Are you ready for your 18 quintillion new IPv6 neighbors?
By David Goodrum
Federal Sales Manager, NFR Security
One of the great benefits of IPv6 is also one of its biggest security
problems. In IPv4, the total number of addresses is around 4 billion.
Most people in the industry already understand that there is a terrible
shortfall of IP address space in the world, and have been told that IPv6
solves this problem. But they may not understand how completely this
problem has been solved, or the ramifications of this solution for
security.
Bigger is Better
In IPv6, the total number of addresses is 340 billion billion billion
billion. Or more specifically, 340,282,366,920,938,463,463,374,607,431,768,211,456
addresses. That means we don’t have to worry about running out
of IP addresses ever again… at least, not for a long time…
maybe when we populate another solar system (there are plenty of addresses
for every planet in our solar system). What we specifically want to discuss
is how this affects subnetting. With IPv6, the smallest address space
you can have is almost four billion times larger than the entire IPv4
address space (a little over 18 quintillion addresses just for a home
user)! It is calculated as 2^64.
But most people truly have almost no concept of how big 18 quintillion
is. So, let me give you a few examples. Let’s say that a single
IP address is represented by one inch (about 2.5mm) on my ruler. How many
IP addresses do I need to get to the moon and back?
Answer: 15 billion (15,124,792,320) addresses. Seems like a lot, right?
That’s about three times more addresses than we have in the entire
IPv4 address space.
Let’s subtract that from my pool of addresses available in the network
in my basement. How many do I have left?
  18,446,744,073,709,551,616
-             15,124,792,320
  18,446,744,058,583,759,296
Wow, I still have over 18 quintillion left… I didn’t even
make a dent. Well, how about if I take that ruler and stretch it from
the Sun to Pluto? Surely that will make a dent.
  18,446,744,073,709,500,000
-        232,534,368,000,000
  18,446,511,539,341,500,000
Still 18 quintillion left.
Get the picture yet? It’s bigger than most people can imagine.
The closest star (besides the Sun) is about four light years away. If
we convert that to inches, it’s only about 1.5 quintillion inches,
still leaving us plenty… and that’s just a single
subnet. So, for most people this simply means we won’t run out of
addresses again. But what is the impact on security?
The Good
A great security side effect of this is that it will be much more difficult
for hackers and worms to spread through the network. Today, the first
thing a hacker or worm will do is scan your network for “up”
hosts to attack. That’s fine when people have their networks divided
into address spaces that are usually around 255 hosts. I can scan 255
hosts in a few seconds. But with IPv6, it will take a LOOOONG time to
scan the potential range of addresses on a given network. It will be hard
for hackers and worms to find their next victim. And they will be easy
to spot when they do start to look. Can you imagine Nmap in sneaky (or
even paranoid!) mode trying to scan your local area network? Hackers could
map a network relatively undetected by just doing things slow and low
in the world of IPv4. About 255 hosts in sneaky mode would take just over
an hour. But in the world of IPv6, it would take almost nine trillion
years in sneaky mode (scanning one host every 15 seconds). Nmap in insane
mode (every 0.3 seconds) would still take 175 billion years to complete.
Let’s say we could scan 1,000 addresses every second. That’s
still about 58 million years to scan every possible address on your network.
It’s a completely different world.
There are, however, a number of papers on IPv6 worm propagation that
outline how worms can successfully map a network through tools such as
neighbor discovery tables (similar to ARP), querying routing tables, and
other techniques. This makes “The Good” not as good as most
hope it to be.
The Bad
This same security advantage is also a disadvantage. It will be hard for
security engineers to find vulnerable or rogue hosts on their network. Often,
security engineers sit back in a remote part of the network with a scanning
box that scans the address space for hosts. This scan can tell them when
they’ve got rogue machines on the network, and what vulnerabilities
those machines might have. There are companies today that scan their network on
an hourly basis looking for vulnerabilities. In the IPv6 world, this scan
is basically impossible. Repeated scanning of known hosts for new vulnerabilities
will work to some degree, but new hosts and rogues on the network can
hide from active scanners virtually forever. The window of opportunity
for the rogue or vulnerable host becomes a very big window.
And this has an impact on more than just security. Network discovery
and management in general goes out the window. There are many products
today whose modus operandi will simply not work in IPv6. Active
scanning will have to be replaced by active listening and dynamic response.
The Ugly
The ugly is actually not that ugly. It’s painful, but the end result
will be a more dynamic vulnerability assessment system that produces
more secure networks. One solution is to deploy passive listeners across
the network, watching for new IPv6 addresses to pop up,
and then either passively assess the host or trigger an IPv6 scan from
an active scanning system. Passive scanning is a much more dynamic technique
than active scanning (there is no wait time between scans when a rogue or vulnerable
system is discovered). The hard part is that, for most tools, the integration
needed to trigger the scan still has to be built. Gone are the days of installing
Nessus on a box in the corner of your network and letting it scan all
your subnets. You must have these “probes” deployed across
your entire network, listening in every nook and cranny. Unfortunately,
there are very few IPv6 passive scanners on the market today.
Fortunately, many people have IDS deployed across their networks, or
are thinking about deploying IDS/IPS across their networks. If that IDS/IPS
system is capable of monitoring IPv6, then you may already have the solution
in place. These IDS/IPS boxes can be the “probes” for your
IPv6 scanning system, triggering the active scan from the Nessus box which
still sits in the corner of your network. It is possible to configure
NFR’s Sentivist IDS/IPS devices to alert when new IPv6 hosts are
found on the network, reducing the need to scan the entire network range
to find new/vulnerable hosts. It is also possible to kick off a third
party product to scan the new host.
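The probe idea above, as an added example that is not part of the original article or any NFR product: a Python sketch that reads a segment's IPv6 neighbor cache (the constructed sample below mimics the `ip -6 neigh show` output format, using documentation-range addresses and made-up MACs), drops entries that never resolved to a link-layer address, diffs the rest against a known-host inventory, and emits scan requests only for the newcomers instead of sweeping 2^64 addresses.

```python
import ipaddress
import re

# Constructed sample in the format printed by `ip -6 neigh show`; addresses
# are from the 2001:db8::/32 documentation range and the MACs are made up.
SAMPLE_NEIGH_TABLE = """\
fe80::5054:ff:fe12:3456 dev eth0 lladdr 52:54:00:12:34:56 router REACHABLE
2001:db8:1::10 dev eth0 lladdr 52:54:00:aa:bb:01 STALE
2001:db8:1::beef dev eth0 lladdr 52:54:00:aa:bb:02 REACHABLE
2001:db8:1::77 dev eth0  FAILED
fe80::5054:ff:feaa:bb02 dev eth0 lladdr 52:54:00:aa:bb:02 DELAY
"""

# Hosts the assessment system already knows about (constructed inventory).
KNOWN_HOSTS = {"2001:db8:1::10", "fe80::5054:ff:fe12:3456"}

_ENTRY = re.compile(
    r"^(?P<addr>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))?"
    r"(?: router)?\s+(?P<state>[A-Z]+)$"
)

def parse_neigh_table(text):
    """Return (addr, dev, mac, state) for every entry that resolved to a MAC."""
    hosts = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        # FAILED/INCOMPLETE entries have no lladdr: nobody answered the
        # neighbor solicitation, so they are not evidence of a live host.
        if not m or m.group("mac") is None:
            continue
        addr = str(ipaddress.IPv6Address(m.group("addr")))  # canonical form
        hosts.append((addr, m.group("dev"), m.group("mac"), m.group("state")))
    return hosts

def new_hosts(text, known):
    """Diff observed hosts against the inventory and return scan requests."""
    requests = []
    for addr, dev, mac, state in parse_neigh_table(text):
        if addr in known:
            continue
        # A link-local-only host can only be reached by a scanner on the
        # same segment, so record the scope with the request.
        scope = "link-local" if ipaddress.IPv6Address(addr).is_link_local else "global"
        requests.append({"target": addr, "dev": dev, "mac": mac, "scope": scope, "state": state})
    return requests

if __name__ == "__main__":
    for r in new_hosts(SAMPLE_NEIGH_TABLE, KNOWN_HOSTS):
        print(f"new {r['scope']} host {r['target']} on {r['dev']} (mac {r['mac']}, {r['state']}): queue an IPv6 scan")
```

In a real deployment the sample text would be replaced by the live neighbor cache of each probe, and the inventory would persist between runs so the same host is not queued twice.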
Unfortunately, most scanning tools (other than basic port scanners)
do not support IPv6 yet. Nmap now supports IPv6, and other vulnerability
scanning tools capable of supporting IPv6 are soon to follow. The scary
thing is, most people don’t think they need to worry about IPv6
security, because they don’t think they have IPv6 on their network.
But if you don’t scan for it, how do you know it’s not there?