Transition From IPv4 To IPv6


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

IPv6 is central to safeguarding the expansion of the internet, but the global deployment of the protocol raises its own security challenges. The global adoption of IPv6 is one of the key challenges facing the internet today. Most security incidents are caused by human error, either as the result of a programming error or through misconfiguration. In this sense, IPv6 is no different from IPv4. The real concern is the lack of experience and training among the IT professionals dealing with IPv6, which makes these mistakes more likely.

Introduction

One of the main purposes of developing Internet Protocol version 6 (IPv6) was to solve the IP address depletion problem caused by the burgeoning growth in the number of Internet users. The new Internet protocol provides end-to-end communication, enhanced security and extensibility, along with other features such as address auto-configuration (plug-and-play) and faster packet processing in routers. However, as a new technology, the protocol is also reported to introduce some security vulnerabilities, both in the header format and in the other protocols associated with it. This paper reviews IPv6 security vulnerabilities that have a large potential for exploitation in denial of service attacks. The IPv6 security vulnerabilities are classified under three categories: the IPv6 main header fields, the IPv6 extension headers and the Neighbour Discovery Protocol (NDP). This paper also summarizes the current mitigation methods proposed by researchers and practitioners to protect against these IPv6 security vulnerabilities.

Transition from IPv4 to IPv6

The massive Internet transition from IPv4 to IPv6 is not without some risks to security. The biggest challenge CISOs will face is the ‘blank slate’ effect of a brand new Internet protocol. We know very little about IPv6 compared to what we know about IPv4, and a migration of this scale, going from something we’re confident in to something that’s very new to us in many ways, creates the perfect storm for implementation mistakes and misconfigurations. This is a big deal, since implementation mistakes and misconfiguration are likely the top two reasons security goes wrong in the real world.

First off, to support the transition from IPv4 to IPv6, many systems support both IPv4 and IPv6 traffic simultaneously, in what is known as a dual stack configuration. The important thing to understand about this configuration is that IPv6 and IPv4 utilize different stacks. This means that if you have Access Control Lists (ACLs) configured for IPv4 traffic, they will not stop IPv6 traffic (since a different stack is processing the IPv6 traffic). This can be a big problem on devices, such as PCs, which have IPv6 enabled by default (since users may not even think about deploying IPv6 ACLs because they are not using IPv6). Since IPv6 supports automated neighbor discovery and address creation, interfaces can automatically generate both local and global IPv6 addresses without any user interaction. Furthermore, even if the local network does not support IPv6 traffic, an attacker can get IPv6 traffic to your host through other mechanisms. For instance, it is possible to send IPv6 traffic to a system over an IPv4 SSH connection that supports port forwarding. Therefore, it is vital to deploy appropriate IPv6 firewall rules on your internal systems.
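The gap described above can be checked by comparing a host's two rule sets side by side. The following is an added example, not part of the original essay: it assumes a Linux host filtered with iptables and ip6tables, and the two dumps (in `iptables-save` / `ip6tables-save` format) are constructed samples.

```python
import re

# Constructed dumps in iptables-save / ip6tables-save format (not from the essay).
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def summarize(dump):
    """Return (default policy per chain, TCP ports explicitly accepted on INPUT)."""
    policies, ports = {}, set()
    for line in dump.splitlines():
        m = re.match(r":(\S+) (\S+)", line)
        if m:
            policies[m.group(1)] = m.group(2)
        m = re.match(r"-A INPUT .*-p tcp .*--dport (\d+) .*-j ACCEPT", line)
        if m:
            ports.add(int(m.group(1)))
    return policies, ports

def dual_stack_gaps(v4_dump, v6_dump):
    """List places where the IPv6 rule set is looser than the IPv4 one."""
    (v4_pol, v4_ports), (v6_pol, v6_ports) = summarize(v4_dump), summarize(v6_dump)
    gaps = []
    for chain in ("INPUT", "FORWARD"):
        v6 = v6_pol.get(chain, "ACCEPT")  # no IPv6 rules loaded means default ACCEPT
        if v4_pol.get(chain) == "DROP" and v6 != "DROP":
            gaps.append(f"{chain}: IPv4 default DROP but IPv6 default {v6}")
    for port in sorted(v6_ports - v4_ports):
        gaps.append(f"tcp/{port}: accepted over IPv6 only")
    return gaps

if __name__ == "__main__":
    for gap in dual_stack_gaps(V4_RULES, V6_RULES):
        print(gap)
```

On a real host the two strings would come from the output of `iptables-save` and `ip6tables-save`; an empty IPv6 dump is reported as a gap because nothing is being filtered on that stack.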

IPv6 Issues regarding Spam

The IPv6 network supports 2^(128-32) times more unique IP addresses than IPv4. Generally, service providers allocate prefix ranges to each home or small business network. Each of these networks would therefore have direct control over at least 2^64 unique IP addresses within their assigned subnet. Spammers might search for insecure SMTP-enabled computers in these networks. They might then start sending spam messages using different IP addresses accessible in that subnet. The sheer size of the addressable IPv6 address space threatens to render useless many antispam technologies that are based on IPv4 addresses, such as IP blacklisting. In IPv6 networks, spammers have one extra powerful weapon at their disposal: the large address space available.
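The effect on address-based blacklisting can be seen by counting abuse reports per address and then per assigned prefix. This is an added example, not part of the original essay: the /64 aggregation width is an assumption taken from the "at least 2^64 addresses per subnet" figure above, and the source list is constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed sources of rejected mail (documentation ranges 2001:db8::/32, 192.0.2.0/24).
REJECTED = (
    [f"2001:db8:aa:1::{i:x}" for i in range(1, 6)]  # one subnet, new address per message
    + ["2001:db8:bb:7::25"]                         # unrelated single sender
    + ["192.0.2.10"] * 3                            # IPv4 sender reusing one address
)

def reputation_key(addr, v6_prefix=64):
    """Key used for counting: the address itself for IPv4, the enclosing prefix for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))

def flagged(sources, threshold, v6_prefix=64):
    """Return the keys whose rejection count reaches the threshold."""
    counts = Counter(reputation_key(s, v6_prefix) for s in sources)
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    # Per-address counting (prefix 128) never sees the rotating IPv6 sender twice.
    print("per address:", flagged(REJECTED, threshold=3, v6_prefix=128))
    # Counting per /64 attributes all five messages to one network.
    print("per /64:    ", flagged(REJECTED, threshold=3, v6_prefix=64))
```

A prefix-level entry affects every host in that subnet, so the aggregation width has to match what the provider actually assigns to one customer.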

Firewall issues

From a security standpoint, the transition period in which both protocols coexist is especially problematic. Because of that, security issues due to the different transition mechanisms are analysed. Further, the paper studies firewalls in IPv6 networks. Implementation of firewalls in IPv6 networks and IPv6-specific firewall configurations are analysed. Different tests of firewalls are performed, and their results are analysed. A comparison with IPv4 firewalls is also made. Some suggestions regarding the proper deployment of firewalls are given. This paper also deals with the detection of unauthorised intrusion. Different approaches to intrusion detection are explained and different types of intrusion detection systems are described. Suggestions for the proper positioning of intrusion detection systems in the local area network are given. In the absence of non-commercial intrusion detection systems with IPv6 support, some alternative possibilities for intrusion detection are explained.

Extension headers

IP options in IPv4 are replaced with extension headers in IPv6. With this replacement, extension headers may be used in an attempt to circumvent security policy. For example, all IPv6 endpoints are required to accept IPv6 packets with a routing header. It is possible that in addition to accepting IPv6 packets with routing headers, end hosts also process routing headers and forward the packet. With this possibility, routing headers can be used to circumvent security policy implemented on filtering devices such as firewalls.
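A filtering device can only enforce policy on extension headers if it walks the whole Next Header chain. The parser below is an added example, not part of the original essay: the rule "flag any routing header that still has segments left" is an illustrative policy chosen here, and the test packet is constructed from documentation addresses.

```python
import ipaddress
import struct

# IANA protocol numbers of the extension headers this walker understands.
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "ah", 60: "destination-options"}

def walk_chain(packet):
    """Return (extension header records, upper-layer protocol number)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == 44:
            size = 8                          # fragment header has a fixed size
        elif nxt == 51:
            size = (packet[off + 1] + 2) * 4  # AH length is in 4-octet units, minus 2
        else:
            size = (packet[off + 1] + 1) * 8  # 8-octet units, first 8 not counted
        if off + size > len(packet):
            raise ValueError("extension header runs past end of packet")
        rec = {"type": EXT[nxt], "offset": off, "length": size}
        if nxt == 43:
            rec["routing_type"], rec["segments_left"] = packet[off + 2], packet[off + 3]
        chain.append(rec)
        nxt, off = packet[off], off + size
    return chain, nxt

def asks_to_be_forwarded(packet):
    """Illustrative policy: a routing header with segments left names further hops."""
    chain, _ = walk_chain(packet)
    return any(h["type"] == "routing" and h["segments_left"] > 0 for h in chain)

def sample_packet(with_routing):
    """Constructed test packet: IPv6 header, optional routing header, stand-in payload."""
    addr = lambda a: ipaddress.IPv6Address(a).packed
    ext, first = b"", 6
    if with_routing:
        # next header TCP (6), length 2 (24 bytes), type 0, 1 segment left, one address
        ext, first = bytes([6, 2, 0, 1]) + b"\x00" * 4 + addr("2001:db8::3"), 43
    payload = b"\x00" * 20
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), first, 64)
    return fixed + addr("2001:db8::1") + addr("2001:db8::2") + ext + payload
```

The walker stops at the first header it does not recognise and reports it as the upper-layer protocol, so a filter built on it should treat unexpected values there as a policy decision of its own.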

Elimination of NAT

With IPv4, most home firewalls implement a default configuration, which performs dynamic NAT to allow multiple internal systems to appear to be a single IP address to the external world. By default, this configuration usually only allows outbound connections from your internal network while denying any connections initiated from the Internet to your internal systems. This default configuration provides security to home networks by limiting inbound traffic, while still allowing your computers to easily access the Internet. With IPv6, however, addresses are not as limited, so NAT is no longer needed. The downside to this is that the default setup for home IPv6 firewalls is likely to be much more open, to guarantee that your internal devices can access the Internet. From a security perspective, in many situations this may be similar to plugging your computer directly into your cable modem. Therefore, you must make sure that you apply ACLs to limit access into your IPv6 home network.

This has been a quick look at some of the things to consider when securing your IPv6 network (definitely nothing close to a comprehensive guide to securing your IPv6 network). Hopefully, this overview has encouraged you to start seeking out IPv6 best practice guides as they continue to evolve, so that even before you deploy IPv6 on your network you understand the risks, since many of the features of IPv6 essentially operate automatically (such as address creation and some tunnel creation). Then when you deploy IPv6 on your network, you will be able to successfully harden the network so that it is no more insecure than your current IPv4 network. Also, keep an eye out for the next post in this series where we’ll be talking about things to consider when performing security testing on IPv6 devices.


Conclusion

The migration over to IPv6 is a necessity in the long term, but IPv6 is not just about IP address space: there are other advantages, including long-term cost savings and better performance. Although transitional approaches are the short-term solution for the evolution of the IP protocol, a network implemented with a single routing policy is more agile and flexible in response to network status. As for the IPv6 migration, small countries are currently ahead of the IPv6 deployment schedule compared to 'larger' or more developed countries. Problems arise with hardware differences around the world, and it would be unfeasible to recommend a change in a short period of time. Companies and individuals should be cautious with any sustained investment in IPv4 networks, since older technologies such as NAT devices cannot bring long-term benefits. With backing and drive from the government, specific time frames should be decided for a partial or regional switchover as a temporary trial to investigate the sustainability of IPv6 where the current IPv4 network dominates. Awareness needs to be raised before the implementation. One difficulty of this approach is that there is no clear understanding of how long IPv4 will last.


