6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

Security Analysis of IPv6 Networks
By Adam Stein
Mu Security, Vice President of Marketing

Many manufacturers, government bureaus, Department of Defense critical assets and infrastructure agencies are converting proprietary systems to IP-based networks. This transition from homogeneous IPv4 networks or SCADA networks to mixed IPv4 and IPv6 networks exposes a much larger attack surface. The attack surface becomes more complex with diverse IT systems, SCADA control systems, weapon platforms, or combat systems. Additionally, software bugs that were once isolated in proprietary networks become exploitable vulnerabilities once exposed to an open IP network. This problem requires a methodical and repeatable analysis, including a Security Analyzer system to document and isolate vulnerabilities before they are exploited.

As a new protocol stack, IPv6 is exposed to vulnerabilities similar to those in IPv4 as well as others unique to IPv6. Being first to market with a Security Analysis system capable of evaluating IPv4 and/or IPv6 is a significant advantage for any vulnerability assessment, penetration testing or fuzzing product. As IPv6 becomes a requirement for government infrastructure in 2008 and a core part of Microsoft's Vista operating system, the market opportunities for Security Analyzers grow exponentially. Security Analyzers offer three immediate benefits to IPv6 systems and applications:

  • Problem: Structural issues with many type-length-value extension headers may be exploitable in IPv6.
  • Using Security Analyzers: Rapid identification and detailed auditing of IPv6 weaknesses prior to malicious exploits.
  • Problem: Fragmentation support in IPv6 opens up potential attack vectors.
  • Using Security Analyzers: Identification of both IPv4 and IPv6 fragment attacks.
  • Problem: IPv6 addresses contain many more semantics and a wider range of accepted variations than those of IPv4.
  • Using Security Analyzers: Automated parsing of structurally valid addresses in their proper context, over either multicast or unicast transport.
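
The first two problems in the list above are structural: a length field inside an extension header or a fragment that disagrees with the bytes actually present. The following added example (not code from the article or from any Mu Security product) walks the extension header chain of a raw IPv6 packet and reports such inconsistencies. It covers only the Hop-by-Hop, Routing, Fragment and Destination Options headers, and the sample packets are constructed for illustration.

```python
import struct

HOP, ROUTING, FRAGMENT, DEST, NO_NEXT = 0, 43, 44, 60, 59

def check_options(area):
    """Walk the TLV options of a Hop-by-Hop or Destination Options header."""
    i = 0
    while i < len(area):
        if area[i] == 0:                      # Pad1 is one byte with no length field
            i += 1
            continue
        if i + 2 > len(area):
            return ["option truncated before its length byte"]
        opt_len = area[i + 1]
        if i + 2 + opt_len > len(area):
            return [f"option type {area[i]} length {opt_len} overruns its header"]
        i += 2 + opt_len
    return []

def audit_packet(pkt):
    """Return the structural problems found in one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    payload_len, nxt = struct.unpack("!HB", pkt[4:7])
    end, off, problems = min(len(pkt), 40 + payload_len), 40, []
    while nxt in (HOP, ROUTING, FRAGMENT, DEST):
        # Fragment headers are always 8 bytes; the others carry a length in 8-byte units.
        size = 8 if nxt == FRAGMENT or off + 2 > end else (pkt[off + 1] + 1) * 8
        if off + size > end:
            problems.append(f"header {nxt} needs {size} bytes, past end of packet")
            break
        if nxt == HOP and off > 40:
            problems.append("Hop-by-Hop header is not first in the chain")
        if nxt in (HOP, DEST):
            problems += check_options(pkt[off + 2:off + size])
        if nxt == FRAGMENT and pkt[off + 3] & 1 and payload_len % 8:
            problems.append("non-final fragment length is not a multiple of 8")
        nxt, off = pkt[off], off + size
    return problems

def build(first_nh, payload):                 # constructed packet, zeroed addresses
    return struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + bytes(32) + payload

PAD = bytes([1, 4, 0, 0, 0, 0])               # one PadN option filling six bytes
SAMPLES = {                                   # constructed, not captured traffic
    "clean": build(DEST, bytes([NO_NEXT, 0]) + PAD),
    "tlv_overrun": build(DEST, bytes([NO_NEXT, 0, 5, 200, 0, 0, 0, 0])),
    "length_lie": build(HOP, bytes([NO_NEXT, 3]) + PAD),
    "odd_fragment": build(FRAGMENT, bytes([NO_NEXT, 0, 0, 1, 0, 0, 0, 1]) + b"abc"),
}
```

Calling `audit_packet` on each entry of `SAMPLES` returns an empty list for the clean packet and one finding for each malformed one.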

The shift to IPv6 will be gradual, so the bulk of new deployments will simultaneously support both versions of IP, using several migration schemes, each of which carries its own potential vulnerabilities. Since IPv6 is new, neither product developers nor end users have had time to learn best practices in programming and deployment in native and transitional environments. Also, defining and then minimizing IPv6’s attack surface is a formal method for quantifying the exposure of a connected system. Examining such a surface is simply a measure of exposure and not one of vulnerabilities. However, two aspects of attack surface, channels and protocols, are key in figuring out how to attack a system and where the failure points lie. Fortunately, Security Analyzers automate the examination of IPv6 product attack surfaces by identifying security and robustness exposures created by the lack of best practices and “vulnerability creep,” and help organizations find and expunge weaknesses in new IPv6 deployments. Analyzer Systems can also dynamically mutate all fields of the IPv6 header, all defined extension headers, ICMPv6, and different classes of addresses.

What’s behind IPv6’s Growth?
The primary goal of IPv6 was to vastly expand the number of addressable devices on the Internet. It became clear later that the growth driver behind increasing consumption of IP addresses was a global proliferation of mobile devices and expanded use of embedded systems. Current trends project exhaustion of the primary IANA IPv4 address pool in the 2009 to 2011 timeframe, causing many organizations to accelerate plans for IPv6 deployment. The U.S. Government, for example, has mandated that federal agencies deploy IPv6 in all federal backbones by 2008 – less than 12 months from today.

As the compliance deadline looms, deploying a Security Analyzer helps expedite a critical infrastructure operator’s ability to assess the potential impact to military and support operations that would result from the loss or compromise of IPv6-based infrastructure services. Infrastructure Analysis and Assessment, Remediation, Indications and Warning, Mitigation, Response, and Reconstitution are categories of activities that occur before, during, and after events that result in infrastructure compromise or disruption. Government end users also benefit from using Security Analyzers to embrace prudent business and operational planning practices to mitigate the potential impact of the loss or compromise of infrastructure services. As a result, they now provide Department Indications and Warning (I&W) to support national critical infrastructure protection.

Defining and Reducing the IPv6 Attack Surface
There are significant implications for securing IPv6 implementations. One issue is the alleged mandate for IPsec support. From a practical perspective, requiring IPsec will not ensure security because there is no scalable identity management infrastructure on which to deploy IPsec. The larger address space of IPv6 makes scanning certain IP prefixes more difficult than it is for IPv4. This property makes IPv6 more resistant to malicious traffic, but it also makes it more difficult to identify unlisted rogue malware machines that use distributed attacks and new spoofing techniques over IPv6.

Transition mechanisms for simultaneous support of IPv6 and IPv4 include dual stack, automatic tunneling, configured tunneling, proxying and translation. Each presents its own potential vulnerabilities, and devices that support multiple schemes may be exposed even if the end user has not configured all of them. Limited experience in programming for IPv6 could create incorrect protocol implementations, and since mobile and embedded devices implement these protocols in hardware or firmware, flawed IPv6 implementations will enable attacks against services comprising millions of new network endpoints. Using Security Analyzers in IPv6 deployments offers users a systematic and repeatable process to identify unknown and published vulnerabilities in any IP-based system, application, or network device, without requiring access to source code.
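
The point about address variations and transition schemes has a direct consequence for access control: a policy written against one spelling of an address, or against an IPv4 network only, can miss the same host reached through an IPv4-mapped, 6to4 or Teredo address. The following added example (not from the article) normalizes addresses with Python's standard `ipaddress` module before matching. The denied networks and sample addresses are constructed from documentation ranges, and `is_denied` is a hypothetical helper name.

```python
import ipaddress

def embedded_ipv4(addr):
    """IPv4 addresses that a transition scheme encodes inside an IPv6 address."""
    found = {}
    if addr.ipv4_mapped is not None:          # ::ffff:a.b.c.d
        found["ipv4-mapped"] = addr.ipv4_mapped
    if addr.sixtofour is not None:            # 2002:AABB:CCDD::/48
        found["6to4"] = addr.sixtofour
    if addr.teredo is not None:               # 2001:0000::/32, client is bit-inverted
        found["teredo-server"], found["teredo-client"] = addr.teredo
    return found

def is_denied(text, denied_v6, denied_v4):
    """True if the address, or any IPv4 address embedded in it, is in a denied network."""
    addr = ipaddress.IPv6Address(text)        # raises ValueError on malformed input
    if any(addr in net for net in denied_v6):
        return True
    return any(v4 in net
               for v4 in embedded_ipv4(addr).values()
               for net in denied_v4)

# Constructed policy and inputs (documentation prefixes only).
DENIED_V6 = [ipaddress.ip_network("2001:db8:bad::/48")]
DENIED_V4 = [ipaddress.ip_network("192.0.2.0/24")]
SAME_HOST_SPELLINGS = [
    "2001:db8:bad::1",
    "2001:0DB8:0BAD:0000:0000:0000:0000:0001",
    "2001:db8:bad:0::0:1",
]
TRANSITION_FORMS_OF_192_0_2_7 = [
    "::ffff:192.0.2.7",                       # IPv4-mapped, dotted-quad tail
    "0:0:0:0:0:FFFF:C000:0207",               # IPv4-mapped, all hex
    "2002:c000:207::1",                       # 6to4
    "2001:0:c633:6401::3fff:fdf8",            # Teredo, client address inverted
]
```

A string comparison against `"2001:db8:bad::1"` or `"192.0.2.7"` would catch only the first entry of each list, while `is_denied` matches every one.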


Adam Stein, Vice President of Marketing
Adam Stein is the Vice President of Marketing at Mu Security. Adam has over 20 years of marketing and category creation expertise focused primarily within the networking and security hardware, software and silicon markets. Adam has also led external marketing for Cisco Systems, Juniper Networks, Broadcom and Foundry Networks.