IPv6 Security

1. Massive Size of the IP Address Space

When they start, attackers usually employ port scanning as a reconnaissance technique to gather as much information as possible about a victim’s network. It is estimated that the entire IPv4 based Internet can be scanned in about 10 hours with enough bandwidth, given that IPv4 addresses are only 32 bits wide. IPv6 dramatically increases this limit by expanding the number of bits in address fields to 128 bits. By itself, such a massive address space creates a significant barrier for attackers wanting to conduct comprehensive port scanning.

However, it should be noted that the port scanning reconnaissance technique used in IPv6 is basically the same as in IPv4, apart from the larger IP address space. Therefore, current best practices used with IPv4, such as filtering internal-use IPv6 addresses in border routers, and filtering un-used services at the firewall, should be continued in IPv6 networks.

In IPv6, it is possible to bind a public signature key to an IPv6 address. The resulting IPv6 address is called a Cryptographically Generated Address (CGA)9. This provides additional security protection for the IPv6 neighbourhood router discovery mechanism, and allows the user to provide a "proof of ownership" for a particular IPv6 address. This is a key differentiator from IPv4, as it is impossible to retrofit this functionality to IPv4 with the current 32-bit address space constraint. CGA offers three main advantages:

2. IP Security (IPsec)

IP Security, or IPsec for short, provides interoperable, high quality and cryptographically based security services for traffic at the IP layer. It is optional in IPv4 but has been made mandatory in the IPv6 protocol. IPsec enhances the original IP protocol by providing authenticity, integrity, confidentiality and access control to each IP packet through the use of two protocols: AH (authentication header) and ESP (Encapsulating Security Payload).

3. Replacing ARP by Neighbour Discovery (ND) Protocol

In the IPv4 protocol, a layer two (L2) address is not statically bound to a layer three (L3) IP address. Therefore, it can run on top of any L2 media without making significant change to the protocol. Connection between L2 and L3 addresses is established with a protocol named Address Resolution Protocol (ARP), which dynamically establishes mapping between L2 and L3 addresses on the local network segment. ARP has its own security vulnerabilities (such as ARP Spoofing). In the IPv6 protocol, there is no need for ARP because the interface identifier (ID) portion of an L3 IPv6 address is directly derived from a device-specific L2 address (MAC Address). The L3 IPv6 address, together with its locally derived interface ID portion, is then used at the global level across the whole IPv6 network. As a result, the security issues related to ARP no longer apply to IPv6. A new protocol called Neighbour Discovery (ND) Protocol for IPv6 is defined in RFC4861 as a replacement to ARP.

1. IP Addressing Structure

The IP addressing structure defines the architecture of a network. A well-planned addressing structure will reduce potential risks associated with new features provided by IPv6. The following areas should be considered when designing an IPv6 network.

Numbering plan and hierarchical addressing

The numbering plan describes how the organisation segregates its IPv6 allocation, for example, if an organisation is granted with a 16 subnet bits (/48) address block, this will allow to support 65,000 subnets. A good numbering plan can simplify access control lists and firewall rules in security operations, and identify ownership of sites, links and interfaces easily. Organisations should carefully plan and create a site hierarchy by consider subnet methods as follows:

IPv6 cannot solve all security problems. Basically it cannot prevent attacks on layers above the network layer in the network protocol stack. Possible attacks that IPv6 cannot address include:

Transitioning tools allow IPv4 applications to connect to IPv6 services, and IPv6 applications to connect to IPv4 services. However, attackers might exploit this if the security issues have not been fully addressed.

There are a variety of IPv6 transition technologies, such as 6to4 (defined in RFC 3056), Simple Internet Transition (SIT) tunnels, and IPv6 over UDP (such as Teredo). IPv6 traffic can enter networks via these methods while administrators are not aware that networks are vulnerable to IPv6 exploits. In addition, many firewalls permit UDP traffic, allowing IPv6 over UDP to get through firewalls without the knowledge of administrators. Attackers might also use 6to4 tunnels to evade intrusion detection or prevention systems. Some firewall products are only capable of filtering IPv4 traffic and not IPv6 traffic. Attackers can exploit this loophole and hence compromise the network by using IPv6 packets

SIT tunnels and tunnelling routers make it possible to deploy islands of IPv6, within sea of IPv4 networks, without IPv6 routers being directly connected to each other. This arrangement allows intruders to subvert simple workstations and use them as routers to direct traffic across entire sub-networks without having to compromise infrastructure routers or firewalls. To inspect encapsulated traffic within tunnels, deploy security devices that can understand tunnelled traffic. Moreover, security policies should be enforced at both the inbound and outbound of the tunnel.

For host security on IPv4-IPv6 mixed networks, it should also be noted that applications are subject to attacks in both IPv6 and IPv4 networks. Therefore, if traffic blocking is required, it is necessary to block traffic for both IP versions on any host control systems (firewalls, VPN clients, intrusion detection or prevention systems, and so on). IPv6 network traffic should be monitored, router and neighbor solicitations should be audited to detect the insertion of any rogue router or unauthorised device to the network.

Below are some best practices for reference in building and maintaining secure IPv6 networks: