it is evident that these major vendors have drawn the attention of the hackers.
The early adopters of IPv6 technology are encouraged to tread lightly and make sure that security is part of their transition plans. There are distinct threats of running IPv6 on a network without any security protection measures. Some operating systems can run both protocols at the same time without the user's intervention. These operating systems might also try to connect to the IPv6 Internet without explicit configuration by the user. If users are not aware of this fact and there is no security policy or IPv6 security protections implemented, they are running the risk of attack. IPv6 can be used as a "backdoor protocol" because many security systems only secure IPv4 and ignore IPv6 packets. For these reasons, it is important to secure IPv6 before it is widely deployed.
When you consider the ways that an IPv4 or IPv6 network can be compromised, there are many similarities. Attacks against networks typically fall within one of the following common attack vectors:
- Internet (DMZ, fragmentation, web pages, pop-ups)
- IP spoofing, protocol fuzzing, header manipulation, session hijacking, man-in-the-middle, sniffing
- Buffer overflows, SQL injection, cross-site scripting
- Email (attachments, phishing, hoaxes)
- Worms, viruses, distributed denial of service (DDoS)
- Macros, Trojan horses, spyware, malware, key loggers
- VPN, business-to-business (B2B)
- Chat, peer-to-peer (P2P)
- Malicious insider, physical security, rogue devices, dumpster diving
In 2007, The Computer Security Institute (CSI — http://www.gocsi.com) 12th Annual Computer Crime and Security Survey stated that 59 percent of all survey respondents suffered from insider abuse of network access. This percentage historically has been lower in the mid- to late 1990s and has risen steadily each year. So the percentage of internal attack sources is likely to be even higher today. Those internal sources of attacks could either be a legitimate hacker or an unknowing end user. The key issue is that most organizations do not spend 50 percent of their security budget on mitigating inside threats. Therefore, external as well as internal devices must be hardened equally well but not necessarily against the same types of attacks.
Author Eric Vyncke explains why IPv6
is becoming a reality.
One disadvantage of both IP versions is the fact that the signaling of network reachability information takes place in the same medium as the user traffic. Routing protocols perform their communication in-band, and that increases the risks to infrastructure destabilization attacks. The threat mentioned here is that user traffic can affect the protocol-signaling information to destabilize the network. Protections against these types of attacks involve securing the signaling communications between network devices. IPv6 routing protocols can use encryption and authentication to secure the signaling information, even if it is transported inside the data path. Domain Name System (DNS) is another key infrastructure component that provides important signaling functions for IPv4 and IPv6. As seen over the past ten years, there is an increase in the number of attacks that target the infrastructure and DNS of the Internet and private networks. The attacks aim to create a denial of service (DoS), which affects the usability of the entire network.
Attacks against network elements typically come from the Internet for perimeter-based devices, while attacks on intranet devices originate from malicious insiders. Most internal routers have simple protection mechanisms like simple passwords and Simple Network Management Protocol (SNMP) community strings. Ease of management typically outweighs security in most enterprise networks. Internet routers do not enjoy this friendly environment, and they are constantly susceptible to many different forms of attack.
Routers are not usually capable of running traditional server software or other applications that can have vulnerabilities. However, they can be the target of a buffer overflow, where the attacker attempts to send information to the router to overrun an internal memory buffer. The side effects can be anything from erratic behavior to a software crash or gaining remote access. Any software that the router runs could be vulnerable, and any protocol supported and implemented within that software for communications to other devices is at risk for potential exploitation. Routers communicate over many different protocols, and each of those protocols is a potential target.
As mentioned before, there is a lack of IPv6 deployment experience in the industry. There is also a lack of experience in securing an IPv6 network. That is why it is important to understand the issues with IPv6 and prepare your defenses. This should be done before IPv6 networks become a larger target for hackers. Not many IPv6 attacks exist or are publicly known, and there are few best practices for IPv6 security or reference security architectures for IPv6. However, a select few sophisticated hackers already use IPv6 for Internet Relay Chat (IRC) channels and back doors for their tools. Some DoS attacks are available and one IPv6 worm already exists, but there is little information available on new IPv6 attacks. It is fair to say that the current IPv6 Internet is not a big target for hackers. This is likely to change as the number of IPv6-connected organizations grows.
As IPv6 becomes more popular, it will continue to grow as a target of attacks, just as Microsoft software became more popular it became a larger target. Internet Explorer is a dominant web browser and experiences many attacks. As the Firefox web browser increased in popularity, so did the number of people working to find flaws in it. IPv6 will follow the same course as the number of deployments increases and it becomes a focus of new security research. The process of finding and correcting vulnerabilities will only make IPv6 stronger. However, because IPv6 has had so long to develop prior to mass adoption, the hope is that many of the early vulnerabilities have already been corrected.
The underground hacker community has started exploring IPv6. IPv6 is beginning to be well understood by these groups, and they are constructing tools that leverage weaknesses in the protocol and IPv6 stack implementations. Back doors that utilize IPv6 or IPv6 within IPv4 to obscure attacks and bypass firewalls are part of their repertoire. In fact, IPv6 capabilities have started to be added to several popular hacker tools.
Many of these IPv6 attack tools are already available and relatively easy to install and operate. Tools such as Scapy6 and The Hacker's Choice IPv6 Toolkit come to mind. These two tools are demonstrated in Chapter 2, which describes how these and other tools operate and discusses what risk they pose. This book illustrates the threats against IPv6 networks and describes how you can apply protection measures to neutralize these attacks.
NOTE - Throughout this book, you will see the terms attacker, hacker, and miscreant used interchangeably to refer to malevolent forces that try to take advantage of IPv6 vulnerabilities. Attacks can be initiated by an outsider such as a malicious user or some malicious host that has been compromised and is being remotely controlled. However, attacks also can be carried out by unknowing insiders who are not aware that they have just caused a problem.
IPv6 Security Mitigation Techniques
IPv6 security architectures are not substantially different from those for IPv4. Organizations can still have the same network topologies when they transition to IPv6 as they have today. The network can still support the organization's mission, and the network can still have data centers, remote sites, and Internet connectivity, regardless of what IP version is being used.
With IPv6, the perimeter design has the same relevance as for IPv4, and most organizations can continue to have the "hard, crunchy" exterior and the "soft, squishy" interior networks. The problem is that most organizations put most of their effort into securing the perimeter, and they overlook the internal security of their environments. If these organizations considered the malicious insider threat, they might rethink the perimeter model and move to a model that has an even layer of security spread throughout. Many of these classic security paradigms still apply to IPv6 networks. When it comes to securing IPv6 networks, the following areas of an IT environment needs to be protected:
Reproduced from the book IPv6 Security Copyright , Addison Wesley Professional.
Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240.
Written permission from Pearson Education, Inc. is required for all other users.
This was first published in February 2009