IPv6 will change network attack surface, albeit slowly: Huston

APNIC's Geoff Huston speaks at this week's IPv6 Summit in Melbourne

Changes in security profiles and vulnerabilities, "truly awesome" failure rates and still-evolving administrative techniques mean companies are right to hold off on embracing IPv6 for now, a senior technologist has advised after airing the results of a detailed global study evaluating IPv6 preparedness.

Speaking at this week's IPv6 Summit in Melbourne, Geoff Huston, chief scientist with the Asia Pacific Network Information Centre (APNIC), said that despite the depletion of the IPv4 address space earlier this year, widespread discussion about the need to shift to IPv6 has still failed to translate into widespread support for the protocol, which offers easier management and a massively increased range of possible addresses.

The sheer size of the IPv6 address space, which eliminates the need for the network address translation (NAT) that has helped stave off the exhaustion of the IPv4 address space, makes traditional 'plus-one scanning' – in which attackers probe one IP address within a subnet after another until they find a vulnerable host – impossible.

"The vector of infection and attack in IPv6 will be different," Huston explained. "It would take approximately six times the life of the universe to scan a single /48 name space even if you could scan 1 million addresses per second. So, the way in which viruses and malware will rendezvous with the victims in IPv6 will not happen in the same way they do in IPv4. Because plus-one scanning in 4 is easy; plus-one scanning in 6 is impossible."

That said, he added, network administrators should take advantage of IPv6's large address space and introduce randomness into their address assignments rather than using IPv4-like sequential numbering.

This would make even large numbers of Internet-connected clients less obvious targets for attack – although Huston suspects many administrators will struggle to break their old habits. "There will be an endless parade of morons who insist on preparing their v6 with ::1, ::2, and so on," he explained. "Those morons will get infected and there's nothing you or I can do about it."

"But if you actually do the privacy addressing fields and leave it on, and as long as you build in decent randomness in the bottom 64 bits, you won't be discovered by accident. You will only be discovered because of something on the other side, and that makes the entire environment of accidental infection totally different in IPv6. I don't mean it will be totally virus free, but the vector of infection will change – and that's the bit that will make that whole profile of IPv6 radically different than what we know."
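To make the scanning arithmetic and the addressing advice concrete, here is an added Python example (not from the article, APNIC or Huston): it computes how long a plus-one sweep of a prefix takes at a given probe rate, classifies the interface identifier (the low 64 bits of a /64 address) of each entry in a constructed address list as hand-numbered, MAC-derived (EUI-64) or random, and generates an address with a fresh random identifier in the manner of RFC 4941 privacy extensions (64 random bits with the universal/local bit cleared). The classification threshold and the sample addresses are my own constructions, not a standard.

```python
"""Added example: scan-time arithmetic and an interface-identifier audit.

Not from the article or APNIC; threshold and sample addresses are constructed.
An IPv6 address is 128 bits; in a /64 the low 64 bits are the interface
identifier (IID), which is where the randomness Huston recommends lives.
"""
import ipaddress
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
IID_MASK = (1 << 64) - 1


def scan_seconds(prefix_len: int, probes_per_second: float) -> float:
    """Seconds needed to probe every address under a prefix of the given
    length at a fixed rate: a brute-force 'plus-one' sweep."""
    return 2 ** (128 - prefix_len) / probes_per_second


def scan_years(prefix_len: int, probes_per_second: float) -> float:
    return scan_seconds(prefix_len, probes_per_second) / SECONDS_PER_YEAR


def interface_id(addr: str) -> int:
    """Low 64 bits of the address as an integer."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def classify_iid(addr: str, small_threshold: int = 1 << 16) -> str:
    """Label an address by how guessable its IID is.

    'sequential': tiny IID such as ::1, ::2 (hand-numbered hosts).
    'eui64':      IID derived from a MAC address (ff:fe in the middle),
                  stable across networks and vendor-structured.
    'random':     nothing recognisable in the low 64 bits.
    The threshold is a constructed heuristic, not a standard.
    """
    packed = ipaddress.IPv6Address(addr).packed
    if interface_id(addr) < small_threshold:
        return "sequential"
    if packed[11:13] == b"\xff\xfe":
        return "eui64"
    return "random"


def audit(addresses):
    """Map each address to its IID class; useful over a DHCPv6 lease
    table or an address plan exported as text."""
    return {a: classify_iid(a) for a in addresses}


def random_address(prefix: str) -> ipaddress.IPv6Address:
    """Pick a fresh random IID inside a /64, in the style of RFC 4941:
    64 random bits with the universal/local (u) bit cleared to mark the
    identifier as locally generated rather than MAC-derived."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are defined for /64 prefixes")
    iid = int.from_bytes(secrets.token_bytes(8), "big")
    iid &= ~(1 << 57)  # u bit = bit 6 of the first IID octet = bit 57 of 64
    return ipaddress.IPv6Address(int(net.network_address) | iid)


# Constructed sample: an address plan laid out with IPv4 habits.
SAMPLE = [
    "2001:db8:0:1::1",                    # router, hand-numbered
    "2001:db8:0:1::2",                    # server, hand-numbered
    "2001:db8:0:1:211:22ff:fe33:4455",    # SLAAC with EUI-64 IID
    "2001:db8:0:1:9a3f:41c2:7e0d:55b1",   # privacy/random IID
]

if __name__ == "__main__":
    print(f"/48 at 1M probes/s: {scan_years(48, 1e6):.3e} years")
    print(f"/64 at 1M probes/s: {scan_years(64, 1e6):.3e} years")
    for addr, kind in audit(SAMPLE).items():
        print(f"{addr:40} {kind}")
    print("fresh random host:", random_address("2001:db8:0:1::/64"))
```

Running the audit over a real lease table shows which hosts an attacker could find by guessing rather than by being told: the two hand-numbered entries and the EUI-64 entry fall out immediately, while the random identifier gives nothing to enumerate.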

It will be some time before the new architecture of IPv6 has any real impact, however: Huston shared research statistics that found IPv6 is still barely registering a blip on the Internet at large.

By setting up a purpose-built Flash ad and distributing it through Google's advertising networks, APNIC was able to query and track end-user computers' ability to resolve IPv6 addresses, which consist of four sets of four-digit hexadecimal numbers rather than the four-number IPv4 addresses that are ubiquitous now. The centre gets around 300,000 impressions per day and has used the data to generate a detailed picture of which systems are most prepared to support the new technology.

That picture offered some surprising findings – most notably that IPv6 is still barely even a blip on the global Internet. The protocol is widely supported in operating systems like Windows 7 and Windows Vista, as well as in associated applications, but measured IPv6 use has risen only from 0.2% to 0.4% of installed systems since 2008, Huston said.

This was because, when IPv6 was enabled by default, clients trying to connect to other, IPv4-connected systems waited an average of 22 seconds – per page element – before giving up and reverting to IPv4. The resulting delays were unacceptable and drove Microsoft to make IPv4 the default again.

"The theory was that operating systems, if they could use v6, they would use it in preference to v4," Huston said. "That was the rule – so that when you turned on v6 in XP, all of the sudden you'd get a shift – but when IPv6 didn't work, it took 22 seconds to figure out what was happening."

Interestingly, Apple's Mac OS X 'Lion' operating system had resolved the issue, Huston said, by attempting simultaneous IPv4 and IPv6 network requests, then terminating whichever request took longer to resolve. This had driven a rise in direct 'unicast' IPv6 traffic from Macs since July, when Lion was released.
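The two connection strategies the article contrasts, modelled as an added Python example (not code from Apple, Microsoft or APNIC): `v6_first_then_fallback` prefers IPv6 and only tries IPv4 after a timeout, which is the behaviour behind the 22-second stalls; `race` starts both connects at once and cancels the loser, which is the approach attributed to Lion and later standardised as "Happy Eyeballs" (RFC 6555). Connects are simulated with timed sleeps and a "blackholed" flag so the example runs offline; the latencies and the scaled-down timeout are constructed values.

```python
"""Added example: IPv6-first-with-fallback versus racing both families.

Simulation only (not Apple's, Microsoft's or APNIC's code). A 'connect' is
modelled as a sleep; a blackholed path never answers, which is what a client
with a broken IPv6 route experiences.
"""
import asyncio
from typing import Dict, Tuple

# (latency_seconds, reachable) per address family; constructed values.
Path = Tuple[float, bool]


async def connect(family: str, latency: float, reachable: bool) -> str:
    """Stand-in for a TCP connect over one address family."""
    if not reachable:
        await asyncio.Event().wait()  # never set: the SYN falls into a black hole
    await asyncio.sleep(latency)
    return family


async def v6_first_then_fallback(paths: Dict[str, Path], timeout: float):
    """Pre-Lion default the article describes: try IPv6, give up only after
    `timeout` seconds, then try IPv4. Returns (family, elapsed)."""
    loop = asyncio.get_running_loop()
    start = loop.time()
    try:
        family = await asyncio.wait_for(connect("IPv6", *paths["IPv6"]), timeout)
    except asyncio.TimeoutError:
        family = await connect("IPv4", *paths["IPv4"])
    return family, loop.time() - start


async def race(paths: Dict[str, Path]):
    """Lion-style race: start a connect per family, keep the first to
    succeed, cancel the rest. Returns (family, elapsed)."""
    loop = asyncio.get_running_loop()
    start = loop.time()
    tasks = [asyncio.create_task(connect(f, *p)) for f, p in paths.items()]
    done, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
    for task in pending:
        task.cancel()
    await asyncio.gather(*pending, return_exceptions=True)
    winner = done.pop().result()
    return winner, loop.time() - start


def simulate(strategy, paths, **kwargs):
    """Run one strategy to completion on a fresh event loop."""
    return asyncio.run(strategy(paths, **kwargs))


# Constructed scenarios. BROKEN_V6: IPv6 is advertised but the v6 path is
# blackholed while IPv4 works. Times are scaled down 100x from the 22 s
# the article quotes.
BROKEN_V6 = {"IPv6": (0.05, False), "IPv4": (0.01, True)}
WORKING_V6 = {"IPv6": (0.01, True), "IPv4": (0.03, True)}
FALLBACK_TIMEOUT = 0.22

if __name__ == "__main__":
    for name, paths in ("broken v6", BROKEN_V6), ("working v6", WORKING_V6):
        fam, t = simulate(v6_first_then_fallback, paths, timeout=FALLBACK_TIMEOUT)
        print(f"{name:11} v6-first : {fam} after {t:.3f}s")
        fam, t = simulate(race, paths)
        print(f"{name:11} race     : {fam} after {t:.3f}s")
```

With a working IPv6 path both strategies pick IPv6; with a blackholed one, the sequential strategy pays the full timeout before IPv4 answers, whereas the race finishes as soon as IPv4 connects and the pending IPv6 attempt is cancelled.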

When APNIC restricted the embedded test to objects reachable only over IPv6, usage increased to around 4% of connected clients; these were systems that had no opportunity to fall back to IPv4, giving a better picture of the penetration of IPv6-capable systems. Yet another approach gave a surprising result: more than 30 percent of clients responded when actually fed an IPv6 address to resolve.

This finding led Huston and his team to an interesting conclusion: around one in three Internet-connected computers are actually capable of using IPv6, but most of them still choose to work over native IPv4 connections. Even attempts to facilitate IPv6 usage by encapsulating IPv6 packets inside universally supported IPv4 packets – techniques such as 6to4 and Teredo tunneling – were failing miserably, showing what Huston called a "truly amazing failure rate" of around 45 percent.

"Laziness about IPv6 is the best possible business decision they could make," Huston said. "If you want control of the relationship between users and services, and if you wish to erect a toll gate, and spread that toll across the network, there's no better way of doing it."

Stories by David Braue