13-11-2012, 05:37 PM
IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation (v1.0)
IPv6 and IPv4.pdf (Size: 855.79 KB / Downloads: 44)
Introduction
IPv6 [1] security is in many ways the same as IPv4 [2] security. The basic mechanisms for transporting
packets across the network stay mostly unchanged, and the upper-layer protocols that transport the actual
application data are mostly unaffected. However, because IPv6 mandates the inclusion of IP Security
(IPsec) [3], it has often been stated that IPv6 is more secure than IPv4. Although this may be true in an
ideal environment with well-coded applications, a robust identity infrastructure, and efficient key
management, in reality the same problems that plague IPv4 IPsec deployment will affect IPv6 IPsec
deployment. Therefore, IPv6 is usually deployed without cryptographic protections of any kind.
Additionally, because most security breaches occur at the application level, even the successful
deployment of IPsec with IPv6 does not guarantee any additional security for those attacks beyond the
valuable ability to determine the source of the attack.
Some significant differences, however, exist between IPv4 and IPv6 beyond the mandate of IPsec. These
differences change the types of attacks IPv6 networks are likely to see. It is also unlikely that the average
organization will migrate completely to IPv6 in a short timeframe; rather it will likely maintain IPv4
connectivity throughout the multiyear migration to IPv6. To date, however, there has not been a thorough
treatment of the threats such networks will face and the design modifications needed to address these
threats.
This paper outlines many of the common known threats against IPv4 and then compares and contrasts
how these threats, or similar ones, might affect an IPv6 network. Some new threats specific to IPv6 are
also considered. The current capabilities of available products are evaluated, as is how any inherent
protocol characteristics of IPv6 affect the nature of the threat. This is prefaced by a brief overview of
current best practices around the design of an IPv4 Internet edge network and then followed by a review
of how that IPv4 edge network needs to evolve in order to secure the addition of IPv6.
Caveats
IPv6 security is a large and complex subject. It is also one that has seen little examination, except by the
group who designed the protocol themselves. Therefore, some topics are not addressed in this document.
For example, this document does not address Mobile IP Version 6 (MIPv6) [6], which is still in the draft
stage in the IETF. Some of the implications regarding the support of the routing header (a key element in
MIPv6) are discussed, but only as the routing header impacts a static IPv6 network.
Additionally, this document focuses on the security requirements of medium to large edge networks on
the Internet. These networks typically house some element of public services (Domain Name System
[DNS], HTTP, Simple Mail Transfer Protocol [SMTP]) and a filtering router or firewall protecting their
internal resources. The document does not address the implications of the threats to service providers (or
other core network entities).
Finally, because of the ubiquity of their deployment, Cisco routers are the principal network entity tested
in this research. The threats and mitigation techniques described in this document should apply to a
network built with any vendor’s equipment, however, and the configurations provided should be easily
modified as necessary.
Threat Analysis
This section evaluates and compares threats in IPv4 and in IPv6. It is divided into two main sections, the
first of which outlines attacks that significantly change as a result of IPv6, and the second summarizes
attacks that do not fundamentally change.
Attacks with New Considerations in IPv6
The following nine attacks have substantial differences when moved to an IPv6 world. In some cases the
attacks are easier, in some cases more difficult, and in others only the method changes.
• Reconnaissance
• Unauthorized access
• Header manipulation and fragmentation
• Layer 3 and Layer 4 spoofing
• Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) attacks
• Broadcast amplification attacks (smurf)
• Routing attacks
• Viruses and worms
• Transition, translation, and tunneling mechanisms
Reconnaissance
The first category of attack is reconnaissance, which also is generally the first attack executed by an
adversary. In this attack the adversary attempts to learn as much as possible about the victim network.
This includes both active network methods such as scanning as well as more passive data mining such as
through search engines or public documents. The active network methods have the goal of giving the
adversary specific information about the hosts and network devices used in the victim network, their
interconnections with one another, and any avenues of attack that can be theorized based on the
evaluation of this data.
IPv4 Considerations
In IPv4 the adversary has several well-established methods of collecting this information:
• Ping sweeps—By determining the IPv4 addresses in use at an organization (through active probes,
whois lookups, and educated guesses), an adversary can systematically sweep a network with ICMP
or Layer 4 "ping" messages that solicit a reply, assuming both query and response are not filtered at
the network border. Following this scan, the adversary uses the data to formulate some hypothesis
regarding the layout of the victim network. Tools such as traceroute and firewalk can provide further
data to aid the adversary.
• Port scans—After identifying reachable systems, the adversary can systematically probe these
systems on any number of Layer 4 ports to find services both active and reachable. By discovering
hosts with active services, the adversary can then move to the next phase.
IPv6 Considerations
This section outlines the differences in the reconnaissance attack when moved to IPv6. Because port and
application vulnerability scans are identical after a valid address is identified, this section focuses on
identifying valid addresses. The first subsection highlights technology differences independent of
currently available technology, and the latter outlines current capabilities in this area for the adversary and
the defender.
Technology and Threat Differences
With regard to technology, IPv6 reconnaissance is different from IPv4 reconnaissance in two major ways.
The first is that the ping sweep or port scan, when used to enumerate the hosts on a subnet, are much
more difficult to complete in an IPv6 network. The second is that new multicast addresses in IPv6 enable
an adversary to find a certain set of key systems (routers, Network Time Protocol [NTP] servers, and so
on) more easily. Beyond these two differences, reconnaissance techniques in IPv6 are the same as in
IPv4. Additionally, IPv6 networks are even more dependent on ICMPv6 to function properly. Aggressive
filtering of ICMPv6 can have negative effects on network functions. ICMPv6 filtering alternatives are
reviewed in section 3.1.2.
IPv6 Subnet Size Differences
The default subnet size of an IPv6 subnet is 64 bits, or 2^64 addresses, versus the most common subnet size in IPv4 of
8 bits, or 2^8 addresses. This increases the scan size to check each host on a subnet by 2^64 - 2^8 (approximately 18
quintillion). Additionally, the 64-bit address is derived based on the EUI-64 version of a host MAC
address, or in the case of IPv6 privacy extensions [8] (which are enabled by default in Windows XP and
available on numerous other platforms), the number is pseudorandom and changes regularly. So a
network that ordinarily required only the sending of 256 probes now requires sending more than 18
quintillion probes to cover an entire subnet. Even if we assume that sound network design principles are
discounted and that the same 64-bit subnet now contains 10,000 hosts, that still means only one in every
1.8 quadrillion addresses is actually occupied (assuming a uniform random distribution). And even at a
scan rate of 1 million probes per second (more than 400 Mbps of traffic), it would take more than 28
years of constant scanning to find the first active host, assuming the first success occurs after iterating
through 50 percent of the first 1.8 quadrillion addresses. If we assume a more typical subnet with 100
active hosts, that number jumps to more than 28 centuries of constant 1-million-packet-per-second
scanning to find that first host on that first subnet of the victim network.
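The following is an added example, not code from the paper: it reproduces the paper's sweep-effort model (uniform host placement, first hit after covering half the addresses per active host) for arbitrary prefix lengths, host counts and probe rates, and derives the modified EUI-64 interface identifier the paper refers to. The MAC address used is constructed for illustration.

```python
# Added example: sweep-effort estimate and EUI-64 derivation for the paper's
# IPv6 subnet-size discussion. Useful for defenders sizing how much the /64
# address space and privacy extensions actually buy against host enumeration.
from typing import Dict

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def address_space(prefix_len: int, total_bits: int = 128) -> int:
    """Number of host addresses in a subnet (IPv6 by default, IPv4 if total_bits=32)."""
    return 2 ** (total_bits - prefix_len)


def expected_seconds_to_first_hit(space: int, active_hosts: int, probes_per_sec: float) -> float:
    """Paper's model: hosts are uniformly random in the subnet, so on average
    one in (space / active_hosts) addresses is live and the first hit comes
    after sweeping half of those addresses."""
    if active_hosts <= 0:
        return float("inf")
    addresses_per_host = space / active_hosts
    return (addresses_per_host / 2) / probes_per_sec


def sweep_estimate(prefix_len: int, active_hosts: int, probes_per_sec: float,
                   total_bits: int = 128) -> Dict[str, float]:
    """Summarise full-sweep cost and expected time to the first live host."""
    space = address_space(prefix_len, total_bits)
    secs = expected_seconds_to_first_hit(space, active_hosts, probes_per_sec)
    return {"probes_for_full_sweep": space, "seconds": secs,
            "years": secs / SECONDS_PER_YEAR}


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle.
    Note for defenders: the fixed ff:fe and the vendor OUI mean such identifiers
    carry far less than 64 bits of entropy, which is why the paper's uniform-random
    assumption only holds with privacy extensions enabled."""
    octets = [int(b, 16) for b in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    iid = octets[:3] + [0xFF, 0xFE] + octets[3:]
    words = [(iid[i] << 8) | iid[i + 1] for i in range(0, 8, 2)]
    return ":".join(f"{w:04x}" for w in words)


if __name__ == "__main__":
    print(sweep_estimate(24, 256, 1e6, total_bits=32))   # IPv4 /24: 256 probes
    print(sweep_estimate(64, 10_000, 1e6))               # paper: > 28 years
    print(sweep_estimate(64, 100, 1e6))                  # paper: > 28 centuries
    print(eui64_interface_id("00:0c:29:ab:cd:ef"))       # constructed MAC
```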