
Chapter 9. Securing IPv6 Networks

It is regularly stated that IPv6 is more secure than IPv4; in fact, this argument is often used to promote the deployment of IPv6. The assertion stems from the original mandate to use IPsec in host-to-host communication, as specified in RFC 2401. It is a natural requirement in the context of IPv6's intent to provide a new infrastructure that supports peer-to-peer applications. If this mandate were enforced by all hosts, properly implemented by all applications, and a reliable and efficient key-exchange system were universally adopted, the result would be more secure data transport. The consistent use of IPsec for host-to-host communication would also enable network operators to track the sources of attacks. Nevertheless, it would not prevent application layer security threats, which are common.

Note

RFC 2401's requirement to use IPsec on all hosts might limit IPv6 adoption for certain communication devices. Mobile phones, for example, might not have the capability to implement IPsec. To stimulate the adoption of IPv6 by the third generation of mobile systems, the IPsec requirement might become optional in the future.


At this time, however, the conditions for a consistent use of end-to-end security are not in place, so for the most part IPv6 is neither more nor less secure than IPv4. Both protocols face mostly the same threats. IPv6 specificities bring new perspectives on some types of attacks: together with the protocol's security enhancements, they intrinsically close the door on some threats while opening new doors for others. Moreover, the likely coexistence of the two versions of IP can offer attackers new venues to exploit security holes and to circumvent the defenses of one protocol to attack the other.

This chapter reviews the security threats faced by an IPv6 infrastructure and its users. It draws a parallel to IPv4, highlighting differences and similarities. The review is based on an exhaustive study of this topic by Sean Convery and Darrin Miller in the white paper, "IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation." Table 9-1 summarizes the topics covered later in this chapter.

Table 9-1. Review of Security Threats

| Threat | IPv6 Characteristics | Mitigation |
|---|---|---|
| Threats with New Considerations in IPv6 | | |
| Reconnaissance | Scanning for hosts is not feasible because of the large address space. Well-known addresses, in particular multicast, are vulnerable. | Same as IPv4. Privacy extensions can make reconnaissance less effective. |
| Unauthorized access | End-to-end security reduces the exposure. Extension headers (EH) open new attack venues. | Use privacy extensions to reduce a host's exposure. Use multiple addresses with different scopes. Manage EH use. |
| Header manipulation | IPv6 can take advantage of chained and large-size EHs. EHs that must be processed by all stacks are particularly useful to an attacker. | EH usage should be strictly controlled based on deployed services. |
| Fragmentation | No fragment overlap should be allowed in IPv6, but some stacks do reassemble overlapping fragments. The impact of tiny fragments is minimal in IPv6. | Use properly implemented stacks that do not allow fragment overlap. |
| Layer 3/layer 4 spoofing | The use of tunneling offers more spoofing opportunities, even though they are not different from IPv4 tunneling. | Same mitigation techniques as with IPv4. |
| Host initialization and address-resolution attacks | DHCP has similar vulnerabilities for the two protocols. Neighbor Discovery has vulnerabilities similar to those of ARP. Stateless autoconfiguration and renumbering offer new attack options. | Use an interim solution such as static neighbors until the SEND recommendations are adopted by the IPv6 stacks. |
| Broadcast-amplification attacks (Smurf) | There is no concept of broadcast in IPv6, which reduces the amplification options. | Use filtering for multicast traffic, in particular, because it is the only amplification option. |
| Routing attacks | IPsec provides additional peering security for some protocols. From a threat perspective, it is similar to IPv4. | Same as IPv4. Wherever possible, implement IPsec. |
| Viruses and worms | Same as IPv4. Random scanning used by worms to propagate is impractical in IPv6 because of the large address space. | Same as IPv4. |
| Transition-mechanism attacks | New ports to open in IPv4 firewalls. Automatic tunnels are more susceptible to attacks. IPv6-IPv4 translation can hide the sources of attacks. | Tighter control of ports opened in the firewalls; open only the ones needed. Use static tunnels when possible. |
| Mobile IP | Embedded in IPv6. Has specific security features. | Filter out all routing headers except Type 2 if MIPv6 is used. Securing MIPv6 beyond IPsec is a work in progress. |
| Threats with Similar Behavior in IPv4 and IPv6 | | |
| Sniffing | Same as IPv4. | Same as IPv4. |
| Application layer attacks | IPsec offers the potential to increase security and to track attackers. | Similar to IPv4, security ultimately relies on host defenses. |
| Rogue devices | Same as IPv4. | IPsec can prevent interaction with such devices. Lower-layer protocols such as 802.1x can be used to block unauthorized devices from connecting to the network. |
| Man-in-the-middle attacks | IPsec can protect so long as the key is not stolen. | There is a big need for a scalable and operationally feasible authentication and key-exchange mechanism. |
| Flooding attacks | Same as IPv4, with a few additional traffic types. | Use traffic-limiting mechanisms. |
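Three of the mitigations in Table 9-1 (controlling extension header usage, permitting only Type 2 routing headers, and refusing overlapping fragments) can all be enforced by the same stateless inspection of the IPv6 header chain. The following Python routine is an added example written for this chapter, not code from the book or from any vendor; the allow-list of permitted extension headers, the zero addresses and the `TCP_STUB` upper-layer bytes are constructed placeholders for the demonstration.

```python
"""Stateless inspection of an IPv6 extension-header chain (added example).
Applies: an EH allow-list, routing headers must be Type 2, and fragments
of one datagram must not overlap. All packets are constructed inline."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Protocol numbers for the extension headers defined in RFC 2460
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP = 6
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
# Assumed site policy: Hop-by-Hop and AH are not used by deployed services
DEFAULT_ALLOWED = frozenset({ROUTING, FRAGMENT, DEST_OPTS})


@dataclass
class Inspection:
    accepted: bool
    reason: str
    chain: List[int] = field(default_factory=list)  # header numbers, in order
    frag_id: Optional[int] = None
    frag_offset: Optional[int] = None                # octets
    more_fragments: bool = False
    fragment_data: bytes = b""                       # fragmentable part carried


def inspect(packet: bytes, allowed=DEFAULT_ALLOWED) -> Inspection:
    """Walk the header chain of one packet and apply the policy."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return Inspection(False, "not an IPv6 packet")
    payload_len, nh = struct.unpack_from("!HB", packet, 4)
    if len(packet) != 40 + payload_len:
        return Inspection(False, "payload length does not match packet size")
    res, offset = Inspection(True, "accepted"), 40
    while nh in EXTENSION_HEADERS:
        res.chain.append(nh)
        if nh not in allowed:
            return Inspection(False, f"extension header {nh} not permitted", res.chain)
        if offset + 8 > len(packet):
            return Inspection(False, "truncated extension header", res.chain)
        next_nh = packet[offset]
        if nh == FRAGMENT:
            # Fixed 8 octets: NH, reserved, offset(13)/res(2)/M(1), identification
            frag_field, ident = struct.unpack_from("!HI", packet, offset + 2)
            res.frag_id, res.frag_offset = ident, (frag_field >> 3) * 8
            res.more_fragments = bool(frag_field & 1)
            res.fragment_data = packet[offset + 8:]
            res.chain.append(next_nh)
            # Anything after this point is the original datagram's fragmentable
            # part; a stateless filter must not keep walking it.
            if res.more_fragments and len(res.fragment_data) % 8:
                return Inspection(False, "non-final fragment not a multiple of 8 octets", res.chain)
            return res
        if nh == AH:
            hdr_len = (packet[offset + 1] + 2) * 4   # AH counts 4-octet units
        else:
            hdr_len = (packet[offset + 1] + 1) * 8   # other EHs count 8-octet units
            if nh == ROUTING and packet[offset + 2] != 2:
                return Inspection(False, f"routing header type {packet[offset + 2]} rejected; only Type 2 permitted", res.chain)
        if offset + hdr_len > len(packet):
            return Inspection(False, "extension header overruns packet", res.chain)
        offset, nh = offset + hdr_len, next_nh
    res.chain.append(nh)  # upper-layer protocol ends the chain
    return res


def check_fragment_overlap(fragments: List[Inspection]) -> Tuple[bool, str]:
    """Reject a datagram whose fragments overlap (RFC 5722 behaviour)."""
    if len({f.frag_id for f in fragments}) != 1:
        return False, "fragments do not share one identification"
    spans = sorted((f.frag_offset, f.frag_offset + len(f.fragment_data)) for f in fragments)
    prev_end = 0
    for start, end in spans:
        if start < prev_end:
            return False, f"fragment at offset {start} overlaps previous fragment"
        prev_end = end
    return True, "no overlap"


# ---- constructed test packets (placeholder addresses, not captured traffic) ----
def build_ipv6(ext_headers, upper_proto, payload):
    """ext_headers: list of (type, body) where body omits the Next Header octet."""
    types = [t for t, _ in ext_headers] + [upper_proto]
    tail = b"".join(bytes([nxt]) + body for (_, body), nxt in zip(ext_headers, types[1:])) + payload
    src = dst = bytes(16)
    return struct.pack("!IHBB", 6 << 28, len(tail), types[0], 64) + src + dst + tail


def routing_header(routing_type, address):
    # Hdr Ext Len 2 (24 octets), Segments Left 1, 4 reserved octets, one address
    return ROUTING, bytes([2, routing_type, 1]) + bytes(4) + address


def fragment_header(offset, more, ident):
    return FRAGMENT, bytes([0]) + struct.pack("!HI", (offset // 8) << 3 | int(more), ident)


DEST_OPTS_PADN = (DEST_OPTS, bytes([0, 1, 4, 0, 0, 0, 0]))   # one PadN option
HOP_BY_HOP_PADN = (HOP_BY_HOP, bytes([0, 1, 4, 0, 0, 0, 0]))
TCP_STUB = bytes(20)   # constructed upper-layer bytes, not a real TCP segment


def demo():
    home = bytes.fromhex("20010db8" + "00" * 12)   # placeholder home address
    r = {"dest_opts": inspect(build_ipv6([DEST_OPTS_PADN], TCP, TCP_STUB)),
         "rh0": inspect(build_ipv6([routing_header(0, home)], TCP, TCP_STUB)),
         "rh2": inspect(build_ipv6([routing_header(2, home)], TCP, TCP_STUB)),
         "hbh": inspect(build_ipv6([HOP_BY_HOP_PADN], TCP, TCP_STUB))}
    good = [inspect(build_ipv6([fragment_header(0, True, 7)], TCP, bytes(16))),
            inspect(build_ipv6([fragment_header(16, False, 7)], TCP, bytes(8)))]
    bad = [inspect(build_ipv6([fragment_header(0, True, 8)], TCP, bytes(16))),
           inspect(build_ipv6([fragment_header(8, False, 8)], TCP, bytes(16)))]
    r["frag_ok"], r["frag_overlap"] = check_fragment_overlap(good), check_fragment_overlap(bad)
    return r


if __name__ == "__main__":
    for name, v in demo().items():
        print(name, v if isinstance(v, tuple) else (v.accepted, v.reason, v.chain))
```

The inspection stops at the first Fragment header because, in all but the first fragment, the bytes that follow belong to the original datagram's fragmentable part and cannot be interpreted as a header chain; overlap is therefore judged once all fragments of an identification have been collected, which is the same reason the table recommends stacks that refuse to reassemble overlapping fragments rather than relying on a filter alone.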


The analysis of the security threats is complemented with a set of best-practice rules that apply in each case presented. The security tools available for IPv6 in Cisco devices are also discussed in this chapter.

Note

The best practices recommended should be viewed in the light of the fact that at the time of this writing there is limited experience operating IPv6 networks.


Before tackling IPv6 security, it is important to discuss the typical IPv4 topology used to implement perimeter security. On one hand, this discussion helps choose the best way to integrate IPv6 into existing networks without weakening deployed security measures. On the other hand, because of the similarities between the two protocols, it is likely that the same concepts will be used to secure IPv6 networks, too.

Figure 9-1 shows the typical topology used in deploying perimeter security for IPv4 networks. You can add dedicated devices such as intrusion detection systems (IDSs) to this topology if the functionality is not supported by the same device that acts as a firewall. Additional levels of security are most likely implemented at the host level, particularly for important devices and resources.

Figure 9-1. Typical IPv4 Perimeter Security Topology


This figure shows a common approach to securing networks, but the setup relies on the fact that the network perimeter can be clearly identified. Many books are available for more in-depth information about IPv4 security, such as Sean Convery's Network Security Architectures.

