Jun 5, 2012

The IPv6 digital dilemma

We are now entering the time of permanent IPv6 presence. 6 June is ‘IPv6 Launch Day’, and following it we can expect a large number of companies to enable IPv6 on their services and many ISPs to make IPv6 available to their customers. So you need to ask yourself now: are you ready to accept this new and improved, unknown and available, secure and open network standard now, later or never?
My first impression of IPv6 after reading some material was ‘yes and no’, and it still is. I’ve made steps to improve my setup, I’ve tested and tested and still remain hesitant, because I cannot suggest to anyone, neither home users nor companies, that they implement IPv6 now… But if your decision is to try and test, I can make some suggestions…
Whatever is said about what comes bundled with IPv6 (IPsec, the protocol differences and so on), remember that your network is only as secure as its least secure item. So find your lowest common denominator and work out how you will apply security to it: some will find easy ways of monitoring and auditing it, while others will quickly notice that they have none at all.
Many users have hands-on experience with their loggers: Event Viewer, syslog, the console log and so on. But IPv6 brings new issues. My immediate realization and my experience:
  • Mostly not reading the logs *all the time* and missing most of what happens… for my part it’s OK, since it’s mostly firewalled, with ACLs in the appropriate locations
  • Firewalls and antivirus applications that know nothing about IPv6
  • IPv6 traffic which *I* know nothing about, such as Teredo tunnels and others (HE.NET, Freenet…)
  • Services defaulting to IPv6 servers with variable reliability and added delays, DNS issues with PTR records, hosts.allow messed up, all correct responses to unexpected queries and traffic
Several accidental issues popped up after IPv6-enabled services were introduced: the service is implemented and tested, the AAAA record is added to DNS, and the service starts to pop up *and fail*. Why?
  • Routing and response issues, and the local firewall not accepting the new traffic. The new traffic is not as simple as “TCP port X is open, and we respond”. You also have to deal with router advertisements and neighbour discovery, and these become your problem if you have rogues on your network, because you either trust your neighbours or use software and correct configuration to make sure your traffic is secure. After configuring neighbour discovery and accepting the correct packets from the router, traffic starts to flow, and then the ACLs drop it again.
  • IPv6 addresses in ACLs are commonly wrapped in []’s, with the prefix length *following* the brackets, e.g. [2001:470::]/32 (Hurricane Electric).
  • IPv6 isn’t correctly supported on all operating systems. Our users had Mac OS X Leopard, which had problems with manual configuration, and Snow Leopard, which doesn’t correctly allow neighbour advertisements with ip6fw unless you strip the PowerPC code from the binary…
  • On any network with a router advertisement daemon, every Linux and Mac OS X machine, many Windows Vista machines and all Windows 7 machines will pop up with an IPv6 address. Windows XP machines shouldn’t, unless IPv6 is specifically enabled.
  • Operating systems *don’t* block IPv6 traffic by default, and your host firewall may be *oblivious* to it. A service that is enabled and fully protected on IPv4 is visible on IPv6 and can be attacked there, even if it *is* one of the secure services. Do you watch your laptop or workstation for authentication attempts against the SSH daemon or the SMB/CIFS services? Usually we just *block* access to authentication services, but there are always servers that have to allow them, and if you don’t start dropping connections there you may be opening a system up to unlimited attack attempts against services you consider secured.
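The gap the last bullet describes, a service that is firewalled on IPv4 but wide open on IPv6, is easy to check for on a Linux host by comparing what is listening against the ip6tables INPUT chain. The script below is an added example written for this page, not code from the original post: it parses text in the shape of `ss -Hltn` and `ip6tables-save` output (the samples are constructed, and the Linux/netfilter setup, hostnames and prefixes are assumptions) and classifies every IPv6 listener as open to the Internet, restricted to a source prefix, or blocked. The second ruleset is the typical “oblivious” host where iptables was configured and ip6tables never was.

```python
"""Added example: are the IPv6 listeners on this host actually covered by
ip6tables?  Assumes a Linux/netfilter host; all sample text is constructed."""
import re

# Constructed `ss -Hltn` output.  ss prints `*:port` for a dual-stack socket
# bound to ::, `[::]:port` for an IPv6-only wildcard; `:::port` is the older
# netstat spelling.  Ports 22 and 445 listen on both address families.
SS_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22            0.0.0.0:*
LISTEN 0 128 [::]:22               [::]:*
LISTEN 0 50  0.0.0.0:445           0.0.0.0:*
LISTEN 0 50  [::]:445              [::]:*
LISTEN 0 128 127.0.0.1:3306        0.0.0.0:*
LISTEN 0 128 *:80                  *:*
LISTEN 0 128 [::1]:6379            [::]:*
LISTEN 0 128 [2001:db8:1::5]:8080  [::]:*
"""

# Constructed `ip6tables-save` output: neighbour discovery (ICMPv6) is let
# in, SSH only from one prefix, HTTP from anywhere, everything else drops.
IP6TABLES_HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -s 2001:db8:1::/64 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# The host nobody thought about: iptables is set up, ip6tables is untouched.
IP6TABLES_EMPTY = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

V6_WILDCARDS = {"*", "[::]", "::"}


def ipv6_listeners(ss_text):
    """{port: bind address} for TCP listeners reachable over IPv6 from another
    host: wildcard binds and explicit non-loopback IPv6 binds.  IPv4-only
    sockets and ::1 are left out."""
    found = {}
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        if addr in V6_WILDCARDS:
            found[int(port)] = "::"
        elif addr.startswith("[") and addr != "[::1]":
            found[int(port)] = addr.strip("[]")
    return found


def input_chain(save_text):
    """(policy, rules) of the filter table's INPUT chain."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(line)
    return policy, rules


def rule_applies(rule, port):
    """Could this rule match a new TCP connection to `port` from off-host?
    Loopback, conntrack-state and ICMPv6 rules cannot, nor can rules for
    another protocol or another port.  A TCP or protocol-less rule with no
    --dport matches every port (simplification: other matches are ignored)."""
    if " -i lo " in rule or "--ctstate" in rule or "ipv6-icmp" in rule:
        return False
    if " -p " in rule and " -p tcp " not in rule:
        return False
    m = re.search(r"--dport (\d+)", rule)
    return m is None or int(m.group(1)) == port


def classify(port, policy, rules):
    """First matching rule decides, as in netfilter; otherwise the policy.
    'restricted' means accepted only from a -s source prefix."""
    for rule in rules:
        if not rule_applies(rule, port):
            continue
        target = re.search(r"-j (\S+)", rule).group(1)
        if target == "ACCEPT":
            return "restricted" if " -s " in rule else "open"
        return "blocked"
    return "open" if policy == "ACCEPT" else "blocked"


def audit(ss_text, save_text):
    """{port: 'open' | 'restricted' | 'blocked'} for every IPv6 listener."""
    policy, rules = input_chain(save_text)
    return {p: classify(p, policy, rules) for p in sorted(ipv6_listeners(ss_text))}


def exposed_ports(ss_text, save_text):
    """Ports any host on the IPv6 Internet can connect to."""
    return [p for p, state in audit(ss_text, save_text).items() if state == "open"]


if __name__ == "__main__":
    for name, ruleset in (("hardened", IP6TABLES_HARDENED), ("untouched", IP6TABLES_EMPTY)):
        print(name, audit(SS_LISTENERS, ruleset))
```

Against the hardened ruleset only port 80 is open, SSH is restricted to the one prefix, and SMB (445) and the internal 8080 service fall through to the DROP policy. Against the untouched ruleset every one of those services, including SMB, is reachable from anywhere, which is exactly the situation where the IPv4 firewall gives a false sense of safety. The script on its own reads constructed text; on a real host feed it `ss -Hltn` and `ip6tables-save` output instead.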
If you think you’re part of a network which is *too large to scan*, because your smallest network is 64 bits wide and your machine or server is hidden somewhere in it, remember that many devices are servers and will have AAAA records, and PTR records may give away further information. A machine on the local link can discover its neighbours, so the immediate danger of ‘scanning’ is already part of your neighbourhood. This is all about discovery: as soon as you start accessing services you leave footprints, your digital fingerprint ends up all over the Internet, and port scanners, sniffers and data-mining tools start collecting IPv6 addresses and information.
Remember too that the default address configuration from router advertisements derives your address from your network card’s MAC (Ethernet) address, so when you move to a new network you already carry an identifier that can be data-mined. IPv6 does have methods of randomizing your address (the privacy extensions) for exactly this reason. That of course makes it harder to maintain AAAA and PTR records, and some services refuse connections from addresses that have no PTR record or whose AAAA and PTR records do not match (forward-confirmed reverse DNS).
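To make the tracking point concrete, here is an added example (written for this page, not code from the original post) of how a SLAAC address carries the MAC address: it builds the modified EUI-64 interface identifier the way a host does from a router advertisement, recovers the MAC from any such address, and links two addresses seen on different networks back to the same network card. All prefixes and MACs are constructed.

```python
"""Added example: the MAC address inside an EUI-64 based SLAAC address, and
how an observer uses it.  Prefixes and MAC addresses below are constructed."""
import ipaddress


def eui64_interface_id(mac):
    """RFC 4291 modified EUI-64: split the 48-bit MAC in two, insert ff:fe
    between the halves, and flip the universal/local bit (0x02) of octet 0."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """The address a host auto-configures from a /64 router advertisement
    when privacy extensions are off."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(address):
    """Recover the MAC if the interface ID looks EUI-64 derived, else None.
    A privacy-extension (temporary) address has a random interface ID, so
    the ff:fe marker is absent except by a 1-in-65536 coincidence."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def same_hardware(addr_a, addr_b):
    """Two addresses logged on different networks: the same NIC?  This is
    the correlation the privacy extensions exist to defeat."""
    a, b = mac_from_address(addr_a), mac_from_address(addr_b)
    return a is not None and a == b


if __name__ == "__main__":
    nic = "00:11:22:33:44:55"
    office = slaac_address("2001:db8:1:2::/64", nic)
    cafe = slaac_address("2001:db8:cafe:7::/64", nic)
    print(office, cafe, same_hardware(office, cafe))
    print(mac_from_address("2001:db8:1:2:a1b2:c3d4:e5f6:7890"))  # privacy address
```

With the MAC 00:11:22:33:44:55 the office address becomes 2001:db8:1:2:211:22ff:fe33:4455 and the café address 2001:db8:cafe:7:211:22ff:fe33:4455; the lower 64 bits are identical, so anyone holding both logs knows it is the same laptop. The random interface ID of a temporary address yields no MAC. On Linux the knob is `net.ipv6.conf.<interface>.use_tempaddr=2` (enable temporary addresses and prefer them for outgoing connections); the AAAA/PTR maintenance cost mentioned above is the price.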
One contingency plan was to make the address space enormously large, but it will be filled. Many vendors, users and companies will simply create lots and lots of networks and spend their CPU cycles on routing and ACLs for the sake of a simpler setup, but that is not a good solution. We end up with a situation where a secure web server is hosted in a dedicated /64 network, because we cannot yet break that down to a /120 and manage it by ACL at the routing level. We can do it at the local level, if you implement strict policies, know your devices and have trustworthy management and auditing, but it is a management nightmare that needs solutions. There will be many views on how to implement security, and they are all important, because security will be required.


My suggestions?
  • If you have a system administrator, make sure he’s up to date, has met IPv6 people and knows what’s what.
  • If you don’t have a system administrator, get advice on whether you should do it and how.
  • Get into the habit of auditing and monitoring; free tools include ntop and cacti.
  • Realize that there are holes you cannot cover, since they may be your published application.
  • Backup, backup and backup.
  • It may be feasible to separate services and users on your network; this will make ACLs and firewalls manageable… sort of.
  • Remember your digital footprint. You may want to reduce it, and if so, use the privacy extensions, but they are an add-on to security, not “the security”.
  • Because native IPv6 creates a direct connection between nodes, each node should carry some security of its own. You can implement a firewall on your routers, but that is not a solution, only an interim fix while you roll out your internal IPv6 deployment and solve your internal issues.
Björn R. (My opinions are my own)
