IPv6 vs IPv4.com

This article aims to highlight the security issues with IPv6 and whether the new protocol solves security problems to which IPv4 networks were venerable.

First and foremost it is important to realise that IPv6 is not a super set of IPv4. IPv6 is a whole new protocol suite. Therefore this article will highlight only a few of the most important IPv6 security issues. Believe it or not, the approach to IPv6 security is only marginally better than that of IPv4.

Port Scanning

Firstly let’s look at the IPv4 and IPv6 address structure.

The IPv4 address is 32 bits in length, where as the IPv6 address is 128 bits. One main concern for IPv4 network administrators is “Port Scanning”. Black hat hackers use port scanners to detect open ports on a network node which are associated with well-known vulnerabilities. They then exploit these ports to gain access to the network.

Scanning an IP address of only 32 bits is a relatively simple and quick, which means possible to cover every address within a couple of minutes. However, to scan a whole 128 bit IPv6 address would literally take hundreds of thousands of years. Therefore, Ipv6 makes the option of port scanning nearly impossible, but not completely.

IPSec

One main security feature of IPv4 was IPSec. In brief IPSec provides secure data communication and key exchange. For IPv4 networks IPSec is optional. However, within IPv6 networks IPSec has become mandatory to increase IPv6 security.

• Authentication Header.

The Authentication Header (AH) is used to check whether incoming packets have been tampered with. In a typical IPv4 header the AH is stored within the payload of the packet. When it was introduced there was concern about how to integrate this into the new IPv6 header, as the IPv6 header changes in transit. To overcome this problem AH only authenticates and performs integrity checks on parts of the IPv6 header that do not change. Typically AH is located at the end of the header before any higher level extensions such as TCP or UDP.

• Encapsulating Security Payload.

Encapsulating Security Payload (ESP) can also be used to provide authentication, integrity and confidentiality within IPv6. Within the extension EPC a Security Parameter Index (SPI) field identifies the group of security the packet sender is using to secure communications. ESP supports multiple encryption methods. However, the default method uses is DES-CBC. While AH authenticates parts of the IPv6 Header which don’t change. ESP only authenticates information which follows it. For integrity purposes EPC uses an integrity check value (ICV) which is computed once encryption is complete. The ICV uses hash message authentication code such as MD5 for cryptographic purposes.

Neighbour Discovery and Address Auto-Configuration

In brief ND (Neighbour Discovery) is the mechanism responsible for router and prefix discovery, duplicate address and network unreachability detection and also for link layer resolution. Auto-configuration is responsible for providing a node with either a stateless address or a stateful address. Both work together to make the new protocol more secure as stateful configuration can be provided selectively which reduces the potential for rouge nodes.

IPv6 and IPv4 Dual Stack

As the internet slowly migrates to a pure IPv6 network its inevitable that networks will using the old and the new protocol together, this means making use of dual stack technology which supports both protocols. This will without a doubt increase the potential for new security threats. Therefore, network administrators will need to be careful when configuring equipment as most threats will most likely be caused by careless configurations.

Mobility

As IPv6 supports stateless auto-configuration this means that devices can become mobile with the ability to leaving old and enter new networks seamlessly. When entering a new network the device will have two IPv6 addresses, one temporary and one real address. The temporary address is stored within the IPv6 header. This second temporary address can easily be exposed to spoofing attacks. Network administrators should be fully aware of this feature.

Conclusion

This article aimed highlight a few security issues with the IPv6 protocol. Although significant improvements are made with the new protocol if it is far from solving all problems and difficulties. In fact by introducing the new protocol we are solving some of the old problems with IPv4 while introducing totally new ones. Ultimately the new protocol creates as many problems as it solves. Therefore, becomes no more secure than IPv4. Only the future will tell if the new protocol will offer greater security as we start the migration period.