IPv6 and Security

About This Presentation

Title:

IPv6 and Security

Description:

NATs do provide a layer of security, and they do completely break the end-to-end ... There will be IPv6 NATs (soon to be a major motion picture starring Daniel ... – PowerPoint PPT presentation

Number of Views:46

Avg rating:3.0/5.0

Slides: 62

Provided by: markm199

Category:

more less

Transcript and Presenter's Notes

Title: IPv6 and Security

1
IPv6 and Security
Gregory Travis Center for Applied Cybersecurity
Research (CACR) Advanced Network Management
Laboratory greg_at_iu.edu
2
A Bold Statement

our soldiers need better information in order
to make better decisionswho to help and who to
kill. The lack of security and flexibility in the
current IPv4 protocol is a drag on our wing. This
isn't about do you trust the Internet for your
kid's homework, it's do you trust your kid's
life. If we fail, people die.
Defense Department Will Require IPv6
Compliance, Says DoD's John Osterholz. From
Market Wire, June 26, 2003.

3
tempered by age

Good judgment comes from experience and
experience comes from bad judgment. Fred Brooks

4
Why IPv6?
5
In the beginning

The Internet was infinitesimally small, and no
one could comprehend its role in the future of
society
Networks, as they grew, were built and run by
benevolent lords
The security concern of the time was simply a
nuclear war

6
In the beginning

Security was the concern of the government
Cryptography was within the realm of dark
projects
Secure communications were defined by the NSA

7
The IETF said let there be Autonomous Systems
and routing protocols

and the Internet grew and grew
The NSF said let there be commercialization
and the Internet grew and grew and grew
Cisco said let there be e-commerce
and Cisco grew and grew

8
In 1993 the IETF said the sky is falling

Current state-of-the-art routers couldnt hold
the entire routing table
It was projected that class-B addresses, and
eventually all addresses, would be exhausted
Creative IETF members said we can fix things,
but each had his own plan

9
If youre giving away ice-cream, make sure the
scoops are small

The IETF said let there be CIDR
and classless interdomain routing became the
efficient way to dole out IP addresses
Others in the IETF said CIDR is nice, but were
still going to run out of ice-cream
wouldnt it be nice to have an astronomical
amount of ice-cream, they wondered
Two years later, the IETF invented the equivalent
of an astronomical amount of ice-cream IPv6

10
What is IPv6?
11
Timeline

1993, the sky started to fall
1996 first alpha implementations of IPv6 (on
Linux)
1997 first commercial implementation of IPv6
(IBM)
2009 Less than 1 of Internet hosts actually
using IPv6 (Google)
What happened to the falling sky?

12
Key differences in IPv6 itself

The addresses are longer (128bits vs. 32)
no need to use NATs to increase usable IP space
possible to preserve end-to-end model
more flexible support of IP option headers
use of multicast rather than broadcast in the
LAN
no need for IP fragmentation in network devices
could lead to explosion in routing table size
addresses take more special memory in routing
equipment (e.g., TCAMS)
more flexible support of IP option headers
harder to optimize for low bandwidth connections
and resource limited devices (e.g., sensors,
PDAs, cell phones)

13
What else?

Uniform header (40 bytes) vs. variable length
header of IPv4 (more on this later)
No fragmentation
End to end MTU discovery
No such thing as a static IP
Pervasive multicast
The QoS (Quality of Service) Zombie
IPSEC required

14
More Addresses is a Big Deal

If the Internet is to preserve its end-to-end
model, then eventually IPv6 will be needed
Even now, there is tangible evidence of a need
for more addresses
COMCAST uses IPv6 to manage its network
infrastructure because using the 10.0.0.0/8
network (16 million IPs) wasnt big enough
However, increasingly security practices are
leaning towards breaking the end-to-end model in
favor of better security mechanisms
NATs do provide a layer of security, and they do
completely break the end-to-end model
There will be IPv6 NATs (soon to be a major
motion picture starring Daniel Day Lewis)

15
And IPv6 does have an astronomical number of
addresses

This does allow for the flexibility to build
network topologies which support attribution at
the network layer.
But you can make quite a mess with an
astronomical amount of ice-cream.

16
Some example IPv6 Address Block Assignments

US DoD /13 (largest allocation so far)
4.2E34 addresses. If each address was a dollar
coin and they were stacked on top of each other,
the stack would be 88 billion times the diameter
of the Milky Way
Put another way 4.3 1034 8600 addresses for
every bacterium on earth
Italian Telecom /20
Assumptions
268 million customers (whats Italys
population?)
Each customer gets a /48 has 65k local area
networks

17
Thats some conspicuous consumption

Enough addresses that every cell in the body of
every human alive could have its own allocation
of IP addresses 200,000 times larger than the
entire IPv4 space.
You wouldnt believe it, but some are now
beginning to worry about IPv6 address exhaustion
as a result
Ice Cream Scoops got big, again

18
Whos running IPv6 now

A few ISPs in the US offer IPv6 (Qwest is one)
There are numerous test beds in Japan
The US RE network infrastructure (I.e.
Internet2), and its counterparts in Europe and
the Pacific rim have a large, high-speed, dual
stack inter-network of native IPv6

19
Now, what is this added security that the
gentleman mentioned?

(not much)

20
Around the same time they were solving the
ice-cream problem, the IETF also was dealing with
security

SSL was standardized - now TCP connections could
be encrypted without the user messing around with
keys or passphrases
Standards were emerging for securing the network
at the IP layer (would later be called IPSEC)

21
IPsec Support

The major difference is that an IPv6 device must
support IPsec
IPsec is available for both IPv4 and IPv6 but is
not a requirement for IPv4
Configuration and use is functionally identical
between IPv4 and IPv6
This still leaves the question of when to
actually use IPsec

22
The difference between may and must

The IPv6 IETF standard (RFC) specifies that a
full implementation of IPv6 MUST support certain
components of IPSEC
IPv4, which was defined before IPSEC, MAY support
IPSEC
In reality, some IPv6 stacks dont support IPSEC
and many IPv4 stacks do.
There are no additional security features if
IPv6! In fact, IPv4 does have additional
required security features (but theyre not used)

23
Is it even necessary?
24
IPsec Support

IPsec is difficult to install and configure on
most platforms
This is especially true with the retirement of
the FreeS/WAN project
Biggest problem is key distribution
Requires infrastructure support (e.g., special
DNS RRs) and dedicated professional staff
If you get this part wrong, you gain complexity
without any additional security

25
IPsec Adoption

IPsec has been around since 1995, but still sees
limited use outside of L2TP-based VPNs
Why?
Much more ubiquitous support for SSL
IPsec and NAT dont mix well at all

26
SSL vs. IPsec

IPsec is better than SSL because it provides much
better protection for packet headers
Provides confidientiality, accountability, and
authentication
No more spoofed headers, etc.
SSL is better than IPsec because you have it
right now and it works pretty well for just about
everything you want to do

27
Wont NATs Go Away?

Part of the purpose of IPv6 is to restore the
end-to-end model by providing more addresses
But address depletion is not the only motivating
force behind NATs
Security practices are at least as much to blame
NATs probably provide the best cost-to-benefit
ratio of any simple security measure
A NAT box is dirt-cheap and easy to configure
It also completely breaks the end-to-end model
There will still be NATs in IPv6

28
Address Sparsity

Many IPv4 worms and cracking tools do scans of
IPv4 address space to find hosts
IPv6 increases the size of the address space by
over 79,000,000,000,000,000,000,000,000,000 times
Properties of the address structure can pare down
the search space somewhat
Nevertheless, its true that a brute force search
of IPv6 address space will be completely
intractable

29
Does This Gain Us Security?

It does eliminate a primary technique of a great
deal of malware (and some legitimate research
efforts)
Lists of hosts to attack will be harvested from
system configuration files, e-mail addresses, Web
sites, server logs, etc.
This is exactly how the Morris worm worked back
in the late 1980s

30
Does This Gain Us Security?

How well-known will a host need to be before its
address leaks into this lists?
How much spam do you get?
There is a bright side to this
A long list of addresses takes up a lot of space
and provides forensic evidence
You wont have packet-of-death attacks like SQL
Slammer any more
Worms are more likely to report back to their
source

31
Things That Stay the Same

IPv6 doesnt change TCP or UDP at all
IPv6 doesnt patch vulnerabilities in individual
applications or OSes
IPv6 doesnt force network administrators to do
egress filtering
IPv6 doesnt mandate use of any security features

32
IPv6 doesnt fix everything

A recent survey of CERTs top 100 vulnerabilities
shows only 1 to be specific to IPv4, the rest are
accessible via IPv6
True the exploits might requiring different host
discovery strategies, but the host
vulnerabilities exist for IPv6
A host vulnerable to the slammer worm, is also
vulnerable to an IPv6 packet using the same bug
to run arbitrary code on the target machine
Spyware, stack over flow vulnerabilities, e-mail
worms, etc., are NOT fixed with IPv6!

33
Theres nothing about IPv6 thats security related

Theres nothing in the packet that adds to IPv6
security relative to IPv4
IPsec exists and is functionally the same for
both IPv4 and IPv6
IPv6 has no additional QoS features (although
some would argue the that the unused flow label
is such a feature)
IPv6 offers no performance improvements over IPv4
IPv6 is about more addresses and some mobility
features

34
other than new security threats
35
Houston, we have a problem

Practical and operational considerations of
making, building, and running a network conspire
to leverage IPv6s additional richness into
additional complexity
Complexity failure
KISS Keep It Simple, Stupid

Einstein argued that there must be simplified
explanations of nature, because God is not
capricious or arbitrary. No such faith comforts
the software engineer. Fred Brooks

37
Key differences in todays IPv6 implementations

Over a decade ago, the industry starting putting
IPv4 functions in ASICs, generally, this is not
yet the case for IPv6. This translates to slower
firewalls, encryption hardware, routers,
switches, and end-systems (more later)
There are lots of layer 3 snooping functions in
layer 2 equipment (more later)
IPv6 implementations mean newer, less tested,
more complex code (more later)
Despite purchasing pressure from the DoD and
Asia, IPv6 still treated as an extra feature, not
a core requirement

38
IPv6 support needed where it shouldnt be (layer
2 devices)

IP is a network layer protocol that sits above a
data link layer like Ethernet
In theory IP and Ethernet are separate, such that
Ethernet-only devices like switches need not
support IP
But vendors starting adding value to their
Ethernet switches that included snooping IP
information
This snooping allowed the switches to better
support IP multicast, enforce security policies,
enhance management, QoS, etc.

39
IPv6 non-support in layer 2 devices

Somehow this issue has slipped under the radar
for vendors and IPv6-savvy customers
Increasingly important as strategies for network
security evolve
Single mostly likely component to prevent
migration away from IPv4
Very difficult to define what IPv6 compliant
means in this space
Does not easily map to IETF standards
Often is the most expensive part of the network
to replace

40
IPv6 non support in layer 2 devices (cont.)

Practices evolving to quarantine network devices
until they are known to be patched/up to date,
preventing IP spoofing, providing edge QoS,
correctly forwarding IP multicast, and E911
support for VoIP applications are some of the
examples of layer 2 devices snooping layer 3
information to perform critical functions
Support for IPv6 in this space is not currently a
priority for vendors but technically their layer
2 devices are IPv6 ready now (sans the added
features)

41
ASIC Indigestion

In order to be able to forward packets at line
speeds, network vendors use ASICs (Application
Specific ICs)
These chips are simple and very inflexible
Work best when data bits are in predictable
locations
When there is something in a packet that an ASIC
cant handle, it gets sent to the routers CPU
Which is several orders of magnitude slower
An IPv6 header is like a game of baseball you
dont know when its going to end
Multi-option headers are common in IPv6. Very
hard to deal with practically w/ASICs

42
Supports IPv6

Means different things. Lets examine a real
issue of IPv6 support in two different vendors
core routers, Cisco and Juniper
The test scenario define and apply a filter to
IPv6 TCP packets destine for port 139
Remember that IPv6 has support for option headers
that are at different positions in the packet

43
Supports IPv6 (cont.)

The access list will cause the Cisco GSR,
regardless of line card to send all IPv6 packets
to which the filter applies to be processed by
the central CPU, rather than being forwarded at
high speed (because the ASICs cant handle it)
The Juniper will forward the filtered packets at
line-speed.
The Juniper is better, right? Perhaps not

44
Supports IPv6 (cont.)

The Juniper can filter at line-speed in part
because it assumes that the TCP header will be
the first header in the IPv6 packet. If its
not, if there is an option header before the TCP
header, the Juniper filter will fail to match.
The Cisco will search through the headers until
it finds the TCP header, then make the right
forwarding decision.
Both strategies have their advantage, but they
are both very different. Both vendors support
IPv6 filtering, but in extremely different ways

45
A state of resources

Multicast was an afterthought in IPv4, in IPv6
its a key architectural component
IPv6 doesnt work unless multicast works
IPv4 could care less
Multicast is another word for state
State kills
SQL Slammer worm

46
Exposure of MAC Addresses

Standard IPv6 addresses contain the MAC address
in the lower 64 bits of the addresses
This is information that was usually confined to
a single broadcast domain before
The manufacturer of your NIC is now public
knowledge and may associate you with a known
vulnerability
Heres how we start to get the IPs of vulnerable
hosts!

47
Competing and Complex Standards

In some ways, IPv6 suffers from design by
committee spread across multiple committees
The IPv6 Address Oracle has to draw from over a
dozen different RFCs
Examples of multiple standards
DNS AAAA vs. A6
Tunnels At least four different approaches
Resolver getipnodebyaddr() vs. getaddrinfo()
The Second System Effect
Fred Brooks description of what happens when a
triumph is followed by a second version
Kitchen Sink effect made possible by unlimited
resources
IPv6 is a classic second system

48
Code Maturity

Most of the IPv6 code in the world is new and
untested in comparison to IPv4
This code is certain to contain more flaws and
vulnerabilities than its IPv4 equivalents
Its larger and much more complex
It has not yet stood the test of timeor attacks
This situation will slowly improve over time
IPv6 isnt low-hanging fruit yet, so theres
little motivation to attack it

49
Code Maturity

Flaws will be opened in existing applications as
they are ported from IPv4 to IPv6
IPv6 involves many more programming changes than
just bigger addresses
Net increase in lines of line
New code will be written to deal with (or
reinvent) third-party libraries that do not
handle IPv6 and cannot be modified

50
Protocol Maturity

Not only is IPv6 code comparatively immature, but
so are its standards
Example A6 vs. AAAA DNS records
A6 was clever, but raised concerns about DoS
attacks using infinitely recursive delegated
lookups
Now relegated to experimental status
Similar concerns have been expressed about
protocols for tunneling IPv6 in IPv4 networks

51
Protocol Maturity

Many features are not fully specified yet
What do you do with the Priority field?
Whats the exact structure of the Flow Label?
Whats the format of Aggregatable Global Unicast
Addresses this year?
When and how often do I do MTU discovery?
How do anycast addresses actually work?

52
Router Maturity

Issues with code and protocol maturity come
together in the routers
A vulnerable host may result in the loss of a
single system
A vulnerable router may result in the loss of a
substantial piece of the network
Catch-22 Router vendors cant spend too much on
testing IPv6 stacks until IPv6 gets more popular,
and IPv6 has a hard time getting more popular
until router vendors spend more time testing
their IPv6 stacks

53
The security community

Completely unprepared/unequipped for IPv6
Most of the tools they use simply dont support
IPv6
And many of the detection schemes cant
Impossible to hold even a bit-map of all possible
IPv6 addresses in memory (trivial for IPv4),
making a lot of attack detection methods really
hard
Router firewall-based mitigation very
hard/impossible (that ASIC Indigestion, again)
Reality is that network-level cybersecurity is
flying blind in the IPv6 world and will
continue to do so for the foreseeable future

54
Experience

Todays use of the Internet Protocol is the
result of decades of experience and sometimes
painful teeth cutting. IPv6 will set us back.
Fortunately it will also set the hackers back
The DoD has a mixed track record for driving the
adoption of standards in networking, history
would suggest a bit of caution in assuming that
DoD procurement incentive will accelerate the
broader adoption of a new protocol (remember OSI)

55
Best Practices

Be prepared to devote considerable resources to
development and maintenance of key infrastructure
if you plan to use IPsec
Adopt new features of IPv6 sparingly until their
standards processes are finalized
Allow for the existence of more undiscovered
flaws in IPv6 code when assessing risks
Subject ported applications to the same level of
review and testing as new ones

56
The argument for IPv6 is to maintain the
flexibility of supporting the end-to-end network
model. IMHO, it has nothing to do with security
57
In the near term, a transition to IPv6 will

Increase the challenge to provide network
security
Increase the overall complexity of the network
and its operations
Increase downtime and instability of the network
Require re-training of networking staff
Require re-writing of applications
Probably change network design strategy to
accommodate limitations in current equipment

58
In the short term, a transition to IPv6 will

Increase the hype from equipment and software
vendors
Make it more difficult to evaluate specifications
to determine their IPv6 support
Reduce network security
Reduce the working life of new equipment
purchased
Increase the risk of spectacular failures

59
Want to make a network less secure, migrate to
IPv6 early
60
Best Practices

Have clear definitions of IPv6 ready and IPv6
aware when you compare vendors products
Pay close attention to new RFCs as they come
outand changes in the status of old ones
Design new protocols in such a way that they will
continue to operate through a NAT
Dont write IPv6-only applications make them
dual-stack instead

61
Conclusion

IPv6 does not make for a completely different
world of security
Expect a low level of incidents initially
(obscurity), followed by a much higher level
(exploitation), followed by a slow decline to the
level we see now with IPv4 (stasis)

Write a Comment

User Comments (0)