
SANS ISC InfoSec Handlers Diary Blog



IPv6 and Security

Published: 2006-12-06
Last Updated: 2006-12-06 14:07:42 UTC
by Mark Hofman (Version: 1)
For the last two days I have been at an IPv6 conference.  Not knowing much about the protocol (like many of us, my daily troubles lie in the IPv4 space), I was looking forward to learning exactly what the big deal was and, more importantly, how it affects security and what the implications for our clients are.  As one of the speakers said, "some security issues will be worse, some better and most of them the same", filling me with hope that I'll still be employed in the IPv6 world.

The first hurdle is to remember that it is just another protocol.  Think of it like IPX, SNA, AppleTalk, DECnet, take your pick.  It is a convenient way of getting traffic from point A to point B.  The main reason for changing to IPv6 is the increase in the number of available addresses.  IPv4 addresses, according to the presentations, will run out in the next 6 years or so.

A second hurdle is to remember the difference between end-to-end addressability and end-to-end connectivity.  A number of the presentations saw IPv6 as a way of providing the latter, which tends to scare security people.  Peer-to-peer processing, across firewalls, networks etc. (I can hear the squeals of protest: "not over my network you don't").  As far as I understand it, IPv6 will provide end-to-end addressing, which is different.  Knowing how to get to a device is one thing.  Being allowed to do so is another.  It will also make the need to NAT obsolete.

Now for the security side of things: IPsec is mandatory.  So if you wish, you can secure communications from end to end, between two addressable (and reachable) devices.  If you have ever set up a VPN between two different vendor products, you know that it can be a challenge.  The second part of the problem is this: are you comfortable allowing IPsec tunnels through your perimeter?  BTW, I'm not saying the IPsec features are bad, I just think there will be some challenges to overcome.

One of the presenters today mentioned that reconnaissance and malware propagation will be more difficult in the IPv6 world.  The address space that needs to be checked is so large, and scanning the address range would take so long, that the effort is not worthwhile (think several thousand years).  However, IPv6 does rely heavily on two things, DHCP and DNS: DHCP to allocate addresses and DNS to find things in the network.  That in itself is interesting, as it provides two convenient targets on an IPv6 network.  Randomly scanning for available hosts may not be required, as you may be able to get all the information you need from one of these devices.  I think malware will just take advantage of what is available.

As for other threats, there are many that will not change much, if at all.  You can still sniff the network.  Application layer attacks don't change, and rogue devices can still be inserted into the network and may even be more difficult to detect.  Man-in-the-middle attacks still work.  Flooding, spoofing and a whole host of other attacks are all still possible.

IPv6 networks are already being deployed within organisations, and will continue to be.  Connectivity via the internet will slowly start to appear over the next few years as ISPs and telcos change their infrastructure (no real business driver as yet).  In the meantime, not many firewalls deal with this protocol sensibly, nor do a number of other security devices such as IDS/IPS.  So there is a fair way to go before the protocol can be securely used.

As a final thought, one of the presentations mentioned that Vista will have IPv6 enabled by default, with some functionality only fully available when IPv6 is used.  This in itself has some implications for us all.  One thing that interests me is how the IPv4/IPv6 combination is handled.  In XP, for example, when IPv6 is enabled it has preference.  So a connection attempt is made using IPv6 first.  Once the timeouts are reached, an IPv4 request is performed.  This can have a noticeable performance impact.  If someone knows how Vista behaves in this instance, I'd be interested to find out.  If it is the same as XP, then I can see a lot of helpdesk calls complaining about slowness of the network.
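The sequential IPv6-then-IPv4 behaviour described above can be measured with a small client; this is an added example, not part of the original diary entry or any Microsoft code. The function names, the loopback listener and the candidate list are constructed for the illustration.

```python
import socket
import time

def try_in_order(candidates, timeout=1.0):
    """Try each (family, host, port) in turn, stopping at the first success.

    Returns a list of (family_name, connected, seconds, error_name)."""
    attempts = []
    for family, host, port in candidates:
        start = time.monotonic()
        try:
            # Socket creation is inside the try: a host without IPv6 support
            # fails here, and that also counts as a failed IPv6 attempt.
            with socket.socket(family, socket.SOCK_STREAM) as s:
                s.settimeout(timeout)
                s.connect((host, port))
            ok, err = True, None
        except OSError as exc:  # refused, unreachable, timed out, unsupported
            ok, err = False, type(exc).__name__
        attempts.append((family.name, ok, time.monotonic() - start, err))
        if ok:
            break
    return attempts

def fallback_delay(attempts):
    """Seconds spent on failed attempts before a connection succeeded."""
    return sum(secs for _, ok, secs, _ in attempts if not ok)

def demo(timeout=1.0):
    """Constructed scenario: a service that listens on IPv4 loopback only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        # IPv6 first, then IPv4: the preference order the post describes for XP.
        candidates = [(socket.AF_INET6, "::1", port),
                      (socket.AF_INET, "127.0.0.1", port)]
        return try_in_order(candidates, timeout)
    finally:
        srv.close()

if __name__ == "__main__":
    results = demo()
    for name, ok, secs, err in results:
        print(f"{name:9} connected={ok} after {secs:.3f}s error={err}")
    print(f"time lost before fallback: {fallback_delay(results):.3f}s")
```

On loopback the IPv6 attempt is refused almost instantly; on a network path where IPv6 packets are silently dropped, each failed attempt costs the full timeout before IPv4 is tried.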

There is much more to IPv6 than the above, but I'll leave that for another time; I'm still digesting all the information.


Cheers

Mark

ISC Handler on Duty
shearwater
