Hackers are ready for IPv6'are you?
- By William Jackson
- Jan 05, 2006
One of the arguments for moving to version 6 of the Internet Protocols is that it will offer more security.
This may well be true in the long run. But for the time being, IPv6 is likely to introduce more complexity and create more problems than it solves.
'The hackers currently have the lead' in IPv6 technology, said Dave Goodrum, systems engineer for NFR Security Inc. of Rockville, Md.
Since 2003, there have been hundreds of attacks using IPv6 tunneling as an evasive technique for sending malicious packets through firewalls and other monitoring tools. As more equipment is IPv6-enabled and tunneling is used to accommodate both versions 4 and 6 of the protocols on the same network, these and other attacks are likely to become more common.
The additional security of IPv6 will come from IPsec, a set of security protocols for the IP layer that are mandatory for IPv6. But experts say IPsec is no panacea. It's already widely used in IPv4 for encrypting virtual private networks, but is not fully mature for IPv6, said Sheila Frankel, a computer scientist at the National Institute of Standards and Technology.
'It is not trivial to deploy, use and maintain IPsec,' Frankel said. 'There are going to be complications that will have to be dealt with as operational experience is gained.'
While you are coming to grips with IPsec, you will still have to maintain your existing firewalls, intrusion detection and prevention systems and other monitoring equipment. These will all have to be IPv6-capable and enabled to deal with IPv6 packets, and they will have to look inside packets when one IP version is encapsulated inside the other for transport across disparate networks.
Firewall policies will have to be modified to accommodate both IPv4 and 6. Current rules blocking unusual header lengths or configurations will not work with IPv6 because of optional data available in those headers that will be required for some applications. Long fields that are blocked now might have to be allowed under IPv6.Header problems
The sheer size of IPv6 headers could pose a problem, because a lot of security hardware cannot handle large fields.
'Traditionally, hardware can only parse 64 bits of a header' before deciding whether to pass a packet on, said Mike Frantzen, NFR senior software engineer.
'This is a huge denial-of-service issue,' said Goodrum.
IPv6 also can confuse some common techniques for identifying suspicious behavior. IPv6-enabled hosts can have multiple local and public IP addresses, forcing older network cards into a promiscuous mode in which they accept all packets. Because this behavior now is a common symptom of a device that has been infected by a malicious Trojan program, many older cards on IPv6 networks will appear suspicious to security scanners.
A primary driver for developing IPv6 was the expanded space provided by the 128-bit addresses. This large address means that the smallest IPv6 subnet will be some 4 billion times larger than the entire IPv4 address space. Since it would take years with current technology to scan an entire IPv6 subnet, assigning IPv6 addresses randomly rather than in sequence can make it impractical for worms or hackers to do an automated scan for target devices. Unfortunately, this also means that it will be easier to hide malicious traffic and that scanning by legitimate discovery and network management tools also will be impractical.
New tools will have to be developed both for attackers and network administrators.
William Jackson is freelance writer and the author of the CyberEye blog.