Amid IPv6 Foot Dragging Security is Growing Issue

John Curran, president & CEO, ARIN

John Curran, president & CEO, ARIN

By Fred Dawson
June 7, 2013 – After years of meetings and campaigns, Internet officialdom’s efforts to drive faster adoption of the new IPv6 addressing system remain encumbered by market resistance to the hassles of transitioning from IPv4 amid pervasive doubts about the urgency of IPv4 address exhaustion.

But a more worrisome sticking point for wide-scale embrace of IPv6 could turn out to be security. Here the issue is a matter of fundamental flaws in the design of IPv6 and the reluctance of manufacturers to implement compensatory measures. In an Internet environment plagued by security issues, IPv6 is no better and, in some cases, worse than the existing IPv4 address system, experts say.

“We’re quite concerned about security on the network,” says Internet pioneer Vint Cerf, who is chief Internet evangelist at Google and honorary chairman of the IPv6 Forum. “Whether you’re using IPv4 or IPv6, they’re not good against denial-of-service attacks. There are many things to worry about beyond getting IPv6 up and running.”

Latif Ladid, president of the IPv6 Forum, is blunter still. In terms of the security issue, when compared to IPv4 “IPv6 is a viral app,” Ladid says.

“The IETF (Internet Engineering Task Force) built a beautiful addressing system with IPv6, but now we’re seeing security issues emerge in real-world operations,” agrees Jeremy Duncan, director of IPv6 products and services at Salient Federal Solutions, which is working with entities around the world, including the Defense Department’s Defense Threat Reduction Agency and the Air Force, to address these issues. “Enterprises are deploying v6 assuming it’s just like v4 from a security standpoint, but there are open gaping holes they need to be concerned about.”

While security issues are showing up, they’re not causing major waves at current v6 penetration levels, Duncan notes. “But if these things don’t get addressed, once you get to 10 percent [penetration], you’re going to have a big problem.”

For now, the primary cause behind the lethargic response to warnings about IPv4 address exhaustion is there’s no great sense of urgency that would overcome the reluctance of website owners, service providers and enterprises to undertake the hard work of enabling IPv6 in their domains. Surprisingly, after a surge in requests from service providers for IPv6 addresses in 2011, the request rate tailed off significantly in 2012, according to statistics released by the American Registry for Internet Numbers (ARIN), which oversees disbursement of address numbers in North America.

“2012 wasn’t a fortunate year for IPv6 expansion,” says Ciprian Popoviciu, president and CEO of Nephos6, which tracks v6 performance worldwide. While trends in 2013 suggest “we’re recovering a little bit,” just 2.31 percent of users in the U.S. can connect to the Internet using v6 addresses, Popoviciu notes. IT jobs calling for expertise in v6 “are orders of magnitude smaller than the most popular IT jobs.”

“We meet resistance everywhere,” Ladid acknowledges. “It’s going to take another ten years to make this happen.”

By “this” he means the transition to ubiquitous use of IPv6 on websites and networks everywhere. But, like Popoviciu, Ladid sees cause for hope. “v6 traffic is tripling every six months,” Ladid says.

Of course, a tripling of trickles takes a while to get to flood tide. So far, only 9.4 percent of websites based in the U.S. are equipped to respond to users operating from devices that are running on v6 addresses. Naming other examples, Ladid says five percent of Chinese sites are running v6 while 10.3 percent are on v6 in Germany. Worldwide, 22.4 percent of the top 500 sites have deployed v6.

Websites are just a piece of the massive transformation that must be undertaken to accommodate the fact that, eventually, no more IPv4 addresses will be available to assign to new devices coming onto the Internet. But websites are critical to driving the transition to v6, since, as ARIN president and CEO John Curran notes, it won’t do much good if service providers undertake conversion of their networks to support v6 and there are few sites that will respond to v6 requests.

“Ninety percent of Internet traffic is driven by the websites,” Curran says. “When the websites transition over to IPv6, ISPs can start connecting new customers using IPv6 addresses. Things are going to get very exciting very fast.”

But getting websites to move is part of the problem. Curran admonishes any company that’s concerned about the situation to “bludgeon” their suppliers to make the transition. If a supplier finds it has lost business from a customer because it isn’t using v6, its managers will realize there’s a real cost to not making the transition, Curran says.

Clearly, it will take pressure of some kind to get people to invest the time and resources it takes to enable IPv6, whether on websites, over networks or in offices. “There’s a great deal of work to do to get v6 up and running in a fashion comparable to v4,” says Vint Cerf. Google has been on IPv6 since June 2012, but it too a “very long time” to get there, he adds.

“The biggest barrier has been to get service providers to turn on v6,” Cerf says, underscoring the chicken-and-egg issue that causes website owners to be less than enthusiastic about making the conversion. He and others stress that merely projecting address demand based on historical trends is to miss what’s starting to happen. “The Internet of things is now upon us,” Cerf observes. “We’re going to have to be able to deal with an avalanche of information from embedded devices.”

This, of course, is what IPv6 is meant to facilitate. Two years ago the Internet Assigned Numbers Authority (IANA), the global numbering authority, allocated the last of the regional blocks of 16 million IPv4 addresses available for public use. No one can imagine that there will come a time when this will happen with IPv6, given that the 128-bit numbering system the IETF used in developing the new platform can support about 340 trillion, trillion, trillion addresses

The price paid in getting to such numbers was that v6 could not be made to work with v4, requiring that a whole new end-to-end v6 infrastructure be implemented to run in tandem with the legacy numbering system. This means every device that interacts with the Internet – network routers, servers, CPE, etc. – must be coded for v6.

Something as trivial seeming as expanding the field space for inserting v6 numbers is a big deal. While v6 addressing employs the base-16 hexadecimal notation system rather than the traditional 10-base system, which cuts the character count from 128 to anywhere from 40 to 57, depending on the number of buffer characters used, this is still more than three times the space v4 address fields were designed for.

For network operators, who have a variety of transition modes to choose from, all with significant drawbacks, every network component must be geared to work in sync with the selected transition mode. While, as Cerf mentioned, service providers in general have been slow to move, cable operators have been the exception in many instances.

Most have implemented dual-stack operations, which is to say the ability to transmit IPv6 as well as v4 traffic, on their backbones, and some have begun running v6 end to end with initial allocations of v6 addresses to end users now underway. Time Warner Cable, for example, is v6-enabled in several markets, most of them in Texas, says Lee Howard, director of network technology at TWC.

“We now have 98,000 users, mostly residential, on v6,” Howard says. “Anyone on our fiber networks can get v6.”

Cable operators are working cooperatively through the auspices of CableLabs and the Society of Cable Telecommunications Engineers (SCTE) to learn from each other, develop common practices and drive v6 capabilities into the supplier ecosystem. These include support for v6 in DOCSIS 3.0 and PacketCable 2.0 specifications as well as spec enhancements for DOCSIS 2.0.

CableLabs has also defined “eRouter” specification for a lightweight dual-stack cable modem router that allows a stateful DHCPv6 (IPv6 Dynamic Host Control Protocol) -provisioned device to pass both stateful and Stateless Auto Address Configuration (SLAAC) provisioning commands through to devices in accord with whichever provisioning system is required by a given device. (SLAAC, used in telco provisioning of IP addresses, depends on the host assigning itself an address that is automatically configured by router discovery, in contrast to the cable address-assigning process used with DHCP in v4 and v6).

But even for network operators moving ahead aggressively with IPv6 deployments there are risks ahead, which are hard to quantify at this point. One of those has to do with the consequences of using what’s known as Carrier Grade Network Address Translation (CGN), which operators generally regard as a necessary evil unless they can manage to transfer the entire network to IPv6 before the v4 addresses run out.

CGN serves as a way to slow v4 exhaustion by allowing new subscribers who are given an IPv6 address for their primary gateway router to use devices that are not v6-enabled. To avoid having to assign public IPv4 addresses individually to such devices, operators will have to use CGN as an alternative to today’s NAT, a universally employed means of providing private addresses to connected devices that run behind a publicly addressed v4 modem.

Because IPv6-addressed devices cannot support NAT, NAT has to be moved into the network, which allows a public address to be used to support multiple private addresses running across a large number of IPv4 devices on the premises of multiple IPv6-addressed subscribers.

This introduces many complications tied to the need to achieve seamless operations across so many privately addressed connection points on the open network. While CableLabs has identified a version of CGN known as NAT444 as the best option for cable operators, tests have identified several points of potential disruption to network operations and consumer experience, starting with all the applications such as e-mail systems, monitoring platforms, some provisioning systems, law enforcement tracking and much else that depend on the fact that a public v4 address has traditionally been used to uniquely identify a single subscriber.

While steps can be taken in the network to make sure private addresses are linked to the public addresses in these applications, the mitigation can introduce delays and even breakdowns in certain applications. For example, adaptive streaming and fast-action gaming are especially subject to delays in the CGN environment, CableLabs found.

As for the security issues that loom as potential gotchas in a more v6-saturated Internet environment, here, too, some of the issues have to do with the vulnerabilities that are intrinsic to running v4 and v6 in parallel. But, notwithstanding the fact that IPv6 was actually designed with some new security enhancements that were meant to create a more secure Internet environment, some of the security vulnerabilities are intrinsic to the way the system was designed.

Moreover, the new security mechanisms are not viewed as particular significant at this point. One of them was the mandatory inclusion of IPSEC protection in the v6 protocol stack, which has long been an option for v4. As Curran notes, the wide adoption of IPSEC in v4 in recent years has largely neutralized that benefit for v6 in comparisons to the state of security on v4. “IPSEC has saturated on v4, so it’s not a big selling point for v6 anymore,” he says.

While the other new security components, including Secure Neighbor Discover (SeND), Privacy Addresses and Unique Local Address, are of marginal value, they don’t address the vulnerabilities that are being exposed by the most worrisome activity on the Internet today. In fact, notes Salient’s Jeremy Dunlap, there’s good reason to believe SeND will never be implemented.

Practically speaking, Curran says, “v6 is no more secure than v4.”

In a blog posted last year, Danny McPherson, chief security officer for VeriSign, notes some of the transitional vulnerabilities, such as the ability of hackers using v4 to secretly tunnel into v6 devices, can be countered by alert administrators. “If network operators [including operators of enterprise private networks] don’t properly manage IPv6 – and recognize that it’s enabled “out of the box” in most devices today – this will have a substantial impact on their security posture,” McPherson says.

In other words, just because a device is labeled “IPv6 ready,” don’t assume it has been equipped to deal with the kinds of attacks in play today. “As an industry, we’ve already observed IPv6 being used to compromise systems ‘under-the-radar’ of IPv4-only sensors, and several folks have reported IPv6 being expressly enabled by miscreants in order to exfiltrate data, facilitate malware propagation and enable botnet C&C (command and control) infrastructure and

Indeed, says Duncan, producers of firewalls and other security-related products have shown a great reluctance to spend money on necessary protections, given the state of demand for such devices in today’s market. “Everybody knows about the risks,” Duncan says “We’ve been yelling about this for years. The problem is security vendors are not implementing the necessary features. It’s a small market.”

Salient’s business is built on overcoming these deficiencies. The company supplies a software system, Assure6, running on standard servers that acts like a deep-packet inspection process operating at line rate to monitor and protect points of vulnerability.

Some of these vulnerabilities stem from the unintended consequences of IPv4 tunneling. “You don’t want rogue tunnels,” Duncan says. “Random accidental ones happen a lot.”

Microsoft Windows 7 servers, for example, come equipped with tunneling mechanisms that are meant to minimize the hassles of setting up a VPN (virtual private network). The tunneling mechanism known as Teredo, which encapsulates IPv6 datagram packets within IPv4 UDP (User Datagram Protocol) packets, is widely used as a way to connect IPv6 hosts and clients over an IPv4 network.

This “shadow” network is open to all kinds of misuse. For example, a hacker with access to a LAN running on IPv6 can exploit the fact the v6 work stations are always listening for v6 router advertisements. The hacker can set up a tunnel on the work station or a simple v6 router, solicit all the enterprise data from other work stations and send the information out over the tunnel completely undetected. “You basically have an easy way of tunneling through and causing exfiltration,” Duncan says.

Fragmentation of IPv6 packets is another source of vulnerability. Rather than using variable size headers to incorporate commands for special applications beyond basic routing, as is the case with IPv4, IPv6 uses a 40-byte fixed header in conjunction with extension headers that can be chained together to support multiple applications. Here the issue has to do with the fact that when packet fragmentation is used to shorten long packets, which is common, the security system is designed to look for maliciously inserted extension headers in the first fragment, but not in the header extensions associated with succeeding fragments.

Thus it becomes relatively easy for hackers to insert tunneling instructions that are followed by the routers on the path of the compromised fragments. Duncan notes that when Salient first began working with clients transitioning to v6, “within 24 hours we saw Chinese packets coming to our border routers trying to route our v6 packets through Taiwan.” Without a mechanism like Assure6, such rerouting strategies will go undetected.

Like it or not, these vulnerabilities must be addressed, because IPv6 implementation is inevitable. The lethargy in play today only will make it harder to deal with security threats as IPv6 becomes ubiquitous.

“My hope,” says Vint Cerf, “is that v6 will become the order of the day and v4 becomes just a bit of ancient history.” Whether he has reason to hope that massive hack attacks will suffer the same fate remains to be seen.