Common misconceptions about IPv6 security

By David Holder on 18 Mar 2019

Category: Tech matters



Misconceptions can be dangerous. This is especially true when they lead to network insecurity.

In this post I’ll seek to set the record straight for several of the most common misconceptions about IPv6 security.

IPv6 is more/less secure than IPv4

There are two big misconceptions about IPv6 security:

  • IPv6 is more secure than IPv4
  • IPv6 is less secure than IPv4

Neither is true. Both assume that comparing IPv6 security with IPv4 security is meaningful. It is not.

Today’s networks, whether they have IPv6 deployed in them or not, are largely IPv6 compatible. All modern operating systems and network devices employ IPv6 dual-stacks, in which IPv6 is turned on by default. Even if you have not actively deployed IPv6, your networks still have the combined vulnerability surface of IPv4 and IPv6.

Therefore, comparing IPv4 security with IPv6 security is meaningless. They both have the vulnerabilities of IPv4 and IPv6. Every network should be secured for IPv4 and IPv6. Ideally, you should have done this well over a decade ago.


IPv6 is IPv4 with longer addresses

In network security, it is crucial not to underestimate the scale of risks. The most common misconception that I have heard in my twenty years of working with IPv6 is that IPv6 is IPv4 with longer addresses. It is not. IPv6 is vastly different from IPv4, often in complex and subtle ways. Sometimes, what is best practice in IPv4 is the opposite of best practice in IPv6.


It is not possible to list all the differences here. Instead, I will illustrate this using addressing. This is one area where superficially the difference between IPv4 and IPv6 appears obvious. However, not only are IPv6 addresses longer, they are also inherently different in attributes, types, structure and how they are used. For example:

  • They have new attributes: length, scope and lifetimes.
  • It is normal for IPv6 interfaces to have multiple addresses.
  • IPv6 addresses can change over time.
  • Multicast plays a crucial role in core IPv6 protocols.
  • There are a vast number of methods for assigning interface identifiers (the bottom 64 bits).
  • How IPv6 addresses are used and managed is hugely different.
  • Global public addresses are normal.

This is only addressing. IPv6 has many other differences both in things we are familiar with in IPv4 and in completely new protocols and features. All of these have security implications; the biggest being that staff will not appreciate the differences, and therefore the need, to secure IPv6.

To give you a feel for the scope of the IPv6 vulnerability surface, I have included the figure below. Of course, it is not intended to compare IPv4 and IPv6 security (indeed IPv4 is included). However, it does illustrate that there are many new areas to consider, some of which are significant.


Figure 1 — The IPv6 vulnerability surface.

IPsec makes IPv6 more secure than IPv4

Internet Protocol Security (IPsec) was designed to provide network layer security (authentication and encryption). It was included as a mandatory feature in the IPv6 standards. Many believed, and some still believe, that this gives IPv6 an advantage over IPv4.

There are two reasons why this is not the case. Firstly, while including IPsec functionality in the IPv6 stack was mandatory, using IPsec is not mandatory. Secondly, IPv4 also has IPsec, so there is no difference. Or is there?

IPsec in IPv4 is often used for VPNs. These are terminated at the edge of networks. IPv4 IPsec is rarely used to secure end-to-end traffic. This is because of the widespread use of Network Address Translation in IPv4 (NAT44). NAT44 mangles the IPv4 headers and breaks IPsec. In IPv6 this restriction does not exist. Using IPsec end-to-end becomes more practical.

IPv6 is already facilitating new and innovative ways of using IPsec. We have clients who are using IPv6 IPsec to secure all traffic within their data centres. We also have clients who have deployed IPv6 to leverage IPsec based end-to-end security allowing them to decommission their existing VPN concentrators.

Address scanning is impossible in IPv6

The enormous number of addresses in an IPv6 subnet (2^64 = 18,446,744,073,709,551,616) is often thought to make it impossible for attackers to scan IPv6 subnets. There is some truth in this. To sequentially scan a gigabit ethernet subnet would take 491,351 years if there is no other traffic.

However, it is not impossible for an attacker to find addresses in a subnet, it is simply harder. How hard depends on the type of addresses that you are using and where the scanner is located.


If the network’s IPv6 addresses have a known structure, then scanning them becomes much easier. For example, some organizations number their hosts sequentially (1, 2, 3 and so on). This is the first sequence a scanner is likely to try.

Some base their IPv6 address structure on IPv4 addresses. This is not considered to be a good idea. From a security perspective, it makes address scanning as trivial as it is in an IPv4 network. Even networks that use modified EUI-64 addresses that are based on MAC addresses can be scanned if an attacker has enough prior information.

Today, the use of opaque static and privacy addresses can make remote IPv6 address scanning impractical. However, discovering addresses by other means may still be possible.

Estimating the time required to scan an IPv6 subnet:

Length of Neighbour Solicitation frame (including the preamble and interframe gap) = 840 bits

Time to send one Neighbour Solicitation on gigabit ethernet = 840 / 10^9 = 0.00000084 seconds

Time to transmit all 2^64 Neighbour Solicitations = 2^64 × 0.00000084 = 1.54953 × 10^13 seconds

= 1.54953 × 10^13 / 31,536,000 = 491,351.6306 years

(Assumes that there is no other traffic on the subnet!)
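As an added example that is not part of the original post, the following Python script reproduces the estimate above and then shows how far the search space shrinks when interface identifiers follow a predictable scheme. The link speed and frame size are the post’s figures; the per-scheme search-space sizes are assumed, illustrative values.

```python
# Added example (not from the original post): estimate how long a brute-force
# Neighbour Solicitation sweep of an IPv6 /64 would take, and how the search
# space shrinks when interface identifiers (IIDs) follow a predictable scheme.

NS_FRAME_BITS = 840          # NS frame incl. preamble and interframe gap (from the post)
GIGABIT = 1_000_000_000      # link speed in bits per second
SECONDS_PER_YEAR = 31_536_000


def scan_seconds(candidates: int, frame_bits: int = NS_FRAME_BITS,
                 link_bps: int = GIGABIT) -> float:
    """Seconds to send one NS per candidate address, assuming an idle link."""
    return candidates * frame_bits / link_bps


def scan_years(candidates: int, **kw) -> float:
    """Same estimate expressed in years."""
    return scan_seconds(candidates, **kw) / SECONDS_PER_YEAR


# Assumed, illustrative size of the IID search space for each assignment scheme.
# A defender can use this to judge how much their own scheme leaks.
IID_SCHEMES = {
    "random / RFC 7217 opaque IID": 2 ** 64,
    "modified EUI-64, vendor OUI known": 2 ** 24,   # only the 24-bit NIC part is unknown
    "embedded IPv4 host part of a /24": 2 ** 8,     # 256 candidate hosts
    "sequential ::1, ::2, ...": 2 ** 12,            # assumes at most 4096 hosts
}


def rank_schemes(schemes=IID_SCHEMES):
    """Return (scheme, seconds) pairs sorted from easiest to hardest to sweep."""
    return sorted(((name, scan_seconds(n)) for name, n in schemes.items()),
                  key=lambda pair: pair[1])


if __name__ == "__main__":
    print(f"Full /64 sweep: {scan_years(2 ** 64):,.1f} years")
    for name, secs in rank_schemes():
        print(f"{name:40s} {secs:>18.6f} s")
```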


No NAT makes IPv6 insecure

One of the most common misconceptions regarding IPv6 security is that the lack of NAT makes IPv6 less secure. NAT44 is often seen as a security feature in IPv4 networks. The use of public addresses in IPv6 and the restoration of end-to-end connectivity is of great concern to many IPv4 network administrators.

Confusing brokenness with security is a mistake. Firewalls can easily provide equivalent and better protection than NAT without breaking end-to-end connectivity. Ironically, NAT44 and its associated myriad of NAT-traversal techniques have many security issues of their own.

Key lessons

These are just a few of the most common misconceptions about IPv6 security. There are many more.

The key lessons are:

  • Don’t underestimate the scale of the differences between IPv6 and IPv4.
  • Your IPv4 networks need to be secured against IPv6 vulnerabilities.
  • Your network and security staff need to be competent in IPv6 and in IPv6 security features.
  • How IPv6 is deployed will influence how secure it is in practice.

For a longer introduction to IPv6 security threats and security features, watch my presentation at the UK IPv6 Council on IPv6 Security Fundamentals.

Dr David Holder is CEO and chief consultant at Erion Ltd. He has over twenty years’ experience providing IPv6 consultancy and training to enterprises and organizations around the world.


The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

9 Comments

  1. Chris Grundemann

    Great post! I came up with many of the same “myths” when exploring this space several years ago. On one hand that’s a nice “great minds think alike” moment – on the other hand, it’s a bit sad that the same myths plague us 5+ years on…

    1. David Holder

      Hi Chris! Great to hear from you and thanks for the feedback.

      Agreed. Some of these myths have a surprisingly long lifetime. For example, I remember talking about the NAT and IPsec myths over 15 years ago!

  2. Florian

    However, there is another point you did not mention: you can’t ban people by IP anymore. You can theoretically create billions of proxies from one /64 subnet. But as a server owner you can’t just ban an entire subnet if one person is spamming, because many ISPs have thousands of users in one /64 subnet (which I know is bad practice, but that doesn’t stop people from doing it).

    I mean yes, you can also bypass ipv4 proxies, but not that many. Let’s imagine a web form which every ip can only submit once per day. You could literally send billions of requests there over ipv6, while you are very limited doing this over ipv4 as you will not get so many addresses.

  3. treysis

    @Florian: this is not different from IPv4! You already have the problem that many customers are grouped together in DSLite setups, and access the internet via the same IPv4. So if you block that single IP, you will also block many good people. Same as you would for several people grouped under one /64 (how do you even do that?). And, to be true, I haven’t seen any ISP doing that so far (might be wrong about mobile networking).

    So, yes, just ban /64 subnets like you did ban IPv4 addresses. I see no problem in that.

  4. Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

    IPv6 is to IPv4 as Windows 10 is to Windows 7

  5. chris

    Ok, me happy to get more accurate expertise on our different experiences and evaluation of IPV6 versus IPV4. Is not wrong, is not good, but we need to evoluate… my conclusion is everybody (majority) is not aware neither prepared.
    This is why I posted the initial experience we had and found out.

    1. our actual security tools cannot handle IPV6, right or wrong (software, hardware)
    2. actual standard settings in firewalls routers (commercially sold) allows IPV6 standard and this is risk
    3. IPV6 on local network has no added value, as long as you don’t do IoT or end to end communication that needs more security than NAT
    4. managing IPV6 security will need more skills IT than IPV4
    5. Securing IPV6 will need adapted security systems (network switches, routers, software, antivirus and malware scanners…)

  6. James Wolters

    Great article! Adoption of IPv6 by IoT customers has been slow. Security for remote machine-to-machine devices is important. The firewall protections that can make up for NAT – are these network firewalls that the mobile carrier must implement, or device-based controls on the mobile device? Thanks …

  7. James McClay

    As of 2011, RFC 6434 Section 11, IPsec implementation in IPv6 is optional. Its use is also optional, but implementation is too. The IPv6 node you connect to may or may not be capable of IPsec at all. That’s a lot different from “everyone with IPv6 has IPsec, they just don’t usually use it.”

  8. fm

    It is no misconception that IPv6 is less secure. In IPv4 I can absolutely be sure that the hosts in my network cannot be accessed. ssh user@192.168.2.6 will never work. This is guaranteed by the local address space. In IPv6 this is not true anymore. I have to rely on others to do their job correctly (firewall rules). What for instance when the other guy is Karpeles (MtGox) working at the Telekom, who doesn’t care a shit about security???

