Network Security Axioms

IP Version 6 Changes Things

In use today on some networks, IP version 6 (IPv6) is getting more and more attention for use in both new and existing networks. The U.S. Department of Defense, for example, has stated that its goal is to migrate to IPv6 fully by 2008. Although most U.S.-based organizations have been slow to embrace IPv6, other parts of the world that have far less generous IPv4 address reserves see IPv6 as the only answer. In researching IPv6 security, I found that the vast majority of security discussions around IPv6 center on its mandatory inclusion of IPsec support. Although IPsec is certainly useful for security, the idea that it can be ubiquitously used for all traffic will not be realistic at any point in the immediate future. This is because all the problems that have hindered IPv4 IPsec use (key management, configuration complexity, and so on) will remain when moving to IPv6.

Although there are some areas of IPv6 that are encouraging from a security standpoint, most of the same problems from IPv4 remain. The following brief introduction highlights some of the security benefits and risks IPv6 can bring. This list is certainly incomplete because the security community as a whole is just beginning to explore the possibilities relating to IPv6 threats. Elements of IPv6 are still changing in the standards process, so there might be new risks and benefits that come to light in the future. The following are some high-level benefits of using IPv6 as opposed to IPv4:

• Larger subnets complicate scanning Because IPv6 has a default subnet size of 64 bits (over 18 quintillion addresses), the ability for attackers to scan an entire subnet using traditional means is going to be largely eliminated.
• Larger subnets complicate worm propagation Today's worms such as SQL Slammer would be unable to propagate at anywhere near the same rates in an IPv6 network.
• Link-local addressing complicates infrastructure attacks IPv6 includes a special set of addresses that remain local to a given subnet. By using these addresses for infrastructure communication, spoofing attempts can be easily spotted and prevented.
• IPsec is a mandatory feature Because IPsec is a required component of any interoperable IPv6 stack, the ability to use IPsec more broadly is a big benefit. Key management issues remain the same as in IPv4, however.

The following are some high-level risks of moving from IPv4 to IPv6:

• Lack of operator experience The community has been working with IPv4 for many years; although IPv6 is similar, significant differences open the door for insecure configurations, which may wind up on a production network. To date, most network and security professionals have very little knowledge of IPv6.
• Address and configuration complexity increases human errors Unless changes are made to the way networks are configured and managed, the increased size and complexity of IPv6 addresses increase the chances of operators making mistakes in configurations, regardless of the level of their training.
• Immaturity of software We are still finding problems with various implementations of IPv4 in products. The introduction of IPv6 is likely to bring all new implementation flaws, given the relative lack of experience developers have with the protocol.
• Legacy problems remain Most of the same issues with IPv4 from a protocol operation standpoint remain with IPv6. For example, the ARP attacks described in Chapter 6 "General Design Considerations," are replaced by attacks against the IPv6 equivalent: neighbor discovery (ND).
• Transition techniques can create vulnerabilities The various techniques used to transition to IPv6 have several potential security flaws. For example, running a PC in "dual-stack" configuration with both IPv4 and IPv6 can allow an attacker to access the system over IPv6, which might not be as well secured. (Current personal firewalls, for example, might only protect the IPv4 stack.) As another example, the various tunneling techniques used to communicate between IPv4 and IPv6 networks can allow new methods of spoofing traffic.

Overall, the most important thing is for operators of networks that are migrating to IPv6 to educate themselves as much as possible about IPv6 beforehand. Most of the core concepts of this book do not change when moving to IPv6, but it will be some time before well-tested best practices for IPv6 network design are established.