Beware of "disobedient" IPv6

Source: Internet
Author: User

Everything has two sides, and every benefit comes with a drawback. IPv6 is no exception: it brings almost unlimited IP address resources to the Internet, but it also changes the Internet's security environment and brings greater risks to it.

According to information on some network attack incidents, although the transition from IPv4 to IPv6 has only just begun, some attackers have already started to spread spam through IPv6 infrastructure, and even to use the IPv6 address space to launch attacks on IPv4 networks.

Does IPv6, which looks so good, hide a larger security black hole? While greeting IPv6 with enthusiasm, do we see the security risks hidden in the transition process? Is the security experience accumulated in the IPv4 environment applicable to IPv6?

Is it enough to pass "certification"?

Three years ago, a report about the potential security risks of the Teredo technology included in Windows Vista exposed some of the security issues in the IPv4-to-IPv6 transition. Teredo is an address allocation and automatic tunneling technology. It can carry IPv6 traffic over an IPv4 network, helping clients achieve compatibility between the IPv4 and IPv6 protocols. At that time, some security experts pointed out that a Teredo client can bypass network-based source route control and pass through security devices such as firewalls while delivering IPv6 packets to another destination, and that this feature is enabled by default in Vista. The security vulnerabilities this creates are easy for hackers to exploit. Because no system could effectively filter all Teredo packets at that time, experts could only recommend that network administrators disable Teredo first, and that vendors of firewalls, intrusion detection systems, routers, and other devices add support for the Teredo protocol so that conventional network security products can filter all Teredo packets.

In fact, the "Teredo event" is just a microcosm of IPv6's security risks. Three years later, the Teredo problem has still not been completely solved. A large number of similar transition technologies have come into use (standard transition methods such as 6to4, the SIT mechanism, and IPv6-based UDP communication), and products related to these technologies have also passed IPv6 certification. In this situation, the reporter is concerned about how effective the many network security products bearing IPv6 certification marks really are.

Radware security product director Ron Meyran told reporters that although many vendors claim to have IPv6-certified security products, many of them only provide a special version that merely supports communication with IPv6 networks or depends on a license to run. This does not mean that these products can effectively solve the security problems caused by IPv6. Even when handling issues similar to Teredo, many security products have limitations or are completely ineffective.

He said that enterprises should be careful when selecting certified security devices and should not purchase them blindly without understanding how they work. For example, enterprises still need to check whether the firewall simply passes some IPv6 traffic uninspected instead of intercepting and inspecting it as it would the non-IPv6 version of an application, and whether IPv6 traffic can bypass the hardware components of multiple deep packet engines. In addition, because an IPv6 address is four times as long as an IPv4 address, it significantly affects the traffic processing speed of network security products. This characteristic can also help determine whether a security product really supports IPv6.

Note its inherent limitations

Compared with IPv4, IPv6 took more security considerations into account from the start of its design. With IPSec (Internet Protocol Security), IPv6 security is indeed improved. However, recent network attacks show that IPSec cannot deal with every vulnerability in IPv6 networks. Compared with IPv4, the new network environment is more complex, and the resulting network vulnerabilities are more unpredictable. For example, an attacker's IPv6 router can use fake advertisements to automatically create new IPv6 addresses for IPv6-enabled devices in the network. Some transition mechanisms let IPv6 and IPv4 networks affect each other, which in turn gives network attackers more resources to work with. Transition tools can give IPv4 applications a way to connect to IPv6 services, and IPv6 applications can also connect to IPv4 services, which can make network attacks more rampant. The length of IPv6 addresses also becomes a powerful tool for attackers: because IPv6-based traffic filtering increases the CPU load on security devices, the traffic generated by attacker-initiated DDoS attacks is more likely than ever to paralyze network devices and servers.

In addition, although IPv6's built-in encryption mechanism provides identity authentication and confidentiality for communication between users and servers, it also adds a "flaw" for firewalls and IPS. Attackers can use the encryption mechanism to bypass firewall and IPS checks and attack the server directly, because these security devices cannot inspect encrypted content. Ron Meyran pointed out that attackers can also use Teredo, 6to4, ISATAP, and other IPv6 protocol mechanisms to disguise various attacks. Attackers make the packets that are allowed through look like normal IPv4 traffic; only when the firewall and IPS perform accurate verification with deep packet inspection (DPI) can the content of IPv6 traffic be inspected. "Currently, there are only a few IPS and firewall products that support IPv6 and can truly implement IPv6 DPI. If no other security device or border security gateway is deployed, attackers may exploit this negligence to use IPv6 packets to access the enterprise's core network."
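The check a border device needs before it can inspect such traffic is to recognize IPv6 hidden inside IPv4. The following sketch is an added example, not code from the original article: it classifies a raw IPv4 packet as protocol-41 encapsulation (the form used by 6to4, ISATAP and SIT), Teredo on UDP port 3544, or IPv6 carried in UDP on another port. The function names and the sample packets are constructed for illustration, and the Teredo authentication header is not handled.

```python
import ipaddress
import struct

TEREDO_PORT = 3544              # UDP port used by Teredo servers (RFC 4380)
PROTO_UDP, PROTO_IPV6 = 17, 41  # 41 = IPv6-in-IPv4 (6to4, ISATAP, SIT)


def inner_ipv6(buf):
    """Return (src, dst) if buf holds a plausible IPv6 packet, else None."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        return None
    if 40 + int.from_bytes(buf[4:6], "big") != len(buf):
        return None  # declared payload length must match (limits false positives)
    return (str(ipaddress.IPv6Address(buf[8:24])),
            str(ipaddress.IPv6Address(buf[24:40])))


def classify(pkt):
    """Classify one raw IPv4 packet as (label, inner_src, inner_dst)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("not-ipv4", None, None)
    proto, payload = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]
    if proto == PROTO_IPV6:
        inner = inner_ipv6(payload)
        return (("6in4",) + inner) if inner else ("6in4-malformed", None, None)
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if data[:2] == b"\x00\x00":  # optional 8-byte Teredo origin indication
            data = data[8:]
        inner = inner_ipv6(data)
        if inner:
            label = "teredo" if TEREDO_PORT in (sport, dport) else "ipv6-in-udp"
            return (label,) + inner
    return ("plain-ipv4", None, None)


def ip4_packet(proto, payload):  # constructed IPv4 packet, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])) + payload


# Constructed samples: an empty inner IPv6 packet carried three different ways.
INNER = (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
         + ipaddress.IPv6Address("2001:db8::1").packed
         + ipaddress.IPv6Address("2001:db8::2").packed)
SIX_IN_FOUR = ip4_packet(PROTO_IPV6, INNER)
TEREDO = ip4_packet(PROTO_UDP, struct.pack("!HHHH", 51000, TEREDO_PORT, 48, 0) + INNER)
ODD_PORT = ip4_packet(PROTO_UDP, struct.pack("!HHHH", 51000, 8080, 48, 0) + INNER)
```

A packet labelled `6in4`, `teredo` or `ipv6-in-udp` carries inner addresses that an IPv4-only rule set never evaluated, so it should be either blocked or handed to an engine that inspects the inner IPv6 packet.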

In addition, the security risks in the IPv6 redirection protocol also deserve attention. In IPv6, the main function of redirect packets is to give nodes in the LAN the correct route selection: the redirection protocol ensures that a host keeps a dynamic, small, and optimal routing table, which improves packet forwarding efficiency. However, because the IPv6 redirection protocol lacks source address authentication, a malicious node in the LAN can use IPv6 redirect packets to redirect data packets illegitimately and so carry out a variety of attacks. For example, it first disguises itself as the router and then sends a Redir packet telling the attacked node that it is better to send packets for a given Internet node through the malicious node's own route. The attacked node then forwards those packets to the malicious node, which may refuse to forward them and so block the communication, or tamper with them.
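Because neither fake router advertisements nor redirect packets are authenticated, a monitoring host on the LAN has to judge them by where they come from. The following sketch is an added example, not code from the original article: it checks Router Advertisement and Redirect frames against the router address and MAC the administrator expects. The `KNOWN_ROUTERS` table, the function names and all sample frames are constructed assumptions.

```python
import ipaddress
import struct

ND_TYPES = {134: "RA", 137: "Redirect"}  # ICMPv6 types from RFC 4861
# Assumption: the real router's link-local address and MAC (constructed values).
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1"): "00:00:5e:00:53:01"}


def check_nd(frame, known=KNOWN_ROUTERS):
    """Return findings for one Ethernet frame; an empty list means no alert.

    Assumes ICMPv6 directly follows the IPv6 header (no extension headers).
    """
    pkt = frame[14:]
    if frame[12:14] != b"\x86\xdd" or len(pkt) < 44 or pkt[6] != 58:
        return []
    kind = ND_TYPES.get(pkt[40])
    if kind is None:
        return []
    mac, src = frame[6:12].hex(":"), ipaddress.IPv6Address(pkt[8:24])
    findings = []
    if pkt[7] != 255:  # hop limit 255 proves the sender is on this link
        findings.append(f"{kind}: hop limit {pkt[7]}, not sent on-link")
    if src not in known:
        findings.append(f"{kind}: source {src} is not a known router")
    elif known[src] != mac:
        findings.append(f"{kind}: router address {src} used by {mac}")
    if findings and kind == "Redirect" and len(pkt) >= 80:
        target, dest = (ipaddress.IPv6Address(pkt[i:i + 16]) for i in (48, 64))
        findings.append(f"Redirect: traffic for {dest} would be sent via {target}")
    return findings


def nd_frame(mac, src, hop_limit, icmp):
    """Build a constructed Ethernet + IPv6 + ICMPv6 frame (checksum left 0)."""
    eth = bytes(6) + bytes.fromhex(mac.replace(":", "")) + b"\x86\xdd"
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("fe80::20").packed
    return eth + ip6 + icmp


# Constructed samples: a 16-byte RA body and a Redirect for 2001:db8::50.
RA_BODY = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
REDIRECT_BODY = (struct.pack("!BBHI", 137, 0, 0, 0)
                 + ipaddress.IPv6Address("fe80::bad").packed
                 + ipaddress.IPv6Address("2001:db8::50").packed)
GOOD_RA = nd_frame("00:00:5e:00:53:01", "fe80::1", 255, RA_BODY)
ROGUE_RA = nd_frame("00:00:5e:00:53:66", "fe80::bad", 255, RA_BODY)
SPOOFED_REDIRECT = nd_frame("00:00:5e:00:53:66", "fe80::1", 255, REDIRECT_BODY)
```

A sender that also forges the router's MAC address passes this check; that case needs switch-level controls such as RA Guard or port security.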

Beware of "disobedient" IPv6

During the transition from IPv4 to IPv6, enterprises will face more information security problems and will need to re-understand and adjust their information security systems.

First, to achieve seamless compatibility between IPv4 and IPv6, many IPv6 devices have built-in stateless automatic configuration, but such devices become uncontrollable for network administrators. Administrators cannot detect which network devices are out of control, but attackers can exploit this situation. For example, attackers can easily control an abnormal network device so that it modifies or reduces traffic without network administrators noticing. I am afraid many network administrators have not anticipated this risk caused by IPv6.

Secondly, as enterprises welcome IPv6, IT management becomes more difficult. James Lyne, director of technical strategy at Sophos, told reporters that companies that are not interested in IPv6 traffic want to set up clear rules that strictly block IPv6 packets. However, IT administrators must know "how to talk to IPv6" before they can write rules to handle the protocol.

James Lyne also pointed out some current problems. He believes the industry asks few questions about how IPv6's built-in functions can help users improve privacy protection. Instead, the focus is on how to deploy IPv6 more quickly, which allows many insecure protocols, standards, and technologies to be widely used without any consequence. Enterprises are vulnerable to attacks in such a transitional environment.

Compared with the security experience accumulated on IPv4, the industry's experience in IPv6 security is still insufficient. While IPv6 is being introduced, all network devices have to support both versions of the network protocol, so the increased network security risks may cause huge losses. When it comes to IPv6, vigilance and enthusiasm clearly need to coexist.
