Network Security with IPv6 is a tough area to write about. I have avoided the topic for a long time and finally decided to write down my thoughts rather unedited and invite to discussion. This area can easily fill your 30 minutes of IPv6 this Friday – and possibly much more. Stay with me for half an hour and follow up on some of the links to get an overview! Many IPv6 evangelists keep repeating the end2end mantra – that IPv6 will finally restore the original architecture of the Internet and IP networks. With a global address scheme and no private address spaces to hide in, every node on the net will be able to reach any node on the net again. While this sounds like a dream for many application developers, other people fear that it is a dream also for developers that we don’t want – the hacker. Let’s talk about IPv6 security!
IPv6 Network Security compared with IPv4 – What’s different?
From my point of view – and please give me feedback on this – I see a few major areas I want to focus on today:
- The IPv6 Protocol – header chains and the new protocols – RA, SLAAC, ND
- Running dual stacks
- IP filtering – access control lists
- The possibility to operate a network without NAT
Busting the myth: IPv6 is not more secure than IPv4
While IPv6 is new to many people, it’s not a new protocol. The first work was started in the early 90’s, so parts of IPv6 are more than 15 years old. In the IPv6 project many new technologies, that did not exist at the time in IPv4, was developed – like IPsec. IPsec is a technology for setting up secure tunnels between hosts or networks. Like many other new things invented for IPv6, IPsec was ported to IPv4 and has been around for many years. At the time where IPv6 and IPsec was invented, there may have been reasons to claim that IPv6 could be more secure than IPv4 (which did not have any secure VPNs). Today, that claim is no longer valid. There are no differences between IPv4 and IPv6 in terms of security. Yes, more IPv6 stacks will have built in support for IPsec, which is a good thing. But to me that doesn’t make the protocol by itself more secure.
For homes and small offices – replacing the NAT
The NAT has been a way to set up a default firewall ruleset – if there’s no traffic from the inside out first, don’t let anyone come in. The years of home routers and ADSL gateways/routers have taught people about this, but also about port forwarding. We even have protocols for enabling port forwarding from the router to a device on the inside, opening up holes in the security barrier. Services like back-to-my-mac and various home-to-my-PC cloud services keep opening up for connections that break the default firewall policy.
With IPv6 the difference is that the world is a bit upside down. Without a firewall, all connections go directly between connected devices, regardless of which side of the broadband router they are on. Forget port forwarding, here’s the real stuff, how it was supposed to be.
The router, if the follow the standard specifications, will still have a default firewall policy saying that no traffic is allowed to reach the inside, unless someone on the inside started a session. To break this, you have to install special firewall rules that open up for the IP phone or a web cam you need to reach from the outside. Security-wise, it’s the same. Port forwarding replaced with firewall port enabling – the user interface will probably look very similar. NAT replaced by a real firewall. And an endless amount of new possibilities. For more information about IPv6 and NAT replacements – read our earlier article here.
For enterprises – dual stacks, dual work
Remember the network layer schema? TCP, UDP and STCP running on top of IP running on top of Ethernet, Wifi or something else. Well, when we change from IPv4 to IPv6, the rules for the TCP- and UDP-based protocols stay the same. These protocols doesn’t change, they just continue to work as before.
Going down the layers we find IPv4, ARP and ICMP. A group or related protocols that make TCP/IP work. For IPv6 these are replaced with IPv4 and even more ICMP than before. And that’s the first big difference. In IPv4 many firewall admins block ICMP. In IPv6 you can not do that. ICMP is used for quite a lot of functionality, especially to find the allowed packet size for a flow. If you disable ICMP, packets that are too big will just be dropped and the sending party can’t adjust the size of the IP packet. In addition you have new helpers, router advertisements, neighbor discovery, DHCPv6 that will have to be handled. The IETF has just started to handle many issues here and have written documents about how to handle router advertisements in switches (RA Guard), how to handle various combinations of address assignment and discovery and packet fragmentation and multiple IPv6 packet headers. Like all security, IPv6 security requires a constant learning process!
The second big difference is of course multicast. For IPv4 it was a sexy add on. For IPv6 it’s core functionality that the whole stack depends on.When adding IPv6 to your enterprise firewall, you can’t just take the ruleset that worked for IPv4 and copy it. You have to build a whole new rule set. It’s a new stack you’re adding. Be careful out there!
Built in firewalls and IPv6
Looking at the common built-in firewall platforms in servers most of them handle IPv6. In LInux, you have ip6tables that works like the IPv4 counterpart iptables. In FreeBSD you have ipfw and in OpenBSD (and some FreeBSD installations) pf. All of these support IPv6. The support for more advanced functions are implemented only in the latest releases, so if you are running a Linux distribution that have an old kernel and netfilter implementation, you might lack some IPv6 support. It’s very hard to find good example configuration scripts for these when looking for IPv6. It’s easy to find broken ones that drop all ICMPv6 traffic, so be careful. The popular Firewall Builder that many organizations use to create configurations for Cisco, IPtables, IPfw and pf has full support for IPv6.
- Man page for ip6tables (linux) – example
- Man page for IPfw (FreeBSD)
- Example PF configuration for IPv4 and IPv6 – another example from tunnel broker.net forums
There’s one book about IPv6 security that covers all kinds of technical aspects in a very good way – it’s IPv6 Security by Scott Hogg and Eric Vyncke (Cisco Press 2008). It’s worth your time reading it. Do not buy any older books on the topic, it’s not worth your time. (And be careful with the e-book version of this book. It’s has a weird DRM system that is not compatible with trying to read it on an airplane in off line mode).
A very good presentation to read is the RIPE 61 IPv6 Security presentation by Merike Kaeo, Double shot security (2010). It contains many good examples and lists of addresses, packet types and other data you need to have on your desk as you start working building an IPv6 firewall policy.
Download the PDF and read it!
My personal view is that the information on the web is very confusing and in most cases incomplete. I’ve read the Cisco book and have worked from that to build various configurations. Be sure that there will be more articles about IPv6 security coming up on future Fridays. I really look forward to your feedback here. Let’s spend at least 30 minutes on IPv6 security today, then continue the work and build a shared knowledge base.
- NIST: SP 800-119, Guidelines for the Secure Deployment of IPv6, (Jan 2011)
- Eric Vyncke: IPv6 Security (Network World blogs)
- Dark reading: Five security flaws in IPv6 (May 2007)
- Microsoft Technet: IPv6 Security considerations and recommendations (2006) – mostly covers tunnel management.
- Firewall builder blog: Are your firewalls ready for IPv6?