With IPv4 address exhaustion drawing closer, some security techniques used by Internet Service Providers (ISPs) and other security organizations will be affected. Indeed, ISPs rely on the fact that part of the IPv4 address space is not allocated in order to prevent and detect attacks with two techniques described in this article. This non-allocated IPv4 address space is called the Dark Net (see also http://www.team-cymru.org/Services/darknets.html). As the whole IPv4 address space is expected to be allocated by March or April 2011, the efficiency of those techniques will be reduced.

Bogon filters

The first impact will be on the so-called bogon-address filters applied to IPv4 packet source addresses in order to drop obviously spoofed addresses. Bogon addresses fall into two main classes:
- martians which are the private addresses as defined by RFC 1918;
- IPv4 /8 prefixes not yet allocated by the Internet Assigned Numbers Authority (IANA) to a Regional Internet Registry (RIR) such as ARIN (for US & Canada), RIPE (for Europe & Middle-East), ...
An oversimplified bogon filter, written at the time of this blog entry (5th of January 2011, when 7 IPv4 /8 blocks were still available at the IANA), could look like this:
deny 10.0.0.0 /8
deny 18.104.22.168 /8
deny 22.214.171.124 /8
deny 126.96.36.199 /8
deny 188.8.131.52 /8
deny 184.108.40.206 /8
deny 220.127.116.11 /8
deny 18.104.22.168 /8
Please see http://www.team-cymru.org/Services/Bogons/ for a more detailed explanation of bogon filters. Those remaining 7 blocks are expected to be allocated by March or April 2011. The bogon address filter will then collapse to a single line:
deny 10.0.0.0 /8
This means that miscreants will have a huge choice of random source addresses and can be confident that their spoofed packets will not be dropped by the trivial bogon address filter above. Of course, more sophisticated anti-spoofing techniques such as the unicast Reverse Path Forwarding check (uRPF, which leverages the full Internet routing table to check the validity of a source address) will continue to work as before. uRPF is also very easy to deploy, especially in its simplest configuration (strict mode):
interface Blabla
 ipv6 address 2001:db8:f00d::/64 eui-64
 ipv6 verify unicast source reachable-via rx accept-default
 ipv6 enable
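To make the shrinking of the bogon filter concrete, here is an added example (not code from the original post) that builds the deny list from the martians plus a set of unallocated /8 blocks, tests a source address against it, and computes the probability that a uniformly random spoofed source address is dropped. The seven /8 prefixes in UNALLOCATED_2011 are placeholders standing in for the IANA list of the time, not the post's own values; substitute the current list when reusing this.

```python
from ipaddress import IPv4Network, collapse_addresses, ip_address, ip_network

# RFC 1918 "martians": the part of the bogon list that never goes away.
MARTIANS = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder prefixes standing in for the seven /8 blocks still held by IANA
# in January 2011 (constructed for this example; not the post's list).
UNALLOCATED_2011 = [ip_network(f"{n}.0.0.0/8") for n in range(1, 8)]


def build_bogon_filter(unallocated):
    """Return the deny list: martians plus whatever IANA has not yet handed out."""
    return MARTIANS + list(unallocated)


def is_bogon(src, deny_list):
    """True if a packet with this source address would be dropped by the filter."""
    addr = ip_address(src)
    return any(addr in net for net in deny_list)


def covered_addresses(deny_list):
    """Number of distinct IPv4 addresses the filter rejects (overlaps collapsed)."""
    return sum(net.num_addresses for net in collapse_addresses(deny_list))


def spoof_block_probability(deny_list):
    """Probability that a uniformly random spoofed source address is dropped."""
    return covered_addresses(deny_list) / IPv4Network("0.0.0.0/0").num_addresses


def render_acl(deny_list):
    """Render the deny list in the same 'deny <net> /<len>' style as the post."""
    return "\n".join(f"deny {net.network_address} /{net.prefixlen}" for net in deny_list)


if __name__ == "__main__":
    before = build_bogon_filter(UNALLOCATED_2011)   # filter while /8s remain unallocated
    after = build_bogon_filter([])                   # filter once IANA has nothing left
    print(render_acl(before))
    print(f"before exhaustion: {spoof_block_probability(before):.2%} of random sources dropped")
    print(f"after exhaustion:  {spoof_block_probability(after):.2%} of random sources dropped")
```

With seven /8s still unallocated the trivial filter catches roughly 3% of random spoofed sources; once only the RFC 1918 martians remain it catches about 0.4%, which is the "huge choice" the post refers to. A uRPF check does not depend on this list and is unaffected.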
Sinkhole

Another security technique used by ISPs is called a sinkhole. It consists of injecting into their network some specific routes that send all traffic destined to non-routed addresses to security devices located in their network: in short, all traffic destined to the dark net is received by those security devices. A sinkhole is used to detect:
- Honey pot: active worms which try to infect a random IPv4 address; this can be combined with a honey pot, a dedicated machine pretending to be a victim and used to monitor the attack in order to build a signature detecting the malware;
- Back-scatter: ICMP messages (generated when spoofed packets are dropped by uRPF) are also routed to those devices, which can then gather statistics on the attack at a single point rather than on every router doing the anti-spoofing.
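The two detection uses listed above can be implemented as a small classifier over the flows a sinkhole receives. The following is an added example, not code from the original post: it takes constructed flow records (protocol, source, destination, TCP flags or ICMP type), labels each flow as a probe into the dark net or as back-scatter, and aggregates per source so that a host touching many dark-net addresses is reported as a scanner and a host emitting ICMP unreachables is reported as a back-scatter origin. It generalizes the post's back-scatter case slightly by also treating unsolicited TCP SYN-ACKs arriving in the dark net as back-scatter; the DARKNET prefixes and sample flows are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Unannounced blocks this ISP routes to its sinkhole (constructed; in practice
# an operator uses its own unassigned /24s, as the post describes).
DARKNET = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed flow records as the sinkhole would see them:
# (protocol, source, destination, detail) where detail is TCP flags or ICMP type.
SAMPLE_FLOWS = [
    ("tcp", "192.0.2.10", "203.0.113.5", "S"),     # one host probing many dark addresses
    ("tcp", "192.0.2.10", "203.0.113.77", "S"),
    ("tcp", "192.0.2.10", "198.51.100.9", "S"),
    ("tcp", "192.0.2.10", "203.0.113.200", "S"),
    ("tcp", "192.0.2.44", "203.0.113.8", "S"),     # a single stray SYN, below threshold
    ("icmp", "192.0.2.99", "203.0.113.17", 3),     # destination unreachable: back-scatter
    ("icmp", "192.0.2.99", "203.0.113.18", 3),
    ("tcp", "192.0.2.99", "198.51.100.2", "SA"),   # SYN-ACK to an address nobody uses
]


def in_darknet(addr):
    """True if the address lies in one of the sinkholed (dark net) prefixes."""
    a = ip_address(addr)
    return any(a in net for net in DARKNET)


def classify_flow(proto, src, dst, detail):
    """Label one sinkhole flow: 'probe' (worm/scan candidate), 'backscatter' or 'other'."""
    if not in_darknet(dst):
        return "other"  # should not happen if the sinkhole routes are correct
    if proto == "icmp" and detail in (3, 11):  # unreachable / time exceeded
        return "backscatter"
    if proto == "tcp" and detail == "SA":      # reply to a SYN the dark net never sent
        return "backscatter"
    if proto == "udp" or (proto == "tcp" and detail == "S"):
        return "probe"
    return "other"


def summarize(flows, scan_threshold=3):
    """Aggregate per source: sources probing at least scan_threshold distinct
    dark-net addresses are reported as scanners; back-scatter is counted per
    emitting host (the host or router that answered a spoofed packet)."""
    probe_targets = defaultdict(set)
    backscatter = defaultdict(int)
    for proto, src, dst, detail in flows:
        kind = classify_flow(proto, src, dst, detail)
        if kind == "probe":
            probe_targets[src].add(dst)
        elif kind == "backscatter":
            backscatter[src] += 1
    scanners = {s: len(t) for s, t in probe_targets.items() if len(t) >= scan_threshold}
    return {"scanners": scanners, "backscatter": dict(backscatter)}


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    for src, n in report["scanners"].items():
        print(f"scanner {src}: {n} distinct dark-net targets")
    for src, n in report["backscatter"].items():
        print(f"back-scatter from {src}: {n} messages")
```

The threshold matters more as the dark net shrinks: with only a couple of /24s instead of several /8s, a given worm hits the sinkhole far less often, so the same scanner needs longer to cross scan_threshold, which is the slower honey-pot collection the post anticipates.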
More information is available at http://www.arbornetworks.com/en/atlas.html. Even though the sinkhole technique is based on non-routed address space (that is, all networks either not allocated or not announced in the routing tables of the Internet), the consequence of allocating and routing the remaining /8 blocks in a couple of months is again a reduced efficiency of sinkholes.

Can we continue to use bogon filters and sinkholes?

Anti-spoofing based on uRPF will obviously continue to work. Moreover, each and every ISP has in its own allocated IPv4 space a couple of smaller blocks (usually /24) that are not yet assigned to any customer. Those smaller blocks become the dark net for this specific ISP. As ISPs usually do not share the value of those blocks, the ISP community will no longer be able to run a huge sinkhole (several /8) but only a very small one (a couple of /24). The sinkhole technique would still work somehow: it will simply attract much less traffic, meaning that it will take more time for honey pots to collect information about new malware.

Summary

In short, IPv4 address exhaustion will not only impact the growth of the Internet (for which IPv6 is the right answer), it will also slightly decrease the security of the IPv4-only part of the Internet. Yet another reason to move users and content to IPv6 ;-)