Thursday, April 23, 2009

IPv6 Security Primer

Scope
The following aspects are analysed as part of this study:
- IPv6 Protocol summary
- IPv6 Security options
- Types of Threats
- IPv6 Threats analysis
- IPv6 hacking tools

IPv6 Protocol summary

IPv4 and IPv6 header comparison: The difference between the IPv4 and IPv6 headers is displayed in the figure below. Some unneeded fields have been eliminated when moving from IPv4 to IPv6. For example, the Header Checksum field has been removed, which in turn improves packet routing speed. The Flow Label field is new and is intended for future use.

IPv6 header options: Extension headers are processed only by the node identified in the IPv6 destination address field. This means much lower overhead than IPv4 options. The exception, of course, is the hop-by-hop header, as you can see from Figure 2. This also means that IPv4's 40-octet limit on options has been eliminated; in IPv6 the limit depends on the total packet size or, in most cases, the path MTU.

IPv6 addresses: The IPv6 address types are:

Unicast: A unicast address identifies a single interface within the scope of the type of unicast address. With the appropriate unicast routing topology, packets addressed to a unicast address are delivered to a single interface. The unicast IPv6 address types are global, site-local and link-local.

Multicast: A multicast address identifies multiple interfaces. With the appropriate multicast routing topology, packets addressed to a multicast address are delivered to all interfaces that are identified by the address.

Anycast: An anycast address identifies multiple interfaces. With the appropriate routing topology, packets addressed to an anycast address are delivered to a single interface (the nearest interface that is identified by the address). The nearest interface is defined as being closest in terms of routing distance.

IPv6 security options

All implementations are required to support the authentication and encryption headers (AH and ESP of IPsec). Authentication is separate from encryption for use in situations where encryption is prohibited or prohibitively expensive.

The Authentication Header provides origin authentication, data integrity and anti-replay protection. The default algorithms used are MD5 and SHA-1.

The Encapsulating Security Payload provides origin authentication, data integrity, anti-replay protection and confidentiality. The default algorithms used are DES/3DES, MD5 and SHA-1.

Types of Threats

IPv6 threat analysis
Reconnaissance

How is it carried out?
1. DNS/IANA crawling (whois) to determine the address range
2. Ping sweeps and port scans
3. Application vulnerability scans


Reconnaissance in IPv6
1. Subnet size difference - The default subnet in IPv6 has 2^64 addresses, approximately 18 quintillion. At 100M pings/second (40 Gbps full-duplex), it takes more than 5,800 years to scan the address range of just one subnet.
2. Multicast addresses - IPv6 supports new multicast addresses that can enable an adversary to identify key resources on a network and attack them. Examples: all routers (FF05::2) and all DHCP servers (FF05::1:3).

Unauthorized access
Authorizing access to computer systems is a policy decision that is often implemented with layer 3 and layer 4 filtering.

Unauthorized access in IPv6
1. Privacy extensions limit the exposure to a security threat that targets an IPv6 host directly
- The end host is harder for an attacker to identify
- The end host is harder to identify even for the network administrator
2. Local unicast filtering
- IPv6 allows multiple addresses on one adapter: link-local, local unicast and global
- Local unicast addressing can be used to automatically deny inbound and outbound access for enterprise-only servers

Header Manipulation and Fragmentation

Header manipulation in IPv6
1. The unlimited size of the header chain can make filtering difficult
2. DoS is a possibility with a poor IPv6 stack implementation

Fragmentation in IPv6
1. In IPv6, fragmentation is done only by the end system
2. For IPv6, a filter must traverse the Next Headers before reaching the fragment header to extract the flags and offset.
3. Then, it may need to traverse further Next Headers before reaching the ULP (upper-layer protocol), and only then check whether enough of the ULP header is within the first fragment.
4. This makes matching against the first fragment non-deterministic: the TCP/UDP/ICMP header might not be there.
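As an added example (not code from the original post) of steps 2 to 4 above, the Python below walks the Next Header chain of a raw IPv6 packet, stops at the fragment header to read offset and M flag, and reports whether the whole TCP/UDP/ICMPv6 header that a stateless filter matches on is actually inside the first fragment. The header numbers come from the RFCs; the sample packets, the minimum-length table and the function names are my own constructions.

```python
import struct

# IPv6 extension header numbers (RFC 2460 / RFC 4302); ESP is opaque, so the walk stops there.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
ULP_MIN_LEN = {6: 20, 17: 8, 58: 8}  # bytes of TCP / UDP / ICMPv6 header a stateless filter needs

def walk_chain(pkt):
    """Walk the Next Header chain of a raw IPv6 packet.
    Returns (ulp, frag_offset, more_fragments, ulp_bytes_present); ulp is None when
    this is a non-first fragment, because the upper-layer header is in another packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag_offset, more = pkt[6], 40, 0, False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            nh, _, flags_off, _ = struct.unpack_from("!BBHI", pkt, off)
            frag_offset, more, off = flags_off >> 3, bool(flags_off & 1), off + 8
            if frag_offset:
                return None, frag_offset, more, 0
            continue
        nxt, hlen = pkt[off], pkt[off + 1]
        # AH length is in 4-octet units minus 2; the option headers use 8-octet units minus 1.
        off += (hlen + 2) * 4 if nh == AH else (hlen + 1) * 8
        nh = nxt
    return nh, frag_offset, more, max(0, len(pkt) - off)

def first_fragment_is_filterable(pkt):
    """True only if the whole L4 header a stateless ACL matches on is inside this packet."""
    ulp, _, _, present = walk_chain(pkt)
    return ulp in ULP_MIN_LEN and present >= ULP_MIN_LEN[ulp]

def sample_packet(tcp_bytes_present, frag_offset=0):
    """Constructed sample: IPv6 | Hop-by-Hop (PadN) | Fragment | first tcp_bytes_present bytes of TCP."""
    hbh = struct.pack("!BB6s", FRAGMENT, 0, b"\x01\x04\x00\x00\x00\x00")
    frag = struct.pack("!BBHI", 6, 0, (frag_offset << 3) | 1, 0x1234ABCD)  # M flag set
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)[:tcp_bytes_present]
    payload = hbh + frag + tcp
    ip6 = struct.pack("!IHBB16s16s", 6 << 28, len(payload), HOP_BY_HOP, 64, b"\x00" * 16, b"\x00" * 16)
    return ip6 + payload

if __name__ == "__main__":
    for n, fo in ((20, 0), (12, 0), (20, 1)):
        print(n, "TCP bytes, offset", fo, "->", first_fragment_is_filterable(sample_packet(n, fo)))
```

A filter that cannot reach a complete L4 header has to fall back on a policy decision (drop, or pass to a reassembling stateful device) rather than a port match.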

Layer-3 and Layer-4 spoofing

Layer 3 spoofing in IPv6

1. IPv6 addresses are globally aggregated, making spoof mitigation at aggregation points easy to deploy
2. Unfortunately, each subnet still has a huge range of IP addresses to spoof
3. IPv4-to-IPv6 tunnels can be exploited as a conduit for spoofing

Layer 4 spoofing in IPv6
L4 spoofing remains the same as in IPv4


ARP and DHCP attacks

DHCP attacks in IPv6

1. The stateless autoconfiguration procedure (based on ICMPv6) automatically assigns addresses. DHCPv6 is not considered "mature" yet
2. The same process (stateless autoconfiguration) can be hijacked

ARP attacks in IPv6
1. ICMPv6 Neighbor Discovery replaces ARP, but suffers from the same problems
2. ICMPv6 without IPsec AH gives exactly the same level of security as ARP in IPv4 (bootstrap security problem)

Smurf attacks

Amplification (DDoS) attacks in IPv6
1. There are no broadcast addresses in IPv6
2. Broadcast address functionality is replaced with the appropriate link-local multicast address
- Link-local all-nodes multicast - FF02::1
- Link-local all-routers multicast - FF02::2
3. The IPv6 specifications forbid the generation of ICMPv6 packets in response to messages sent to global multicast addresses

Routing attacks

1. The exact same purposes, requirements and protections apply to IPv6 routing
2. BGP, IS-IS and EIGRP session protection remains the same for IPv6
3. Typically, session protection is accomplished with MD5 authentication of routing updates
4. OSPFv3 has changed: MD5 has been pulled from the protocol, which instead relies on IPsec
5. RIPng also relies on IPsec


Virus and Worms

1. Hybrid and pure worms today rely on Internet scanning to infect other hosts; as explained above, this is not feasible in IPv6
2. Worm developers will adapt to the IPv6 environment, but pure random-scanning worms will be problematic for attackers
3. The Honeynet Project has already detected an IPv6 worm


One of the Honeynet Project's Solaris honeynets was compromised. What made this attack unique was that, after breaking into the system, the attackers enabled IPv6 tunneling on it, with communications being forwarded to another country. The attack and communications were captured using Snort; however, the data could not be decoded because of the IPv6 tunneling. Once tunneled, such traffic could also potentially disable or bypass the capabilities of some IDS systems.

Threats that are similar in IPv4 and IPv6

Sniffing - Without IPsec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

Application layer attacks - Even with IPsec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec will do nothing to prevent

Rogue devices - Rogue devices will be as easy to insert into an IPv6 network as in IPv4

Man-in-the-Middle attacks - Without IPsec, any attack utilizing MITM will have the same likelihood in IPv6 as in IPv4

Flooding - Flooding attacks are identical between IPv4 and IPv6

Threat solution summary

IPv6 Hacking Tools

Conclusion

IPv6 makes some things better, other things worse, and most things are just different, but no more or less secure:

Better
1. Automated scanning and worm propagation are harder due to the huge subnets
2. Link-local addressing can limit infrastructure attacks
3. IPsec will be routinely available for use where keys exist


Worse
1. Lack of familiarity with IPv6 among operators
2. Multiple addresses per interface is a different concept
3. Immaturity of software in the next few years
4. Improperly deployed transition techniques