IPv6 Security Overview: a Small View regarding the Future

Introduction:

The current version regarding Internet Protocol is IPv4. This is used toward send data over the Internet furthermore makes interaction between different services possible. As all experts know, this protocol has significant limitations, such as the maximum addressing space furthermore some known security issues. The security problems, in many ways, depend at the original development project, which certainly did not have “security” as a determining factor, furthermore the whole final environment was considered a friendly one. However, over the years, as response toward these deficiencies furthermore in consideration regarding a global network in rapid growth, new technologies, like SSL/TLS furthermore IPSec, have been introduced toward remedy these issues.

Despite these enhancements, however, the whole architecture is still missing that level regarding security furthermore flexibility expected. As result regarding these known limitations, a new project beneficial to a new Internet Protocol has been designed by the IETF in the early 90′, having in mind “ease-of-configuration”, performance furthermore security. In this post we will analyze the features regarding the new suite regarding internet protocols,its advantages furthermore disadvantages, as well as the possible implications from a security point regarding view.

The Old Version Four

To better understand the actual new features regarding IPv6, we must first know its predecessor’s. As already mentioned, IPv4 was designed with no security in mind. This means that security in communications through this suite regarding protocols must or should be guaranteed by “end-nodes”. If I need toward send or receive highly sensitive data, furthermore then use a secure channel (encryption?), it’s the responsibility regarding that application toward provide that service. Currently, the Internet works this way. This, furthermore many others characteristics that will not be covered in this post, has allowed various types regarding threats toward take off in the digital world. The most famous regarding these are certainly:

1) Reconnaissance Attacks:

This type regarding attack takes place thanks toward the relative small size regarding IPv4 addressing, since a whole network can be scanned toward find open and/or unpatched services. In fact, it is quite easy toward perform a reconnaissance scan regarding a class C network in a few minutes. In this category we can add “Ping Sweep” (sweep a network with ICMP ping messages that solicit a reply), “Port Scan” (to find active furthermore reachable services) furthermore “Application Vulnerability Scan” (to find known vulnerabilities in discovered services).

2) Denial regarding Service Attacks:

In this type regarding attack, a service is rendered unavailable through a flood regarding large amounts regarding illegitimate requests. It’s possible toward mention beneficial to this category the smurf attack (remember?).

3) Man-in-the-middle Attacks:

The lack regarding its own authentication mechanism in communications allows hackers toward intercept data in transit.

4) ARP poisoning Attacks:

In IPv4, ARP (Address Resolution Protocol) is responsible beneficial to mapping a host’s IP address with its physical MAC address. This information is stored locally (ARP Table) by each host which is part regarding the communication. The “ARP Poisoning” attack occurs when an arbitrary ARP reply with incorrect information inside is sent toward a host which is part regarding the communication, implying that legitimate packets will arrive at unforeseen destinations.

5) Address Spoofing Attacks:

In the current communication protocols, one regarding the keys toward complete cyber attacks is the ability toward modify the source address regarding a packet. IPv4 allows this possibility since it does not provide any type regarding source-to-end authentication mechanism. Today these types regarding attacks are used toward spread spam, malware furthermore also toward perform DoS/DDoS attacks. IP spoofing also allows masking the true origin regarding the malicious packets, making the tracking operations more complex.

6) Malware Attacks:

Malware, today, remains one regarding the biggest security-related problems. Currently, with IPv4, malware can not only damage the host affected, but also saturate (or use part of) the network resources in place. It’s necessary toward clarify that, with the advent regarding IPv6, there was no way toward eradicate these threats, furthermore the conception regarding the potential damage by malware infection will essentially remain the same. It’s possible toward assume that, however, due toward the broader spectrum regarding addressing, its spread could be slower.

What’s New in IPv6?

As previously stated, IPv6 is not IPv4′s upgrade but a totally new suite regarding protocols. This means that the differences between the two are very marked:

1) Address Space:

IPv4 provides as many as 2^32 addresses. IPv6 provides as many as 2^128 addresses.

2) Hierarchical Addressing:

In IPv6 we can find 3 major types regarding addresses: Unicast, Multicast furthermore Anycast. Unicast addresses are assigned toward a single node. Multicast addresses are assigned toward multiples node within a single multicast group while anycast addresses are assigned toward groups regarding nodes.

3) QoS (Quality-of-Service) furthermore Performances:

The IPv6 packet header provides beneficial to fields that facilitate the support beneficial to QoS. In addition, the new standard is a big step forward in terms regarding performance.

4) Security:
The use regarding IPSec in IPv6 is not optional, but mandatory.

5) Extensibility:

Despite the new features furthermore the considerable increase regarding addressing space, the IPv6 header is only slightly larger than that regarding IPv4 (practically just twice, 40 bytes). The IPv6 header does not include any optional fields or a checksum.

In IPv4, the IPv4 header is followed by data regarding transport protocol (TCP, UDP), also known as “payload".

IPng vs Old Attacks

In this section we will analyze some regarding the most popular cyber attacks in a perspective focused at the comparison furthermore at the possible impact regarding these with the IPng.

1) Reconnaissance Attacks:

Reconnaissance attacks, in IPv6, are different beneficial to two major reasons: The first is that “Ports Scan” and/or “Ping Sweep” are much less effective in IPv6, since of, as already said, the vastness regarding the subnet into play. The second is that new multicast addresses in IPv6 will allow finding key systems in a network easier, like routers furthermore some type regarding servers. In addition, the IPv6 network has a much closer relationship with ICMPv6 (compared toward the IPv4 counterparty ICMP) which does not allow too aggressive filters at this protocol. For the rest, the techniques remain the same.

2) Over the Wall:

This class will discuss the type regarding attacks in which an adversary tries toward exploit little restrictive filtering policies. Currently, we are used toward developing access lists (ACLs) toward restrict unauthorized access toward the network we want toward be protected by set specific policies at gateway devices in between the IPv4 endpoints. The need beneficial to access control is the same in IPv6 as in IPv4. In IPv6, the basic functions beneficial to mitigation regarding unauthorized access are the same. However, considering the significant differences between the headers regarding the two protocols, it is possible toward imagine different ways toward implement them.

3) Spoofing Attacks:

While L4 spoofing remains the same, due toward the globally aggregated nature regarding IPv6, spoofing mitigation is expected toward be easier toward deploy. However the host part regarding the address is not protected. Layer 4 spoofing attacks are not changed, since L4 protocols do not change in IPv6 with regard toward spoofing.

4) DDoS Attacks:

In IPv6, we cannot find the broadcast address. This means that all resulting amplification attacks, like smurf, will be stopped. IPv6 specifications forbid the generation regarding ICMPv6 packets in response toward messages toward IPv6 multicast destination address, a link-layer multicast address or a link-layer broadcast address. In general, through the adoption regarding the new standard, we should find an improvement in this regard.

5) Routing Attacks:

Routing attacks refer toward activities that try toward redirect traffic flow within a network. Currently, routing protocols are protected using cryptographic authentication (MD5 with Pre-Shared Key) between peers. This protection mechanism will not be changing with IPng. BGP has been updated toward carry IPv6 routing information.

6) Malware:

There is no particular implementation in IPv6 which will allow changing the classical approach toward malware. However, worms that use the internet toward find vulnerable hosts may find difficulties in propagation due toward the large address space.

7) Sniffing:

This is the classical attack that involves capturing data in transit across a network. IPv6 provides the technology beneficial to the prevention regarding these types regarding attacks with IPSec, but it does not simplify the problems beneficial to keys management. For this reason, this technique can still continue toward be practiced.

8) L7 Attacks:

Here we refer toward all those types regarding attacks performed at Layer 7 regarding the OSI model. Also considering a worldwide adoption regarding IPSec, this type regarding attacks will remain almost unchanged. Buffer Overflow, Web Applications Vulnerability, etc., cannot be stopped through the IPv6 adoption. There is also another consideration: if IPSec will be implemented as a standard beneficial to communication between endpoints, all devices such as IDS/IPS, firewalls furthermore antivirus will only see encrypted traffic, promoting this type regarding attacks.

9) Man-in-the-Middle:

The IPv6 is subjected toward the same security risks that we may encounter in a man-in-the-middle attack that affects the suite regarding IPSec protocols.

10) Flooding Attacks:The core principles regarding a flooding attack remain the same in IPv6.

Conclusions:

Without a doubt, IPv6 represents a big step forward compared toward its predecessor. The entire suite regarding protocols has been designed toward bring improvements in both functionality furthermore security. However, despite these, IPv6 raises new challenges in both these fields, without considering the transition problems that occur. In short, it is definitely something that will give much fun toward Information Security professionals.