IPv6 Security Weaknesses And Mitigation Approaches


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.


Abstract

One of the main purposes of the development of IP version 6 is to create a new protocol that is more stable and more secure than IPv4 and has a significantly larger IP address space. The new Internet protocol provides extensibility, enhanced security and end-to-end communication. However, as a new technology, the protocol presents some security weaknesses, both in the header format and in the other protocols related to it. This report examines the different IPv6 security vulnerabilities and show some method that will . The IPv6 security vulnerabilities are classified under three categories: the IPv6 main header fields, the IPv6 extension headers and the Neighbour Discovery Protocol (NDP). This report also summarizes the current level of IPv6 security and how developments can improve it and ultimately secure against these IPv6 security vulnerabilities. Additionally, it mentions how IPv6 uses Stateless Auto Address Configuration (SLAAC) rather than DHCP to provide endpoints with IP addresses.

Introduction

Computers and devices using the IPv4 protocol are assigned a unique identifier, called an IP address, used to route messages through the different network devices from source to destination. This identifier is a 32-bit number written as four numbers, each from 0 to 255 and separated by dots, for ease of handling. A new protocol (IPv6) has been created to resolve major problems and to guarantee a good level of security in the future. It uses a 128-bit IP address, so IPv6 has 2^96 times more addresses than IPv4. In reality, however, considering that the smallest IPv6 subnet is 64 bits long, it is more suitable for protocol version 6 to talk about a total space of 2^64 subnets with 2^64 possible addresses in each one.

IPv6 security weaknesses and mitigation approaches

According to Patel, J. (2010), there is no doubt that the IPv6 protocol has many advantages over IPv4, and the new technology is already available for real-world use. Exploitation of IPv6 security vulnerabilities could make the advantages of IPv6 suboptimal. This section surveys IPv6 protocol vulnerabilities as well as their impact on IPv6 packet transmissions. RFC 4942 classifies the vulnerabilities related to IPv6 into three categories: vulnerabilities due to the IPv6 protocol itself, vulnerabilities of IPv6 transition, and vulnerabilities in IPv6 deployment. This paper focuses on the first and categorizes the vulnerabilities of the IPv6 protocol into three groups. The three groups are identified based on the three main features of IPv6 that are also its advantages: the IPv6 main header, the IPv6 extension headers and IPv6 associated protocols such as NDP and ICMPv6.

What is IPsec

IPv6 explicitly supports the IPsec (Internet Protocol Security) security model, which affords transparency, integrity and confidentiality for end-to-end communications. IPsec is a set of open protocols designed to provide security for communications at the OSI network layer and consequently for all upper-layer protocols. In IPv4, IPsec is defined in a specification separate from the IPv4 protocol itself, so it is added through mechanisms defined outside the protocol, whereas in IPv6 the very "extensible" nature of the protocol allows IPsec to be implemented in a natural way. It is also important to highlight that IPv6 enables the use of IPsec, but not IPsec's specific encryption and authentication mechanisms. IPsec offers two modes of operation, each providing a distinct level of security.

Firstly, transport mode ensures that the IP payload is encrypted and/or authenticated, but the headers are not covered. It has the benefit that it can be used end-to-end but, on the other hand, the header data, such as the source and destination IP addresses, are readable.

Secondly, tunnel mode, run on a platform or gateway, encapsulates the original packet in another packet. Through this, the entire original packet is encrypted and/or authenticated, but a gateway is required for the tunnelling.

Other IPv6 Vulnerabilities and Security Holes

According to Hogg, S. (2009), IPv6 Security offers guidance for avoiding security problems prior to widespread IPv6 deployment. The generic approach is to implement an access control list (ACL) on switch ports, a feature supported by most vendors in part because the feature was also present under IPv4. Note, though, that the more complex headers in IPv6 can make ACL implementation trickier than in IPv4. Some vendors implement in-house solutions, such as Cisco with its Router Advertisement Guard. However, even the security plugs can have holes. Another risk zone is tunnelling. As discussed before, tunnelling between the IPv4 and IPv6 protocols helps with interoperability between the two networks, but it can also be a risk if tunnel paths aren't monitored as part of an existing IPv4 security policy. Through such a tunnel, a malicious connection could leverage an IPv6 stream working within an improperly configured IPv4 system. Often, the tools for proper security are already included with IPv6, but it falls to users to learn how to configure and manage the new protocol for maximum benefit.

According to Bucholtz, S. (2011), DNSSEC, in a nutshell, protects DNS, as used on IP networks, from forged DNS data by validating records with public-key cryptography. Although it does offer integrity via authentication, it does not offer privacy. IPsec encrypts and authenticates IP communication, providing both confidentiality and integrity. Both are essential, but they are not catch-all security nets, and neither will defend IPv6 networks from DDoS attacks; at best, they may alleviate some of the effects.

Elimination of NAT

Cisco's security research engineer Carter, E. (2011) argued that with IPv4, most home firewalls apply a default configuration that uses dynamic NAT to make many internal systems appear to the external world as a single IP address. By default, this configuration typically only permits outbound connections from your internal network while denying any connections initiated from the Internet to your internal systems. This default configuration offers security to home networks by limiting incoming traffic, while still allowing your computers to easily access the Internet. With IPv6, however, addresses are not as limited, so NAT is no longer needed. The disadvantage is that the default setup for home IPv6 firewalls is likely to be much more open, to ensure that your internal devices can access the Internet. From a security viewpoint, in many circumstances this may be similar to plugging your computer directly into your cable modem. Thus, you must make sure that you apply ACLs to limit access into your IPv6 home network.

Transport Protocol Filtering

In IPv4, people use extended ACLs to filter a large amount of TCP and UDP traffic based on source and destination ports. You can do this same filtering in IPv6 as well, although it is more difficult for your filtering device to find the transport protocol in IPv6 traffic. With IPv4, it is trivial to find the transport protocol. With IPv6, locating the transport protocol is more difficult because you must traverse the extension header chain looking for the transport header, which typically comes at the very end of the chain. With fragmentation, it is possible for the first fragment not to contain the transport protocol at all. This led to new filtering keywords, such as undetermined-transport, which indicates that either the transport protocol cannot be recognised in the packet or the packet contains an unknown extension header. It also changes how the fragment keyword is interpreted, depending on the location of the transport protocol header.
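
The chain walk described above, as an added example (not code from the essay or from any vendor): a Python classifier that follows the Next Header fields and reports `undetermined-transport` for non-first fragments, unknown headers and chains that run past the end of the packet. The function names, the `max_headers` limit and the sample packets are assumptions constructed for illustration.

```python
import struct

# Extension headers sized as (Hdr Ext Len + 1) * 8 bytes.
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT, AH = 44, 51
TRANSPORTS = {6: "tcp", 17: "udp", 33: "dccp", 58: "icmpv6", 132: "sctp"}
UNDETERMINED = "undetermined-transport"

def ipv6(next_header, payload):
    """Constructed sample input: 40-byte IPv6 header (zeroed addresses) + payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return head + bytes(32) + payload

def classify(packet, max_headers=8):
    """Walk the extension header chain; return (transport, headers_seen)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt not in TRANSPORTS:
        known = nxt in GENERIC_EXT or nxt in (FRAGMENT, AH)
        # Unknown or opaque header (e.g. ESP), over-long chain, or truncation.
        if not known or len(chain) >= max_headers or off + 8 > len(packet):
            return UNDETERMINED, chain
        following, len_field = packet[off], packet[off + 1]
        if nxt == FRAGMENT:
            chain.append("fragment")
            frag_offset = struct.unpack_from("!H", packet, off + 2)[0] >> 3
            if frag_offset:  # non-first fragment carries no transport header
                return UNDETERMINED, chain
            size = 8
        elif nxt == AH:
            chain.append("ah")
            size = (len_field + 2) * 4
        else:
            chain.append(GENERIC_EXT[nxt])
            size = (len_field + 1) * 8
        nxt, off = following, off + size
    # Need at least 4 bytes of transport header (ports or ICMPv6 type/code).
    if off + 4 > len(packet):
        return UNDETERMINED, chain
    return TRANSPORTS[nxt], chain

if __name__ == "__main__":
    hbh, dst = bytes([60, 0]) + bytes(6), bytes([17, 0]) + bytes(6)
    later = bytes([6, 0]) + struct.pack("!HI", 185 << 3, 1)   # offset 185
    first = bytes([60, 0]) + struct.pack("!HI", 1, 1)          # offset 0, M=1
    print(classify(ipv6(6, bytes(20))))
    print(classify(ipv6(0, hbh + dst + bytes(8))))
    print(classify(ipv6(44, later + bytes(16))))
    print(classify(ipv6(44, first + bytes([6, 1]) + bytes(14))))
```

A filter built on this would apply its port rules only when a transport name is returned and handle the `undetermined-transport` result with an explicit rule of its own.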

Conclusion

Despite all criticism, IP-Sec is the best network security solution currently available. It allows two networks to connect securely over the Internet, or simply enables secure data transmission for network services operating in clear text. It should be noted, however, that IP-Sec does not automatically secure everything; it is only as secure as the computer, operating system or application it is working on. IP-Sec does attempt to standardize security mechanisms in the Internet and is a great step toward a more secure Internet. When considering the TCP/IP protocol stack, the Internet layer is the only difference between IPv4 and IPv6. The Internet Protocol operates on top of many different network access options. IP can operate over Ethernet, PPP links, SONET, and even carrier pigeon. IP also supports many different transport protocols (for example, User Datagram Protocol, Transmission Control Protocol, Stream Control Transmission Protocol, and Datagram Congestion Control Protocol) and the vast number of applications on top of those. Therefore, when the transition to IPv6 occurs, the layers above and below IPv6 will remain the same. If your web application is vulnerable in an IPv4 environment, it will also be vulnerable to attacks when IPv6 is used.

Finally, based on the above and considering the related papers, IPv6 offers a very good level of security because its security is frequently upgraded. All the papers agree about the level of security and the future of IPv6.


