The Internet protocol version 6 (IPv6) does not improve Web security for enterprises, but an understanding of IPv6 network security threats can help you protect your corporate network against the latent issues of IPv6 when you transition from IPv4. Scott Hogg and Eric Vyncke, co-authors of the book IPv6 Security: Protection measures for the next Internet Protocol, talk about the IPv6 security implications in this interview. Use their advice to alleviate security concerns surrounding the protocol, and learn about the network security tools and product features that are available to mitigate risk.
Will IPv6 improve Web security for enterprises? How about consumers?
Scott Hogg: IPv6 won't change any of the applications that run on top of the transport layer. The threats that exist today for IPv4 applications will continue to exist for IPv6 applications. For example, if you have a dual-protocol Web server that is vulnerable to cross-site-scripting attacks, it will still be vulnerable when IPv6 is used as the Layer 3 protocol. Consumers' computers that are dual-stack will also be unaffected by the introduction of IPv6. However, if either an enterprise or a consumer is using a firewall that doesn't filter IPv6 packets, they are essentially operating wide-open. Also, computers may create tunnels to the IPv6 Internet without the user's knowledge, and those tunnels may bypass all current IPv4-only security protections.
Eric Vynke: The next generation of Internet protocol, IPv6, brings mainly a larger address space, but IPv6 brings almost no improvement to Web security. The main reason is that Web security is related to application security (the attacks are SQL injection, cross-site scripting and so on); and the application security is completely independent of the network layer where the new IPv6 is deployed.
How does IPv6 security compare with IPv4 security?
Hogg: There are several similarities between the security of IPv4 and IPv6 in terms of LAN attacks (ARP, neighbor discovery, DHCP, DHCPv6), fragmentation attacks, denial of service (DoS) attacks, etc. IPv6 has some new vulnerabilities because of the structure of its headers and its heavy use of ICMPv6. Filtering of unallocated addresses in IPv6 is easier than in IPv4 because the IPv4 address space is so fragmented. IPv6 offers some advantages in terms of how IPSec is easier to implement with AH and ESP because NAT is not used with IPv6. IPv6 and Mobile IPv6 provide new opportunities and new challenges for securing mobile communications. Also, the transition mechanisms for IPv6 will also be targets of attacks.
Vynke: we compare IPv4 and IPv6 at the network layer on a local area network (LAN) or on the Internet, the[y] are pretty much equivalent.
The huge number of IPv6 addresses make a network scan (this is the discovery of all computers on a network) impossible by checking all addresses; but hackers can easily adapt by relying on DNS or other sources of information in order to find a potential victim. So this is not a security advantage.
The standards mandate that IPv6 computers implement IPsec (confidentiality and authentication with the help of cryptography), but IPv6 computers are free to actually use IPsec or not. Moreover; the generalized use of IPsec would make the job of the infosec department more difficult, as they could not use firewalls anymore (firewalls are useless for encrypted traffic).
Regarding the Layer 2 security (Ethernet), in IPv4 there are well-known issues around ARP, which can be poisoned to maliciously redirect traffic. The very same issue exists for IPv6; there is just a change of name: NDP (Neighbor Discovery Protocol) poisoning rather than ARP poisoning. The same mitigation techniques can be used. In addition, SEcure Neighbor Discovery (SEND) even applies cryptography to secure NDP; the only caveat is that it is not yet implemented in Microsoft Windows or Mac OS/X.
The bottom line is that IPv4 and IPv6 are quite equivalent for security. The only real issue is that most of the network and security architects and staffs are not aware of IPv6, and they currently lack operational expertise in this new protocol. This is a real danger for several months, until everyone is trained and [has] experimented.
Are there security vulnerabilities in the Internet Protocol version 6? If so, how does someone make a revision to IPv6 to enhance network security?
Hogg: There are vulnerabilities in the way that IPv6 headers (extension/option headers) are handled. There are also vulnerabilities in the Neighbor Discovery Protocol (NDP). There really isn't any way to revise the IPv6 protocol itself, but you can selectively filter the messages that are allowed on a network. Messages can be filtered at the perimeter and in the interior of networks to help prevent these types of attacks.
Vynke: As IPv6 is a minor evolution from IPv4, there are few differences and no major vulnerabilities in the protocol itself. Of course, there have been some vulnerability in the implementations of most vendors, but they are mostly fixed now.
The IETF (the standardization body for the Internet) has already standardized two minor evolutions of IPv6:
- Secure Neighbor Discovery, which relies on cryptography to secure the dynamic discovery of the mapping of an IPv6 address to an Ethernet MAC address.
- Deprecating the infamous Routing Header Type 0, which could have led to some denial of service (DoS) attacks.
If the federal government has already migrated to IPv6 (since its self-imposed deadline of 2008), how does that affect enterprises?
Hogg: The U.S. government has performed the early steps of a migration to IPv6, but they are far from being fully migrated. Many federal organizations simply turned up IPv6 capability to meet the June 2008 date but then immediately decommissioned the IPv6 links for fear of vulnerabilities. They did not fully deploy IPv6 and have comprehensive DNS dual-protocol records or any application content. Hopefully, this book will show those organizations how they can deploy IPv6 with a reasonable level of security to mitigate the risks. They shouldn't fear IPv6 and any "unknown" vulnerabilities that exist. They can be confident in deploying initial dual-stack capability using the techniques outlined in this book.
Vynke: As long as the enterprises have no relationship with the federal government, they are not concerned.
Will running IPv4 and IPv6 simultaneously pose any specific security issues?
Hogg: Yes—because you are running two protocols, your organization is vulnerable to the sum of both protocol issues. There are also attacks that leverage one protocol against the other. Therefore, it has always been advisable to minimize the time that your organization spends in a dual-protocol state. The goal is not to get to dual-stack but to get to only-IPv6.
Vynke: Running a dual-stack environment does not cause any security issue per se, but the user must be aware that the computer is now exposed to both IPv4 and IPv6 attacks. This does not mean that this computer will be attacked twice as often as before but rather that the user must secure the computer for both IPv4 and IPv6 with the help of [a] personal firewall (like the Microsoft Windows one) and other security products.
What address selection issues are associated with IPv6, and how do they threaten network security?
Hogg: IPv6 hosts use some default address selection rules because a single computer could have many different IPv6 addresses on its network interface. These rules govern which addresses are used. If these default address selection rules were modified, unforeseen consequences could result. This could be an attacker's way to create a man-in-the-middle situation or DoS a host. Therefore, it is important to make sure that those address selection rules remain the same as the default rules.
Since IPv6 is not backwards compatible with existing products, what products and protection mechanisms must you upgrade to or implement to keep an IPv6 network secure? Are these any different from an IPv4 network?
Hogg: You need to be sure that you are using security protection mechanisms that are IPv6-capable. You should be using firewalls that can apply the same policy for IPv6 packets as you currently have configured for IPv4. The firewalls should also be able to intelligently process the different IPv6 headers. You should also have IPS sensors that can detect attacks in either IPv4 packets or IPv6 packets. You may therefore require some upgrades in terms of software or hardware, depending on your current vendor's IPv6 capabilities.
Vynke: There are no real differences between IPv4 and IPv6 regarding security. Therefore, the exact same tools can and should be used to secure IPv4 and IPv6. This includes firewalls, intrusion prevention systems (IPSs), behavior analysis to detect abnormal behaviors, network telemetry, and of course all the application security products like anti-spam and antivirus that can inspect email and Web traffic on the network.
You are strongly advised to have the same appliance or the same server to run both IPv4 and IPv6 protection in order to ease the management, reduce the operation cost, and ensure that the security policy is identical for IPv4 and IPv6.
Is there any likelihood that IPv6 will be modified to make it backwards compatible with IPv4?
Hogg: That is not possible. IPv6 is a completely separate protocol from IPv4. They are capable of running on the same network link at the same time, but they act as "ships in the night" and are mutually exclusive of each other. Running IPv6 and IPv4 on the same network is similar to the situation years ago when we ran IPX and AppleTalk on the same network. They coexisted with each other, but they were not interoperable protocols.
Vynke: IPv6 will not be modified to make it backwards compatible with IPv4. But the IETF has already proposed several transition mechanisms to facilitate the migration from IPv4 only to a dual-stack and finally to an IPv6-only network (the latter is not expected to come any time soon). The IETF is working on other transition mechanisms before the 2011 deadline. The goal is that the IPv4-address exhaustion and transition to IPv6 be fully transparent to existing and future consumers.
What tools and products can you use to monitor and identify any weaknesses in your IPv6 network?
Hogg: You can use the same vulnerability scanners on an IPv6 host as you do on an IPv4 host. The only difference is that it is not practical to perform ping-sweeps on an IPv6 network because the addressing space is so large. When you find a host's IPv6 address, however, it is equally easy to perform a port-scan of that host with IPv6 or IPv4. Most of the popular IPv4 tools also have IPv6 capabilities.
Vynke: You can use the same set of tools to monitor your IPv6 network that you are using currently for your IPv4 network. They will probably need to be upgraded to a recent version in order to support IPv6. These tools include intrusion prevention systems (IPSs) and network telemetry like NetFlow.
Do any of these tools also resolve security issues? And if not, which products might help you fix a security problem?
Hogg: Typically, these tools just identify that you have an issue; they don't help you remedy it automatically. The remediation is typically a manual process for the system or network administrator.
Vynke: An upgraded version of the existing security tools is sufficient to mitigate all IPv6 attacks. Reusing the same tool has the additional benefit that the operations for IPv4 and IPv6 are identical, which is both a financial benefit (less training) and a security benefit because the operators know how to use those tools.