IPv6 - The devil you don't know...

This is the first in a four-part series of articles on IPv6 security issues.

“Better the devil you know than the devil you don't”. No matter how bad something is, knowing about it is half the battle won. So when something new comes along, like IPv6, its very newness is an issue.

Where IPv6 works the same as IPv4, our knowledge translates quite directly. But there are fundamental differences; it will take time and operational experience to understand their subtleties.

The basic problem is that you don't yet know what those differences are. Nor do your suppliers, staff, or service providers. Even where differences are known about, there is no feel yet for how they will play out operationally. Ignorance means risk that cannot be managed, but equally importantly for IPv6, opportunity that cannot be grasped.

The fact that IPv6 has more addresses seems simple enough, but it has game-changing effects. IPv4 address planning always starts with “how many hosts?” In IPv6 we work with subnets and can forget the addresses. This is a hugely liberating thing, but it takes real effort to get over the assumption, born of many years of IPv4 address scarcity, that we must conserve addresses.

Another game-changer is that there is no longer any need for NAT (network address translation). NAT too was born of address scarcity, which with IPv6 is a thing of the past. NAT does stateful packet inspection as a side-effect, but that can be had independently of NAT – global addressability is not the same as global reachability! What are the risks and opportunities where end-to-end transparency is ubiquitous?
If we model our IPv6 networks on our IPv4 networks we may end up with something that works, but we will be tying ourselves to old topologies and blocking our ability to innovate.

Another new aspect of IPv6 is stateless address autoconfiguration (SLAAC). In the presence of an IPv6 router, an IPv6 interface will give itself a globally-routable IPv6 address, completely automatically. It builds the address from a prefix supplied by the router and locally held information – by default, the hardware identifier of the interface.

This means that the hardware identifier of the interface (typically a MAC address) is visible to any host that receives a packet from you. And as long as you don't change the hardware, the last part of your address will stay the same, even as you move from network to network.

Whether this is a security issue is debatable. My own opinion is that information about host network hardware is rarely of significant advantage to an attacker; and in any case only if the host is reachable, which most enterprise hosts will not be. From a privacy point of view, however, an autoconfigured address is a sort of super-cookie. It allows a particular host to be tracked wherever it goes.

IPv6 allows you to avoid this by using “privacy addresses”. With privacy addressing, a host builds its address using a random sequence of bits instead of a hardware identifier. It changes the random sequence every so often, making it very hard to track the host.

Autoconfiguration takes place without any policy hooks and without any logging. For these and other reasons (including privacy concerns), DHCP is likely to retain a place in most enterprises, either as an adjunct to or instead of SLAAC.
Stateless address autoconfiguration is a good example of something new in IPv6 that needs to be thought about and considered as you deploy IPv6.

©Copyright 2011 Karl Auer

About the author: Karl is technical manager at IPv6Now, a company specialising in helping organisations get into and get the most out of IPv6.
