Yes IPv6 is here and it's not going away. IPv6 is suppose to give us a
warm fuzzy feeling in that we now have an ip address schema
that would allow for very hair on your body and on every living and
breathing person to be addressed, & with a ipv6 address.
IPv6 has been around & available for internet devices back around 1995.
But the growth of ipv6 didn't fully take off till 2002. During this
period the on-lookers and vendors hawked over when will ipv4 be fully
exhausted. Well guess what ? that day came around 2009 when the last ipv4
allocations where slowly chewed up. We went from crawling on our
bellies and now we are at least crawling on our elbows forward with
deployments of ipv6.
Now let's look at some of the basics risks and things to think about with ipv6. I'm going to give you 10 of my rants on the matter and how it relates to ipv6.
1: nobody knows anything about it.
Yes we have a ipv6 protocol out with very little used in the modern
world. Asia is the biggest user by far and America is playing catch up.
Understanding of the technology, headers, and now even more header
extensions and privacy extension and just on what it (ipv6) can do; "
is not 100% clear or educated within the IT community and the network
and security members are lost with no guidance"
2: Just like in ipv4 , source-routing was identified as risk, will guess what? " it's a risk & flawed in ipv6 as well"
btw in ipv6 it's know as route-header-0 or RH0 for short.
In ipv6
routers look at the outer ipv6 header, but must also process any extended
next-hop-header before handling any of the transport payload. This opens
a door to a security risk if we choose to send a packet between 2
nodes or a few nodes and back and forth. Not very smart nor a good
ideal.Most end-users devices are RH0 disable, but a lot of l3 devices
are not.
3: Most vendors, & yes that includes cisco, has weak to no
security mechanisms in place for access-ports or end users.
So as it
stands, one could become a router ipv6 router spew rogue RA
advertisements with no means to controls this activity. It's basically
the wild-wild-west again!
4: DAD exploits & flooding of neighbor announcements or other solicitations request can't be prevent
This kinds of lead off rant #3, & lack of enterprise networks
security controls in effected. And we need these issues addressed before
we can really move forward in the enterprise sector imho.
Since ICMPv6 is mandatory for ipv6 and all hosts uses it ( you can't block it or deny it ), it's easier to exploit a lot features around this. For example , with ipv6 DAD ( duplicate address detection), which is the equivalent to ipv4 duplicate address warning, a host could easily flood rogue DAD response to new ipv6 clients that are coming up and attempting to gain a ipv6 address and who are trying to determine if their address is already in use. This DoS could greatly effect any new host attempting to gain access to the LAN.
Rogue Route Advertisements ( RAs) could easily be crafted and sent over the local-link and cause major disruption in services to valid hosts.
Granted most of these DoS attacks, requires direct LAN access and can not be exploited remotely.
5: IPS appliances are very limited in detecting L3 attacks within ipv6 traffic flows
Every IPS/IDS mfg'er are claiming they are developing towards this, but most
of the work and development is dependent on when and if the majority
(ipv4) users ever get rolling into the ipv6 space.
So it's a chicken and egg, we
need IPS and Anomaly mitigation gear, but no one is really working
towards this, due to no one is really moving in leaps and bounds
towards ipv6 networks.
The DDoS protection community is also behind the curve in this area. For example, the DDoS security provider I work for, has no ipv6 infrastructure, in place & no immediate plans for adding this. Also using the simple protection
method; acls, Src RTBH or Dst RTBH ,etc.... becomes a challenge when
you have a whole world as a possible source of spoof'd address just awaiting to be
used by the unethical types.
6: A lot of business applications are not ipv6 ready
Take mysql, I did a project with a ipv4-2-v6 transition team a while back,
and we check all of everything and found that their mysql backends
where not ipv6 ready. The mysql community quickly camed up with a build , but it had problems and a lot of problems. So the customer was
stuck with building the webapp-to-dbservers connections and stayed with ipv4
until a few release had past of the mysql ipv6 supported server. And only moved over once it was tested and
debug heavily. It was a few months of nail bitting when they finally
bit the bullet and move to the new mysql-servers in late 2009 they
encounter a problems still :)
7: SOHO and home-users devices, don't support or speak ipv6
Yes find a printer that you like at Office Depot, "nine out of ten times", it
probably has no clue about ipv6. So thinking about using it in your ipv6
only network, forget about it! or at least for now :)
8: IPv6 multicast is now integral in operation
Due to this, we have no real way to filter and controls with in the
LAN & with mcast requests. It's safe to assume all ipv6 devices are
listening on a ff02 mcast group and on a ff02::1 or ff02::1
Take for example a ND
solicitations.
IPv6 Multicast Group Memberships
Group Link-layer Address Netif
ff01::1%en1 33:33:0:0:0:1 en1
ff02::1%en1 33:33:0:0:0:1 en1
So it's easy to create misused data and flow towards an adjacent host.
Multicast -rate-limits within l2/l3 ipv6 enable switches, don't really
exist like that for ipv4. ND flooding and spoof attacks done locally,
could easily bring a network to it's knees. One day and just for a fun
of it, I'm going to spoof my mac_address to that of a the
33:33:00:00:00:01 or 02 and see what happens :)
9: ip-reputation filtering will be impractical for the most part in ipv6 network worlds
Think about this for a second to see how funny it is; We increase the ipv6 address to a whopping
340,282,366,920,938,463,463,374,607,431,768,211,456 address
( Don't ask me how to say that. Just say that huge and wide :) )
Even a
defacto /64 prefix is a whopping big & 18+trizillion or so address. Could
you see the management nightmare in this concept & how it plays with ip reputations and scoring? and than management of the blacklists?
Laughable at best
when you try to overlay our ipv4 ways and methods of thinking and with using old school methods with
ip_address reputation scoring. Ipv6 is not going to have a chance with
reputation scoring systems.
10: SLAAC and eui64 address , could expose the end-user unintentionally
Yes your nic interface mac-address can be used against you. You
connect to a systems and now we have a little bit more information
about you hardware. Privacy extension does help, but they are not used
as much in some camps, due to it makes management and monitoring of
internal users just that much harder.
Okay one good piece of news.
As a Pen-Tester, Ethical and former un-Ethical hacker, ipv6 make
it's 100K times harder to simply blind port scan for an active hosts in a network range. Due to the shear size of the range :)
Yes pen-test will now become more of a grey-box vrs black-box services. Possibly even become majority white-boxes only.
To shed some light on how
funny it becomes. The biggest ipv6 network that I worked on, was at a
college that had roll out 3 of it's /64 from it's /48 assignment. The
total active ipv6 hosts was like .00000001 of 1% of a single /64.
Just think how long a port-scan could take just to find an active host?
I'm talking about the potential of searching thru just over 1million
hosts. To put this into simpler terms, " it would be like trying to find a needle in one haystack in field with over 10+K other haystacks"
And with privacy-extensions, a host that you might find today, could
be gone tomorrow or you could simply just miss it on the 1st wave of
your probes. :)
Will enough about IPv6, please follow my blog & more's to come . I would like to leave you a few links to follow
http://test-ipv6.com/
http://www.demyo.com
http://socpuppets.com
kfelix Security Architect & Engineer
Freelane Network and Security Professional
No comments:
Post a Comment