IPv6: how to be "more secure"

Source: Internet
Author: User

Research into and construction of the next-generation Internet is gradually becoming one of the hot topics in information technology, and network security is an important part of that research. This article first introduces the basic features of the IPv6 protocol and its embedded security mechanism, then analyzes and compares the security issues of IPv4 and IPv6 networks, and finally surveys the current state and trends of IPv6 security research in China and abroad.

During the transition from IPv4 to IPv6, more security problems will be exposed; solving them and building a trusted next-generation Internet will be a long-term and arduous task.

The evolution from the IPv4-based Internet to an IPv6-based next-generation Internet is a historical necessity. The next-generation Internet means more applications, higher speeds, and larger scale. At the same time, as applications, speed, and scale grow, more security risks must be faced, so network security research is an important area of next-generation Internet research.

IPv6 requires IPsec support and has a huge address space, which makes address scanning much harder. From this perspective, the next-generation Internet will be more secure. However, because wide deployment of IPsec key management is difficult, and because many attacks occur at the application layer rather than the network layer, IPv6 still faces many security problems.

IPv6 Protocol Introduction

Compared with the IPv4 protocol, IPv6 has many important improvements and has the following basic features:

Huge address space: IPv6 expands the address size from 32 bits in IPv4 to 128 bits, which allows practically unlimited growth of the network, connecting every possible device with a unique, globally routable address.

Simplified packet header: IPv4 has many fields and options, and its header length is variable. IPv6 removes many fields and fixes the header length, reducing header processing time in the common case. At the same time, IPv6 carries header options more efficiently and makes it easier to introduce new options.

Better support for quality of service (QoS): the flow label can identify the traffic flows of special upper-layer applications so that routers can give them special handling.

Improved routing performance: hierarchical address allocation facilitates route aggregation and reduces the number of entries in routing tables, and the simplified IP packet header reduces the processing load on routers.

Embedded security mechanism: IPsec support is mandatory. It provides data origin authentication, integrity, and confidentiality, and can defend against replay attacks. The security mechanism embedded in IPv6 is implemented mainly through two extension headers: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH provides three functions: data integrity protection, data origin authentication (that is, protection against source address forgery), and anti-replay protection.

ESP adds data confidentiality on top of the security functions provided by AH.

Both AH and ESP can be used in two modes: transport mode and tunnel mode. Transport mode can only be used between hosts and protects only the upper-layer protocol, not the IP header. Tunnel mode can be used by hosts or security gateways. In tunnel mode, the inner IP header carries the final source and destination addresses, while the outer IP header may contain different addresses, such as those of the security gateways.

However, because IPsec has not yet solved the problem of large-scale key distribution and management, there are still many difficulties in deploying it network-wide, even though IPv6 mandates IPsec support.

Comparison of IPv4 and IPv6 Security Issues

Comparing the security issues under the IPv4 and IPv6 protocols, we can see that the principles and features of some problems have not changed, such as eavesdropping, application-layer attacks, man-in-the-middle attacks, and flooding attacks. On the other hand, with the introduction of IPv6, the principles and features of many other problems have changed significantly, including reconnaissance, unauthorized access, packet header and fragment tampering, and source address forgery.

Compared with IPv4, the security issues whose basic principles and features have not changed fall into three categories: issues at the network layer or above, issues related to the confidentiality and integrity of network-layer data, and issues related to network-layer availability.

Security issues at the network layer and above: mainly attacks on the various application layers; their features and principles have not changed.

Security issues related to the confidentiality and integrity of network-layer data: mainly eavesdropping and man-in-the-middle attacks. Because IPsec has not yet solved the difficulties of large-scale key distribution and management, it is not widely deployed, so eavesdropping and man-in-the-middle attacks remain possible in IPv6 networks.

Security issues related to network-layer availability: flooding attacks, such as the common TCP SYN flood.

Security issues with significant changes in principles and features mainly include the following aspects.

Reconnaissance

Reconnaissance is a basic network attack method and the initial step of many other attacks. Attackers attempt to obtain as much information as possible about the target network's addresses, services, and applications.

The default subnet address space of IPv6 is 2^64, an astronomical number compared with the typical IPv4 subnet space of only 2^8. It has been calculated that, in an IPv6 subnet of 10 thousand hosts whose addresses are randomly and evenly distributed, scanning at 1 million addresses per second would take on average more than 28 years to find the first host.

However, attackers can simplify and speed up subnet scanning with several strategies: finding host addresses through DNS; guessing the simple addresses that administrators often use; narrowing the search space using vendor NIC address ranges, since interface identifiers are often derived from the NIC's MAC address; compromising a DNS server or router and reading its cache; and using the new multicast addresses, such as all routers (ff05::2) and all DHCP servers (ff05::1:3).

Unauthorized access

Similar to IPv4, IPv6 access control also relies on control policies such as firewalls or access control lists (ACLs) that filter based on addresses, ports, and other information.

An address-translating firewall hides the IP addresses of protected hosts from machines on the Internet, which shields the machines behind it from attack. However, network address translation (NAT) is incompatible with IPsec, so in an IPv6 environment it is difficult to communicate with IPsec through an address-translating firewall.

For a packet-filtering firewall, if IPsec ESP is used, the information above Layer 3 is invisible, which makes control more difficult.

In addition, you must be more careful when filtering ICMP messages, because ICMPv6 is critical to IPv6 operation: it is used for MTU discovery, address autoconfiguration, and duplicate address detection.

Packet header and fragment information tampering

In an IPv4 network, both network devices and end systems can fragment packets. Fragmentation attacks are usually used in two scenarios: one is to evade network monitoring devices such as firewalls and IDS; the other is to attack network devices directly by exploiting vulnerabilities in their protocol stacks using malformed fragment header information.

In an IPv6 network, intermediate devices no longer fragment packets. Because of the multiple IPv6 extension headers, it is difficult for a firewall to calculate the minimum size of a valid packet, and the transport-layer protocol header may not be in the first fragment, which makes it impossible for network monitoring devices to apply port-based access control policies without reassembling the fragments.
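As an added illustration (not code from the original article) of why a packet filter must walk the whole extension-header chain before it can apply a port-based rule, the Python below parses a raw IPv6 packet and reports the transport ports when they are visible, or the reason they are not: ESP ciphertext, a non-first fragment, or a first fragment that ends before the transport header. The sample packets are constructed inline; header-length rules follow RFC 8200 and RFC 4302.

```python
import struct
# IPv6 Next Header values (IANA protocol numbers) used in the chain walk.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP = 6, 17
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}

def classify(packet: bytes) -> dict:
    """Walk the extension-header chain of a raw IPv6 packet and report what a
    stateless filter can see: transport protocol and ports, or why it cannot
    (ESP ciphertext, a non-first fragment, or a first fragment ending early)."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 base header")
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in EXT_HEADERS:
        chain.append(next_hdr)
        if next_hdr == ESP:  # after SPI and sequence number comes ciphertext only
            return {"chain": chain, "transport": None, "ports": None, "reason": "ESP hides upper layers"}
        if offset + 8 > len(packet):
            return {"chain": chain, "transport": None, "ports": None, "reason": "truncated extension header"}
        if next_hdr == FRAGMENT:  # fixed 8 bytes: next, reserved, offset<<3|res|M, identification
            frag_off = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            next_hdr, offset = packet[offset], offset + 8
            if frag_off != 0:
                return {"chain": chain, "transport": None, "ports": None, "reason": "non-first fragment"}
            continue
        # AH length is in 4-byte units minus 2 (RFC 4302); options/routing headers use 8-byte units
        # not counting the first 8 bytes (RFC 8200).
        hdr_len = (packet[offset + 1] + 2) * 4 if next_hdr == AH else (packet[offset + 1] + 1) * 8
        next_hdr, offset = packet[offset], offset + hdr_len
    result = {"chain": chain, "transport": next_hdr, "ports": None, "reason": None}
    if next_hdr in (TCP, UDP):
        if offset + 4 > len(packet):  # first fragment ends before the transport header
            result["reason"] = "transport header not in first fragment"
        else:
            result["ports"] = struct.unpack("!HH", packet[offset:offset + 4])
    return result

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Constructed IPv6 base header: version 6, ::1 -> ::1, hop limit 64, given payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + (b"\0" * 15 + b"\1") * 2 + payload
# Constructed sample packets (not captured traffic).
TCP_HDR = struct.pack("!HH", 12345, 443) + b"\0" * 16             # minimal 20-byte TCP header
PLAIN = ipv6(TCP, TCP_HDR)
ESP_PKT = ipv6(ESP, struct.pack("!II", 0x1234, 1) + b"\xaa" * 32)  # SPI, seq, then ciphertext
DSTOPT = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])                    # 8-byte Destination Options (PadN)
FRAG0 = bytes([TCP, 0]) + struct.pack("!HI", 1, 0xBEEF)            # fragment header: offset 0, M=1
FRAGMENTED = ipv6(DEST_OPTS, DSTOPT + FRAG0 + TCP_HDR)             # first fragment, TCP visible
SHORT_FIRST = ipv6(FRAGMENT, FRAG0)                                # first fragment without TCP header
LATER_FRAG = ipv6(FRAGMENT, bytes([TCP, 0]) + struct.pack("!HI", 185 << 3, 0xBEEF) + b"\xbb" * 16)
```

A filter that stops at the base header would see `DEST_OPTS` or `FRAGMENT` as the "protocol" of the last three packets and could not apply a port rule at all; only the first fragment that actually carries the TCP header yields ports.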

Source Address forgery

Source address spoofing attacks are common in IPv4 networks, for example SYN flooding, UDP flooding, and Smurf attacks. There are two main ways to prevent such attacks: filtering methods that act in advance, such as ingress filtering, and traceback methods that act after the event, such as ICMP traceback and packet marking. All of these solutions are difficult to deploy, and because of network address translation (NAT), tracing after an attack is particularly difficult.

In IPv6 networks, on the one hand, filtering methods such as address aggregation and ingress filtering will be simpler to implement and less costly; on the other hand, because address translation is rarely needed, tracing is easier. However, during the transition from IPv4 to IPv6, it is important to prevent packets with forged source addresses from traversing transition tunnels.
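The following Python is an added example, not code from the original article, of the ingress filtering the paragraph above calls for at an IPv6-over-IPv4 (protocol 41) tunnel endpoint: the outer IPv4 source must be a known tunnel peer, and the inner IPv6 source must lie within the prefix delegated to that peer, so a packet with a forged inner source does not traverse the tunnel. The peer table and all addresses are hypothetical documentation values.

```python
import ipaddress
import struct

# Hypothetical tunnel policy: outer IPv4 peer -> IPv6 prefix that peer may originate.
TUNNEL_PEERS = {
    ipaddress.IPv4Address("192.0.2.10"): ipaddress.IPv6Network("2001:db8:10::/48"),
    ipaddress.IPv4Address("198.51.100.7"): ipaddress.IPv6Network("2001:db8:700::/48"),
}
IPV6_IN_IPV4 = 41  # IANA protocol number for 6in4 encapsulation

def check_6in4(frame: bytes) -> str:
    """Ingress-filter one IPv4 packet arriving at a tunnel endpoint.
    Returns 'accept' or a drop reason. Two checks, in order: the outer IPv4
    source must be a configured peer, and the inner IPv6 source must lie
    inside the prefix delegated to that peer; otherwise a forged inner
    source would traverse the tunnel unchallenged."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return "drop: not a valid IPv4 header"
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPV6_IN_IPV4:
        return "drop: not an encapsulated IPv6 packet"
    outer_src = ipaddress.IPv4Address(frame[12:16])
    prefix = TUNNEL_PEERS.get(outer_src)
    if prefix is None:
        return f"drop: unknown tunnel peer {outer_src}"
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: inner packet is not IPv6"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src not in prefix:
        return f"drop: inner source {inner_src} outside {prefix} for peer {outer_src}"
    return "accept"

def build_6in4(outer_src: str, inner_src: str, inner_dst: str) -> bytes:
    """Constructed 6in4 packet: 20-byte IPv4 header (protocol 41) around a bare
    40-byte IPv6 header (next header 59 = no next header). Checksum left zero."""
    inner = struct.pack("!IHBB", 0x60000000, 0, 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, IPV6_IN_IPV4, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address("203.0.113.1").packed)  # the tunnel endpoint itself
    return outer + inner
```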

IPv6 Security Research Status and Trends

At present, "security" and "trust" have become key fields of research on the next-generation Internet architecture in China and abroad.

More than 100 U.S. universities and enterprises jointly launched the Internet2 research program at the end of 1996. The program aims to use existing network technologies to explore new-generation network applications in a high-speed network environment and, at the same time, to find the defects and inapplicable parts of existing network architecture theory. In the next-generation network architecture proposed by Internet2, middleware is a set of common services, including security services, provided between the network and the applications for use by the various application systems. At present, the Internet2 Middleware Initiative (I2-MI) is beginning to research and deploy core network middleware on Internet2, divided into five areas of security services: identification, authentication, authorization, directories, and PKI. However, Internet2 has not conducted any research on security services and security mechanisms at the network layer from the perspective of architecture.

The Information Sciences Institute of the University of Southern California and the Computer Science Laboratory of the Massachusetts Institute of Technology jointly conducted a new-generation Internet architecture research project called NewArch. The project's latest technical report proposes the "trust-modulated transparency" principle for next-generation Internet architecture design. Their research holds that the new-generation Internet needs to map the trust relationships of real society onto the network: based on the trust requirements stated by the interacting users, the network provides a certain range of services. If both parties fully trust each other, their interaction is transparent and unrestricted; if they do not fully trust each other, their interaction needs to be checked, filtered, and constrained. Identity authentication and its deployment are the key to achieving "trust-modulated transparency".

In China, both the 863 Program and the 973 Program provide important support for research on the next-generation Internet security architecture.

When the existing Internet was designed, no complete security architecture was considered. Most existing security technologies are point solutions patched onto the existing Internet architecture. Network devices do not verify the authenticity of the source addresses of the packets they forward, which is an important reason why existing attacks are hard to trace and extremely cheap to launch, and why security services are difficult to implement.

The research and construction of a next-generation Internet based on IPv6 gives us an opportunity to solve Internet security problems fundamentally, from the perspective of architecture. On the one hand, IPv6 has a huge address space and enables better hierarchical address aggregation, which provides favorable conditions for all network terminals to connect with real IP addresses. On the other hand, the construction of the next-generation Internet provides opportunities and platforms for deploying new network architectures and technologies.

Relying on the research and construction of the next-generation Internet, the direction of next-generation Internet security research is to realize network-wide real IP address access at the infrastructure level, to implement trusted security service middleware at the security service layer, and thereby to support new secure and trusted Internet applications, solving the Internet's security problems fundamentally at the architectural level.