Is IPv6 Secure Enough?
by George Lawton
Proponents are pushing network operators and equipment makers to adopt IPv6.
Supporters say increased utilization will result in a better protocol that provides many more IP addresses for the huge number of Internet-connected devices than its predecessor, IPv4. The Internet Assigned Numbers Authority gave the last IPv4 addresses to regional Internet registries in 2011.
On 6 June this year, backers sponsored World IPv6 Launch day, during which participating websites enabled the protocol permanently. In addition, ISPs offered IPv6 connectivity and router manufacturers provided devices enabled for the technology by default.
Despite the ongoing campaign, numerous experts contend that IPv6 raises significant security concerns that adopters must address.
For example, they say, best security practices for IPv6 routers, firewalls, and spam filters have not been well developed and implemented.
There are also concerns that Windows machines now turn on IPv6 tunneling by default. With this approach, legacy IPv4 networks can carry IPv6 traffic by encapsulating and tunneling IPv6 packets across IPv4 networks.
However, this could create security problems for organizations that have such IPv4 networks but haven't deployed security measures to deal with malicious IPv6 packets.
Jeremy Duncan, senior director at security vendor Salient Federal Solutions, said there have already been several IPv6 denial-of-service (DoS) and spam attacks because many existing routers, firewalls, and other gateway devices can't protect against them yet.
"There is a small percentage of the attacker community that is knowledgeable about IPv6," said IPv6 security expert Scott Hogg, director of technology solutions at consultancy GTRI and chair of the Rocky Mountain IPv6 Task Force.
Some hackers, he added, don't even know about IPv6 vulnerabilities but launch general attacks that happen to exploit IPv6 networks' weaknesses.
A Quick Look at IPv6
The Internet Engineering Task Force began developing IPv6 in 1992 when the IETF saw that the increase in Internet activity would use up the limited number of IPv4 addresses. The group released IPv6 in 1996.
IPv4 uses a 32-bit address space, allowing for 232 — or about 4.3 billion — unique addresses.
IPv6 uses a 128-bit address space, allowing for 2128 — or about 3.4×1038 — addresses.
Google has collected statistics that indicate that IPv6 global aggregate usage has grown from 0.2 percent of all Internet traffic in early 2010 to 0.75 percent in mid-2012.
Newer operating systems and networking equipment support IPv6. However, many older IPv4 devices are still in use.
According to GTRI's Hogg, a key issue is the lack of time IT workers have spent learning about IPv6, even though their networks use the technology.
IPv6 has different security challenges than IPv4, he explained. "Most security practitioners have not invested the time to learn about these differences and formulate plans on how to secure IPv6," he said.
IPv6 code development for security is immature, according to Jeff Doyle, president of IP-network consultancy Jeff Doyle and Associates.
Vendors have just begun implementing and testing useful IPv6 security approaches, which are too new to have been proven safe, he explained.
One problem occurs because IPv6 networks create tunnels for sending traffic across IPv4 networks by encapsulating IPv6 data into IPv4 packets.
IPv4 equipment, including firewalls, cannot easily decode the traffic based on the newer protocol for security inspection.
Thus, hackers could send malware and spam that IPv4 security equipment couldn't detect.
Some older IPv6 implementations don't support newer security technologies, including those that provide built-in authentication and encryption.
Another problem is the IPv6-attack tools that people have created and posted online for use by unskilled hackers.
For example, said Salient Federal's Duncan, one prominent group — the Hackers Choice (THC) — has updated one of its tools to include exploits for LAN-based IPv6 equipment.
THC says it has done this to make public the vulnerabilities it finds so that people will fix them.
However, the toolkit also lets hackers fake router advertisements, which routers use to announce themselves on a link. Hackers could use fake RAs to overwhelm a router and thereby stall traffic.
IPv6 offers rich extension headers that carry information that promises more granular networking control in areas such as routing, data encryption, and authentication.
However, vendors are just learning how to securely support these extensions.
In one case, a researcher used an extra-long extension header to overwhelm a router, allowing potentially malicious packets through without authentication.
Older IPv6 equipment supported by default the protocol's Type 0 routing headers, designed to list the intermediate nodes at which packets will stop on the way to their destination. This is designed to improve network performance.
However, hackers could construct packets that use the Type 0 headers to travel between two routers multiple times, resulting in a DoS attack.
Newer IPv6 equipment has support for Type 0 routing headers turned off by default.
Current IPv6 Security
IPv6 has several security features such as IPsec, which authenticates and encrypts each IP packet used during communications.
However, Salient Federal's Duncan noted, older equipment doesn't always have IPsec turned on by default.
IEEE 802.1X provides access control via the authentication of routers trying to communicate with the network.
The IETF's IPv6 Router Advertisement Guard (RA-Guard) analyzes RAs and filters out bogus ones sent from unauthorized routers. This helps counter router spoofing.
However, Windows doesn't natively support these capabilities, so organizations must deploy RA-Guard drivers on each of their computers to protect them.
Locking it Down
The best practices for addressing IPv6 security issues are generally the same as those used with IPv4, said GTRI's Hogg.
However, in many cases, organizations must update their networking equipment to support the latest IPv6 capabilities, said consultant Doyle.
This will entail a simple software upgrade in some cases or, for equipment using dedicated-purpose chips that can't be upgraded, a full platform change.
Moreover, Doyle said, companies must make sure their IT personnel are fully trained in IPv6 security.
Businesses could also use deep-packet inspection tools to analyze IPv6 traffic more carefully.
Some organizations are offering security bounties to help find vulnerabilities. Will Brown, associate vice president of product development for network-equipment vendor D-Link, said, "We are working directly with the security community … and have created a reward program for disclosing any issues that can be verified."
Hogg stated, "We need security vendors to address IPv6 in all aspects of their security products to provide defenders [with] protection before they deploy IPv6."
Doyle predicted IPv6 will be a major concern to IT organizations and vendors for the next couple of years, as new vulnerabilities are discovered and addressed.
But in the long run, he said, as firewalls, spam filters, and packet-inspection tools improve, securing IPv6 will become routine.