Title: IPv6 and Security
1. IPv6 and Security
Gregory Travis
Center for Applied Cybersecurity Research (CACR)
Advanced Network Management Laboratory
greg_at_iu.edu
2. A Bold Statement
- our soldiers need better information in order to make better decisions - who to help and who to kill. The lack of security and flexibility in the current IPv4 protocol is a drag on our wing. This isn't about do you trust the Internet for your kid's homework, it's do you trust your kid's life. If we fail, people die.
- "Defense Department Will Require IPv6 Compliance, Says DoD's John Osterholz." From Market Wire, June 26, 2003.
3. tempered by age
- "Good judgment comes from experience and experience comes from bad judgment." Fred Brooks
4. Why IPv6?
5. In the beginning
- The Internet was infinitesimally small, and no one could comprehend its role in the future of society
- Networks, as they grew, were built and run by benevolent lords
- The security concern of the time was simply a nuclear war
6. In the beginning
- Security was the concern of the government
- Cryptography was within the realm of dark projects
- Secure communications were defined by the NSA
7. The IETF said "let there be Autonomous Systems and routing protocols"
- and the Internet grew and grew
- The NSF said "let there be commercialization"
- and the Internet grew and grew and grew
- Cisco said "let there be e-commerce"
- and Cisco grew and grew
8. In 1993 the IETF said "the sky is falling"
- Current state-of-the-art routers couldn't hold the entire routing table
- It was projected that class-B addresses, and eventually all addresses, would be exhausted
- Creative IETF members said "we can fix things," but each had his own plan
9. If you're giving away ice-cream, make sure the scoops are small
- The IETF said "let there be CIDR"
- and classless interdomain routing became the efficient way to dole out IP addresses
- Others in the IETF said "CIDR is nice, but we're still going to run out of ice-cream"
- "wouldn't it be nice to have an astronomical amount of ice-cream," they wondered
- Two years later, the IETF invented the equivalent of an astronomical amount of ice-cream: IPv6
10. What is IPv6?
11. Timeline
- 1993: the sky started to fall
- 1996: first alpha implementations of IPv6 (on Linux)
- 1997: first commercial implementation of IPv6 (IBM)
- 2009: Less than 1% of Internet hosts actually using IPv6 (Google)
- What happened to the falling sky?
12. Key differences in IPv6 itself
- The addresses are longer (128 bits vs. 32)
- no need to use NATs to increase usable IP space
- possible to preserve end-to-end model
- more flexible support of IP option headers
- use of multicast rather than broadcast in the LAN
- no need for IP fragmentation in network devices
- could lead to explosion in routing table size
- addresses take more special memory in routing equipment (e.g., TCAMs)
- more flexible support of IP option headers
- harder to optimize for low bandwidth connections and resource limited devices (e.g., sensors, PDAs, cell phones)
13. What else?
- Uniform header (40 bytes) vs. variable length header of IPv4 (more on this later)
- No fragmentation
- End to end MTU discovery
- No such thing as a static IP
- Pervasive multicast
- The QoS (Quality of Service) Zombie
- IPSEC required
14. More Addresses is a Big Deal
- If the Internet is to preserve its end-to-end model, then eventually IPv6 will be needed
- Even now, there is tangible evidence of a need for more addresses
- COMCAST uses IPv6 to manage its network infrastructure because using the 10.0.0.0/8 network (16 million IPs) wasn't big enough
- However, increasingly security practices are leaning towards breaking the end-to-end model in favor of better security mechanisms
- NATs do provide a layer of security, and they do completely break the end-to-end model
- There will be IPv6 NATs (soon to be a major motion picture starring Daniel Day Lewis)
15. And IPv6 does have an astronomical number of addresses
- This does allow for the flexibility to build network topologies which support attribution at the network layer.
- But you can make quite a mess with an astronomical amount of ice-cream.
16. Some example IPv6 Address Block Assignments
- US DoD: /13 (largest allocation so far)
- 4.2E34 addresses. If each address was a dollar coin and they were stacked on top of each other, the stack would be 88 billion times the diameter of the Milky Way
- Put another way, 4.3 × 10^34: 8600 addresses for every bacterium on earth
- Italian Telecom: /20
- Assumptions
- 268 million customers (what's Italy's population?)
- Each customer gets a /48, which has 65k local area networks
17. That's some conspicuous consumption
- Enough addresses that every cell in the body of every human alive could have its own allocation of IP addresses 200,000 times larger than the entire IPv4 space.
- You wouldn't believe it, but some are now beginning to worry about IPv6 address exhaustion as a result
- Ice Cream Scoops got big, again
18. Who's running IPv6 now
- A few ISPs in the US offer IPv6 (Qwest is one)
- There are numerous test beds in Japan
- The US R&E network infrastructure (i.e., Internet2), and its counterparts in Europe and the Pacific rim have a large, high-speed, dual stack inter-network of native IPv6
19. Now, what is this added security that the gentleman mentioned?
20. Around the same time they were solving the ice-cream problem, the IETF also was dealing with security
- SSL was standardized - now TCP connections could be encrypted without the user messing around with keys or passphrases
- Standards were emerging for securing the network at the IP layer (would later be called IPSEC)
21. IPsec Support
- The major difference is that an IPv6 device must support IPsec
- IPsec is available for both IPv4 and IPv6 but is not a requirement for IPv4
- Configuration and use is functionally identical between IPv4 and IPv6
- This still leaves the question of when to actually use IPsec
22. The difference between "may" and "must"
- The IPv6 IETF standard (RFC) specifies that a full implementation of IPv6 MUST support certain components of IPSEC
- IPv4, which was defined before IPSEC, MAY support IPSEC
- In reality, some IPv6 stacks don't support IPSEC and many IPv4 stacks do.
- There are no additional security features in IPv6! In fact, IPv4 does have additional required security features (but they're not used)
23. Is it even necessary?
24. IPsec Support
- IPsec is difficult to install and configure on most platforms
- This is especially true with the retirement of the FreeS/WAN project
- Biggest problem is key distribution
- Requires infrastructure support (e.g., special DNS RRs) and dedicated professional staff
- If you get this part wrong, you gain complexity without any additional security
25. IPsec Adoption
- IPsec has been around since 1995, but still sees limited use outside of L2TP-based VPNs
- Why?
- Much more ubiquitous support for SSL
- IPsec and NAT don't mix well at all
26. SSL vs. IPsec
- IPsec is better than SSL because it provides much better protection for packet headers
- Provides confidentiality, accountability, and authentication
- No more spoofed headers, etc.
- SSL is better than IPsec because you have it right now and it works pretty well for just about everything you want to do
27. Won't NATs Go Away?
- Part of the purpose of IPv6 is to restore the end-to-end model by providing more addresses
- But address depletion is not the only motivating force behind NATs
- Security practices are at least as much to blame
- NATs probably provide the best cost-to-benefit ratio of any simple security measure
- A NAT box is dirt-cheap and easy to configure
- It also completely breaks the end-to-end model
- There will still be NATs in IPv6
28. Address Sparsity
- Many IPv4 worms and cracking tools do scans of IPv4 address space to find hosts
- IPv6 increases the size of the address space by over 79,000,000,000,000,000,000,000,000,000 times
- Properties of the address structure can pare down the search space somewhat
- Nevertheless, it's true that a brute force search of IPv6 address space will be completely intractable
29. Does This Gain Us Security?
- It does eliminate a primary technique of a great deal of malware (and some legitimate research efforts)
- Lists of hosts to attack will be harvested from system configuration files, e-mail addresses, Web sites, server logs, etc.
- This is exactly how the Morris worm worked back in the late 1980s
30. Does This Gain Us Security?
- How well-known will a host need to be before its address leaks into these lists?
- How much spam do you get?
- There is a bright side to this
- A long list of addresses takes up a lot of space and provides forensic evidence
- You won't have packet-of-death attacks like SQL Slammer any more
- Worms are more likely to report back to their source
31. Things That Stay the Same
- IPv6 doesn't change TCP or UDP at all
- IPv6 doesn't patch vulnerabilities in individual applications or OSes
- IPv6 doesn't force network administrators to do egress filtering
- IPv6 doesn't mandate use of any security features
32. IPv6 doesn't fix everything
- A recent survey of CERT's top 100 vulnerabilities shows only 1 to be specific to IPv4; the rest are accessible via IPv6
- True, the exploits might require different host discovery strategies, but the host vulnerabilities exist for IPv6
- A host vulnerable to the Slammer worm is also vulnerable to an IPv6 packet using the same bug to run arbitrary code on the target machine
- Spyware, stack overflow vulnerabilities, e-mail worms, etc., are NOT fixed with IPv6!
33. There's nothing about IPv6 that's security related
- There's nothing in the packet that adds to IPv6 security relative to IPv4
- IPsec exists and is functionally the same for both IPv4 and IPv6
- IPv6 has no additional QoS features (although some would argue that the unused flow label is such a feature)
- IPv6 offers no performance improvements over IPv4
- IPv6 is about more addresses and some mobility features
34. other than new security threats
35. Houston, we have a problem
- Practical and operational considerations of making, building, and running a network conspire to leverage IPv6's additional richness into additional complexity
- Complexity failure
- KISS: Keep It Simple, Stupid
36.
- "Einstein argued that there must be simplified explanations of nature, because God is not capricious or arbitrary. No such faith comforts the software engineer." Fred Brooks
37. Key differences in today's IPv6 implementations
- Over a decade ago, the industry started putting IPv4 functions in ASICs. Generally, this is not yet the case for IPv6. This translates to slower firewalls, encryption hardware, routers, switches, and end-systems (more later)
- There are lots of layer 3 snooping functions in layer 2 equipment (more later)
- IPv6 implementations mean newer, less tested, more complex code (more later)
- Despite purchasing pressure from the DoD and Asia, IPv6 is still treated as an extra feature, not a core requirement
38. IPv6 support needed where it shouldn't be (layer 2 devices)
- IP is a network layer protocol that sits above a data link layer like Ethernet
- In theory IP and Ethernet are separate, such that Ethernet-only devices like switches need not support IP
- But vendors started adding value to their Ethernet switches that included snooping IP information
- This snooping allowed the switches to better support IP multicast, enforce security policies, enhance management, QoS, etc.
39. IPv6 non-support in layer 2 devices
- Somehow this issue has slipped under the radar for vendors and IPv6-savvy customers
- Increasingly important as strategies for network security evolve
- Single most likely component to prevent migration away from IPv4
- Very difficult to define what "IPv6 compliant" means in this space
- Does not easily map to IETF standards
- Often is the most expensive part of the network to replace
40. IPv6 non-support in layer 2 devices (cont.)
- Evolving practices such as quarantining network devices until they are known to be patched/up to date, preventing IP spoofing, providing edge QoS, correctly forwarding IP multicast, and E911 support for VoIP applications are some of the examples of layer 2 devices snooping layer 3 information to perform critical functions
- Support for IPv6 in this space is not currently a priority for vendors, but technically their layer 2 devices are IPv6 ready now (sans the added features)
41. ASIC Indigestion
- In order to be able to forward packets at line speeds, network vendors use ASICs (Application Specific ICs)
- These chips are simple and very inflexible
- Work best when data bits are in predictable locations
- When there is something in a packet that an ASIC can't handle, it gets sent to the router's CPU
- Which is several orders of magnitude slower
- An IPv6 header is like a game of baseball: you don't know when it's going to end
- Multi-option headers are common in IPv6. Very hard to deal with practically w/ASICs
42. "Supports IPv6"
- Means different things. Let's examine a real issue of IPv6 support in two different vendors' core routers, Cisco and Juniper
- The test scenario: define and apply a filter to IPv6 TCP packets destined for port 139
- Remember that IPv6 has support for option headers that are at different positions in the packet
43. "Supports IPv6" (cont.)
- The access list will cause the Cisco GSR, regardless of line card, to send all IPv6 packets to which the filter applies to the central CPU for processing, rather than forwarding them at high speed (because the ASICs can't handle it)
- The Juniper will forward the filtered packets at line-speed.
- The Juniper is better, right? Perhaps not
44. "Supports IPv6" (cont.)
- The Juniper can filter at line-speed in part because it assumes that the TCP header will be the first header in the IPv6 packet. If it's not, if there is an option header before the TCP header, the Juniper filter will fail to match.
- The Cisco will search through the headers until it finds the TCP header, then make the right forwarding decision.
- Both strategies have their advantages, but they are very different. Both vendors support IPv6 filtering, but in extremely different ways
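
The two filtering strategies from the port-139 test scenario, run side by side as an added example (illustrative Python, not either vendor's code). The packets are constructed in memory; function and constant names are assumptions made for this sketch.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, TCP, ROUTING, FRAGMENT, DEST_OPTS = 0, 6, 43, 44, 60
SKIPPABLE = {HOP_BY_HOP, ROUTING, DEST_OPTS}  # all use the (len + 1) * 8 layout

def fixed_offset_match(pkt: bytes, port: int) -> bool:
    """Match only when TCP directly follows the 40-byte IPv6 header."""
    if len(pkt) < 44 or pkt[6] != TCP:
        return False
    return struct.unpack_from("!H", pkt, 42)[0] == port

def chain_walk_match(pkt: bytes, port: int) -> bool:
    """Follow the Next Header chain until the TCP header is reached."""
    if len(pkt) < 40:
        return False
    nxt, off = pkt[6], 40
    while nxt != TCP:
        if off + 8 > len(pkt):
            return False                      # truncated header chain
        if nxt in SKIPPABLE:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return False                  # later fragment: no TCP header here
            nxt, off = pkt[off], off + 8
        else:
            return False                      # some other upper-layer protocol
    if off + 4 > len(pkt):
        return False
    return struct.unpack_from("!H", pkt, off + 2)[0] == port

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed packet: 40-byte header from :: to ::1, then the payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + bytes(16) + bytes(15) + b"\x01" + payload

def tcp(dport: int) -> bytes:
    """Constructed 20-byte TCP SYN header from source port 40000."""
    return struct.pack("!HHIIHHHH", 40000, dport, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)

# Destination Options header: next = TCP, length field 0 (8 bytes), one PadN option
DEST_OPTS_HDR = bytes([TCP, 0, 1, 4, 0, 0, 0, 0])

PLAIN = ipv6(TCP, tcp(139))
WITH_OPTIONS = ipv6(DEST_OPTS, DEST_OPTS_HDR + tcp(139))
OTHER_PORT = ipv6(DEST_OPTS, DEST_OPTS_HDR + tcp(443))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("with options", WITH_OPTIONS),
                      ("other port", OTHER_PORT)]:
        print(f"{name:13} fixed-offset={fixed_offset_match(pkt, 139)} "
              f"chain-walk={chain_walk_match(pkt, 139)}")
```

The variable-length loop in `chain_walk_match` is the work that does not fit a fixed-position hardware lookup, which is why the walking strategy ends up on the CPU. When evaluating a vendor's "IPv6 filtering" claim, a packet like `WITH_OPTIONS` belongs in the acceptance test.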
45. A state of resources
- Multicast was an afterthought in IPv4; in IPv6 it's a key architectural component
- IPv6 doesn't work unless multicast works
- IPv4 could care less
- Multicast is another word for state
- State kills
- SQL Slammer worm
46. Exposure of MAC Addresses
- Standard IPv6 addresses contain the MAC address in the lower 64 bits of the addresses
- This is information that was usually confined to a single broadcast domain before
- The manufacturer of your NIC is now public knowledge and may associate you with a known vulnerability
- Here's how we start to get the IPs of vulnerable hosts!
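
To check which of your own addresses expose a MAC this way, the modified EUI-64 mapping can be applied in both directions. This is an added example, not from the original slides; the inventory uses constructed addresses in the 2001:db8::/32 documentation prefix and a constructed MAC, and the function names are assumptions.

```python
import ipaddress

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Derive the modified EUI-64 address a host forms from a /64 prefix and its MAC."""
    m = bytes.fromhex(mac.replace(":", ""))
    # Flip the universal/local bit and insert ff:fe between the two MAC halves
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def embedded_mac(addr: str):
    """Return the MAC recoverable from an address, or None if the IID is not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # heuristic: a random IID has ff:fe here only 1 time in 65536
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each MAC-revealing address to (mac, oui); the OUI identifies the NIC vendor."""
    findings = {}
    for a in addresses:
        mac = embedded_mac(a)
        if mac:
            findings[a] = (mac, mac[:8])
    return findings

# Constructed inventory of a site's own addresses
INVENTORY = [
    "2001:db8:0:1:211:22ff:fe33:4455",   # EUI-64 derived
    "fe80::211:22ff:fe33:4455",          # same NIC, link-local
    "2001:db8:0:1:8c5a:1f3e:9b27:64d1",  # randomized interface ID
    "2001:db8:0:1::10",                  # manually assigned
]

if __name__ == "__main__":
    print(slaac_address("2001:db8:0:1::/64", "00:11:22:33:44:55"))
    for addr, (mac, oui) in audit(INVENTORY).items():
        print(f"{addr} exposes MAC {mac} (OUI {oui})")
```

Hosts that show up in the audit carry the same interface ID on every network they join, so the fix is on the host: randomized or manually assigned interface IDs, as in the last two inventory entries.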
47. Competing and Complex Standards
- In some ways, IPv6 suffers from "design by committee" spread across multiple committees
- The IPv6 Address Oracle has to draw from over a dozen different RFCs
- Examples of multiple standards
- DNS: AAAA vs. A6
- Tunnels: at least four different approaches
- Resolver: getipnodebyaddr() vs. getaddrinfo()
- The Second System Effect
- Fred Brooks' description of what happens when a triumph is followed by a second version
- Kitchen Sink effect made possible by unlimited resources
- IPv6 is a classic second system
48. Code Maturity
- Most of the IPv6 code in the world is new and untested in comparison to IPv4
- This code is certain to contain more flaws and vulnerabilities than its IPv4 equivalents
- It's larger and much more complex
- It has not yet stood the test of time, or attacks
- This situation will slowly improve over time
- IPv6 isn't low-hanging fruit yet, so there's little motivation to attack it
49. Code Maturity
- Flaws will be opened in existing applications as they are ported from IPv4 to IPv6
- IPv6 involves many more programming changes than just bigger addresses
- Net increase in lines of code
- New code will be written to deal with (or reinvent) third-party libraries that do not handle IPv6 and cannot be modified
50. Protocol Maturity
- Not only is IPv6 code comparatively immature, but so are its standards
- Example: A6 vs. AAAA DNS records
- A6 was clever, but raised concerns about DoS attacks using infinitely recursive delegated lookups
- Now relegated to experimental status
- Similar concerns have been expressed about protocols for tunneling IPv6 in IPv4 networks
51. Protocol Maturity
- Many features are not fully specified yet
- What do you do with the Priority field?
- What's the exact structure of the Flow Label?
- What's the format of Aggregatable Global Unicast Addresses this year?
- When and how often do I do MTU discovery?
- How do anycast addresses actually work?
52. Router Maturity
- Issues with code and protocol maturity come together in the routers
- A vulnerable host may result in the loss of a single system
- A vulnerable router may result in the loss of a substantial piece of the network
- Catch-22: Router vendors can't spend too much on testing IPv6 stacks until IPv6 gets more popular, and IPv6 has a hard time getting more popular until router vendors spend more time testing their IPv6 stacks
53. The security community
- Completely unprepared/unequipped for IPv6
- Most of the tools they use simply don't support IPv6
- And many of the detection schemes can't
- Impossible to hold even a bit-map of all possible IPv6 addresses in memory (trivial for IPv4), making a lot of attack detection methods really hard
- Router firewall-based mitigation very hard/impossible (that ASIC Indigestion, again)
- Reality is that network-level cybersecurity is flying blind in the IPv6 world and will continue to do so for the foreseeable future
54. Experience
- Today's use of the Internet Protocol is the result of decades of experience and sometimes painful teeth cutting. IPv6 will set us back. Fortunately it will also set the hackers back
- The DoD has a mixed track record for driving the adoption of standards in networking; history would suggest a bit of caution in assuming that DoD procurement incentive will accelerate the broader adoption of a new protocol (remember OSI)
55. Best Practices
- Be prepared to devote considerable resources to development and maintenance of key infrastructure if you plan to use IPsec
- Adopt new features of IPv6 sparingly until their standards processes are finalized
- Allow for the existence of more undiscovered flaws in IPv6 code when assessing risks
- Subject ported applications to the same level of review and testing as new ones
56. The argument for IPv6 is to maintain the flexibility of supporting the end-to-end network model. IMHO, it has nothing to do with security
57. In the near term, a transition to IPv6 will:
- Increase the challenge to provide network security
- Increase the overall complexity of the network and its operations
- Increase downtime and instability of the network
- Require re-training of networking staff
- Require re-writing of applications
- Probably change network design strategy to accommodate limitations in current equipment
58. In the short term, a transition to IPv6 will:
- Increase the hype from equipment and software vendors
- Make it more difficult to evaluate specifications to determine their IPv6 support
- Reduce network security
- Reduce the working life of new equipment purchased
- Increase the risk of spectacular failures
59. Want to make a network less secure? Migrate to IPv6 early
60. Best Practices
- Have clear definitions of "IPv6 ready" and "IPv6 aware" when you compare vendors' products
- Pay close attention to new RFCs as they come out, and changes in the status of old ones
- Design new protocols in such a way that they will continue to operate through a NAT
- Don't write IPv6-only applications; make them dual-stack instead
61. Conclusion
- IPv6 does not make for a completely different world of security
- Expect a low level of incidents initially (obscurity), followed by a much higher level (exploitation), followed by a slow decline to the level we see now with IPv4 (stasis)