Too many options for IPv6 address configuration?

With IPv6 there are several options for configuring addresses... which is probably not really good for security.

As security people, we all know that having too many options is always a bad thing: a simple setup is often more secure than a complex one. And, when it comes to IPv6, there are THREE ways to configure one IPv6 global address:

  • Static configuration
  • Use of Dynamic Host Configuration Protocol (DHCP) in its stateful version, which can lease IPv6 addresses to IPv6 nodes
  • Use of Stateless Address Auto-Configuration (SLAAC), where a Router Advertisement message announces the on-link prefixes as well as the link-local address of the router. The prefix is then combined either with the node's link-layer address to form an EUI-64 address or with a random number to form a privacy-extension address.

Note: this article is only about address configuration and not about other IPv6 network parameters such as domain name or Maximum Transmission Unit (MTU) size. Let’s review all three of those ways in the light of security, mainly from the forensic point of view: how can we identify the host given an address that was used a couple of days ago? This is a rather trivial question in the IPv4 world:

  1. IPv4 addresses are often leased and used for several days in a row; hence, there is a fair chance that they are still in use when the forensic analysis takes place.
  2. Otherwise, look into the DHCP history log to get the MAC address and then either consult an inventory database or look into the current DHCP binding database to find the current IP address.

This is not so trivial in the IPv6 world if the address is not used anymore (see also

Static Configuration

Static configuration is easy to understand and is mainly used for routers and servers, which rarely change their IPv6 addresses (exactly like in the IPv4 world). Of course, normal hosts, and especially mobile laptops and smartphones, should not use static configuration, to make roaming easier. But in the world of IPv6 this simple way to configure an IPv6 address has an interesting twist: which kind of interface identifier (IID: the least significant 64 bits; the most significant 64 bits form the prefix and are fixed by the network topology)? The most obvious choice is to use an easy-to-remember IID, such as 2001:db8::1 for a router, 2001:db8::25 for a mail server, or 2001:db8::3:4 for a dual-stack node whose IPv4 address is (this keeps part of the address identical). It has significant operational benefits because network operators make fewer typing mistakes and security officers can more easily understand security policies and audit logs. Some people do not like those easy-to-remember addresses because they are easy to scan, and one of the security benefits of IPv6 is to make the full scan of a subnet too long to be practical (the estimate is thousands of years for a single LAN). So the alternative for the IID is to use a randomly generated IID to prevent this network scanning. I personally prefer to use easy-to-remember addresses rather than complex-to-remember addresses; the ability to scan a network does not mean that the miscreant will be able to run an attack successfully anyway; moreover, complex addresses make the task of any security and network operator more difficult when DNS cannot be used: think about writing an ACL or looking in log files for an event. I am a strong proponent that simplicity is the best friend of security.

Stateful DHCP

Another way to configure addresses is of course the use of stateful DHCP, in a very similar way as for IPv4. This is mainly reserved for end-user stations and not for routers and servers, in order to make life easier for all DNS and ACL administrators. Windows Vista and Windows 7 notably use it. I wrote similar and not identical because with DHCP for IPv6, IPv6 addresses are bound not to a MAC address but to a Device Unique Identifier (DUID); a DUID can be based on the MAC address or on time. This means that the DHCP binding table (and log file) does not contain the MAC address of the DHCP client but only its DUID. This makes tracking an IPv6 address impossible when the IPv6 address is no longer ‘live’ (that is, when it is stored in the neighbor cache of no router) and when the DUID is not based on the MAC address. This of course causes a problem when doing a forensic search. DHCP for IPv6 is also slightly different because it has a huge address space to lease addresses from. Some DHCP servers leverage this huge address pool to lease random addresses out of it in order to prevent scanning. This is a pure benefit in this case because the IPv6 addresses are used by end-user stations and not by servers, so those addresses will probably never be used in an ACL.

SLAAC

Using SLAAC is the default configuration of several OSes (Mac OS and Linux). It is also the fallback configuration of Windows Vista and Windows 7 in the absence of a DHCP server. SLAAC is fully decentralized, which is a huge benefit from a networking point of view (no need for lengthy configuration, no error in the configuration, and so on) but is a mixed blessing from a security point of view:

  • Benefit: high availability, since there is no single point of failure
  • Drawback: not easy to trace back the owner of a SLAAC address when it is no longer live in your network
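The forensic difference between the EUI-64 case (the SLAAC bullet above) and the DUID case (the stateful DHCP section) comes down to whether the identifier still embeds the MAC address. The following example, added here and not part of the original article, checks both: it recovers the MAC from a modified EUI-64 IID when the ff:fe marker is present, and from a DHCPv6 DUID only when it is of the link-layer types (DUID-LLT or DUID-LL, per RFC 8415). The addresses, MAC and DUIDs are constructed samples.

```python
import ipaddress
import struct
from typing import Optional

def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the link-layer address behind a modified EUI-64 IID
    (RFC 4291, Appendix A). Returns None when the ff:fe marker is absent,
    i.e. for a privacy-extension (RFC 4941), random or hand-picked IID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]      # low 64 bits only
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02                                    # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def mac_from_duid(duid: bytes) -> Optional[str]:
    """Extract the MAC from a DHCPv6 DUID (RFC 8415, section 11).
    Only DUID-LLT (type 1) and DUID-LL (type 3) over Ethernet (hardware
    type 1) embed one; DUID-EN (2) and DUID-UUID (4) do not, so a lease
    bound to such a DUID cannot be tied to a NIC from the log alone."""
    (duid_type,) = struct.unpack("!H", duid[:2])
    if duid_type == 1:        # DUID-LLT: type | hw type | time | ll addr
        hw_type, ll = struct.unpack("!H", duid[2:4])[0], duid[8:]
    elif duid_type == 3:      # DUID-LL: type | hw type | ll addr
        hw_type, ll = struct.unpack("!H", duid[2:4])[0], duid[4:]
    else:
        return None
    if hw_type != 1 or len(ll) != 6:
        return None
    return ":".join(f"{b:02x}" for b in ll)

# Constructed sample values: documentation prefix and a made-up MAC,
# not taken from any real host or network.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_EUI64 = "2001:db8::211:22ff:fe33:4455"     # SLAAC with EUI-64 IID
SAMPLE_PRIVACY = "2001:db8::a1b2:c3d4:e5f6:789"   # SLAAC with privacy IID
SAMPLE_DUID_LLT = struct.pack("!HHI", 1, 1, 0x4C000000) + bytes.fromhex("001122334455")
SAMPLE_DUID_EN = struct.pack("!HI", 2, 9) + b"serial-0001"

if __name__ == "__main__":
    for label, result in [("EUI-64 address", mac_from_eui64(SAMPLE_EUI64)),
                          ("privacy address", mac_from_eui64(SAMPLE_PRIVACY)),
                          ("DUID-LLT", mac_from_duid(SAMPLE_DUID_LLT)),
                          ("DUID-EN", mac_from_duid(SAMPLE_DUID_EN))]:
        print(f"{label:16} -> {result or 'MAC not recoverable'}")
```

Run against a DHCPv6 lease log or a router's neighbor cache export, the two functions tell you which entries can still be mapped to a NIC after the address has gone stale.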

As written in a previous blog article, DHCP is still the best way for end-user computers, but it is not as easy as in the IPv4 world. It is also pretty obvious that a miscreant will masquerade its MAC address and use a random DUID.


Copyright © 2010 IDG Communications, Inc.