IPv6 firewall security: problems caused by new protocols

When you deploy IPv6 in a WAN, an IPv6 firewall is also deployed. This article introduces some security issues caused by IPv6 and the problems that IT professionals should consider when deploying and operating IPv6 firewalls.

Introduce IPv6 Firewall

The first line of defense for most enterprise networks is a firewall, which is used to defend against public Internet attacks and restrict access to the public Internet of local users. After IPv6 is deployed on an enterprise network, an IPv6 firewall will also be deployed, so that the security policies currently implemented by IPv4 will also be implemented in IPv6.

Although IPv6 and IPv4 provide the best data packet Service), there are some nuances between the two Protocols, which has a great impact on firewall devices and operations. This article describes the differences between them and how they affect IPv6 firewall design and operations. It will also explain how these differences may be exploited maliciously to reduce and eliminate IPv6 firewall security vulnerabilities.

IPv6 Header Structure

One major change in IPv6 is the adoption of fixed-length protocol headers, rather than the adoption of variable-length protocol headers as in IPv4. Any necessary options must be added to the subsequent extension header. The extension header is located between the fixed IPv6 Header and the encapsulated IPv6 upper-layer protocol. It uses different extension headers based on different systems with processing options. For example, the options to be processed on the target host are included in a "target options" header, the options processed by the router are included in a "Hop option" header. Theoretically, this will at least allow the router and host to parse and process their options -- IPv4 is different, and all nodes that process data packets must parse all options.

This header structure determines the IPv6 Header information chain: multiple headers will be linked together in sequence. The first is the IPv6 Header, and the last is the upper layer protocol. Each extension header contains the specific header length and the header information type of the next header link. Therefore, any IPv6 stream uses a complete IPv6 Header information chain and then processes the required header information. Is an IPv6 Header information chain

 

Figure 1: IPv6 Header information chain example

The split header is a special type of extension header, which includes the mechanisms required to implement IPv6 sharding. Different from IPv4 headers, IPv6 does not store all part-related information in a fixed IPv6 Header, but stores the information in an optional segment header. Therefore, the host that executes the shard only needs to insert a shard header information in the IPv6 Header information chain, and then add the original data packet to the shard.

Security Impact of IPv6 Firewall

The above IPv6 Header information chain structure is more flexible than IPv4 because it does not limit the number of packets that can be contained. However, this flexibility also comes at a cost.

Any system that needs to obtain the upper-layer information, such as the TCP port number, must process the entire IPv6 Header information chain. In addition, because the current protocol standard supports any number of extension headers, including multiple instances with the same extension header, it will have multiple effects on devices such as firewalls:

The firewall needs to Parse Multiple extension headers to perform in-depth packet inspection DPI). It may reduce WAN performance and cause DoS attacks, or the firewall is bypassed.

Combined expansion headers and shards may impede packet detection.

As described above, because the current protocol specification supports any number of extension headers, including multiple instances of the same extension header type, therefore, the firewall must be able to process packets that contain abnormal multi-IPv6 extension header information in detail. This may be exploited by some attackers. They may intentionally Add a large number of extension headers to the data packets, causing the firewall to waste too much resources when processing the preceding data packets. In the end, this may cause firewall performance degradation or DoS problems. In addition, some poorly performing firewalls may not be able to process the entire IPv6 Header information chain when applying filtering policies, which may allow some attackers to use the extended header to threaten the corresponding firewall.

IPv6 fragments may also be maliciously exploited, similar to IPv4. For example, in order to disrupt the firewall's filtering policy, attackers may send overlapping fragments, thus affecting the part reorganization process of the target host. In IPv6, this problem is even more serious, because the combination of multiple IPv6 extension headers and shards may produce some incorrect fragments, even though their packet sizes are "normal ", however, they lose some basic information that is usually required to implement the filter policy, such as the TCP port number. That is, the first shard of a packet may contain many IPv6 options, so that the upper-layer protocol header may belong to another Shard, rather than the first shard.

IPv6 conversion/coexistence Technology

The IPv6 translation/coexistence technology brings another problem to the IPv6 firewall. Most conversion technologies use a channel mechanism, which encapsulates another network-layer protocol, which is usually IPv6 ). This will have a lot of impact on the security of the firewall.

First, the firewall may not be able to identify specific conversion technologies or apply some filtering policies supported by native IPv6 traffic. For example, when using native IPv4 or native IPv6, a website can block packets destined for TCP port 25, but it may not block these packets after Teredo and other conversion mechanisms are deployed.

Second, the conversion technology may aggravate the above problems, because not only the encapsulated traffic may use a combination of IPv6 extension headers and fragments, but other data packets sent externally are usually IPv4) may also be sharded, therefore, this will greatly increase the complexity of the final traffic. This complexity not only reduces the network traffic transmission speed, but more seriously, it may also affect the firewall's filtering policy. For example, the firewall may not be able to process the entire header information chain and thus cannot find TCP Fragments. For more information, see ). The example shows the syntax of TCP/IPv6 data packets using Teredo, indicating the complexity of the final traffic.

 

Figure 2: An example of a TCP/IPv6 packet using Teredo

The structure of this data packet may become more complex. For example, if both internal and external data packets are split.

Possible IPv6 Security Problems

Obviously, to apply the IPv6 packet filtering policy, the firewall must support at least the processing of the entire IPv6 Header information chain. Ideally, these Firewalls should also support IPv6 conversion technology, so that the filtering policies applied to native IPv6 traffic can also be applied to the conversion traffic. That is to say, the firewall should have a "default deny" policy, so that the firewall can block unnecessary traffic, such as conversion traffic.

For attacks that may use multiple extension headers to consume resources, limit the maximum number of extension headers supported by an IPv6 packet on the firewall. The reasonable limit is that only one instance is allowed for each defined extension header. However, you can also use other limit values such as "16"-for example, OpenBSD uses this limit value. This limit allows legal traffic, but does not allow an excessive number of extension headers. Packets that exceed the limit must be discarded. Although this may affect the performance, it can prevent DoS attacks.

Finally, it is stipulated that the first shard of an IPv6 packet contains the complete packet header information required by the application packet filtering policy, which can cope with the use of the firewall bypass technology. That is to say, if the first part of the packet received by the firewall does not contain the complete upper-layer protocol header information, such as the TCP header, the packet will be discarded. Firewall bypass technology can also be solved by re-combining the packets in the firewall before applying the filtering policy. However, for a network-based firewall, at least this is not a recommended method because it may leave DoS Vulnerabilities.

Resolve IPv6 firewall Problems

As described in this article, IPv6 firewalls face many problems, but they can be solved through reasonable firewall design and operations. When purchasing a firewall device, you must carefully evaluate IPv6 firewall support. Because the support for different products varies greatly, firewalls with poor support may have a negative impact on enterprise network security.

Edit recommendations]