Monday, October 15, 2012

IPv6 rant

Yes, IPv6 is here and it's not going away. IPv6 is supposed to give us a warm fuzzy feeling in that we now have an IP address scheme that would allow every hair on your body, and on every living and breathing person, to be addressed with an IPv6 address.

IPv6 has been around and available for internet devices since around 1995, but its growth didn't really take off till 2002. During this period the onlookers and vendors hawked over when IPv4 would be fully exhausted. Well, guess what? That day came around 2009, when the last IPv4 allocations were slowly chewed up. We went from crawling on our bellies and now we are at least crawling forward on our elbows with deployments of IPv6.

Now let's look at some of the basic risks and things to think about with IPv6. I'm going to give you 10 of my rants on the matter and how they relate to IPv6.

1: Nobody knows anything about it.

Yes, we have an IPv6 protocol out there that is very little used in the modern world. Asia is the biggest user by far and America is playing catch-up. Understanding of the technology, the headers, the ever-growing list of header extensions, the privacy extensions and just what IPv6 can do is not 100% clear or educated within the IT community, and the network and security members are lost with no guidance.

2: Just like in IPv4, source routing was identified as a risk. Well, guess what? It's a risk and flawed in IPv6 as well.

BTW, in IPv6 it's known as routing header type 0, or RH0 for short.

In IPv6, routers look at the outer IPv6 header but must also process any extension headers in the next-header chain before handling any of the transport payload. This opens the door to a security risk: with RH0 the sender picks the path, so a packet can be bounced between two or a few nodes back and forth. Not very smart nor a good idea. Most end-user devices have RH0 disabled, but a lot of L3 devices do not.
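To make the RH0 point concrete, here is an added example (not from the original post) that walks an IPv6 extension-header chain the way a router has to, pulls out the Routing header, and flags a type-0 header that still has segments left. The sample packet builder, its addresses and the all-zero waypoints are constructed for the demo.

```python
import struct
# IANA next-header numbers for the IPv6 extension headers a router must walk through.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}
ICMPV6 = 58

def walk_headers(pkt: bytes):
    """Return [(protocol, offset, length), ...] for every extension header in the
    chain, ending with the upper-layer protocol (length None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    chain, nxt, off = [], pkt[6], 40
    while nxt in EXT_HEADERS and off + 8 <= len(pkt):
        if nxt == FRAGMENT:
            hlen = 8                          # fragment header is fixed size
        elif nxt == AUTH:
            hlen = (pkt[off + 1] + 2) * 4     # AH: length field is in 4-octet units minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8     # others: 8-octet units, first 8 octets not counted
        chain.append((nxt, off, hlen))
        nxt, off = pkt[off], off + hlen
    chain.append((nxt, off, None))
    return chain

def routing_header(pkt: bytes):
    """(routing_type, segments_left) of the first Routing header, or None."""
    for proto, off, _ in walk_headers(pkt):
        if proto == ROUTING:
            return pkt[off + 2], pkt[off + 3]
    return None

def is_rh0_risky(pkt: bytes) -> bool:
    """Type-0 Routing header with segments left: the sender is dictating the forwarding path."""
    rh = routing_header(pkt)
    return rh is not None and rh[0] == 0 and rh[1] > 0

def build_sample(routing_type=0, waypoints=2) -> bytes:
    """Constructed packet: IPv6 header [-> Routing header] -> ICMPv6 echo request (checksum zero)."""
    src = bytes([0xfe, 0x80] + [0] * 13 + [1])              # fe80::1
    dst = bytes([0x20, 0x01, 0x0d, 0xb8] + [0] * 11 + [1])  # 2001:db8::1 (documentation prefix)
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)
    if routing_type is None:
        body, nxt = icmp, ICMPV6
    else:
        hops = bytes(16 * waypoints)  # placeholder waypoint addresses (all zero)
        body = struct.pack("!BBBBI", ICMPV6, 2 * waypoints, routing_type, waypoints, 0)
        body, nxt = body + hops + icmp, ROUTING
    return struct.pack("!IHBB", 6 << 28, len(body), nxt, 64) + src + dst + body
```

`is_rh0_risky(build_sample())` is the case an edge filter or IDS rule should drop or alert on; a type-2 Routing header or one with zero segments left is not flagged.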

3: Most vendors, and yes that includes Cisco, have weak to no security mechanisms in place for access ports or end users.

So as it stands, any host could become an IPv6 router and spew rogue RA advertisements with no means to control this activity. It's basically the wild, wild west again!

4: DAD exploits and flooding of neighbor announcements or other solicitation requests can't be prevented

This kind of leads on from rant #3 and the lack of enterprise network security controls in effect. We need these issues addressed before we can really move forward in the enterprise sector, IMHO.

Since ICMPv6 is mandatory for IPv6 and all hosts use it (you can't block it or deny it), it's easier to exploit a lot of features around this. For example, with IPv6 DAD (duplicate address detection), which is the equivalent of the IPv4 duplicate address warning, a host could easily flood rogue DAD responses at new IPv6 clients that are coming up, attempting to gain an IPv6 address and trying to determine if their address is already in use. This DoS could greatly affect any new host attempting to gain access to the LAN.

Rogue Router Advertisements (RAs) could easily be crafted and sent over the local link and cause major disruption of services to valid hosts.

Granted, most of these DoS attacks require direct LAN access and cannot be exploited remotely.
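Since the post says these can't be prevented on the access port, the defender's fallback is to at least see them. This added example (not from the original post) runs three simple checks over ND events already decoded from a capture: an RA from a node not on a known-router list, a burst of Neighbor Advertisements from one MAC, and one MAC answering DAD probes for several different new addresses. The allow-list, thresholds and the sample events are constructed.

```python
from collections import defaultdict

ICMP6_RA, ICMP6_NS, ICMP6_NA = 134, 135, 136
# Constructed allow-list: (link-local address, MAC) of the routers that should send RAs.
KNOWN_ROUTERS = {("fe80::1", "00:11:22:33:44:01")}

def analyse_nd(events, na_burst=20, dad_claims=3, window=1.0):
    """events: (ts, src_ip, src_mac, icmp_type, target) tuples already decoded from
    ICMPv6 ND messages. Returns [(ts, finding, src_mac), ...]."""
    findings = []
    dad_probes = {}                 # target address -> ts of the last DAD NS (source ::)
    na_times = defaultdict(list)    # src_mac -> recent NA timestamps
    dad_targets = defaultdict(set)  # src_mac -> DAD-probed targets it has claimed to own
    for ts, src_ip, src_mac, itype, target in events:
        if itype == ICMP6_RA and (src_ip, src_mac) not in KNOWN_ROUTERS:
            findings.append((ts, "rogue RA", src_mac))
        elif itype == ICMP6_NS and src_ip == "::":
            dad_probes[target] = ts  # a new host asking whether anyone owns this address
        elif itype == ICMP6_NA:
            recent = [t for t in na_times[src_mac] if ts - t <= window] + [ts]
            na_times[src_mac] = recent
            if len(recent) == na_burst:  # alert once, when the burst threshold is reached
                findings.append((ts, "NA flood", src_mac))
            if target in dad_probes and ts - dad_probes[target] <= window:
                dad_targets[src_mac].add(target)
                if len(dad_targets[src_mac]) == dad_claims:  # one MAC "owns" every new address
                    findings.append((ts, "DAD spoofing", src_mac))
    return findings

# Constructed capture: one legitimate router, then an unknown node that advertises
# itself as a router and answers every DAD probe it sees.
SAMPLE = [
    (0.00, "fe80::1",   "00:11:22:33:44:01", ICMP6_RA, None),
    (0.10, "fe80::bad", "de:ad:be:ef:00:01", ICMP6_RA, None),
    (0.20, "::",        "00:11:22:33:44:aa", ICMP6_NS, "2001:db8::aa"),
    (0.21, "fe80::bad", "de:ad:be:ef:00:01", ICMP6_NA, "2001:db8::aa"),
    (0.30, "::",        "00:11:22:33:44:bb", ICMP6_NS, "2001:db8::bb"),
    (0.31, "fe80::bad", "de:ad:be:ef:00:01", ICMP6_NA, "2001:db8::bb"),
    (0.40, "::",        "00:11:22:33:44:cc", ICMP6_NS, "2001:db8::cc"),
    (0.41, "fe80::bad", "de:ad:be:ef:00:01", ICMP6_NA, "2001:db8::cc"),
]

if __name__ == "__main__":
    for ts, what, mac in analyse_nd(SAMPLE):
        print(f"t={ts:.2f} {what:<13} from {mac}")
```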

5: IPS appliances are very limited in detecting L3 attacks within IPv6 traffic flows

Every IPS/IDS manufacturer is claiming they are developing towards this, but most of the work and development is dependent on when and if the majority (IPv4) users ever get rolling into the IPv6 space.

So it's chicken and egg: we need IPS and anomaly mitigation gear, but no one is really working towards this, because no one is really moving in leaps and bounds towards IPv6 networks.

The DDoS protection community is also behind the curve in this area. For example, the DDoS security provider I work for has no IPv6 infrastructure in place and no immediate plans for adding it. Also, using the simple protection methods (ACLs, source RTBH or destination RTBH, etc.) becomes a challenge when you have a whole world of possible spoofed source addresses just waiting to be used by the unethical types.

6: A lot of business applications are not IPv6 ready

Take MySQL. I did a project with an IPv4-to-IPv6 transition team a while back, and we checked everything and found that their MySQL backends were not IPv6 ready. The MySQL community quickly came up with a build, but it had problems, a lot of problems. So the customer was stuck building the webapp-to-DB-server connections over IPv4 and stayed with IPv4 until a few releases of the IPv6-supported MySQL server had passed, and only moved over once it was tested and debugged heavily. It was a few months of nail biting, and when they finally bit the bullet and moved to the new MySQL servers in late 2009 they still encountered problems :)

7: SOHO and home-user devices don't support or speak IPv6

Yes, find a printer that you like at Office Depot; nine out of ten times it probably has no clue about IPv6. So thinking about using it in your IPv6-only network? Forget about it! Or at least for now :)

8: IPv6 multicast is now integral to operation

Due to this, we have no real way to filter and control multicast requests within the LAN. It's safe to assume all IPv6 devices are listening on an ff02 multicast group, ff02::1 or ff02::2.

Take for example the group memberships behind ND solicitations:

IPv6 Multicast Group Memberships
Group                   Link-layer Address      Netif

ff01::1%en1             33:33:0:0:0:1           en1
ff02::1%en1             33:33:0:0:0:1           en1

So it's easy to create misused data and flows towards an adjacent host. Multicast rate limits within L2/L3 IPv6-enabled switches don't really exist like they do for IPv4. ND flooding and spoofing attacks done locally could easily bring a network to its knees. One day, just for the fun of it, I'm going to spoof my MAC address to that of 33:33:00:00:00:01 or 02 and see what happens :)

9: IP reputation filtering will be impractical for the most part in the IPv6 world

Think about this for a second to see how funny it is: we increase the IPv6 address space to a whopping 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses.

(Don't ask me how to say that. Just say it's huge and wide :) )

Even a de facto /64 prefix is a whopping 18+ quintillion or so addresses. Can you see the management nightmare in this concept and how it plays with IP reputation and scoring? And then the management of the blacklists?

Laughable at best when you try to overlay our IPv4 ways and methods of thinking, using old-school methods of IP address reputation scoring. IPv6 is not going to have a chance with reputation scoring systems.

10: SLAAC and EUI-64 addresses could expose the end user unintentionally

Yes, your NIC's MAC address can be used against you. You connect to a system and now we have a little bit more information about your hardware. Privacy extensions do help, but they are not used as much in some camps, because they make management and monitoring of internal users just that much harder.
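Here is an added example (not from the original post) showing the two address mappings behind rants #8 and #10: how a MAC becomes an EUI-64 SLAAC address and can be read back out of it (and why a privacy-extension address doesn't give it up), plus how a unicast address maps to its solicited-node group and how an ff02 group maps to the 33:33 Ethernet address in the membership table above. The prefix, MACs and addresses are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: split in half, insert ff:fe, flip the U/L bit."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address for a /64 prefix and a MAC (the address a host builds without DHCPv6)."""
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))

def mac_from_address(addr: str):
    """Recover the MAC if the interface ID looks EUI-64 derived, else None.
    A privacy-extension identifier is random and normally fails the ff:fe test."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in m)

def solicited_node_group(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX from the low 24 bits of a unicast address; every host joins this
    group for each address it holds, which is why ND traffic to it cannot simply be filtered."""
    low = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low)

def multicast_mac(group: str) -> str:
    """Ethernet address for an IPv6 multicast group: 33:33 followed by the group's low 32 bits."""
    low = ipaddress.IPv6Address(group).packed[12:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low)

if __name__ == "__main__":
    a = slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55")  # constructed prefix and MAC
    print(a, "->", mac_from_address(str(a)))
    print(solicited_node_group(str(a)), multicast_mac(str(solicited_node_group(str(a)))))
    print("ff02::1 ->", multicast_mac("ff02::1"))
```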

Okay, one good piece of news.

As a pen-tester, ethical and former unethical hacker, IPv6 makes it 100K times harder to simply blind port scan for active hosts in a network range, due to the sheer size of the range :)

Yes, pen-tests will now become more grey-box vs. black-box services. Possibly even become majority white-box only.

To shed some light on how funny it becomes: the biggest IPv6 network that I worked on was at a college that had rolled out 3 of its /64s from its /48 assignment. The total active IPv6 hosts was like .00000001 of 1% of a single /64.

Just think how long a port scan could take just to find an active host.

I'm talking about the potential of searching through just over 1 million hosts. To put this into simpler terms, it would be like trying to find a needle in one haystack in a field with over 10K other haystacks.

And with privacy extensions, a host that you might find today could be gone tomorrow, or you could simply just miss it on the 1st wave of your probes. :)

Well, enough about IPv6. Please follow my blog; more's to come. I would like to leave you with a few links to follow

kfelix, Security Architect & Engineer
Freelance Network and Security Professional
