fThis article, which is a part of theSearchSecurity.com mini learning guide, IPv6 tutorial: Understanding IPv6...
security issues, threats, defenses,discusses how a number of factors, such as a lack of trained personnel and limited IPv6 support in security devices, may affect the security of IPv6 network deployments. It also explains the potential effects of those factors, and suggests possible ways to mitigate these shortcomings.
Aside from the security properties of the IPv6 protocol suite itself, there are a number of factors – technical and non-technical – that greatly influence the security of emerging IPv6 deployments. This article identifies those factors, discusses the effect they may have on the security of enterprise IPv6 deployments, and suggests possible actions to mitigate their security implications.
IPv6, the new version of the Internet Protocol, is expected to coexist with and eventually replace its long-lived predecessor, IPv4. IPv6 will provide more address space to enable the growth of the Internet. There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint, and that will likely have an effect on the security of emerging IPv6 deployments. Let's examine each of them in turn.
Lack of well-trained personnel
It is estimated that approximately 20 million engineers are in need of IPv6 training worldwide. Of those engineers that have some IPv6 knowledge, they usually have less confidence with the IPv6 protocols than with IPv4, since IPv4 has been around much longer.
As it is likely these engineers will be asked to deploy IPv6 before their confidence with the protocol matches that of IPv4, it is also likely the security implications of IPv6 may be unknowingly overlooked during deployments. This means that, aside from the security properties of the protocols themselves, the security of these emerging IPv6 deployments will lag that of the existing production IPv4 counterparts.
It should be obvious that, regardless of whether an organization has plans for deploying IPv6 in the future, IT executives and managers must facilitate IPv6 training, particularly in regard to security, for technical personnel, and should encourage experimentation with IPv6 in their environments prior to deployment, such that they gain the necessary know-how before deploying IPv6 in production environments.
While some best practices for the secure deployment of IPv6 have been developed in recent years, this topic should be considered (to some extent) a “work in progress,” and technical personnel should be prepared to adapt to emerging best practices for the deployment of IPv6, whether they are produced by standards organizations such as the Internet Engineering Task Force (IETF), or by government organizations such as NIST or CPNI.
IPv6 implementations haven’t been a focus of the security research community at large. To date, only a few dozen advisories regarding IPv6 vulnerabilities have been published; this should not be taken as an indication that IPv6 implementations are more secure than their IPv4 counterparts, but rather interpreted as an indication that there are many vulnerabilities yet to be discovered in IPv6 implementations, and the protocol must be the focus of greater research.
Clearly, in the short term, IPv6 is likely to become the “weakest link in the chain” in terms of protocol-implementation security, and will probably be leveraged by attackers when targeting dual-stacked sites.
It will take time before security researchers and the vendor community discover and correct IPv6 vulnerabilities such that the maturity of IPv6 implementations matches that of their IPv4 counterparts.
Lack of IPv6 security assessment tools
Closely related to the limited security research about IPv6, is the lack of publicly available IPv6 tester tools to assess the security of IPv6 implementations and deployments. There are only a few publicly available attack/assessment tools for the IPv6 protocol suite (such as THC's IPv6 attack suite and scapy6), as opposed to the plethora of tools available for the IPv4 protocol suite. The result is that network and security administrators usually lack the tools to evaluate the effectiveness of the network security controls they seek to enforce, thus possibly resulting in a false sense of security. For example, the recent work on RA-Guard evasion should be considered an indication of this problem.
It is likely that, as IPv6 deployment increases, so will the production of IPv6 security assessment tools. However, this is simply speculation concerning how the current lack of IPv6 security tools may be overcome, and more tools are necessary in the meantime.
Limited IPv6 support in security devices
Security devices such as firewalls and network IDSes usually offer less support for the IPv6 protocols than for their IPv4 counterparts. This may be reflected either in terms of features or performance. For example, a security device may provide support for deep-packet inspection for IPv4, but not for IPv6; it may support some features for both IPv4 and IPv6, but IPv4 support is implemented in hardware and IPv6 support is implemented in software. Clearly, this lack of parity of security features for IPv4 and IPv6 could lead to reduced security in the resulting IPv6 networks, and may prevent the enforcement of security policies currently in effect for IPv4 on the emerging IPv6 deployments.
Network and security administrators should consider IPv6 support when purchasing new devices or upgrading existing ones. There are some conformance and interoperability test programs (such as the IPv6 Ready Logo Program) that may be of help when evaluating the capabilities of security products.
Lack of awareness about IPv6 transition/coexistence technologies
Since IPv6 is not backwards-compatible with IPv4, a number of transition/coexistence technologies have been developed to facilitate the deployment of IPv6. However, these technologies lead to an increased complexity in the resulting traffic that an attacker could leverage to conceal his or her attempts to bypass network security controls. Some of these technologies (notably Teredo) have been developed to bypass devices such as Network Address Translators (NATs), which many networks employ as a first line of defense against incoming attacks from the Internet, thus potentially increasing host exposure to external attacks.
As a result, the security implications of transition/coexistence technologies should be understood by all network and security administrators, since these technologies may have security implications even on IPv4-only networks. Additionally, security devices should be “aware” of these technologies, and be able to enforce the same security policies they enforce on native IPv4 and native IPv6 traffic.
About the author:
Fernando Gont is a networking and security consultant who has worked on a number of projects on behalf of the UK National Infrastructure Security Coordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI). As part of his work for these organizations, he has authored a series of documents with recommendations for network engineers and implementers of the Internet protocol suite. Gont is an active participant at the IETF (Internet Engineering Task Force), where he contributes to several working groups, and has authored a number of RFCs (Request for Comments). He is a regular speaker at a number of conferences, trade shows, and technical meetings, about information security, operating systems, and Internet engineering. More information is available at his website: http://www.gont.com.ar.