Misconceptions can be dangerous. This is especially true when they lead to network insecurity.
In this post I’ll seek to set the record straight for several of the most common misconceptions about IPv6 security.
IPv6 is more/less secure than IPv4
There are two big misconceptions about IPv6 security:
- IPv6 is more secure than IPv4
- IPv6 is less secure than IPv4
Neither are true. Both assume that comparing IPv6 security with IPv4 security is meaningful. It is not.
Today’s networks, whether they have IPv6 deployed in them or not, are largely IPv6 compatible. All modern operating systems and network devices employ IPv6 dual-stacks, in which IPv6 is turned on by default. Even if you have not actively deployed IPv6, your networks still have the combined vulnerability surface of IPv4 and IPv6.
Therefore, comparing IPv4 security with IPv6 security is meaningless. They both have the vulnerabilities of IPv4 and IPv6. Every network should be secured for IPv4 and IPv6. Ideally, you should have done this well over a decade ago.
IPv6 is IPv4 with longer addresses
In network security, it is crucial not to underestimate the scale of risks. The most common misconception that I have heard in my twenty years of working with IPv6 is that IPv6 is IPv4 with longer addresses. It is not. IPv6 is vastly different from IPv4, often in complex and subtle ways. Sometimes, what is best practice in IPv4 is the opposite of best practice in IPv6.
It is not possible to list all the differences here. Instead, I will illustrate this using addressing. This is one area where superficially the difference between IPv4 and IPv6 appears obvious. However, not only are IPv6 addresses longer, they are also inherently different in attributes, types, structure and how they are used. For example:
- They have new attributes: length, scope and lifetimes.
- It is normal for IPv6 interfaces to have multiple addresses.
- IPv6 addresses can change over time.
- Multicast plays a crucial role in core IPv6 protocols.
- There are a vast number of methods for assigning interface identifiers (the bottom 64 bits).
- How IPv6 addresses are used and managed is hugely different.
- Global public addresses are normal.
This is only addressing. IPv6 has many other differences both in things we are familiar with in IPv4 and in completely new protocols and features. All of these have security implications; the biggest being that staff will not appreciate the differences, and therefore the need, to secure IPv6.
To give you a feel for the scope of the IPv6 vulnerability surface, I have included the figure below. Of course, it is not intended to compare IPv4 and IPv6 security (indeed IPv4 is included). However, it does illustrate that there are many new areas to consider, some of which are significant.
IPsec makes IPv6 more secure than IPv4
Internet Protocol Security (IPsec) was designed to provide network layer security (authentication and encryption). It was included as a mandatory feature in the IPv6 standards. Many believed, and some still believe, that this gives IPv6 an advantage over IPv4.
There are two reasons why this is not the case. Firstly, while including IPsec functionality in the IPv6 stack was mandatory, using IPsec is not mandatory. Secondly, IPv4 also has IPsec, so there is no difference. Or is there?
IPsec in IPv4 is often used for VPNs. These are terminated at the edge of networks. IPv4 IPsec is rarely used to secure end-to-end traffic. This is because of the widespread use of Network Address Translation in IPv4 (NAT44). NAT44 mangles the IPv4 headers and breaks IPsec. In IPv6 this restriction does not exist. Using IPsec end-to-end becomes more practical.
IPv6 is already facilitating new and innovative ways of using IPsec. We have clients who are using IPv6 IPsec to secure all traffic within their data centres. We also have clients who have deployed IPv6 to leverage IPsec based end-to-end security allowing them to decommission their existing VPN concentrators.
Address scanning is impossible in IPv6
The enormous number of IPv6 subnet addresses (264 = 18,446,744,073,709,551,616) is often thought to make it impossible for attackers to scan IPv6 subnets. There is some truth in this. To sequentially scan a gigabit ethernet subnet would take 491,351 years if there is no other traffic.
However, it is not impossible for an attacker to find addresses in a subnet, it is simply harder. How hard depends on the type of addresses that you are using and where the scanner is located.
If the network’s IPv6 addresses have a known structure, then scanning them becomes much easier. For example, some organizations number their hosts sequentially: for example, 1, 2, 3. This is the first sequence a scanner is likely to try.
Some base their IPv6 address structure on IPv4 addresses. This is not considered to be a good idea. From a security perspective, it makes address scanning as trivial as it is in an IPv4 network. Even networks that use modified EUI-64 addresses that are based on MAC addresses can be scanned if an attacker has enough prior information.
Today, the use of opaque static and privacy addresses can make remote IPv6 address scanning impractical. However, discovering addresses by other means may still be possible.
Estimating the time required to scan an IPv6 subnet: Length of Neighbour Solicitation frame (including the preamble and interframe gap) = 840 bits
Time to send Neighbour Solicitation on gigabit ethernet = 0.00000084 seconds
Time to transmit all 264 Neighbour Solicitation = 1.54953 x 1013 seconds
= 1.54953 x 1013/31536000 = 491351.6306 years
(Assumes that there is no other traffic on the subnet!)
No NAT makes IPv6 insecure
One of the most common misconceptions regarding IPv6 security is that the lack of NAT makes IPv6 less secure. NAT44 is often seen as a security feature in IPv4 networks. The use of public addresses in IPv6 and the restoration of end-to-end connectivity is of great concern to many IPv4 network administrators.
Confusing brokenness with security is a mistake. Firewalls can easily provide equivalent and better protection than NAT without breaking end-to-end connectivity. Ironically, NAT44 and its associated myriad of NAT-traversal techniques have many security issues of their own.
These are just a few of the most common misconceptions about IPv6 security. There are many more.
The key lessons are:
- Don’t underestimate the scale of the differences between IPv6 and IPv4.
- Your IPv4 networks need to be secured against IPv6 vulnerabilities.
- Your network and security staff need to be competent in IPv6 and in IPv6 security features.
- How IPv6 is deployed will influence how secure it is in practice.
For a longer introduction to IPv6 security threats and security features, watch my presentation at the UK IPv6 Council on IPv6 Security Fundamentals.
Dr David Holder is CEO and chief consultant at Erion Ltd. He has over twenty years’ experience providing IPv6 consultancy and training to enterprises and organizations around the world.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.