Whether or not a wholesale return to the protocol drawing boards on the part of the IETF would be necessary is not something we’re qualified to assess. But the time to do whatever must be done to make the new Internet addressing system more secure is sooner rather than later.
As Internet pioneer Vint Cerf, now chief Internet evangelist at Google and honorary chairman of the IPv6 Forum put it at a forum this past spring, security is a big concern whether the addressing system is IPv4 or IPv6. “There are many things to worry about beyond getting IPv6 up and running,” he said.
At the same meeting, Latif Ladid, president of the IPv6 Forum, was blunter still. In Ladid’s words, when compared to IPv4, “IPv6 is a viral app.”
Security issues have been bubbling under the surface as v6 advocates beat the drums for speedier adoption as the supply of v4 addresses runs out. But they’re becoming more evident as usage in real-world operations, largely at the government and enterprise levels, becomes more prevalent.
For example, a consultant helping the Defense Department’s Defense Threat Reduction Agency and the Air Force with IPv6 implementations reports that expectations that IPv6 will be at least as secure as IPv4 are ill-founded. There are “gaping holes” in security that people need to be concerned about, he says. What may be negligible issues at very low penetration could become major problems once v6 penetration goes above 10 percent.
One sense of false security about v6 stems from the fact that the IETF included IPsec protection in the v6 protocol stack, which at the time created the impression that v6 would be better protected intrinsically than was the case with v4. But since then, IPsec has become widely adopted in v4, which means that element of improvement is more or less neutralized in the context of how things work today.
Moreover, the other new security components in v6, including Secure Neighbor Discovery (SEND), Privacy Addresses and Unique Local Addresses, are of marginal value and don’t address the vulnerabilities that are being exposed by the most worrisome activities on the Internet today. As noted by Danny McPherson, chief security officer for VeriSign, in a blog post last year, some of these vulnerabilities can be addressed by alert administrators, who should not assume a device is secure just because it’s labeled “IPv6 ready.”
“As an industry,” McPherson wrote, “we’ve already observed IPv6 being used to compromise systems ‘under-the-radar’ of IPv4-only sensors, and several folks have reported IPv6 being expressly enabled by miscreants in order to exfiltrate data, facilitate malware propagation and enable botnet C&C (command and control) infrastructure and distributed denial of service attacks.”
Producers of firewalls and other security-related products have shown a great reluctance to spend money on necessary protections. While IT personnel can add new layers of security explicitly designed to counter such flaws, the real solution lies in creating public pressure on vendors to take such steps themselves rather than simply offering equipment that exploits misplaced confidence in the security aspects of v6. Some vendors have taken such steps, but doing so adds cost, and therefore puts them at a competitive disadvantage to suppliers who are whistling past the threats.
Another crucial vulnerability has to do with use of IPv4 tunneling to encapsulate v6 datagrams for delivery of v6-addressed messages over v4 infrastructure. “Rogue” tunnels, such as tunnels that are implemented as a matter of convenience for enabling v6 over VPNs, are creating shadow networks that are open to all kinds of abuse.
For example, a hacker with access to a LAN running v6 can exploit the fact that v6 workstations are always listening for v6 router advertisements. The hacker can set up a tunnel on a workstation or a simple v6 router, solicit all the enterprise data from other workstations and send the information out over the tunnel completely undetected.
More fundamental to the security issue with v6 is the way v6 headers carry application-specific instructions, and the packet fragmentation that goes with it, which is totally different from the way such instructions are carried in v4 headers. Rather than using variable-size headers to incorporate commands for special applications beyond basic routing, as is the case with v4, v6 uses a 40-byte fixed header in conjunction with extension headers that can be chained together to support multiple applications.
Here the issue has to do with the fact that when packet fragmentation is used to shorten those long extension-header chains, which is common, security devices are designed to look for maliciously inserted extension headers in the first fragment, but not in the extension headers associated with succeeding fragments. Thus it becomes relatively easy for hackers to insert tunneling instructions that are followed by the routers on the path of the compromised fragments.
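The two weaknesses just described, workstations that accept any router advertisement (the rogue-tunnel scenario above) and inspection that stops at the first fragment of an extension-header chain, can both be checked for on the wire. The following is an added example written for this page, not code from the article or from any vendor it mentions: it walks the IPv6 extension-header chain of a single datagram and reports a Router Advertisement from a source outside an allow-list, a first fragment that does not carry the complete header chain (the condition RFC 7112 forbids), and a Routing header placed after the Fragment header or using the deprecated Type 0. The allow-list, the sample datagrams and the zeroed ICMPv6 checksums are all constructed for the example.

```python
import struct
from ipaddress import IPv6Address
from typing import Dict, List

# IANA Next Header values for the extension headers the walker understands.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ICMPV6, TCP = 58, 6
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ICMPV6_ROUTER_ADVERT = 134

# Constructed allow-list: link-local addresses of the routers that are allowed to advertise.
KNOWN_ROUTERS = {IPv6Address("fe80::1")}


def walk_header_chain(pkt: bytes) -> Dict:
    """Walk the extension headers of one IPv6 datagram.
    Returns the chain as (next_header_value, byte_offset) pairs, the upper-layer
    protocol and where it starts; upper_off == len(pkt) means no upper-layer bytes
    are present in this datagram."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 datagram")
    info = {"chain": [], "fragmented": False, "first": True, "more": False}
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):            # header chain runs past the end of the datagram
            break
        info["chain"].append((nh, off))
        if nh == FRAGMENT:
            info["fragmented"] = True
            frag_field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            info["more"] = bool(frag_field & 1)
            if frag_field >> 3:           # later fragment: what follows is opaque payload
                info["first"] = False
                info["upper"], info["upper_off"] = pkt[off], len(pkt)
                return info
            hdr_len = 8
        else:                             # Hdr Ext Len counts 8-byte units beyond the first
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdr_len
    info["upper"], info["upper_off"] = nh, min(off, len(pkt))
    return info


def inspect(pkt: bytes) -> List[str]:
    """Return a list of findings for one datagram; empty means nothing suspicious."""
    findings = []
    info = walk_header_chain(pkt)
    seen_fragment = False
    for nh, off in info["chain"]:
        if nh == FRAGMENT:
            seen_fragment = True
        elif nh == ROUTING:
            if pkt[off + 2] == 0:         # Routing Type field
                findings.append("deprecated Type 0 Routing header (RFC 5095)")
            if seen_fragment:
                findings.append("Routing header carried after the Fragment header, in the fragmentable part")
    # A first fragment with more to follow must already contain the whole chain,
    # upper-layer header included; otherwise first-fragment-only inspection is blind.
    if info["fragmented"] and info["first"] and info["more"] and info["upper_off"] >= len(pkt):
        findings.append("first fragment does not carry the complete header chain (RFC 7112)")
    if info["upper"] == ICMPV6 and info["upper_off"] < len(pkt):
        if pkt[info["upper_off"]] == ICMPV6_ROUTER_ADVERT:
            src = IPv6Address(pkt[8:24])
            if src not in KNOWN_ROUTERS:
                findings.append(f"Router Advertisement from unexpected source {src}")
    return findings


# --- constructed sample datagrams -------------------------------------------
def ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload

def fragment_header(next_header: int, offset: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0x1234)

def routing_header(next_header: int, rtype: int) -> bytes:
    return struct.pack("!BBBB", next_header, 0, rtype, 0) + b"\x00" * 4

def dest_opts(next_header: int) -> bytes:
    return struct.pack("!BB", next_header, 0) + b"\x01\x04" + b"\x00" * 4   # one PadN option

# Router Advertisement body with a zero checksum (constructed; not a real capture).
RA = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)

SAMPLE_GOOD_RA = ipv6("fe80::1", "ff02::1", ICMPV6, RA)
SAMPLE_ROGUE_RA = ipv6("fe80::bad", "ff02::1", ICMPV6, RA)
SAMPLE_SPLIT_CHAIN = ipv6("2001:db8::1", "2001:db8::2", FRAGMENT,
                          fragment_header(DEST_OPTS, 0, True) + dest_opts(TCP))
SAMPLE_RH0_IN_FRAG = ipv6("2001:db8::1", "2001:db8::2", FRAGMENT,
                          fragment_header(ROUTING, 0, True) + routing_header(TCP, 0) + b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in [("good RA", SAMPLE_GOOD_RA), ("rogue RA", SAMPLE_ROGUE_RA),
                      ("split chain", SAMPLE_SPLIT_CHAIN), ("RH0 in fragment", SAMPLE_RH0_IN_FRAG)]:
        print(name, "->", inspect(pkt) or "clean")
```

The walker deliberately stops at a later fragment, because the bytes after its Fragment header belong to the middle of the original payload and parsing them as headers is exactly the mistake this example guards against; a sensor that wants to judge those fragments has to reassemble first. Checking the RA source against an allow-list is the same idea that RA Guard implements on switches, applied here in software.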
The aforementioned defense security contractor notes that when his company first began working with clients transitioning to v6, “within 24 hours we saw Chinese packets coming to our border routers trying to route our v6 packets through Taiwan.” Without additional security mechanisms, such rerouting strategies will go undetected. This represents a vulnerability that could emerge on a massive scale as v6 penetrates the marketplace.
Like it or not, these vulnerabilities must be addressed, because IPv6 implementation is inevitable. The lethargy in play today will only make it harder to deal with security threats as IPv6 becomes ubiquitous.