IPv6 Information and Security Issues
Abstract
Internet Protocol version 6 (IPv6) was developed to address the growing depletion of IP version 4 (IPv4) addresses. IPv6 also provides a richer feature set and better security than IPv4. However, the adoption of the new protocol in organizations has been slowed down by inherent security issues. The transition from IPv4 to IPv6 is faced with many security challenges as well. These issues threaten the mainstream adoption of the protocol. The paper seeks to explore the security issues of IPv6 and the research community’s response to those challenges.
Introduction
The rapid adoption of the Internet in the global economy has resulted in a rapid exhaustion of IP addresses. Also contributing to this exhaustion is the range of devices that now use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite for communication. These devices include cell phones, home appliances, wireless gadgets, vehicles, and gaming devices. Many developing countries, as well as China, report that the lack of adequate IP addresses is hampering their development. Other concerns with IPv4 are that the way it is configured has led to router table entries growing too large, and that the protocol has limited security. In response to the growing need for more IP addresses, the Internet Engineering Task Force (IETF) established IP version 6 (IPv6) to provide a bigger address space.
Some of the Features of IPv6
IPv6 will definitely solve many of the problems with IPv4. There will be many IP addresses for the growing need of the Internet. IPv6 has come with a rich set of features. Sotillo (2006) identified many benefits with the IPv6 protocol as listed below:
- Larger address space: as mentioned above, IPv4 provides as many as 2^32 addresses. On the other hand, IPv6 provides for as many as 2^128 addresses.
- Hierarchical addressing: in IPv6 there are three major types of addresses: unicast, multicast, and anycast addresses. Unicast addresses are assigned to a single IPv6 node. Multicast addresses are assigned to multiple nodes within a single multicast group. Packets sent to a multicast address must be delivered to all members of the same multicast group. On the other hand, although anycast addresses are also assigned to groups of nodes, they do not need to be delivered to all members of the group; it is sufficient that one node receives the packets.
- Stateless and stateful address configuration: IPv6 allows hosts to acquire IP addresses either in a stateless or autonomous way or through a controlled mechanism such as DHCPv6.
- Quality-of-service: the IPv6 packet header contains fields that facilitate the support for QoS for both differentiated and integrated services.
- Better performance: IPv6 provides for significant improvements such as better handling of packet fragmentation, hierarchical addressing, and provisions for header chaining that reduce routing table size and processing time.
- Built-in security: although IPSec is also available for IPv4 implementations, it is not mandated but optional. Support for IPSec in IPv6 implementations is not an option but a requirement.
- Extensibility: despite the fact that IPv6 addresses are four times larger than IPv4 addresses, the new IPv6 header is just twice the size of the IPv4 header (i.e., two times 20 bytes = 40 bytes).
Security Issues with IPv6
Despite the many benefits of the IPv6 protocol, switching from IPv4 has not been an easy process. Many of the problems are associated with the transition process and cost. However, there are also inherent security vulnerabilities that hamper the adoption of the protocol. SearchSecurity and industry think-tanks have compiled 5 security issues as follows:
- Security practitioners need education/training on IPv6. IPv6 will come to the networks under practitioner control – it’s only a matter of time. As with any new networking technology, it’s essential that network administrators learn the basics of IPv6, especially the addressing scheme and protocols, in order to facilitate incident handling and related activities.
- Security tools need to be upgraded. IPv6 is not backwards compatible. The hardware and software used to route traffic across networks and perform security analyses won’t work with IPv6 traffic unless they are upgraded to versions that support the protocol. This is especially important to remember when it comes to perimeter-protection devices. Routers, firewalls and intrusion-detection systems may require software and/or hardware upgrades in order to “speak” IPv6. Many manufacturers already have these upgrades available. For example, Cisco networking devices support IPv6 as of IOS release 12.0S.
- Existing equipment may require additional configuration. Devices that do not support IPv6 typically treat it as an entirely separate protocol (as they should). Therefore, the access control lists, rule bases and other configuration parameters may need to be re-evaluated and translated to support an IPv6 environment.
- Tunneling protocols create new risks. The networking and security communities have invested time and energy in ensuring that IPv6 is a security-enabled protocol. However, one of the greatest risks inherent in the migration is the use of tunneling protocols to support the transition to IPv6. These protocols allow the encapsulation of IPv6 traffic in an IPv4 data stream for routing through non-compliant devices.
Therefore, it’s possible that users on the network can begin running IPv6 using these tunneling protocols before the organization is ready to officially support it in production. If this is a concern, the security administrator should block IPv6 tunneling protocols (including SIT, ISATAP, 6to4 and others) at the perimeter.
- IPv6 autoconfiguration creates addressing complexity. Autoconfiguration, another interesting IPv6 feature, allows systems to automatically gain a network address without administrator intervention. IPv6 supports two different autoconfiguration techniques. Stateful autoconfiguration uses DHCPv6, a simple upgrade to the current DHCP protocol, and doesn’t reflect much of a difference from a security perspective.
Stateless autoconfiguration allows systems to generate their own IP addresses and checks for address duplication. This decentralized approach may be easier from a system administration perspective, but it raises challenges for those charged with tracking the use (and abuse!) of network resources.
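The tunneling item above recommends blocking SIT, ISATAP and 6to4 at the perimeter; all three carry IPv6 inside IPv4 as IP protocol 41. The following added example (not from the cited sources) shows how a monitor can spot and label such packets from raw IPv4 bytes. The sample packets are constructed, and the 6to4 prefix and ISATAP interface-identifier values are standard values that the page itself does not list.

```python
import ipaddress
import struct

IPV6_IN_IPV4 = 41  # IP protocol number shared by SIT, 6to4 and ISATAP encapsulation
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")           # 6to4 address prefix
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ISATAP interface-ID prefix

def classify_tunnel(packet: bytes):
    """Return None for ordinary IPv4 traffic, else (outer_src, inner_src, kind)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length, options included
    if ihl < 20 or packet[9] != IPV6_IN_IPV4:
        return None
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return (outer_src, None, "protocol 41, inner header unreadable")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in SIX_TO_FOUR:
        kind = "6to4"
    elif inner[16:20] in ISATAP_IIDS:      # first half of the source interface ID
        kind = "ISATAP"
    else:
        kind = "SIT (configured tunnel)"
    return (outer_src, str(inner_src), kind)

def ipv4_packet(proto: int, src: str, payload: bytes) -> bytes:
    # Constructed 20-byte IPv4 header; the checksum is left at 0 and not validated.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address("198.51.100.1").packed) + payload

def ipv6_header(src: str) -> bytes:
    # Constructed 40-byte IPv6 header with no payload (Next Header 59).
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64) + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("2001:db8::2").packed)

SAMPLES = {  # constructed packets using documentation address ranges
    "tcp": ipv4_packet(6, "192.0.2.10", b"\x00" * 20),
    "6to4": ipv4_packet(41, "192.0.2.10", ipv6_header("2002:c000:20a::1")),
    "isatap": ipv4_packet(41, "192.0.2.11", ipv6_header("fe80::5efe:c000:20b")),
    "sit": ipv4_packet(41, "192.0.2.12", ipv6_header("2001:db8::1")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_tunnel(pkt))
```

Any non-None result identifies an internal host (the outer source) already speaking IPv6 through a tunnel, which is the traffic a perimeter rule on protocol 41 would block.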
Other Security Issues
Caicedo (2009) hinted that even as IPv6’s new features will likely generate newer protocol attacks, the older known IPv4-related attacks will morph into new forms. Further, the lack of trained professionals as well as the scarcity of IPv6-related tools for network security analysis and monitoring will lead to slow response times against security attacks, which could exacerbate simple security breaches in massively interconnected IPv6 environments. Caicedo posits that even though IPSec support is mandatory in IPv6, its use is not. Not using IPSec exposes a network to old IP-related attacks as well as attacks related to IPv6-specific features. A working IPSec infrastructure is also difficult to deploy and manage, further reducing IPSec’s use.
According to Caicedo (2009), IPv6 packet structure allows for routing headers, which list the addresses of one or more intermediate nodes that the packets will go through. An attacker can generate specific packets with routing headers to reach hosts that normally would not accept the attacker’s traffic. Further, if an end point accepts these headers and follows their routing instructions, trusted nodes could forward malicious packets or the flow of packets could lead to resource exhaustion at the routers, resulting in a DoS attack.
Unfortunately, Mobile IPv6 requires routing headers. Networks with MIPv6 functionality should therefore incorporate mechanisms to securely handle packets with these headers; otherwise, they should not allow these packets.
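The rule stated above (handle routing headers securely where MIPv6 is in use, otherwise do not allow them) can be expressed as a filter that walks the IPv6 extension-header chain. This is an added example, not code from Caicedo or the other sources. It assumes that MIPv6 uses routing header type 2, a detail the page does not state, and it runs on constructed sample packets.

```python
import ipaddress
import struct

# Extension headers that carry a Next Header byte and may precede a Routing header.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT = 0, 43, 44, 60, 59
CHAINED = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def find_routing_headers(packet: bytes):
    """Walk the extension-header chain; return [(routing_type, segments_left), ...]."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = packet[6], 40, []
    while nxt in CHAINED:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        # Fragment header is fixed at 8 bytes; the others use Hdr Ext Len (8-byte units).
        size = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        if nxt == ROUTING:
            found.append((packet[off + 2], packet[off + 3]))
        nxt, off = packet[off], off + size
    return found

def verdict(packet: bytes, mipv6_enabled: bool) -> str:
    """Drop every routing header unless the network runs MIPv6; then allow only type 2."""
    for rtype, _segments_left in find_routing_headers(packet):
        if not mipv6_enabled or rtype != 2:
            return "drop"
    return "accept"

def ipv6_packet(next_header: int, payload: bytes = b"") -> bytes:
    # Constructed sample packet between documentation addresses (2001:db8::/32).
    src, dst = (ipaddress.IPv6Address(a).packed for a in ("2001:db8::1", "2001:db8::2"))
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def routing_header(rtype: int, next_header: int = NO_NEXT) -> bytes:
    # 8 fixed bytes plus one 16-byte address: Hdr Ext Len = 2, Segments Left = 1.
    hop = ipaddress.IPv6Address("2001:db8::99").packed
    return bytes([next_header, 2, rtype, 1, 0, 0, 0, 0]) + hop

HBH_PAD = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])  # Hop-by-Hop holding one PadN option

SAMPLES = {  # constructed packets
    "plain": ipv6_packet(NO_NEXT),
    "rh0": ipv6_packet(ROUTING, routing_header(0)),
    "rh2": ipv6_packet(ROUTING, routing_header(2)),
    "hbh+rh0": ipv6_packet(HOP_BY_HOP, HBH_PAD + routing_header(0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, find_routing_headers(pkt), verdict(pkt, mipv6_enabled=True))
```

The "hbh+rh0" sample shows why the whole chain must be walked: a filter that only inspects the Next Header field of the fixed header would miss a routing header placed behind another extension header.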
Caicedo also revealed that an attacker can launch a DoS attack on a multicast group by sending messages to the group address telling members to leave. Because IPv6 eliminates broadcast addresses and uses multicast heavily, this kind of attack can seriously impede a node’s operation. Also, as IPv6 has standard multicast addresses for important devices such as the “all routers” and “all DHCP servers” groups, an attacker can modify messages directed to these addresses on a network and receive information that helps identify key systems on which to target attacks.
Security administrators can use IPSec’s security services to reduce packet sniffing—looking at a packet’s content—and port scanning activities. The difficulty in scanning posed by IPv6 addressing also makes it hard for an administrator to identify hosts that are either malicious or possible targets for attackers.
Recommended Practices
It is recommended that security administrators give themselves time to stage and test IPv6 deployments. Organizations should plan their IPv6 environment carefully to reduce security vulnerabilities. More efficient and effective security tools to analyze IPv6 networks’ vulnerabilities and weaknesses are needed to ensure the development of appropriate monitoring capabilities and defense mechanisms. In the areas of scanning and intrusion detection, there are some tools available to monitor and analyze IPv6 packets. Some of these tools include Snort, Nmap, Netcat6, and Wireshark.
Summary
IPv6 presents many issues, ranging from organizational implementation issues to inherent vulnerabilities of the protocol. The major issues highlighted are the costs of equipment and software upgrades. The biggest issue of all is the lack of motivation to push the technology in enterprises due to zero or small return on investment.
References
Caicedo, C. E., Joshi, J. B. D., & Tuladhar, S. R. (2009). IPv6 security challenges. IEEE Computer, 42(2), 36-42. Retrieved April 14, 2010, from http://doi.ieeecomputersociety.org/10.1109/MC.2009.54
Chapple, M. (2005). Get ready for IPv6: five security issues to consider. Retrieved April 14, 2010, from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1101218,00.html
Sabir, M. R., Fahiem, M. A., & Mian, M. S. (2009). An overview of IPv4 to IPv6 transition and security issues. IEEE Communications and Mobile Computing, 2009. CMC ’09. WRI International. 3, 636-639. Retrieved April 14, 2010, from http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=4797330
Sotillo, S. (2006). IPv6 security issues. Retrieved April 14, 2010, from http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf
Savola, P. (2006). MTU and fragmentation issues with in-the-network tunneling. Retrieved April 14, 2010, from http://www.rfc-editor.org/rfc/rfc4459.txt