diff options
Diffstat (limited to 'doc/rfc/rfc4942.txt')
-rw-r--r-- | doc/rfc/rfc4942.txt | 2299 |
1 files changed, 2299 insertions, 0 deletions
diff --git a/doc/rfc/rfc4942.txt b/doc/rfc/rfc4942.txt new file mode 100644 index 0000000..e5a9221 --- /dev/null +++ b/doc/rfc/rfc4942.txt @@ -0,0 +1,2299 @@ + + + + + + +Network Working Group E. Davies +Request for Comments: 4942 Consultant +Category: Informational S. Krishnan + Ericsson + P. Savola + CSC/Funet + September 2007 + + + IPv6 Transition/Coexistence Security Considerations + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Abstract + + The transition from a pure IPv4 network to a network where IPv4 and + IPv6 coexist brings a number of extra security considerations that + need to be taken into account when deploying IPv6 and operating the + dual-protocol network and the associated transition mechanisms. This + document attempts to give an overview of the various issues grouped + into three categories: + o issues due to the IPv6 protocol itself, + o issues due to transition mechanisms, and + o issues due to IPv6 deployment. + + + + + + + + + + + + + + + + + + + + + + + +Davies, et al. Informational [Page 1] + +RFC 4942 IPv6 Security Overview September 2007 + + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. Issues Due to IPv6 Protocol . . . . . . . . . . . . . . . . . 4 + 2.1. IPv6 Protocol-Specific Issues . . . . . . . . . . . . . . 5 + 2.1.1. Routing Headers and Hosts . . . . . . . . . . . . . . 5 + 2.1.2. Routing Headers for Mobile IPv6 and Other Purposes . . 6 + 2.1.3. Site-Scope Multicast Addresses . . . . . . . . . . . . 7 + 2.1.4. ICMPv6 and Multicast . . . . . . . . . . . . . . . . . 7 + 2.1.5. Bogus Errored Packets in ICMPv6 Error Messages . . . . 8 + 2.1.6. Anycast Traffic Identification and Security . . . . . 9 + 2.1.7. Address Privacy Extensions Interact with DDoS + Defenses . . . . . . . . . . . . . . . . . . . . . . . 10 + 2.1.8. Dynamic DNS: Stateless Address Autoconfiguration, + Privacy Extensions, and SEND . . . . . . . . . . . . . 10 + 2.1.9. Extension Headers . . . . . . . . . . . . . . . . . . 11 + 2.1.10. Fragmentation: Reassembly and Deep Packet + Inspection . . . . . . . . . . . . . . . . . . . . . . 14 + 2.1.11. Fragmentation Related DoS Attacks . . . . . . . . . . 15 + 2.1.12. Link-Local Addresses and Securing Neighbor + Discovery . . . . . . . . . . . . . . . . . . . . . . 16 + 2.1.13. Securing Router Advertisements . . . . . . . . . . . . 17 + 2.1.14. Host-to-Router Load Sharing . . . . . . . . . . . . . 18 + 2.1.15. Mobile IPv6 . . . . . . . . . . . . . . . . . . . . . 18 + 2.2. IPv4-Mapped IPv6 Addresses . . . . . . . . . . . . . . . . 19 + 2.3. Increased End-to-End Transparency . . . . . . . . . . . . 20 + 2.3.1. IPv6 Networks without NATs . . . . . . . . . . . . . . 20 + 2.3.2. Enterprise Network Security Model for IPv6 . . . . . . 21 + 2.4. IPv6 in IPv6 Tunnels . . . . . . . . . . . . . . . . . . . 22 + 3. Issues Due to Transition Mechanisms . . . . . . . . . . . . . 23 + 3.1. IPv6 Transition/Coexistence Mechanism-Specific Issues . . 23 + 3.2. Automatic Tunneling and Relays . . . . . . . . . . . . . . 23 + 3.3. Tunneling IPv6 through IPv4 Networks May Break IPv4 + Network Security Assumptions . . . . . . . . . . . . . . . 24 + 4. Issues Due to IPv6 Deployment . . . . . . . . . . . . . . . . 26 + 4.1. Avoiding the Trap of Insecure IPv6 Service Piloting . . . 26 + 4.2. DNS Server Problems . . . . . . . . . . . . . . . . . . . 28 + 4.3. Addressing Schemes and Securing Routers . . . . . . . . . 28 + 4.4. Consequences of Multiple Addresses in IPv6 . . . . . . . . 28 + 4.5. Deploying ICMPv6 . . . . . . . . . . . . . . . . . . . . . 29 + 4.5.1. Problems Resulting from ICMPv6 Transparency . . . . . 30 + 4.6. IPsec Transport Mode . . . . . . . . . . . . . . . . . . . 30 + 4.7. Reduced Functionality Devices . . . . . . . . . . . . . . 31 + 4.8. Operational Factors when Enabling IPv6 in the Network . . 31 + 4.9. Security Issues Due to Neighbor Discovery Proxies . . . . 32 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 32 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 32 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33 + + + +Davies, et al. Informational [Page 2] + +RFC 4942 IPv6 Security Overview September 2007 + + + 7.1. Normative References . . . . . . . . . . . . . . . . . . . 33 + 7.2. Informative References . . . . . . . . . . . . . . . . . . 34 + Appendix A. IPv6 Probing/Mapping Considerations . . . . . . . . . 37 + Appendix B. IPv6 Privacy Considerations . . . . . . . . . . . . . 38 + B.1. Exposing MAC Addresses . . . . . . . . . . . . . . . . . . 38 + B.2. Exposing Multiple Devices . . . . . . . . . . . . . . . . 39 + B.3. Exposing the Site by a Stable Prefix . . . . . . . . . . . 39 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Davies, et al. Informational [Page 3] + +RFC 4942 IPv6 Security Overview September 2007 + + +1. Introduction + + The transition from a pure IPv4 network to a network where IPv4 and + IPv6 coexist brings a number of extra security considerations that + need to be taken into account when deploying IPv6 and operating the + dual-protocol network with its associated transition mechanisms. + This document attempts to give an overview of the various issues + grouped into three categories: + o issues due to the IPv6 protocol itself, + o issues due to transition mechanisms, and + o issues due to IPv6 deployment. + + It is important to understand that deployments are unlikely to be + replacing IPv4 with IPv6 (in the short term), but rather will be + adding IPv6 to be operated in parallel with IPv4 over a considerable + period, so that security issues with transition mechanisms and dual + stack networks will be of ongoing concern. This extended transition + and coexistence period stems primarily from the scale of the current + IPv4 network. It is unreasonable to expect that the many millions of + IPv4 nodes will be converted overnight. It is more likely that it + will take two or three capital equipment replacement cycles (between + nine and 15 years) for IPv6 capabilities to spread through the + network, and many services will remain available over IPv4 only for a + significant period whilst others will be offered either just on IPv6 + or on both protocols. To maintain current levels of service, + enterprises and service providers will need to support IPv4 and IPv6 + in parallel for some time. + + This document also describes two matters that have been wrongly + identified as potential security concerns for IPv6 in the past and + explains why they are unlikely to cause problems: considerations + about probing/mapping IPv6 addresses (Appendix A) and considerations + with respect to privacy in IPv6 (Appendix B). + +2. Issues Due to IPv6 Protocol + + Administrators should be aware that some of the rules suggested in + this section could potentially lead to a small amount of legitimate + traffic being dropped because the source has made unusual and + arguably unreasonable choices when generating the packet. The IPv6 + specification [RFC2460] contains a number of areas where choices are + available to packet originators that will result in packets that + conform to the specification but are unlikely to be the result of a + rational packet generation policy for legitimate traffic (e.g., + sending a fragmented packet in a much larger than necessary number of + small segments). This document highlights choices that could be made + by malicious sources with the intention of damaging the target host + or network, and suggests rules that try to differentiate + + + +Davies, et al. Informational [Page 4] + +RFC 4942 IPv6 Security Overview September 2007 + + + specification-conforming packets that are legitimate traffic from + conforming packets that may be trying to subvert the specification to + cause damage. The differentiation tries to offer a reasonable + compromise between securing the network and passing every possible + conforming packet. To avoid loss of important traffic, + administrators are advised to log packets dropped according to these + rules and examine these logs periodically to ensure that they are + having the desired effect, and are not excluding traffic + inappropriately. + + The built-in flexibility of the IPv6 protocol may also lead to + changes in the boundaries between legitimate and malicious traffic as + identified by these rules. New options may be introduced in the + future, and rules may need to be altered to allow the new + capabilities to be (legitimately) exploited by applications. The + document therefore recommends that filtering needs to be configurable + to allow administrators the flexibility to update rules as new pieces + of IPv6 specification are standardized. + +2.1. IPv6 Protocol-Specific Issues + + There are significant differences between the features of IPv6 and + IPv4: some of these specification changes may result in potential + security issues. Several of these issues have been discussed in + separate documents but are summarized here to avoid normative + references that may not become RFCs. The following specification- + related problems have been identified, but this is not necessarily a + complete list. + +2.1.1. Routing Headers and Hosts + + All IPv6 nodes must be able to process routing headers [RFC2460]. + This RFC can be interpreted, although it is not explicitly stated, to + mean that all nodes (including hosts) must have this processing + enabled. The "Requirements for Internet Hosts" [RFC1122] permits + implementations to perform "local source routing", that is, + forwarding a packet with a routing header through the same interface + on which it was received: no restrictions are placed on this + operation even on hosts. In combination, these rules can result in + hosts forwarding received traffic to another node if there are + segments left in the Routing Header when it arrives at the host. + + A number of potential security issues associated with this behavior + have been identified. Some of these issues have been resolved (a + separate routing header (Type 2) has been standardized for Mobile + IPv6 [RFC3775], and ICMP Traceback has not been standardized), but + two issues remain: + + + + +Davies, et al. Informational [Page 5] + +RFC 4942 IPv6 Security Overview September 2007 + + + o Both existing types of routing header can be used to evade access + controls based on destination addresses. This could be achieved + by sending a packet ostensibly to a publicly accessible host + address but with a routing header containing a 'forbidden' + address. If the publicly accessible host is processing routing + headers, it will forward the packet to the destination address in + the routing header that would have been forbidden by the packet + filters if the address had been in the destination field when the + packet was checked. + + o If the packet source address can be spoofed when using a Type 0 + routing header, the mechanism described in the previous bullet + could be used with any host to mediate an anonymous reflection + denial-of-service attack by having any publicly accessible host + redirect the attack packets. (This attack cannot use Type 2 + routing headers because the packet cannot be forwarded outside the + host that processes the routing header, i.e., the original + destination of the packet.) + + To counteract these threats, if a device is enforcing access controls + based on destination addresses, it needs to examine both the + destination address in the base IPv6 header and any waypoint + destinations in a routing header that have not yet been reached by + the packet at the point where it is being checked. + + Various forms of amplification attack on routers and firewalls using + the routing header could be envisaged. A simple form involves + repeating the address of a waypoint several times in the routing + header. More complex forms could involve alternating waypoint + addresses that would result in the packet re-transiting the router or + firewall. These attacks can be counteracted by ensuring that routing + headers do not contain the same waypoint address more than once, and + performing ingress/egress filtering to check that the source address + is appropriate to the destination: packets made to reverse their path + will fail this test. + +2.1.2. Routing Headers for Mobile IPv6 and Other Purposes + + In addition to the basic Routing Header (Type 0), which is intended + to influence the trajectory of a packet through a network by + specifying a sequence of router waypoints, Routing Header (Type 2) + has been defined as part of the Mobile IPv6 specifications in + [RFC3775]. The Type 2 Routing Header is intended for use by hosts to + handle 'interface local' forwarding needed when packets are sent to + the care-of address of a mobile node that is away from its home + address. + + + + + +Davies, et al. Informational [Page 6] + +RFC 4942 IPv6 Security Overview September 2007 + + + It is important that nodes treat the different types of routing + header appropriately. It should be possible to apply separate + filtering rules to the different types of Routing Header. By design, + hosts must process Type 2 Routing Headers to support Mobile IPv6 but + routers should not: to avoid the issues in Section 2.1.1, it may be + desirable to forbid or limit the processing of Type 0 Routing Headers + in hosts and some routers. + + Routing Headers are an extremely powerful and general capability. + Alternative future uses of Routing Headers need to be carefully + assessed to ensure that they do not open new avenues of attack that + can be exploited. + +2.1.3. Site-Scope Multicast Addresses + + IPv6 supports multicast addresses with site scope that can + potentially allow an attacker to identify certain important resources + on the site if misused. + + Particular examples are the 'all routers' (FF05::2) and 'all Dynamic + Host Configuration Protocol (DHCP) servers' (FF05::1:3) addresses + defined in [RFC2375]. An attacker that is able to infiltrate a + message destined for these addresses on to the site will potentially + receive in return information identifying key resources on the site. + This information can then be the target of directed attacks ranging + from simple flooding to more specific mechanisms designed to subvert + the device. + + Some of these addresses have current legitimate uses within a site. + The risk can be minimized by ensuring that all firewalls and site + boundary routers are configured to drop packets with site-scope + destination addresses. Also, nodes should not join multicast groups + for which there is no legitimate use on the site, and site routers + should be configured to drop packets directed to these unused + addresses. + +2.1.4. ICMPv6 and Multicast + + It is possible to launch a Denial-of-Service (DoS) attack using IPv6 + that could be amplified by the multicast infrastructure. + + Unlike ICMP for IPv4, ICMPv6 [RFC4443] allows error notification + responses to be sent when certain unprocessable packets are sent to + multicast addresses. + + + + + + + +Davies, et al. Informational [Page 7] + +RFC 4942 IPv6 Security Overview September 2007 + + + The cases in which responses are sent are: + + o The received packet is longer than the next link Maximum + Transmission Unit (MTU): 'Packet Too Big' responses are needed to + support Path MTU Discovery for multicast traffic. + + o The received packet contains an unrecognized option in a hop-by- + hop or destination options extension header with the first two + bits of the option type set to binary '10': 'Parameter Problem' + responses are intended to inform the source that some or all of + the recipients cannot handle the option in question. + + If an attacker can craft a suitable packet sent to a multicast + destination, it may be possible to elicit multiple responses directed + at the victim (the spoofed source of the multicast packet). On the + other hand, the use of 'reverse path forwarding' checks (to eliminate + loops in multicast forwarding) automatically limits the range of + addresses that can be spoofed. + + In practice, an attack using oversize packets is unlikely to cause + much amplification unless the attacker is able to carefully tune the + packet size to exploit a network with smaller MTU in the edge than + the core. Similarly, a packet with an unrecognized hop-by-hop option + would be dropped by the first router without resulting in multiple + responses. However, a packet with an unrecognized destination option + could generate multiple responses. + + In addition to amplification, this kind of attack would potentially + consume large amounts of forwarding state resources in routers on + multicast-enabled networks. + +2.1.5. Bogus Errored Packets in ICMPv6 Error Messages + + Apart from the spurious load on the network, routers, and hosts, + bogus ICMPv6 error messages (types 0 to 127) containing a spoofed + errored packet can impact higher-layer protocols when the alleged + errored packet is referred to the higher layer at the destination of + the ICMPv6 packet [RFC4443]. The potentially damaging effects on TCP + connections, and some ways to mitigate the threats, are documented in + [ICMP-ATT]. + + Specific countermeasures for particular higher-layer protocols are + beyond the scope of this document, but firewalls may be able to help + counter the threat by inspecting the alleged errored packet embedded + in the ICMPv6 error message. Measures to mitigate the threat + include: + + + + + +Davies, et al. Informational [Page 8] + +RFC 4942 IPv6 Security Overview September 2007 + + + o The receiving host should test that the embedded packet is all or + part of a packet that was transmitted by the host. + + o The firewall may be able to test that the embedded packet contains + addresses that would have been legitimate (i.e., would have passed + ingress/egress filtering) for a packet sent from the receiving + host, but the possibility of asymmetric routing of the outgoing + and returning packets may prevent this sort of test depending on + the topology of the network, the location of the firewall, and + whether state synchronization between firewalls is in use. + + o If the firewall is stateful and the test is not prevented by + asymmetric routing, the firewall may also be able to check that + the embedded packet is all or part of a packet that recently + transited the firewall in the opposite direction. + + o Firewalls and destination hosts should be suspicious of ICMPv6 + error messages with unnecessarily truncated errored packets (e.g., + those that only carry the address fields of the IPv6 base header). + The specification of ICMPv6 requires that error messages carry as + much of the errored packet as possible (unlike ICMP for IPv4 which + requires only a minimum amount of the errored packet) and IPv6 + networks must have a guaranteed minimum MTU of 1280 octets. + Accordingly, the ICMPv6 message should normally carry all the + header fields of the errored packet, together with a significant + amount of the payload, in order to allow robust comparison against + the outgoing packet. + +2.1.6. Anycast Traffic Identification and Security + + IPv6 introduces the notion of anycast addresses and services. + Originally the IPv6 standards disallowed using an anycast address as + the source address of a packet. Responses from an anycast server + would therefore supply a unicast address for the responding server. + To avoid exposing knowledge about the internal structure of the + network, it is recommended that anycast servers now take advantage of + the ability to return responses with the anycast address as the + source address if possible. + + If the server needs to use a unicast address for any reason, it may + be desirable to consider using specialized addresses for anycast + servers, which are not used for any other part of the network, to + restrict the information exposed. Alternatively, operators may wish + to restrict the use of anycast services from outside the domain, thus + requiring firewalls to filter anycast requests. For this purpose, + firewalls need to know which addresses are being used for anycast + services: these addresses are arbitrary and not distinguishable from + any other IPv6 unicast address by structure or pattern. + + + +Davies, et al. Informational [Page 9] + +RFC 4942 IPv6 Security Overview September 2007 + + + One particular class of anycast addresses that should be given + special attention is the set of Subnet-Router anycast addresses + defined in "IP Version 6 Addressing Architecture" [RFC4291]. All + routers are required to support these addresses for all subnets for + which they have interfaces. For most subnets using global unicast + addresses, filtering anycast requests to these addresses can be + achieved by dropping packets with the lower 64 bits (the Interface + Identifier) set to all zeros. + +2.1.7. Address Privacy Extensions Interact with DDoS Defenses + + The purpose of the privacy extensions for stateless address + autoconfiguration [RFC4941] is to change the interface identifier + (and hence the global scope addresses generated from it) from time to + time. By varying the addresses used, eavesdroppers and other + information collectors find it more difficult to identify which + transactions actually relate to a specific node. + + A security issue may result from this if the frequency of node + address change is sufficiently great to achieve the intended aim of + the privacy extensions: with a relatively high rate of change, the + observed behavior has some characteristics of a node or nodes + involved in a Distributed Denial-of-Service (DDoS) attack. It should + be noted, however, that addresses created in this way are + topologically correct and that the other characteristics of the + traffic may reveal that there is no malicious intent. + + This issue can be addressed in most cases by tuning the rate of + change in an appropriate manner. + + Note that even if a node is well behaved, a change in the address + could make it harder for a security administrator to define an + address-based policy rule (e.g., access control list). However, + nodes that employ privacy addresses do not have to use them for all + communications. + +2.1.8. Dynamic DNS: Stateless Address Autoconfiguration, Privacy + Extensions, and SEND + + The introduction of Stateless Address Autoconfiguration (SLAAC) + [RFC2462] with IPv6 provides an additional challenge to the security + of Dynamic Domain Name System (DDNS). With manual addressing or the + use of DHCP, the number of security associations that need to be + maintained to secure access to the Domain Name Service (DNS) server + is limited, assuming any necessary updates are carried out by the + DHCP server. This is true equally for IPv4 and IPv6. + + + + + +Davies, et al. Informational [Page 10] + +RFC 4942 IPv6 Security Overview September 2007 + + + Since SLAAC does not make use of a single and potentially trusted + DHCP server, but depends on the node obtaining the address, securing + the insertion of updates into DDNS may need a security association + between each node and the DDNS server. This is discussed further in + [RFC4472]. + + Using the Privacy Extensions to SLAAC [RFC4941] may significantly + increase the rate of updates of DDNS. Even if a node using the + Privacy Extensions does not publish its address for 'forward' lookup + (as that would effectively compromise the privacy that it is + seeking), it may still need to update the reverse DNS records. If + the reverse DNS records are not updated, servers that perform reverse + DNS checks will not accept connections from the node and it will not + be possible to gain access to IP Security (IPsec) keying material + stored in DNS [RFC4025]. If the rate of change needed to achieve + real privacy has to be increased (see Section 2.1.7), the update rate + for DDNS may be excessive. + + Similarly, the cryptographically generated addresses used by SEND + [RFC3971] are expected to be periodically regenerated in line with + recommendations for maximum key lifetimes. This regeneration could + also impose a significant extra load on DDNS. + +2.1.9. Extension Headers + + A number of security issues relating to IPv6 Extension headers have + been identified. Several of these are a result of ambiguous or + incomplete specification in the base IPv6 specification [RFC2460]. + +2.1.9.1. Processing Extension Headers in Middleboxes + + In IPv4, deep packet inspection techniques are used to implement + policing and filtering both as part of routers and in middleboxes + such as firewalls. Fully extending these techniques to IPv6 would + require inspection of all the extension headers in a packet. This is + essential to ensure that policy constraints on the use of certain + headers and options are enforced and to remove, at the earliest + opportunity, packets containing potentially damaging unknown options. + + This requirement appears to conflict with Section 4 of the IPv6 + specification in [RFC2460] which requires that only hop-by-hop + options are processed at any node through which the packet passes + until the packet reaches the appropriate destination (either the + final destination or a routing header waypoint). + + Also, [RFC2460] forbids processing the headers other than in the + order in which they appear in the packet. + + + + +Davies, et al. Informational [Page 11] + +RFC 4942 IPv6 Security Overview September 2007 + + + A further ambiguity relates to whether an intermediate node should + discard a packet that contains a header or destination option which + it does not recognize. If the rules above are followed slavishly, it + is not (or may not be) legitimate for the intermediate node to + discard the packet because it should not be processing those headers + or options. + + Therefore, [RFC2460] does not appear to take account of the behavior + of middleboxes and other non-final destinations that may be + inspecting the packet, and thereby potentially limits the security + protection of these boxes. Firewall vendors and administrators may + choose to ignore these rules in order to provide enhanced security as + this does not appear to have any serious consequences with the + currently defined set of extensions. However, administrators should + be aware that future extensions might require different treatment. + +2.1.9.2. Processing Extension Header Chains + + There is a further problem for middleboxes that want to examine the + transport headers that are located at the end of the IPv6 header + chain. In order to locate the transport header or other protocol + data unit, the node has to parse the header chain. + + The IPv6 specification [RFC2460] does not mandate the use of the + Type-Length-Value (TLV) format with a fixed layout for the start of + each header although it is used for the majority of headers currently + defined. (Only the Type field is guaranteed in size and offset.) + + Therefore, a middlebox cannot guarantee to be able to process header + chains that may contain headers defined after the box was + manufactured. As discussed further in Section 2.1.9.3, middleboxes + ought not to have to know the detailed layout of all header types in + use but still need to be able to skip over such headers to find the + transport payload start. If this is not possible, it either limits + the security policy that can be applied in firewalls or makes it + difficult to deploy new extension header types. + + At the time of writing, only the Fragment Header does not fully + conform to the TLV format used for other extension headers. In + practice, many firewalls reconstruct fragmented packets before + performing deep packet inspection, so this divergence is less + problematic than it might have been, and is at least partially + justified because the full header chain is not present in all + fragments. + + + + + + + +Davies, et al. Informational [Page 12] + +RFC 4942 IPv6 Security Overview September 2007 + + + Hop-by-hop and destination options may also contain unknown options. + However, the options are required to be encoded in TLV format so that + intermediate nodes can skip over them during processing, unlike the + enclosing extension headers. + +2.1.9.3. Unknown Headers/Destination Options and Security Policy + + A strict security policy might dictate that packets containing either + unknown headers or destination options are discarded by firewalls or + other filters. This requires the firewall to process the whole + extension header chain, which may be currently in conflict with the + IPv6 specification as discussed in Section 2.1.9.1. + + Even if the firewall does inspect the whole header chain, it may not + be sensible to discard packets with items unrecognized by the + firewall: the intermediate node has no knowledge of which options and + headers are implemented in the destination node and IPv6 has been + deliberately designed to be extensible through adding new header + options. This poses a dilemma for firewall administrators. On the + one hand, admitting packets with 'unknown' options is a security + risk, but dropping them may disable a useful new extension. The best + compromise appears to be to select firewalls that provide a + configurable discard policy based on the types of the extensions. + Then, if a new extension is standardized, administrators can + reconfigure firewalls to pass packets with legitimate items that they + would otherwise not recognize because their hardware or software is + not aware of a new definition. Provided that the new extensions + conform to the TLV layout followed by current extensions, the + firewall would not need detailed knowledge of the function or layout + of the extension header. + +2.1.9.4. Excessive Hop-by-Hop Options + + IPv6 does not limit the number of hop-by-hop options that can be + present in a hop-by-hop option header, and any option can appear + multiple times. The lack of a limit and the provision of + extensibility bits that force nodes to ignore classes of options that + they do not understand can be used to mount denial-of-service attacks + affecting all nodes on a path. A packet with large numbers of + unknown hop-by-hop options will be processed at every node through + which it is forwarded, consuming significant resources to determine + what action should be taken for each option. Current options with + the exception of Pad1 and PadN should not appear more than once so + that packets with inappropriately repeated options can be dropped. + However, keeping track of which options have been seen adds + complexity to firewalls and may not apply to future extensions. See + Section 2.1.9.3 for a discussion of the advisability of dropping + packets with unknown options in firewalls. + + + +Davies, et al. Informational [Page 13] + +RFC 4942 IPv6 Security Overview September 2007 + + +2.1.9.5. Misuse of Pad1 and PadN Options + + IPv6 allows multiple padding options of arbitrary sizes to be placed + in both Hop-by-Hop and Destination option headers. + + PadN options are required to contain zero octets as 'payload'; there + is, however, no incentive for receivers to check this. It may + therefore be possible to use the 'payload' of padding options as a + covert channel. Firewalls and receiving hosts should actively check + that PadN only has zero octets in its 'payload'. + + There is no legitimate reason for padding beyond the next eight octet + boundary since the whole option header is aligned on an eight-octet + boundary but cannot be guaranteed to be on a 16 (or higher power of + two)-octet boundary. The IPv6 specification allows multiple Pad1 and + PadN options to be combined in any way that the source chooses to + make up the required padding. Reasonable design choices would appear + to be using however many Pad1 options (i.e., zero octets) are needed + or using a single PadN option of the required size (from two up to + seven octets). Administrators should consider at least logging + unusual padding patterns, and may consider dropping packets that + contain unusual patterns if they are certain of expected source + behavior. + +2.1.9.6. Overuse of Router Alert Option + + The IPv6 router alert option specifies a hop-by-hop option that, if + present, signals the router to take a closer look at the packet. + This can be used for denial-of-service attacks. By sending a large + number of packets containing a router alert option, an attacker can + deplete the processor cycles on the routers available to legitimate + traffic. + +2.1.10. Fragmentation: Reassembly and Deep Packet Inspection + + The current specifications of IPv6 in [RFC2460] do not mandate any + minimum packet size for the fragments of a packet before the last + one, except for the need to carry the unfragmentable part in all + fragments. + + The unfragmentable part does not include the transport port numbers, + so it is possible that the first fragment does not contain sufficient + information to carry out deep packet inspection involving the port + numbers. + + + + + + + +Davies, et al. Informational [Page 14] + +RFC 4942 IPv6 Security Overview September 2007 + + + Packets with overlapping fragments are considered to be a major + security risk, but the reassembly rules for fragmented packets in + [RFC2460] do not mandate behavior that would minimize the effects of + overlapping fragments. + + In order to ensure that deep packet inspection can be carried out + correctly on fragmented packets, many firewalls and other nodes that + use deep packet inspection will collect the fragments and reassemble + the packet before examining it. Depending on the implementation of + packet reassembly and the treatment of packet fragments in these + nodes, the specification issues mentioned potentially leave IPv6 open + to the sort of attacks described in [RFC1858] and [RFC3128] for IPv4. + + The following steps can be taken to mitigate these threats: + + o Although permitted in [RFC2460], there is no reason for a source + to generate overlapping packet fragments, and overlaps could be + prohibited in a future revision of the protocol specification. + Firewalls should drop all packets with overlapped fragments: + certain implementations both in firewalls and other nodes already + drop such packets. + + o Specifying a minimum size for packet fragments does not help in + the same way as it does for IPv4 because IPv6 extension headers + can be made to appear very long: an attacker could insert one or + more undefined destination options with long lengths and the + 'ignore if unknown' bit set. Given the guaranteed minimum MTU of + IPv6, it seems reasonable that hosts should be able to ensure that + the transport port numbers are in the first fragment in almost all + cases and that deep packet inspection should be very suspicious of + first fragments that do not contain them (see also the discussion + of fragment sizes in Section 2.1.11). + +2.1.11. Fragmentation Related DoS Attacks + + Packet reassembly in IPv6 hosts also opens up the possibility of + various fragment-related security attacks. Some of these are + analogous to attacks identified for IPv4. Of particular concern is a + DoS attack based on sending large numbers of small fragments without + a terminating last fragment that would potentially overload the + reconstruction buffers and consume large amounts of CPU resources. + + Mandating the size of packet fragments could reduce the impact of + this kind of attack by limiting the rate at which fragments could + arrive and limiting the number of fragments that need to be + processed, but this is not currently specified by the IPv6 standard. + In practice, reasonable design choices in protocol stacks are likely + to either maximize the size of all fragments except the final one + + + +Davies, et al. Informational [Page 15] + +RFC 4942 IPv6 Security Overview September 2007 + + + using the path MTU (most likely choice), or distribute the data + evenly in the required minimum number of fragments. In either case, + the smallest non-final fragment would be at least half the guaranteed + minimum MTU (640 octets) -- the worst case arises when a payload is + just too large for a single packet and is divided approximately + equally between two packets. Administrators should consider + configuring firewalls and hosts to drop non-final fragments smaller + than 640 octets. + +2.1.12. Link-Local Addresses and Securing Neighbor Discovery + + All IPv6 nodes are required to configure a link-local address on each + interface. This address is used to communicate with other nodes + directly connected to the link accessed via the interface, especially + during the neighbor discovery and autoconfiguration processes. Link- + local addresses are fundamental to the operation of the Neighbor + Discovery Protocol (NDP) [RFC2461] and Stateless Address + Autoconfiguration (SLAAC) [RFC2462]. NDP also provides the + functionality of associating link-layer and IP addresses provided by + the Address Resolution Protocol (ARP) in IPv4 networks. + + The standard version of NDP is subject to a number of security + threats related to ARP spoofing attacks on IPv4. These threats are + documented in [RFC3756], and mechanisms to combat them are specified + in SEcure Neighbor Discovery (SEND) [RFC3971]. SEND is an optional + mechanism that is particularly applicable to wireless and other + environments where it is difficult to physically secure the link. + + Because the link-local address can, by default, be acquired without + external intervention or control, it allows an attacker to commence + communication on the link without needing to acquire information + about the address prefixes in use or communicate with any authorities + on the link. This feature gives a malicious node the opportunity to + mount an attack on any other node that is attached to this link; this + vulnerability exists in addition to possible direct attacks on NDP. + Link-local addresses may also facilitate the unauthorized use of the + link bandwidth ('bandwidth theft') to communicate with another + unauthorized node on the same link. + + The vulnerabilities of IPv6 link-local addresses in NDP can be + mitigated in several ways. A general solution will require + + o authenticating the link-layer connectivity, for example, by using + IEEE 802.1X functionality [IEEE.802-1X] or physical security, and + + o using SEcure Neighbor Discovery (SEND) to create a + cryptographically generated link-local address (as described in + [RFC3971]) that is tied to the authenticated link-layer address. + + + +Davies, et al. Informational [Page 16] + +RFC 4942 IPv6 Security Overview September 2007 + + + This solution would be particularly appropriate in wireless LAN + deployments where it is difficult to physically secure the + infrastructure, but it may not be considered necessary in wired + environments where the physical infrastructure can be kept secure by + other means. + + Limiting the potentiality for abuse of link-local addresses in + general packet exchanges is more problematic because there may be + circumstances, such as isolated networks, where usage is appropriate + and discrimination between use and abuse requires complex filtering + rules which have to be implemented on hosts. The risk of misuse may + be deemed too small compared with the effort needed to control it, + but special attention should be paid to tunnel end-points (see 2.4, + 3.2, and 3.3). + + Any filtering has to be provided by a host-based or bridging + firewall. In general, link-local addresses are expected to be used + by applications that are written to deal with specific interfaces and + links. Typically these applications are used for control and + management. A node which is attached to multiple links has to deal + with the potentially overlapping link-local address spaces associated + with these links. IPv6 provides for this through zone identifiers + that are used to discriminate between the different address scopes + [RFC4007] and the scope identifier that can be associated with a + socket address structure [RFC3493]. Most users are unfamiliar with + these issues and general purpose applications are not intended to + handle this kind of discrimination. link-local addresses are not + normally used with the Domain Name System (DNS), and DNS cannot + supply zone identifiers. If it is considered necessary to prevent + the use of link-local addresses by means other than control and + management protocols, administrators may wish to consider limiting + the protocols that can be used with link-local addresses. At a + minimum, ICMPv6 and any intra-domain routing protocol in use (such as + Open Shortest Path First (OSPF) or Routing Information Protocol + (RIP)) need to be allowed, but other protocols may also be needed. + RIP illustrates the complexity of the filtering problem: its messages + are encapsulated as User Datagram Protocol (UDP) payloads, and + filtering needs to distinguish RIP messages addressed to UDP port 521 + from other UDP messages. + +2.1.13. Securing Router Advertisements + + As part of the Neighbor Discovery process, routers on a link + advertise their capabilities in Router Advertisement messages. The + version of NDP defined in [RFC2461] does not protect the integrity of + these messages or validate the assertions made in the messages with + the result that any node that connects to the link can maliciously + claim to offer routing services that it will not fulfill, and + + + +Davies, et al. Informational [Page 17] + +RFC 4942 IPv6 Security Overview September 2007 + + + advertise inappropriate prefixes and parameters. These threats have + been documented in [RFC3756]. + + A malicious node may also be able to carry out a DoS attack by + deprecating an established valid prefix (by advertising it with a + zero lifetime). Similar DoS attacks are possible if the optional + Router Selection mechanism is implemented as described in the + security considerations of [RFC4191]. + + SEND [RFC3971] can be used to provide verification that routers are + authorized to provide the services they advertise through a + certificate-based mechanism. This capability of SEND is also + particularly appropriate for wireless environments where clients are + reliant on the assertions of the routers rather than a physically + secured connection. + +2.1.14. Host-to-Router Load Sharing + + If a host deploys the optional host-to-router load-sharing mechanism + [RFC4311], a malicious application could carry out a DoS attack on + one or more of the load-sharing routers if the application is able to + use knowledge of the load-sharing algorithm to synthesize traffic + that subverts the load-sharing algorithm and directs a large volume + of bogus traffic towards a subset of the routers. The likelihood of + such an attack can be reduced if the implementation uses a + sufficiently sophisticated load sharing algorithm as described in the + security considerations of [RFC4311]. + +2.1.15. Mobile IPv6 + + Mobile IPv6 offers significantly enhanced security compared with + Mobile IPv4 especially when using optimized routing and care-of + addresses. Return routability checks are used to provide relatively + robust assurance that the different addresses that a mobile node uses + as it moves through the network do indeed all refer to the same node. + The threats and solutions are described in [RFC3775], and a more + extensive discussion of the security aspects of the design can be + found in [RFC4225]. + +2.1.15.1. Obsolete Home Address Option in Mobile IPv6 + + The Home Address option specified in early versions of Mobile IPv6 + would have allowed a trivial source spoofing attack: hosts were + required to substitute the source address of incoming packets with + the address in the option, thereby potentially evading checks on the + packet source address. The version of Mobile IPv6 as standardized in + + + + + +Davies, et al. Informational [Page 18] + +RFC 4942 IPv6 Security Overview September 2007 + + + [RFC3775] has removed this issue by ensuring that the Home Address + destination option is only processed if there is a corresponding + binding cache entry and securing Binding Update messages. + + A number of pre-standard implementations of Mobile IPv6 were + available that implemented this obsolete and insecure option: care + should be taken to avoid running such obsolete systems. + +2.2. IPv4-Mapped IPv6 Addresses + + Overloaded functionality is always a double-edged sword: it may yield + some deployment benefits, but often also incurs the price that comes + with ambiguity. + + One example of such is IPv4-mapped IPv6 addresses (::ffff/96): a + representation of an IPv4 address as an IPv6 address inside an + operating system as defined in [RFC3493]. Since the original + specification, the use of IPv4-mapped addresses has been extended to + a transition mechanism, Stateless IP/ICMP Translation algorithm + (SIIT) [RFC2765], where they are potentially used in the addresses of + packets on the wire. + + Therefore, it becomes difficult to unambiguously discern whether an + IPv4 mapped address is really an IPv4 address represented in the IPv6 + address format (basic API behavior) *or* an IPv6 address received + from the wire (which may be subject to address forgery, etc.). (SIIT + behavior). The security issues that arise from the ambiguous + behavior when IPv4-mapped addresses are used on the wire include: + + o If an attacker transmits an IPv6 packet with ::ffff:127.0.0.1 in + the IPv6 source address field, he might be able to bypass a node's + access controls by deceiving applications into believing that the + packet is from the node itself (specifically, the IPv4 loopback + address, 127.0.0.1). The same attack might be performed using the + node's IPv4 interface address instead. + + o If an attacker transmits an IPv6 packet with IPv4-mapped addresses + in the IPv6 destination address field corresponding to IPv4 + addresses inside a site's security perimeter (e.g., ::ffff: + 10.1.1.1), he might be able to bypass IPv4 packet filtering rules + and traverse a site's firewall. + + o If an attacker transmits an IPv6 packet with IPv4-mapped addresses + in the IPv6 source and destination fields to a protocol that swaps + IPv6 source and destination addresses, he might be able to use a + node as a proxy for certain types of attacks. For example, this + might be used to construct broadcast multiplication and proxy TCP + port scan attacks. + + + +Davies, et al. Informational [Page 19] + +RFC 4942 IPv6 Security Overview September 2007 + + + In addition, special cases like these, while giving deployment + benefits in some areas, require a considerable amount of code + complexity (e.g., in the implementations of bind() system calls and + reverse DNS lookups) that is probably undesirable but can be managed + in this case. + + In practice, although the packet translation mechanisms of SIIT are + specified for use in "Network Address Translator - Protocol + Translator (NAT-PT)" [RFC2766], NAT-PT uses a mechanism different + from IPv4-mapped IPv6 addresses for communicating embedded IPv4 + addresses in IPv6 addresses. Also, SIIT is not recommended for use + as a standalone transition mechanism. Given the issues that have + been identified, it seems appropriate that mapped addresses should + not be used on the wire. However, changing application behavior by + deprecating the use of mapped addresses in the operating system + interface would have significant impact on application porting + methods as described in [RFC4038], and it is expected that IPv4- + mapped IPv6 addresses will continue to be used within the API to aid + application portability. + + Using the basic API behavior has some security implications in that + it adds additional complexity to address-based access controls. The + main issue that arises is that an IPv6 (AF_INET6) socket will accept + IPv4 packets even if the node has no IPv4 (AF_INET) sockets open. + This has to be taken into account by application developers and may + allow a malicious IPv4 peer to access a service even if there are no + open IPv4 sockets. This violates the security principle of "least + surprise". + +2.3. Increased End-to-End Transparency + + One of the major design aims of IPv6 has been to maintain the + original IP architectural concept of end-to-end transparency. + Transparency can help foster technological innovation in areas such + as peer-to-peer communication, but maintaining the security of the + network at the same time requires some modifications in the network + architecture. Ultimately, it is also likely to need changes in the + security model as compared with the norms for IPv4 networks. + +2.3.1. IPv6 Networks without NATs + + The necessity of introducing Network Address Translators (NATs) into + IPv4 networks, resulting from a shortage of IPv4 addresses, has + removed the end-to-end transparency of most IPv4 connections: the use + of IPv6 would restore this transparency. However, the use of NATs, + and the associated private addressing schemes, has become + inappropriately linked to the provision of security in enterprise + networks. The restored end-to-end transparency of IPv6 networks can + + + +Davies, et al. Informational [Page 20] + +RFC 4942 IPv6 Security Overview September 2007 + + + therefore be seen as a threat by poorly informed enterprise network + managers. Some seem to want to limit the end-to-end capabilities of + IPv6, for example by deploying private, local addressing and + translators, even when it is not necessary because of the abundance + of IPv6 addresses. + + Recommendations for designing an IPv6 network to meet the perceived + security and connectivity requirements implicit in the current usage + of IPv4 NATs whilst maintaining the advantages of IPv6 end-to-end + transparency are described in "IP Version 6 Network Architecture + Protection" [RFC4864]. + +2.3.2. Enterprise Network Security Model for IPv6 + + The favored model for enterprise network security in IPv4 stresses + the use of a security perimeter policed by autonomous firewalls and + incorporating the NATs. Both perimeter firewalls and NATs introduce + asymmetry and reduce the transparency of communications through these + perimeters. The symmetric bidirectionality and transparency that are + extolled as virtues of IPv6 may seem to be at odds with this model. + Consequently, network managers may even see them as undesirable + attributes, in conflict with their need to control threats to and + attacks on the networks they administer. + + It is worth noting that IPv6 does not *require* end-to-end + connectivity. It merely provides end-to-end addressability; the + connectivity can still be controlled using firewalls (or other + mechanisms), and it is indeed wise to do so. + + A number of matters indicate that IPv6 networks should migrate + towards an improved security model, which will increase the overall + security of the network while at the same time facilitating end-to- + end communication: + + o Increased usage of end-to-end security especially at the network + layer. IPv6 mandates the provision of IPsec capability in all + nodes, and increasing usage of end-to-end security is a challenge + to current autonomous firewalls that are unable to perform deep + packet inspection on encrypted packets. It is also incompatible + with NATs because they modify the packets, even when packets are + only authenticated rather than encrypted. + + o Acknowledgement that over-reliance on the perimeter model is + potentially dangerous. An attacker who can penetrate today's + perimeters will have free rein within the perimeter, in many + cases. Also a successful attack will generally allow the attacker + to capture information or resources and make use of them. + + + + +Davies, et al. Informational [Page 21] + +RFC 4942 IPv6 Security Overview September 2007 + + + o Development of mechanisms such as 'Trusted Computing' [TCGARCH] + that will increase the level of trust that network managers are + able to place on hosts. + + o Development of centralized security policy repositories and secure + distribution mechanisms that, in conjunction with trusted hosts, + will allow network managers to place more reliance on security + mechanisms at the end-points. The mechanisms are likely to + include end-node firewalling and intrusion detection systems as + well as secure protocols that allow end-points to influence the + behavior of perimeter security devices. + + o Review of the role of perimeter devices with increased emphasis on + intrusion detection, and network resource protection and + coordination to thwart distributed denial-of-service attacks. + + Several of the technologies required to support an enhanced security + model are still under development, including secure protocols to + allow end-points to control firewalls: the complete security model + utilizing these technologies is now emerging but still requires some + development. + + In the meantime, initial deployments will need to make use of similar + firewalling and intrusion detection techniques to IPv4 that may limit + end-to-end transparency temporarily, but should be prepared to use + the new security model as it develops and avoid the use of NATs by + the use of the architectural techniques described in [RFC4864]. In + particular, using NAT-PT [RFC2766] as a general purpose transition + mechanism should be avoided as it is likely to limit the exploitation + of end-to-end security and other IPv6 capabilities in the future as + explained in [RFC4966]. + +2.4. IPv6 in IPv6 Tunnels + + IPv6 in IPv6 tunnels can be used to circumvent security checks, so it + is essential to filter packets both at tunnel ingress and egress + points (the encapsulator and decapsulator) to ensure that both the + inner and outer addresses are acceptable, and the tunnel is not being + used to carry inappropriate traffic. [RFC3964], which is primarily + about the 6to4 transition tunneling mechanism (see Section 3.1), + contains useful discussions of possible attacks and ways to + counteract these threats. + + + + + + + + + +Davies, et al. Informational [Page 22] + +RFC 4942 IPv6 Security Overview September 2007 + + +3. Issues Due to Transition Mechanisms + +3.1. IPv6 Transition/Coexistence Mechanism-Specific Issues + + The more complicated the IPv6 transition/coexistence becomes, the + greater the danger that security issues will be introduced either + + o in the mechanisms themselves, + + o in the interaction between mechanisms, or + + o by introducing unsecured paths through multiple mechanisms. + + These issues may or may not be readily apparent. Hence, it would be + desirable to keep the mechanisms simple (as few in number as possible + and built from pieces as small as possible) to simplify analysis. + + One case where such security issues have been analyzed in detail is + the 6to4 tunneling mechanism [RFC3964]. + + As tunneling has been proposed as a model for several more cases than + are currently being used, its security properties should be analyzed + in more detail. There are some generic dangers to tunneling: + + o It may be easier to avoid ingress filtering checks. + + o It is possible to attack the tunnel interface: several IPv6 + security mechanisms depend on checking that Hop Limit equals 255 + on receipt and that link-local addresses are used. Sending such + packets to the tunnel interface is much easier than gaining access + to a physical segment and sending them there. + + o Automatic tunneling mechanisms are typically particularly + dangerous as there is no pre-configured association between end + points. Accordingly, at the receiving end of the tunnel, packets + have to be accepted and decapsulated from any source. + Consequently, special care should be taken when specifying + automatic tunneling techniques. + +3.2. Automatic Tunneling and Relays + + Two mechanisms have been specified that use automatic tunneling and + are intended for use outside a single domain. These mechanisms + encapsulate the IPv6 packet directly in an IPv4 packet in the case of + 6to4 [RFC3056] or in an IPv4 UDP packet in the case of Teredo + [RFC4380]. In each case, packets can be sent and received by any + similarly equipped nodes in the IPv4 Internet. + + + + +Davies, et al. Informational [Page 23] + +RFC 4942 IPv6 Security Overview September 2007 + + + As mentioned in Section 3.1, a major vulnerability in such approaches + is that receiving nodes must allow decapsulation of traffic sourced + from anywhere in the Internet. This kind of decapsulation function + must be extremely well secured because of the wide range of potential + sources. + + An even more difficult problem is how these mechanisms are able to + establish communication with native IPv6 nodes or between the + automatic tunneling mechanisms: such connectivity requires the use of + some kind of "relay". These relays could be deployed in various + locations such as: + + o all native IPv6 nodes, + + o native IPv6 sites, + + o in IPv6-enabled ISPs, or + + o just somewhere in the Internet. + + Given that a relay needs to trust all the sources (e.g., in the 6to4 + case, all 6to4 routers) that are sending it traffic, there are issues + in achieving this trust and at the same time scaling the relay system + to avoid overloading a small number of relays. + + As authentication of such a relay service is very difficult to + achieve, and particularly so in some of the possible deployment + models, relays provide a potential vehicle for address spoofing, + (reflected) denial-of-service attacks, and other threats. + + Threats related to 6to4 and measures to combat them are discussed in + [RFC3964]. [RFC4380] incorporates extensive discussion of the + threats to Teredo and measures to combat them. + +3.3. Tunneling IPv6 through IPv4 Networks May Break IPv4 Network + Security Assumptions + + NATs and firewalls have been deployed extensively in the IPv4 + Internet, as discussed in Section 2.3. Operators who deploy them + typically have some security/operational requirements in mind (e.g., + a desire to block inbound connection attempts), which may or may not + be misguided. + + The addition of tunneling can change the security model that such + deployments are seeking to enforce. IPv6-over-IPv4 tunneling using + protocol 41 is typically either explicitly allowed, or disallowed + implicitly. Tunneling IPv6 over IPv4 encapsulated in UDP constitutes + a more difficult problem as UDP must usually be allowed to pass + + + +Davies, et al. Informational [Page 24] + +RFC 4942 IPv6 Security Overview September 2007 + + + through NATs and firewalls. Consequently, using UDP implies the + ability to punch holes in NATs and firewalls although, depending on + the implementation, this ability may be limited or only achieved in a + stateful manner. In practice, the mechanisms have been explicitly + designed to traverse both NATs and firewalls in a similar fashion. + + One possible view is that the use of tunneling is especially + questionable in home and SOHO (small office/home office) environments + where the level of expertise in network administration is typically + not very high; in these environments, the hosts may not be as tightly + managed as in others (e.g., network services might be enabled + unnecessarily), leading to possible security break-ins or other + vulnerabilities. + + Holes allowing tunneled traffic through NATs and firewalls can be + punched both intentionally and unintentionally. In cases where the + administrator or user makes an explicit decision to create the hole, + this is less of a problem, although (for example) some enterprises + might want to block IPv6 tunneling explicitly if employees were able + to create such holes without reference to administrators. On the + other hand, if a hole is punched transparently, it is likely that a + proportion of users will not understand the consequences: this will + very probably result in a serious threat sooner or later. + + When deploying tunneling solutions, especially tunneling solutions + that are automatic and/or can be enabled easily by users who do not + understand the consequences, care should be taken not to compromise + the security assumptions held by the users. + + For example, NAT traversal should not be performed by default unless + there is a firewall producing a similar by-default security policy to + that provided by IPv4 NAT. IPv6-in-IPv4 (protocol 41) tunneling is + less of a problem, as it is easier to block if necessary; however, if + the host is protected in IPv4, the IPv6 side should be protected as + well. + + As is shown in Appendix A, it is relatively easy to determine the + IPv6 address corresponding to an IPv4 address in tunneling + deployments. It is therefore vital NOT to rely on "security by + obscurity", i.e., assuming that nobody is able to guess or determine + the IPv6 address of the host especially when using automatic + tunneling transition mechanisms. + + The network architecture must provide separate IPv4 and IPv6 + firewalls with tunneled IPv6 traffic arriving encapsulated in IPv4 + packets routed through the IPv4 firewall before being decapsulated, + and then through the IPv6 firewall as shown in Figure 1. + + + + +Davies, et al. Informational [Page 25] + +RFC 4942 IPv6 Security Overview September 2007 + + + +--------+ +--------+ +--------+ + Site | Native | IPv6 |v6 in v4| IPv4 | Native | Public + Network <--->| IPv6 |<---->| Tunnel |<---->| IPv4 |<---> Internet + |Firewall| |Endpoint| |Firewall| + +--------+ +--------+ +--------+ + + Figure 1: Tunneled Traffic and Firewalls + +4. Issues Due to IPv6 Deployment + +4.1. Avoiding the Trap of Insecure IPv6 Service Piloting + + Because IPv6 is a new service for many networks, network managers + will often opt to make a pilot deployment in a part of the network to + gain experience and understand the problems as well as the benefits + that may result from a full production quality IPv6 service. + + Unless IPv6 service piloting is done in a manner that is as secure as + possible, there is a risk that if security in the pilot does not + match up to what is achievable with current IPv4 production service, + the comparison can adversely impact the overall assessment of the + IPv6 pilot deployment. This may result in a decision to delay or + even avoid deploying an IPv6 production service. For example, hosts + and routers might not be protected by IPv6 firewalls, even if the + corresponding IPv4 service is fully protected by firewalls. The use + of tunneling transition mechanisms (see Section 3.3) and the + interaction with virtual private networks also need careful attention + to ensure that site security is maintained. This is particularly + critical where IPv6 capabilities are turned on by default in new + equipment or new releases of operating systems: network managers may + not be fully aware of the security exposure that this creates. + + In some cases, a perceived lack of availability of IPv6 firewalls and + other security capabilities, such as intrusion detection systems may + have led network managers to resist any kind of IPv6 service + deployment. These problems may be partly due to the relatively slow + development and deployment of IPv6-capable security equipment, but + the major problems appear to have been a lack of information, and + more importantly a lack of documented operational experience on which + managers can draw. In actual fact, at the time of writing, there are + a significant number of alternative IPv6 packet filters and firewalls + already in existence that could be used to provide sufficient access + controls. + + However, there are a small number of areas where the available + equipment and capabilities may still be a barrier to secure + deployment as of the time of writing: + + + + +Davies, et al. Informational [Page 26] + +RFC 4942 IPv6 Security Overview September 2007 + + + o 'Personal firewalls' with support for IPv6 and intended for use on + hosts are not yet widely available. + + o Enterprise firewalls are at an early stage of development and may + not provide the full range of capabilities needed to implement the + necessary IPv6 filtering rules. Network managers often expect the + same devices that support and are used for IPv4 today to also + become IPv6-capable -- even though this is not really required and + the equipment may not have the requisite hardware capabilities to + support fast packet filtering for IPv6. Suggestions for the + appropriate deployment of firewalls are given in Section 3.3 -- as + will be seen from this section, it is usually desirable that the + firewalls are in separate boxes, and there is no necessity for + them to be same the model of equipment. + + o A lesser factor may be that some design decisions in the IPv6 + protocol make it more difficult for firewalls to be implemented + and work in all cases, and to be fully future-proof (e.g., when + new extension headers are used) as discussed in Section 2.1.9. It + is significantly more difficult for intermediate nodes to process + the IPv6 header chains than IPv4 packets. + + o Adequate Intrusion Detection Systems (IDS) are more difficult to + construct for IPv6. IDSs are now beginning to become available + but the pattern-based mechanisms used for IPv4 may not be the most + appropriate for long-term development of these systems as end-to- + end encryption becomes more prevalent. Future systems may be more + reliant on traffic flow pattern recognition. + + o Implementations of high availability capabilities supporting IPv6 + are also in short supply. In particular, development of the IPv6 + version of the Virtual Router Redundancy Protocol (VRRP) [VRRP] + has lagged the development of the main IPv6 protocol although + alternatives may be available for some environments. + + In all these areas, developments are ongoing and they should not be + considered a long-term bar to the deployment of IPv6 either as a + pilot or production service. The necessary tools are now available + to make a secure IPv6 deployment, and with careful selection of + components and design of the network architecture, a successful pilot + or production IPv6 service can be deployed. Recommendations for + secure deployment and appropriate management of IPv6 networks can be + found in the documentation archives of the European Union 6net + project [SIXNET] and in the Deployment Guide published by the IPv6 + Promotion Council of Japan [JpIPv6DC]. + + + + + + +Davies, et al. Informational [Page 27] + +RFC 4942 IPv6 Security Overview September 2007 + + +4.2. DNS Server Problems + + Some DNS server implementations have flaws that severely affect DNS + queries for IPv6 addresses as discussed in [RFC4074]. These flaws + can be used for DoS attacks affecting both IPv4 and IPv6 by inducing + caching DNS servers to believe that a domain is broken and causing + the server to block access to all requests for the domain for a + precautionary period. + +4.3. Addressing Schemes and Securing Routers + + Whilst in general terms brute force scanning of IPv6 subnets is + essentially impossible due to the enormously larger address space of + IPv6 and the 64-bit interface identifiers (see Appendix A), this will + be obviated if administrators do not take advantage of the large + space to use unguessable interface identifiers. + + Because of the unmemorability of complete IPv6 addresses, there is a + temptation for administrators to use small integers as interface + identifiers when manually configuring them, as might happen on point- + to-point links or when provisioning complete addresses from a DHCPv6 + server. Such allocations make it easy for an attacker to find active + nodes that they can then port scan. + + To make use of the larger address space properly, administrators + should be very careful when entering IPv6 addresses in their + configurations (e.g., access control lists), since numerical IPv6 + addresses are more prone to human error than IPv4 due to their length + and unmemorability. + + It is also essential to ensure that the management interfaces of + routers are well secured (e.g., allowing remote access using Secure + Shell (SSH) only and ensuring that local craft interfaces have non- + default passwords) as the router will usually contain a significant + cache of neighbor addresses in its neighbor cache. + +4.4. Consequences of Multiple Addresses in IPv6 + + One positive consequence of IPv6 is that nodes that do not require + global access can communicate locally just by the use of a link-local + address (if very local access is sufficient) or across the site by + using a Unique Local Address (ULA). In either case it is easy to + ensure that access outside the assigned domain of activity can be + controlled by simple filters (which should be the default for link- + locals). However, the security hazards of using link-local addresses + for general purposes, as documented in Section 2.1.12, should be + borne in mind. + + + + +Davies, et al. Informational [Page 28] + +RFC 4942 IPv6 Security Overview September 2007 + + + On the other hand, the possibility that a node or interface can have + multiple global scope addresses makes access control filtering (both + on ingress and egress) more complex and requires higher maintenance + levels. Vendors and network administrators need to be aware that + multiple addresses are the norm rather than the exception in IPv6: + when building and selecting tools for security and management, a + highly desirable feature is the ability to be able to 'tokenize' + access control lists and configurations in general to cater for + multiple addresses and/or address prefixes. + + The addresses could be from the same network prefix (for example, + privacy mechanisms [RFC4941] will periodically create new addresses + taken from the same prefix, and two or more of these may be active at + the same time), or from different prefixes (for example, when a + network is multihomed, when for management purposes a node belongs to + several subnets on the same link or is implementing anycast + services). In all these cases, it is possible that a single host + could be using several different addresses with different prefixes + and/or different interface identifiers. It is desirable that the + security administrator be able to identify that the same host is + behind all these addresses. + + Some network administrators may find the mutability of addresses when + privacy mechanisms are used in their network to be undesirable + because of the current difficulties in maintaining access control + lists and knowing the origin of traffic. In general, disabling the + use of privacy addresses is only possible if the full stateful DHCPv6 + mechanism [RFC3315] is used to allocate IPv6 addresses and DHCPv6 + requests for privacy addresses are not honored. + +4.5. Deploying ICMPv6 + + In IPv4 it is commonly accepted that some filtering of ICMP packets + by firewalls is essential to maintain security. Because of the + extended use that is made of ICMPv6 [RFC2461] with a multitude of + functions, the simple set of dropping rules that are usually applied + in IPv4 need to be significantly developed for IPv6. The blanket + dropping of all ICMP messages that is used in some very strict + environments is simply not possible for IPv6. + + In an IPv6 firewall, policy needs to allow some messages through the + firewall but also has to permit certain messages to and from the + firewall, especially those with link-local sources on links to which + the firewall is attached. These messages must be permitted to ensure + that Neighbor Discovery [RFC2462], Multicast Listener Discovery + ([RFC2710], [RFC3810]), and Stateless Address Configuration [RFC4443] + work as expected. + + + + +Davies, et al. Informational [Page 29] + +RFC 4942 IPv6 Security Overview September 2007 + + + Recommendations for filtering ICMPv6 messages can be found in + [RFC4890]. + +4.5.1. Problems Resulting from ICMPv6 Transparency + + As described in Section 4.5, certain ICMPv6 error packets need to be + passed through a firewall in both directions. This means that some + ICMPv6 error packets can be exchanged between inside and outside + without any filtering. + + Using this feature, malicious users can communicate between the + inside and outside of a firewall, thus bypassing the administrator's + inspection (proxy, firewall, etc.). For example, it might be + possible to carry out a covert conversation through the payload of + ICMPv6 error messages or to tunnel inappropriate encapsulated IP + packets in ICMPv6 error messages. This problem can be alleviated by + filtering ICMPv6 errors using a stateful packet inspection mechanism + to ensure that the packet carried as a payload is associated with + legitimate traffic to or from the protected network. + +4.6. IPsec Transport Mode + + IPsec provides security to end-to-end communications at the network + layer (layer 3). The security features available include access + control, connectionless integrity, data origin authentication, + protection against replay attacks, confidentiality, and limited + traffic flow confidentiality (see [RFC4301] Section 2.1). IPv6 + mandates the implementation of IPsec in all conforming nodes, making + the usage of IPsec to secure end-to-end communication possible in a + way that is generally not available to IPv4. + + To secure IPv6 end-to-end communications, IPsec transport mode would + generally be the solution of choice. However, use of these IPsec + security features can result in novel problems for network + administrators and decrease the effectiveness of perimeter firewalls + because of the increased prevalence of encrypted packets on which the + firewalls cannot perform deep packet inspection and filtering. + + One example of such problems is the lack of security solutions in the + middlebox, including effective content-filtering, ability to provide + DoS prevention based on the expected TCP protocol behavior, and + intrusion detection. Future solutions to this problem are discussed + in Section 2.3.2. Another example is an IPsec-based DoS (e.g., + sending malformed ESP/AH packets) that can be especially detrimental + to software-based IPsec implementations. + + + + + + +Davies, et al. Informational [Page 30] + +RFC 4942 IPv6 Security Overview September 2007 + + +4.7. Reduced Functionality Devices + + With the deployment of IPv6 we can expect the attachment of a very + large number of new IPv6-enabled devices with scarce resources and + low computing capacity. The resource limitations are generally + because of a market requirement for cost reduction. Although the + [RFC4294] specifies some mandatory security capabilities for every + conformant node, these do not include functions required for a node + to be able to protect itself. Accordingly, some such devices may not + be able even to perform the minimum set of functions required to + protect themselves (e.g., 'personal' firewall, automatic firmware + update, enough CPU power to endure DoS attacks). This means a + different security scheme may be necessary for such reduced + functionality devices. + +4.8. Operational Factors when Enabling IPv6 in the Network + + There are a number of reasons that make it essential to take + particular care when enabling IPv6 in the network equipment: + + Initially, IPv6-enabled router software may be less mature than + current IPv4-only implementations, and there is less experience with + configuring IPv6 routing, which can result in disruptions to the IPv6 + routing environment and (IPv6) network outages. + + IPv6 processing may not happen at (near) line speed (or at a + comparable performance level to IPv4 in the same equipment). A high + level of IPv6 traffic (even legitimate, e.g., Network News Transport + Protocol, NNTP) could easily overload IPv6 processing especially when + it is software-based without the hardware support typical in high-end + routers. This may potentially have deleterious knock-on effects on + IPv4 processing, affecting availability of both services. + Accordingly, if people don't feel confident enough in the IPv6 + capabilities of their equipment, they will be reluctant to enable it + in their "production" networks. + + Sometimes essential features may be missing from early releases of + vendors' software; an example is provision of software enabling IPv6 + telnet/SSH access (e.g., to the configuration application of a + router), but without the ability to turn it off or limit access to + it! + + Sometimes the default IPv6 configuration is insecure. For example, + in one vendor's implementation, if you have restricted IPv4 telnet to + only a few hosts in the configuration, you need to be aware that IPv6 + telnet will be automatically enabled, that the configuration commands + + + + + +Davies, et al. Informational [Page 31] + +RFC 4942 IPv6 Security Overview September 2007 + + + used previously do not block IPv6 telnet, that IPv6 telnet is open to + the world by default, and that you have to use a separate command to + also lock down the IPv6 telnet access. + + Many operator networks have to run interior routing protocols for + both IPv4 and IPv6. It is possible to run them both in one routing + protocol, or have two separate routing protocols; either approach has + its tradeoffs [RFC4029]. If multiple routing protocols are used, one + should note that this causes double the amount of processing when + links flap or recalculation is otherwise needed -- which might more + easily overload the router's CPU, causing slightly slower convergence + time. + +4.9. Security Issues Due to Neighbor Discovery Proxies + + In order to span a single subnet over multiple physical links, a new + experimental capability is being trialed in IPv6 to proxy Neighbor + Discovery messages. A node with this capability will be called an + NDProxy (see [RFC4389]). NDProxies are susceptible to the same + security issues as those faced by hosts using unsecured Neighbor + Discovery or ARP. These proxies may process unsecured messages, and + update the neighbor cache as a result of such processing, thus + allowing a malicious node to divert or hijack traffic. This may + undermine the advantages of using SEND [RFC3971]. + + If a form of NDProxy is standardized, SEND will need to be extended + to support this capability. + +5. Security Considerations + + This memo attempts to give an overview of security considerations of + the different aspects of IPv6, particularly as they relate to the + transition to a network in which IPv4- and IPv6-based communications + need to coexist. + +6. Acknowledgements + + This document draws together the work of many people who have + contributed security-related documents to the IPV6 and V6OPS working + groups. Alain Durand, Alain Baudot, Luc Beloeil, Sharon Chisholm, + Tim Chown, Lars Eggert, Andras Kis-Szabo, Vishwas Manral, Janos + Mohacsi, Mark Smith, Alvaro Vives, and Margaret Wassermann provided + feedback to improve this document. Satoshi Kondo, Shinsuke Suzuki, + and Alvaro Vives provided additional inputs in cooperation with the + Deployment Working Group of the Japanese IPv6 Promotion Council and + the Euro6IX IST co-funded project, together with inputs from Jordi + Palet, Brian Carpenter, and Peter Bieringer. Michael Wittsend and + Michael Cole discussed issues relating to probing/mapping and + + + +Davies, et al. Informational [Page 32] + +RFC 4942 IPv6 Security Overview September 2007 + + + privacy. Craig Metz and Jun-ichiro itojun Hagino did the original + work identifying the problems of using IPv4-mapped IPv6 addresses on + the wire. Vishwas Manral made further investigations of the impact + of tiny fragments on IPv6 security. Francis Dupont raised the issues + relating to IPv6 Privacy Addresses. Finally, Pekka Savola wrote a + number of documents on aspects IPv6 security which have been subsumed + into this work. His document on "Firewalling Considerations for + IPv6" (October 2003) originally identified many of the issues with + the base IPv6 specification which are documented here. + +7. References + +7.1. Normative References + + [RFC1122] Braden, R., "Requirements for Internet Hosts - + Communication Layers", STD 3, RFC 1122, October 1989. + + [RFC2375] Hinden, R. and S. Deering, "IPv6 Multicast Address + Assignments", RFC 2375, July 1998. + + [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version + 6 (IPv6) Specification", RFC 2460, December 1998. + + [RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor + Discovery for IP Version 6 (IPv6)", RFC 2461, + December 1998. + + [RFC2462] Thomson, S. and T. Narten, "IPv6 Stateless Address + Autoconfiguration", RFC 2462, December 1998. + + [RFC2710] Deering, S., Fenner, W., and B. Haberman, "Multicast + Listener Discovery (MLD) for IPv6", RFC 2710, + October 1999. + + [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 + Domains via IPv4 Clouds", RFC 3056, February 2001. + + [RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility + Support in IPv6", RFC 3775, June 2004. + + [RFC3810] Vida, R. and L. Costa, "Multicast Listener Discovery + Version 2 (MLDv2) for IPv6", RFC 3810, June 2004. + + [RFC3964] Savola, P. and C. Patel, "Security Considerations for + 6to4", RFC 3964, December 2004. + + + + + + +Davies, et al. Informational [Page 33] + +RFC 4942 IPv6 Security Overview September 2007 + + + [RFC4007] Deering, S., Haberman, B., Jinmei, T., Nordmark, E., + and B. Zill, "IPv6 Scoped Address Architecture", + RFC 4007, March 2005. + + [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing + Architecture", RFC 4291, February 2006. + + [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through + Network Address Translations (NATs)", RFC 4380, + February 2006. + + [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet + Control Message Protocol (ICMPv6) for the Internet + Protocol Version 6 (IPv6) Specification", RFC 4443, + March 2006. + + [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy + Extensions for Stateless Address Autoconfiguration in + IPv6", RFC 4941, September 2007. + +7.2. Informative References + + [FNAT] Bellovin, S., "Technique for Counting NATted Hosts", + Proc. Second Internet Measurement Workshop , + November 2002, + <http://www.research.att.com/~smb/papers/fnat.pdf>. + + [ICMP-ATT] Gont, F., "ICMP attacks against TCP", Work + in Progress, May 2007. + + [IEEE.802-1X] Institute of Electrical and Electronics Engineers, + "Port-Based Network Access Control", IEEE Standard for + Local and Metropolitan Area Networks 802.1X-2004, + December 2004. + + [JpIPv6DC] Deployment WG, "IPv6 Deployment Guideline (2005 + Edition)", IPv6 Promotion Council (Japan) Deployment + Working Group, 2005, <http://www.v6pc.jp/>. + + [RFC1858] Ziemba, G., Reed, D., and P. Traina, "Security + Considerations for IP Fragment Filtering", RFC 1858, + October 1995. + + [RFC2765] Nordmark, E., "Stateless IP/ICMP Translation Algorithm + (SIIT)", RFC 2765, February 2000. + + + + + + +Davies, et al. Informational [Page 34] + +RFC 4942 IPv6 Security Overview September 2007 + + + [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address + Translation - Protocol Translation (NAT-PT)", + RFC 2766, February 2000. + + [RFC3128] Miller, I., "Protection Against a Variant of the Tiny + Fragment Attack (RFC 1858)", RFC 3128, June 2001. + + [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, + C., and M. Carney, "Dynamic Host Configuration + Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. + + [RFC3493] Gilligan, R., Thomson, S., Bound, J., McCann, J., and + W. Stevens, "Basic Socket Interface Extensions for + IPv6", RFC 3493, February 2003. + + [RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 + Neighbor Discovery (ND) Trust Models and Threats", + RFC 3756, May 2004. + + [RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, + "SEcure Neighbor Discovery (SEND)", RFC 3971, + March 2005. + + [RFC4025] Richardson, M., "A Method for Storing IPsec Keying + Material in DNS", RFC 4025, March 2005. + + [RFC4029] Lind, M., Ksinant, V., Park, S., Baudot, A., and P. + Savola, "Scenarios and Analysis for Introducing IPv6 + into ISP Networks", RFC 4029, March 2005. + + [RFC4038] Shin, M-K., Hong, Y-G., Hagino, J., Savola, P., and E. + Castro, "Application Aspects of IPv6 Transition", + RFC 4038, March 2005. + + [RFC4074] Morishita, Y. and T. Jinmei, "Common Misbehavior + Against DNS Queries for IPv6 Addresses", RFC 4074, + May 2005. + + [RFC4191] Draves, R. and D. Thaler, "Default Router Preferences + and More-Specific Routes", RFC 4191, November 2005. + + [RFC4225] Nikander, P., Arkko, J., Aura, T., Montenegro, G., and + E. Nordmark, "Mobile IP Version 6 Route Optimization + Security Design Background", RFC 4225, December 2005. + + [RFC4294] Loughney, J., "IPv6 Node Requirements", RFC 4294, + April 2006. + + + + +Davies, et al. Informational [Page 35] + +RFC 4942 IPv6 Security Overview September 2007 + + + [RFC4301] Kent, S. and K. Seo, "Security Architecture for the + Internet Protocol", RFC 4301, December 2005. + + [RFC4311] Hinden, R. and D. Thaler, "IPv6 Host-to-Router Load + Sharing", RFC 4311, November 2005. + + [RFC4389] Thaler, D., Talwar, M., and C. Patel, "Neighbor + Discovery Proxies (ND Proxy)", RFC 4389, April 2006. + + [RFC4472] Durand, A., Ihren, J., and P. Savola, "Operational + Considerations and Issues with IPv6 DNS", RFC 4472, + April 2006. + + [RFC4864] Van de Velde, G., Hain, T., Droms, R., Carpenter, B., + and E. Klein, "Local Network Protection for IPv6", + RFC 4864, May 2007. + + [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for + Filtering ICMPv6 Messages in Firewalls", RFC 4890, + May 2007. + + [RFC4966] Aoun, C. and E. Davies, "Reasons to Move NAT-PT to + Historic Status", RFC 4966, July 2007. + + [SCAN-IMP] Chown, T., "IPv6 Implications for Network Scanning", + Work in Progress, March 2007. + + [SIXNET] 6Net, "Large Scale International IPv6 Pilot Network", + EU Information Society Technologies Project , 2005, + <http://www.6net.org/>. + + [TCGARCH] The Trusted Computing Group, "TCG Specification + Architecture Overview", April 2004, <https:// + www.trustedcomputinggroup.org/groups/ + TCG_1_0_Architecture_Overview.pdf>. + + [VRRP] Hinden, R. and J. Cruz, "Virtual Router Redundancy + Protocol for IPv6", Work in Progress, March 2007. + + + + + + + + + + + + + +Davies, et al. Informational [Page 36] + +RFC 4942 IPv6 Security Overview September 2007 + + +Appendix A. IPv6 Probing/Mapping Considerations + + One school of thought wanted the IPv6 numbering topology (either at + network or node level) to match IPv4 as exactly as possible, whereas + others see IPv6 as giving more flexibility to the address plans, not + wanting to constrain the design of IPv6 addressing. Mirroring the + address plans is now generally seen as a security threat because an + IPv6 deployment may have different security properties from IPv4. + + Given the relatively immature state of IPv6 network security, if an + attacker knows the IPv4 address of the node and believes it to be + dual-stacked with IPv4 and IPv6, he might want to try to probe the + corresponding IPv6 address, based on the assumption that the security + defenses might be lower. This might be the case particularly for + nodes which are behind a NAT in IPv4, but globally addressable in + IPv6. Naturally, this is not a concern if similar and adequate + security policies are in place. + + On the other hand, brute-force scanning or probing of addresses is + computationally infeasible due to the large search space of interface + identifiers on most IPv6 subnets (somewhat less than 64 bits wide, + depending on how identifiers are chosen), always provided that + identifiers are chosen at random out of the available space, as + discussed in [SCAN-IMP]. + + For example, automatic tunneling mechanisms typically use + deterministic methods for generating IPv6 addresses, so probing/ + port-scanning an IPv6 node is simplified. The IPv4 address is + embedded at least in 6to4, Teredo, and ISATAP addresses. + Additionally, it is possible (in the case of 6to4 in particular) to + learn the address behind the prefix; for example, Microsoft 6to4 + implementation uses the address 2002:V4ADDR::V4ADDR while older Linux + and FreeBSD implementations default to 2002:V4ADDR::1. This could + also be used as one way to identify an implementation and hence + target any specific weaknesses. + + One proposal has been to randomize the addresses or subnet identifier + in the address of the 6to4 router. This does not really help, as the + 6to4 router (whether a host or a router) will return an ICMPv6 Hop + Limit Exceeded message, revealing the IP address. Hosts behind the + 6to4 router can use methods such as privacy addresses [RFC4941] to + conceal themselves, provided that they are not meant to be reachable + by sessions started from elsewhere; they would still require a + globally accessible static address if they wish to receive + communications initiated elsewhere. + + + + + + +Davies, et al. Informational [Page 37] + +RFC 4942 IPv6 Security Overview September 2007 + + + To conclude, it seems that when an automatic tunneling mechanism is + being used, given an IPv4 address, the corresponding IPv6 address + could possibly be guessed with relative ease. This has significant + implications if the IPv6 security policy is less adequate than that + for IPv4. + +Appendix B. IPv6 Privacy Considerations + + The generation of IPv6 addresses from MAC addresses potentially + allows the behavior of users to be tracked in a way which may + infringe their privacy. [RFC4941] specifies mechanisms which can be + used to reduce the risk of infringement. It has also been claimed + that IPv6 harms the privacy of the user, either by exposing the MAC + address, or by exposing the number of nodes connected to a site. + + Additional discussion of privacy issues can be found in [RFC4864]. + +B.1. Exposing MAC Addresses + + Using stateless address autoconfiguration results in the MAC address + being incorporated in an EUI64 that exposes the model of network + card. The concern has been that a user might not want to expose the + details of the system to outsiders, e.g., fearing a resulting + burglary if a thief identifies expensive equipment from the vendor + identifier embedded in MAC addresses, or allowing the type of + equipment in use to be identified, thus facilitating an attack on + specific security weaknesses. + + In most cases, this seems completely unfounded. First, such an + address must be learned somehow -- this is a non-trivial process; the + addresses are visible, e.g., in Web site access logs, but the chances + that a random Web site owner is collecting this kind of information + (or whether it would be of any use) are quite slim. Being able to + eavesdrop the traffic to learn such addresses (e.g., by the + compromise of DSL (Digital Subscriber Line) or Cable modem physical + media) seems also quite far-fetched. Further, using statically + configured interface identifiers or privacy addresses [RFC4941] for + such purposes is straightforward if worried about the risk. Second, + the burglar would have to be able to map the IP address to the + physical location; typically this would only be possible with + information from the private customer database of the Internet + Service Provider (ISP) and, for large sites, the administrative + records of the site, although some physical address information may + be available from the WHOIS database of Internet registries. + + + + + + + +Davies, et al. Informational [Page 38] + +RFC 4942 IPv6 Security Overview September 2007 + + +B.2. Exposing Multiple Devices + + Another concern that has been aired involves the user wanting to + conceal the presence of a large number of computers or other devices + connected to a network; NAT can "hide" all this equipment behind a + single address, but it is not perfect either [FNAT]. + + One practical reason why some administrators may find this desirable + is being able to thwart certain ISPs' business models. These models + require payment based on the number of connected computers, rather + than the connectivity as a whole. + + Similar feasibility issues as described above apply. To a degree, + the number of machines present could be obscured by the sufficiently + frequent reuse of privacy addresses [RFC4941] -- that is, if during a + short period, dozens of generated addresses seem to be in use, it's + difficult to estimate whether they are generated by just one host or + multiple hosts. + +B.3. Exposing the Site by a Stable Prefix + + When an ISP provides IPv6 connectivity to its customers, including + home or consumer users, it delegates a fixed global routing prefix + (usually a /48) to them. This is in contrast to the typical IPv4 + situation where home users typically receive a dynamically allocated + address that may be stable only for a period of hours. + + Due to this fixed allocation, it is easier to correlate the global + routing prefix to a network site. With consumer users, this + correlation leads to a privacy issue, since a site is often + equivalent to an individual or a family in such a case. Consequently + some users might be concerned about being able to be tracked based on + their /48 allocation if it is static [RFC4941]. On the other hand, + many users may find having a static allocation desirable as it allows + them to offer services hosted in their network more easily. + + This situation is not affected even if a user changes his/her + interface ID or subnet ID, because malicious users can still discover + this binding. On larger sites, the situation can be mitigated by + using "untraceable" IPv6 addresses as described in [RFC4864], and it + is possible that in the future ISPs might be prepared to offer + untraceable addresses to their consumer customers to minimize the + privacy issues. + + This privacy issue is common to both IPv4 and IPv6 and is inherent in + the use of IP addresses as both identifiers for node interfaces and + locators for the nodes. + + + + +Davies, et al. Informational [Page 39] + +RFC 4942 IPv6 Security Overview September 2007 + + +Authors' Addresses + + Elwyn B. Davies + Consultant + Soham, Cambs + UK + + Phone: +44 7889 488 335 + EMail: elwynd@dial.pipex.com + + + Suresh Krishnan + Ericsson + 8400 Decarie Blvd. + Town of Mount Royal, QC H4P 2N2 + Canada + + Phone: +1 514-345-7900 + EMail: suresh.krishnan@ericsson.com + + + Pekka Savola + CSC/Funet + + EMail: psavola@funet.fi + + + + + + + + + + + + + + + + + + + + + + + + + + +Davies, et al. Informational [Page 40] + +RFC 4942 IPv6 Security Overview September 2007 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2007). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + + + + + + + + + + + +Davies, et al. Informational [Page 41] + |