All that you know is at an end…
– Silver Surfer
No Soup for YOU!
At a ceremony held on 3 February, 2011 the Internet Assigned Numbers Authority (IANA) allocated the remaining last five /8s of IPv4 address space to the Regional Internet Registries (RIRs) in accordance with the Global Policy for the Allocation of the Remaining IPv4 Address Space. With this action, the free pool of available IPv4 addresses is now fully depleted.
To read the full text of this announcement please go to:
Like it or not, IPv6 is here today: Purchased a desktop or laptop computer lately? Or perhaps a UNIX or MS Windows based smartphone, router, server, WWW server, or firewall? In fact, there aren’t many devices out there that don’t have support for IPv6; it’s been in these devices for the last few years. Interestingly enough, many devices come with IPv6 on, and auto configuring itself by default. In almost every class of Enterprise application, there are IPv6 versions by major vendors like IBM, Microsoft, HP, Apple. Incidently, you’ve been adopting IPv6 during your regular tech refresh.
But IPv6 is not just another protocol or type of application. Nor is it just IPv4 with more numbers. Consider the following:
Mandatory IPSEC (with all the associated crypto code)
Automatic configuration of interfaces (DHCP replacement)
All devices Internet addressable (no more NAT)
Massive (up to 4GB) packet sizes
Many new rules for routing, private addresses, DNS, packet analysis, fragmentation, and so on.
How ironic, Tony! Trying to rid the world of Protocol Exposures, you gave it its best one ever! And now, I’m going to kill you with it!
– Tony Stark’s Mentor, Obadiah Stane
Granted, as with any necessary midcourse correction there are many new complications, and IPv6 is no exception. But there are some items that require the immediate attention of network administrators, in specific, covert attack channels and security monitoring.
A covert channel is a mechanism that can be used to transfer information from one user of a system to another using means not intended for this purpose by the system developers. Skilled hackers have engineered tools that let them establish IPv6 network communications on IPv4 networks using this IPv6 capability. One prominent example is the tool dubbed VoodooNet or v00d00n3t, it exploits ICMPv6 echo request/Reply Packets and uses the IP portion of flowlabel data field to deliver data (1 to 32 bytes at a time). It sends the data to a network without identifying the root or the destination addresses because its spoofed. IPv6’s Network Solicitation and the responding Network Advertisement (IPv6’s ARPs replacement) correctly delivers the data. Because most security hardware appliances and host-based intrusion detection programs have not been programmed to inspect IPv6 packets in depth, data can bypass most network security, said independent security researcher Robert Murphy, who presented the tool at the DEFCON hacking conference few years back has now had time to perfect the tool. The result, new avenues of attack are opened up, and new covert channels for data extraction are established that current IPv4 networking monitoring devices have a hard time catching. VoodooNet is RFC compliant and makes the information look like a Windows Ping Packet and an echo request and Network Solicitation (from the ARP replacement NDP) ensures proper delivery.
Basically, if your devices on your network are less than 3 years old, your network has devices capable of running IPv6. If you have not consciously taken steps to mitigate this threat of a covert IPv6 channel in your IPv4 network, you may be subject to exploitation. In addition, even if your organization has adopted an IPv6 implementation, there are few monitoring and event management tools available to security professionals for managing the security posture of the network. Using an active external performance monitoring service will be critical with the advent of IPv6. Network and website managers must have a true view into end-user connectivity and the ability to receive instant notification whenever a problem occurs. There are a few tools out there, one accepted solution is using Netflow with plug-ins.
FlowMon exporter + plug-in ? NetFlow v9.
Transport of data to collector over IPv6.
NfSen 1.3.4 + NFDUMP 1.6.1.
Enabled extensions 6 (src/dst vlan id labels).
native IPv6, Teredo, 6to4, SATAP., M. Elich, et al. Tunneled IPv6 T
With great power comes great responsibility…
– Peter Parker’s Uncle Ben
So what Should One Do?
Stop IPv6 Traffic
If your organization is not running IPv6 and don’t plan to run it anytime soon, efforts to block IPv6 traffic from coming in and out of their networks should be initiated. Note this should be a temporary measure because IPv6-based traffic is only on the rise. The easiest approach may be to have firewalls drop IPv6 traffic.
–David Banner on a off day…
There are three flavors of IPv6 tunnels —Teredo, 6 to 4, and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) — allow IPv6 packets to be encapsulated inside IPv4 packets that can be sent through IPv4-enabled firewalls or network address translation devices. These are slow, and should be avoided when possible, but are a necessary evil in a hybrid environment. Know that, tunneled IPv6 packets look like normal IPv4 traffic, so in order to detect these packets; one needs deep packet inspections systems that can peer into tunnels to examine what’s inside of them. Preferably, firewalls with intrusion-prevention systems that “support IPv6 and full inspection for the tunneling mode. Remember, voodooNet is RFC compliant and makes the information look like a Windows Ping Packet and an echo request and Network Solicitation ensures proper delivery. There are tools out there that will scan through tunnels for IPv6 traffic – as this list is changing every day, call us for the information.
Rogue IPv6 devices
A rogue device uses IPv6 auto-configuration devices and assigns IP addresses to all the other devices on the network. In essence, a rogue device like a router can be set up to assign IPv6 addresses on your network, and you wouldn’t even know it. Then all the traffic can be diverted to the rogue router, which can not only copy the detailed info, but delete it as well. Scan and Identify all IPv6 tunneled or otherwise traffic and isolate their origins for validity.
Type 0 Routing Header
This well-known IPv6 vulnerability creates the opportunity for denial-of-service attacks because it gives a hacker the ability to manipulate how traffic flows over the Internet. This feature of IPv6 allows you to specify in the header what route is used to forward traffic. So if you specify a route that is from point A to point B back to point A and again to point B, etc… A hacker could use this feature to saturate a particular part of the network by having the packets spin between the two devices indefinitely effectively executing a Denial of Service attack. Have your firewall deep packet filter your traffic and drop any Type 0 Headers.
Built-in ICMP and multicast
Unlike IPv4, IPv6 features built-in Internet Control Message Protocol (ICMP) and multicast. These two types of network traffic are integral to how IPv6 works. With IPv4, network managers can block ICMP and multicast traffic to prevent attacks coming over these channels. But for IPv6, network managers will need to fine-tune the filters on their firewalls or routers to allow some ICMP and multicast traffic through.
Truth is… I am Iron Man…
– Tony Stark
It’s not IPv6 technology that will get us in trouble; it will be organizations choices in deploying the technology. Organizations that carefully plan and consider how to put things on the network with IPv6 will have less of an issue. Detailed security plans should be in place to ensure that the transition doesn’t become an ELE (Extinction–Level Event)
By the way, if you haven’t been to one of our events yet, click here to check them out.
About Affant Communication
Affant Communication is a leading provider of Network/Security Solutions and one of the nation’s premier infrastructure solution providers. Offerings include, but are not limited to Telco/Network & Security Solutions, Software Programming, 24 x 7 Network/Security Monitoring, and Wireless Broadband and Mobile Solutions.
About Rick Ricker
An IT professional with over 20 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
for more information, contact Rick at (714) 338-7137