This chapter covers the following subjects:
Reintroduction to IPv6: Brief overview of IPv6
IPv6 Update: Describes the current state of IPv6 adoption
IPv6 Vulnerabilities: Describes the weaknesses in IPv6 that are key areas of focus
Hacker Experience: Covers the current state of attack tools and skills
IPv6 Security Mitigation Techniques: Introduces the high-level methods of securing IPv6
The Internet Protocol (IP) is the most widely used communications protocol. Because it is the most pervasive communication technology, it is the focus of hundreds of thousands of IT professionals like you. Because so many people rely on the protocol, the safety of communications is top of mind. The security research that is performed on IP is conducted by both benevolent and malevolent people. All the security research has caused many patches and adjustments to IP, as it has been deployed internationally. In hindsight, it would have been better if deeper consideration were given to the security of the protocol before it was extensively deployed.
This book provides you with insight into the security ramifications of a new version of IP and provides guidance to avoid issues prior to deployment. This chapter provides a brief background on this next version of IP, IPv6. You learn why it is important to consider the security for IPv6 before its wide-scale deployment. A review of the current risks and industry knowledge of the vulnerabilities is provided, as well as the common ways that IPv6 can be secured.
The Internet Engineering Task Force (IETF) is the organization that is responsible for defining the Internet Protocol standards. When the IETF developed IPv4, the global expansion of the Internet and the current Internet security issues were not anticipated. In IPv4's original design, network security was only given minor consideration. In the 1980s, when IPv4 was being developed, the "Internet" was constructed by a set of cooperative organizations. As IPv4 matured and the Internet explosion took place in the 1990s, Internet threats became prolific. If the current environment of Internet threats could have been predicted when IPv4 was being developed, the protocol would have had more security measures incorporated into its design.
In the early 1990s, the IETF realized that a new version of IP would be needed, and the Task Force started by drafting the new protocol's requirements. IP Next Generation (IPng) was created, which then became IPv6 (RFC 1883). IPv6 is the network layer standard protocol that succeeds IPv4 for computer communications across the Internet and other computer networks. IPv6 offers several compelling functions and is really the next step in the evolution of the Internet Protocol. These improvements came in the form of increased address size, a streamlined header format, extensible headers, and the ability to preserve the confidentiality and integrity of communications. The IPv6 protocol was then fully standardized at the end of 1998 in RFC 2460, which defines the header structure. IPv6 is now ready to overcome many of the deficiencies in the current IPv4 protocol and to create new ways of communicating that IPv4 cannot support.
IPv6 provides several improvements over its predecessor. The advantages of IPv6 are detailed in many other books on IPv6. However, the following list summarizes the characteristics of IPv6 and the improvements it can deliver:
Larger address space: Increased address size from 32 bits to 128 bits
Streamlined protocol header: Improves packet-forwarding efficiency
Stateless autoconfiguration: The ability for nodes to determine their own address
Multicast: Increased use of efficient one-to-many communications
Jumbograms: The ability to have very large packet payloads for greater efficiency
Network layer security: Encryption and authentication of communications
Quality of service (QoS) capabilities: QoS markings of packets and flow labels that help identify priority traffic
Anycast: Redundant services using nonunique addresses
Mobility: Simpler handling of mobile or roaming nodes
NOTE - Remember the following IPv6 terminology:
A node is any system (computer, router, and so on) that communicates IPv6.
A router is any Layer 3 device capable of routing and forwarding IPv6 packets.
A host is a node that is a computer or any other access device that is not a router.
A packet is the Layer 3 message sourced from an IPv6 node destined for an IPv6 address.
During the development of IPv6, one of the requirements was that this new protocol must have flexible transition mechanisms. It should be easy to transition to this new protocol gradually, over many years. Because it was evident that IPv6 would become very popular, the transition would need to be slow and methodical.
Running both IPv4 and IPv6 at the same time, called dual stack, is one of the primary transition strategies. This concept describes the scenario in which a router supports two or more different routed protocols and forwards each type of traffic, independent of the behavior of the other routed protocol. Seasoned network engineers will recall the concept of "ships-in-the-night routing." This term refers to the fact that packets from either protocol can pass by each other without affecting each other or having anything to do with each other. Because "dual stacking" can be a dominant migration strategy, running a network with both protocols can open that network to attacks on both protocols. Attacks can also evolve that leverage a combination of vulnerabilities in IPv4 and IPv6.
In addition to dual stack, the transition to IPv6 involves various types of tunneling approaches where IPv6 is carried over IPv4 networks that have yet to migrate to IPv6. There will likely be attacks on the transition mechanisms themselves to gain access to either the IPv4 or IPv6 portions of a network. The security of IPv6 systems must be assessed before IPv6 is permitted to be enabled on current and future networks and systems.
Because IPv6 and IPv4 are both network layer protocols, many of the network layer vulnerabilities are similar. Furthermore, because the protocol layers above and below the IP layer remain the same for either IP version, many attacks against those layers will not change. Because the two protocols are related, the similarities between them can create similar attack patterns. IPv6 could improve security in some areas, but in other areas, it could also open new threats. Chapter 2, "IPv6 Protocol Vulnerabilities," focuses on the attacks against the IPv6 protocol itself and describes ways to protect against them.
IPv6 has continued to evolve since December 1998, when the IETF published RFC 2460. As the number of available IPv4 public addresses has reduced, IPv6 has become more attractive. In fact, IPv6 is the only viable solution to this IP address depletion problem. Many of the problems in current IPv4 networks relate to address conservation. For example, perpetuating the use of Network Address Translation (NAT) and double-NAT is not a realistic long-term strategy for Internet expansion.
Today, the identity of users on the Internet is often unknown, and this has created an environment where attackers can easily operate. The use of anonymizer tools such as Tor and open proxies and the use of NAT allow users to hide their source IP addresses and allow hackers to operate without their targets knowing much about the source of the messages. NAT is often misunderstood as a security protection measure because it hides the internal addresses and thus obfuscates the internal network topology. Many network administrators feel a false sense of security and put too much faith in NAT. NAT breaks the use of the full end-to-end communication model that IP Security (IPsec) needs to be fully effective. The firewalls that perform the NAT function have difficulty maintaining the NAT state during failover. Troubleshooting application traffic that flows through a NAT is often difficult. When using IPv6, the use of NAT is not necessary because of the large amount of addresses available. Each node has its own unique address, and it can use that address for internal and external communications.
After the core, distribution, and access layers are dual-stack enabled, the computer systems themselves can be IPv6 enabled. After this takes place, the system administrators can start to enable IPsec tunnels between IPv6-enabled nodes to provide confidentiality and the integrity of the communications between systems. This provides a greater level of security over current unencrypted IPv4 implementations. IPsec deployments utilizing both authentication and encryption are rarely used today for computer-to-computer communication. Today the common method of using IPsec only encrypts the payload in tunnel mode because the NATs that are in place prevent authenticating the header. However, communications between critical systems can optionally be secured with IPv6 IPsec, using both authentication and encryption. Chapter 8, "IPv6 Security (IPsec)," provides further details on how to secure IPv6 communications. IPv6 can uniquely provide this clear end-to-end secure communication because NAT is not needed when IPv6 can provide every node with a globally unique IP address.
IPv6 is becoming a reality. The many years of early protocol research have paid dividends with products that easily interoperate. Several early IPv6 research groups have disbanded because the protocol is starting to move into the transition phase. The 6BONE (phased out with RFC 3701) and the KAME (http://www.kame.net) IPv6 research and development projects have wound down and given way to more IPv6 products from a wide variety of vendors. Deployment of IPv6 is not a question of if but when. IPv6 is an eventuality.
The transition to IPv6 continues to take place around the world. The protocol is gaining popularity and is being integrated into more products. There are many IPv6-capable operating systems on the market today. Linux, BSD, Solaris, Microsoft Vista, and Microsoft Server 2008 operating systems all have their IPv6 stacks enabled by default, and IPv6 operates as the preferred protocol stack. Of course, Cisco equipment fully supports dual-stack configuration, and the number of IPv6 features within IOS devices continues to grow. However, the production use of IPv6 is still in the domain of the early adopters.
The rate of IPv6 adoption is growing but is also unpredictable. The timeline for the deployment of IPv6 is long and difficult to measure. Generally speaking, the transition to IPv6 has thus far been based on geography and politics. The Asian and European regions that did not have as many allocated IPv4 addresses have felt the pressure to transition to IPv6. While organizations in North America have more IPv4 addresses, the address-depletion effects are making the migration to IPv6 more urgent. The market segments that are focused on IPv6 are few and far between. There are few IPv6-specific applications that appeal to enterprises, service providers, and consumers that make them want to transition sooner. Some vertical markets such as government and defense, public sector, education, video distribution, and high tech are starting to see the benefits of IPv6 and are working on their transition plans.
There are still many areas of IPv6 where issues remain to be resolved. One of the remaining challenges for IPv6 is that few IPv6 service providers exist. Currently, Internet IPv6 traffic is still light compared to IPv4, but it continues to grow. This can be attributed to the lack of last-mile IPv6 access and customer premises equipment (CPE) that does not support IPv6. Multihoming, which is the concept of connecting to multiple service providers for redundancy, is an issue that will take some time to resolve, but it is doubtful that it is significantly holding back organizations from deploying IPv6. Hardware acceleration for IPv6 is not universal, and many applications lack IPv6 support. Just like the deployment of other networking technologies, network management and security are left to the end. The goal of this book is to raise awareness of the security issues related to IPv6 and to provide methods to secure the protocol before deployment.
IPv6 will eventually be just as popular as IPv4, if not more so. Over the next decade as IPv6 is deployed, the number of systems it is deployed on will surpass those on IPv4. While early adopters can help flesh out the bugs, there are still many issues to resolve. IPv6 implementations are relatively new to the market, and the software that has created these systems has not been field tested as thoroughly as its IPv4 counterparts. There is likely to be a period of time where defects will be found, and vendors will need to respond quickly by patching their bugs. Many groups are performing extensive testing of IPv6, so they hopefully can find many of the issues before it is time to deploy IPv6. However, all the major vendors of IT equipment and software have published vulnerabilities in their IPv6 implementations. Microsoft, Juniper, Linux, Sun, BSD, and even Cisco all have published vulnerabilities in their software. As IPv6 has gained visibility, it is evident that these major vendors' implementations have drawn the attention of the hackers.
The early adopters of IPv6 technology are encouraged to tread lightly and make sure that security is part of their transition plans. There are distinct threats of running IPv6 on a network without any security protection measures. Some operating systems can run both protocols at the same time without the user's intervention. These operating systems might also try to connect to the IPv6 Internet without explicit configuration by the user. If users are not aware of this fact and there is no security policy or IPv6 security protections implemented, they are running the risk of attack. IPv6 can be used as a "backdoor protocol" because many security systems only secure IPv4 and ignore IPv6 packets. For these reasons, it is important to secure IPv6 before it is widely deployed.
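The dual-stack and tunneling discussion above, and the "backdoor protocol" risk described here, both come down to one question a defender can check: is there IPv6 on a segment that the security policy treats as IPv4-only? The following is an added example (not from the book) that classifies raw Ethernet frames as native IPv6 (EtherType 0x86DD), IPv6 tunneled inside IPv4 (IP protocol 41), or plain IPv4; the sample frames and their MAC and IP addresses are constructed placeholders.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_IPV6_ENCAP = 41   # IPv6 carried inside IPv4 (6in4 / 6to4 tunnels)


def classify_frame(frame: bytes) -> str:
    """Return 'ipv6-native', 'ipv6-in-ipv4', 'ipv4', or 'other'."""
    if len(frame) < 14:                     # too short for an Ethernet header
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV6:
        return "ipv6-native"
    if ethertype != ETHERTYPE_IPV4:
        return "other"
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:     # not a plausible IPv4 header
        return "other"
    # Byte 9 of the IPv4 header is the protocol field; 41 means an IPv6 payload
    # is riding inside IPv4, which an IPv4-only filter would pass unexamined.
    if ip[9] == IPPROTO_IPV6_ENCAP:
        return "ipv6-in-ipv4"
    return "ipv4"


def ipv6_findings(frames) -> dict:
    """Count frames by class; any non-zero ipv6-* count on an 'IPv4-only'
    segment means dual-stack hosts or transition tunnels are present."""
    counts = {"ipv6-native": 0, "ipv6-in-ipv4": 0, "ipv4": 0, "other": 0}
    for frame in frames:
        counts[classify_frame(frame)] += 1
    return counts


def _eth(ethertype: int, payload: bytes) -> bytes:
    # Constructed frame with placeholder MAC addresses (not a real capture).
    return b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype) + payload


def _ipv4(proto: int) -> bytes:
    # Minimal constructed IPv4 header: version 4, IHL 5, TTL 64, documentation
    # addresses 192.0.2.1 -> 192.0.2.2.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


SAMPLE_FRAMES = [                                   # constructed sample traffic
    _eth(ETHERTYPE_IPV4, _ipv4(6)),                 # ordinary IPv4 / TCP
    _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_IPV6_ENCAP)),  # IPv6 tunneled over IPv4
    _eth(ETHERTYPE_IPV6, b"\x60" + b"\x00" * 39),   # native IPv6 fixed header
]

if __name__ == "__main__":
    print(ipv6_findings(SAMPLE_FRAMES))
```

The same classifier can be run over frames read from a pcap to confirm whether the "IPv4-only" assumption behind a filter actually holds.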
When you consider the ways that an IPv4 or IPv6 network can be compromised, there are many similarities. Attacks against networks typically fall within one of the following common attack vectors:
Internet (DMZ, fragmentation, web pages, pop-ups)
IP spoofing, protocol fuzzing, header manipulation, session hijacking, man-in-the-middle, sniffing
Buffer overflows, SQL injection, cross-site scripting
Email (attachments, phishing, hoaxes)
Worms, viruses, distributed denial of service (DDoS)
Macros, Trojan horses, spyware, malware, key loggers
VPN, business-to-business (B2B)
Chat, peer-to-peer (P2P)
Malicious insider, physical security, rogue devices, dumpster diving
In 2007, The Computer Security Institute (CSI — http://www.gocsi.com) 12th Annual Computer Crime and Security Survey stated that 59 percent of all survey respondents suffered from insider abuse of network access. This percentage historically has been lower in the mid- to late 1990s and has risen steadily each year. So the percentage of internal attack sources is likely to be even higher today. Those internal sources of attacks could either be a legitimate hacker or an unknowing end user. The key issue is that most organizations do not spend 50 percent of their security budget on mitigating inside threats. Therefore, external as well as internal devices must be hardened equally well but not necessarily against the same types of attacks.
One disadvantage of both IP versions is the fact that the signaling of network reachability information takes place in the same medium as the user traffic. Routing protocols perform their communication in-band, and that increases the risks to infrastructure destabilization attacks. The threat mentioned here is that user traffic can affect the protocol-signaling information to destabilize the network. Protections against these types of attacks involve securing the signaling communications between network devices. IPv6 routing protocols can use encryption and authentication to secure the signaling information, even if it is transported inside the data path. Domain Name System (DNS) is another key infrastructure component that provides important signaling functions for IPv4 and IPv6. As seen over the past ten years, there is an increase in the number of attacks that target the infrastructure and DNS of the Internet and private networks. The attacks aim to create a denial of service (DoS), which affects the usability of the entire network.
Attacks against network elements typically come from the Internet for perimeter-based devices, while attacks on intranet devices originate from malicious insiders. Most internal routers have simple protection mechanisms like simple passwords and Simple Network Management Protocol (SNMP) community strings. Ease of management typically outweighs security in most enterprise networks. Internet routers do not enjoy this friendly environment, and they are constantly susceptible to many different forms of attack.
Routers are not usually capable of running traditional server software or other applications that can have vulnerabilities. However, they can be the target of a buffer overflow, where the attacker attempts to send information to the router to overrun an internal memory buffer. The side effects can be anything from erratic behavior to a software crash or gaining remote access. Any software that the router runs could be vulnerable, and any protocol supported and implemented within that software for communications to other devices is at risk for potential exploitation. Routers communicate over many different protocols, and each of those protocols is a potential target.