Sunday, July 24, 2016
IPv6 Security Overview: a Small View of the Future
Introduction:
The current version of Internet Protocol is IPv4. This is used to send data over the Internet and makes interaction between different services possible. As all experts know, this protocol has significant limitations, such as the maximum addressing space and some known security issues. The security problems, in many ways, depend on the original development project, which certainly did not have “security” as a determining factor, and the whole final environment was considered a friendly one. However, over the years, as response to these deficiencies and in consideration of a global network in rapid growth, new technologies, like SSL/TLS and IPSec, have been introduced to remedy these issues.
Despite these enhancements, however, the whole architecture is still missing that level of security and flexibility expected. As result of these known limitations, a new project for a new Internet Protocol has been designed by the IETF in the early 90′, having in mind “ease-of-configuration”, performance and security. In this post we will analyze the features of the new suite of internet protocols,its advantages and disadvantages, as well as the possible implications from a security point of view.
The Old Version Four
To better understand the actual new features of IPv6, we must first know its predecessor’s. As already mentioned, IPv4 was designed with no security in mind. This means that security in communications through this suite of protocols must or should be guaranteed by “end-nodes”. If I need to send or receive highly sensitive data, and then use a secure channel (encryption?), it’s the responsibility of that application to provide that service. Currently, the Internet works this way. This, and many others characteristics that will not be covered in this post, has allowed various types of threats to take off in the digital world. The most famous of these are certainly:
1) Reconnaissance Attacks:
This type of attack takes place thanks to the relative small size of IPv4 addressing, because a whole network can be scanned to find open and/or unpatched services. In fact, it is quite easy to perform a reconnaissance scan of a class C network in a few minutes. In this category we can add “Ping Sweep” (sweep a network with ICMP ping messages that solicit a reply), “Port Scan” (to find active and reachable services) and “Application Vulnerability Scan” (to find known vulnerabilities in discovered services).
2) Denial of Service Attacks:
In this type of attack, a service is rendered unavailable through a flood of large amounts of illegitimate requests. It’s possible to mention for this category the smurf attack (remember?).
3) Man-in-the-middle Attacks:
The lack of its own authentication mechanism in communications allows hackers to intercept data in transit.
4) ARP poisoning Attacks:
In IPv4, ARP (Address Resolution Protocol) is responsible for mapping a host’s IP address with its physical MAC address. This information is stored locally (ARP Table) by each host which is part of the communication. The “ARP Poisoning” attack occurs when an arbitrary ARP reply with incorrect information inside is sent to a host which is part of the communication, implying that legitimate packets will arrive at unforeseen destinations.
5) Address Spoofing Attacks:
In the current communication protocols, one of the keys to complete cyber attacks is the ability to modify the source address of a packet. IPv4 allows this possibility since it does not provide any type of source-to-end authentication mechanism. Today these types of attacks are used to spread spam, malware and also to perform DoS/DDoS attacks. IP spoofing also allows masking the true origin of the malicious packets, making the tracking operations more complex.
6) Malware Attacks:
Malware, today, remains one of the biggest security-related problems. Currently, with IPv4, malware can not only damage the host affected, but also saturate (or use part of) the network resources in place. It’s necessary to clarify that, with the advent of IPv6, there was no way to eradicate these threats, and the conception of the potential damage by malware infection will essentially remain the same. It’s possible to assume that, however, due to the broader spectrum of addressing, its spread could be slower.
What’s New in IPv6?
As previously stated, IPv6 is not IPv4′s upgrade but a totally new suite of protocols. This means that the differences between the two are very marked:
1) Address Space:
IPv4 provides as many as 2^32 addresses. IPv6 provides as many as 2^128 addresses.
2) Hierarchical Addressing:
In IPv6 we can find 3 major types of addresses: Unicast, Multicast and Anycast. Unicast addresses are assigned to a single node. Multicast addresses are assigned to multiples node within a single multicast group while anycast addresses are assigned to groups of nodes.
3) QoS (Quality-of-Service) and Performances:
The IPv6 packet header provides for fields that facilitate the support for QoS. In addition, the new standard is a big step forward in terms of performance.
4) Security:
The use of IPSec in IPv6 is not optional, but mandatory.
5) Extensibility:
Despite the new features and the considerable increase of addressing space, the IPv6 header is only slightly larger than that of IPv4 (practically just twice, 40 bytes). The IPv6 header does not include any optional fields or a checksum.
In IPv4, the IPv4 header is followed by data of transport protocol (TCP, UDP), also known as “payload".
IPng vs Old Attacks
In this section we will analyze some of the most popular cyber attacks in a perspective focused on the comparison and on the possible impact of these with the IPng.
1) Reconnaissance Attacks:
Reconnaissance attacks, in IPv6, are different for two major reasons: The first is that “Ports Scan” and/or “Ping Sweep” are much less effective in IPv6, because of, as already said, the vastness of the subnet into play. The second is that new multicast addresses in IPv6 will allow finding key systems in a network easier, like routers and some type of servers. In addition, the IPv6 network has a much closer relationship with ICMPv6 (compared to the IPv4 counterparty ICMP) which does not allow too aggressive filters on this protocol. For the rest, the techniques remain the same.
2) Over the Wall:
This class will discuss the type of attacks in which an adversary tries to exploit little restrictive filtering policies. Currently, we are used to developing access lists (ACLs) to restrict unauthorized access to the network we want to be protected by set specific policies on gateway devices in between the IPv4 endpoints. The need for access control is the same in IPv6 as in IPv4. In IPv6, the basic functions for mitigation of unauthorized access are the same. However, considering the significant differences between the headers of the two protocols, it is possible to imagine different ways to implement them.
While L4 spoofing remains the same, due to the globally aggregated nature of IPv6, spoofing mitigation is expected to be easier to deploy. However the host part of the address is not protected. Layer 4 spoofing attacks are not changed, because L4 protocols do not change in IPv6 with regard to spoofing.
In IPv6, we cannot find the broadcast address. This means that all resulting amplification attacks, like smurf, will be stopped. IPv6 specifications forbid the generation of ICMPv6 packets in response to messages to IPv6 multicast destination address, a link-layer multicast address or a link-layer broadcast address. In general, through the adoption of the new standard, we should find an improvement in this regard.
Routing attacks refer to activities that try to redirect traffic flow within a network. Currently, routing protocols are protected using cryptographic authentication (MD5 with Pre-Shared Key) between peers. This protection mechanism will not be changing with IPng. BGP has been updated to carry IPv6 routing information.
6) Malware:
There is no particular implementation in IPv6 which will allow changing the classical approach to malware. However, worms that use the internet to find vulnerable hosts may find difficulties in propagation due to the large address space.
7) Sniffing:
This is the classical attack that involves capturing data in transit across a network. IPv6 provides the technology for the prevention of these types of attacks with IPSec, but it does not simplify the problems for keys management. For this reason, this technique can still continue to be practiced.
Here we refer to all those types of attacks performed at Layer 7 of the OSI model. Also considering a worldwide adoption of IPSec, this type of attacks will remain almost unchanged. Buffer Overflow, Web Applications Vulnerability, etc., cannot be stopped through the IPv6 adoption. There is also another consideration: if IPSec will be implemented as a standard for communication between endpoints, all devices such as IDS/IPS, firewalls and antivirus will only see encrypted traffic, promoting this type of attacks.
9) Man-in-the-Middle:
The IPv6 is subjected to the same security risks that we may encounter in a man-in-the-middle attack that affects the suite of IPSec protocols.
Conclusions:
Without a doubt, IPv6 represents a big step forward compared to its predecessor. The entire suite of protocols has been designed to bring improvements in both functionality and security. However, despite these, IPv6 raises new challenges in both these fields, without considering the transition problems that occur. In short, it is definitely something that will give much fun to Information Security professionals.
Labels:
Information,
internet,
Security,
Technology