WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
The rise of IPv6 could give you some severe security headaches -- even if you have no current plans to implement the new networking protocol.
That was the stark warning issued by Eric Vyncke, a security expert from Cisco, talking at the RSA Conference Europe in London this month.
On the face of it, there is not much to worry about with IPv6. After all, it is simply a protocol with a much, much larger address space than IPv4. That certainly makes rigorous network scanning impossible in practice, and it does away with the need for network address translation, but nothing changes at the data-link layer, the transport layer or the application layer. Ethernet, TCP, HTTP -- all remain unchanged. So what's the problem?
Here are seven ways IPv6 can make your organization less secure:
Effective rate limiting is hard to achieve
Rate limiting is a straightforward tactic you probably use to protect your network from automated attack tools. This works on IPv4 networks, making automated attacks less likely to succeed or harder to launch by forcing hackers to deliberately slow their automated attack tools, or to use multiple hosts from which to launch attacks on your network.
The tactic doesn't really work on IPv6 networks. That's because IPv6 networks are so vast that it's impractical to rate limit at the 128-bit address level, Vyncke pointed out. In any case, hackers may be allotted millions or even billions of IPv6 addresses, meaning that to rate limit effectively you would need to limit addresses at the 48-bit or 64-bit level. Right now it's simply not clear what practical approach you should use to provide the same level of protection. "The industry has yet to learn how to do it," Vyncke warned.
Reputation-based protection does not (yet) exist
Many security software vendors use the reputation of IP addresses to filter out malicious websites that are known sources of malware. While reputation systems for IPv4 addresses already exist, it's a bit of a chicken-and-egg situation when it comes to IPv6. No one has established an IPv6 reputation database, so no one is using reputation-based security with IPv6 addresses -- and therefore no one is building a reputation database. It's something the security industry will surely eventually adopt, but for now it’s a missing piece in the security puzzle.
Logging systems may not work properly
The key feature of IPv6 is that it uses 128-bit addresses, which are stored as a 39-digit string. IPv4 addresses, on the other hand, are written in the form 192.168.211.255 and may therefore be stored in a 15-character field. If your logging systems expect 15-character IP addresses, they may crash when they encounter "monster" 39 -digit IPv6 addresses (creating possible buffer overflow error-related security problems) or they may only store only the first 15 characters, rendering the logged information useless. The only solution is to upgrade all your logging systems to support IPv6 addresses.
IPv6 may run by default
You may think you are running an IPv4-only data center, with IPv4-only IDS, monitoring and so on, but IPv6 could be activated and running without your knowledge. That's because in some circumstances (such as an attacker on your network sending router advertisements), devices on your network can start communicating with each other by default over IPv6 using link-local addresses. (For more information, see the IETF Rogue IPv6 Router Advertisement Problem Statement.) "Your IDS will see none of this traffic, so you should definitely upgrade it to IPv6 now, and make sure that its operators are trained to use IPv6," warned Vyncke.
SIEM systems may not work properly
Another problem with IPv6 is that every host -- inside or outside your network perimeter -- can have multiple IPv6 addresses simultaneously. This is not usual in the IPv4 world, and it can cause serious problems. "For example, how do you know by looking at your logs that different entries refer to the same host?" asked Vyncke. In order to make sense of your logs you need to be able to correlate addresses to hosts, but Vyncke warned that thus far no SIEM system fully supports IPv6 fully. It may support it at the network level, for example, but the correlation engine may not.
Simple log analysis using grep won't work
Yet another problem is that the same IPv6 address can be written in multiple ways, for example: 2001:0DB8:0BAD::0DAD
2001:db8:bad::dad (this is the canonical RFC 5952 format)
As a result, a grep search through your log files is not going to work as before. If devices log in using different IPv6 formats, you may have to reconfigure the way they log or change the way you search to catch all the information in your logs about a device.
Implications of service provider NAT
IPv6 will probably never completely replace IPv4, and service providers are increasingly likely to resort to service provider network address translation (NAT) in order to be able to produce distinct IPv4 addresses to customers when no new routable ones are available. These customers may in turn use NAT to share the IP address they receive with multiple devices on their home or corporate networks. The security impact of this on IPv4 networks may not be obvious yet, but it is significant nonetheless.
One of the effects is the diminished usefulness of rate limiting IPv4 addresses. When thousands (or more) of people effectively share the same IPv4 address (through service provider NAT and the home or office NAT), your security systems could be fooled into thinking that traffic is coming in from a single source when it is in fact coming from many different sources. It may then block the legitimate traffic.
Similarly, attempting to block a denial of service attack or a source of spam by blocking a single IP address could potentially block thousands of other users who are in no way responsible, and who may in fact be potential users or customers.
There is no obvious way to get around this problem. Thus the effectiveness of rate limiting and IP address blocking as security tools to protect against automated attack tools, denial of service attacks and spam will be limited.
The good news
The good news about IPv6, Vyncke pointed out, is that the majority of vulnerabilities on the Internet are at the applications layer, and that means IPv4 IPS signatures can be reused in IPv6 IPS systems.
Other network -based escapades such as Man In The Middle attacks or networking sniffing are also unaffected by the protocol version, so they will be no more (or less) likely to succeed with IPv6 than they are with IPv4.
But he warns that any notion that IPv6 is a new, improved, security-from-the-ground-up replacement for IPv4 should be quickly dispelled. Don't forget, he concludes, that IPv6 was originally specified almost 20 years ago.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.