IPSec in IPv6

This paper describes what IPSec is and why it matters, why IPv6 is often claimed to be more secure than IPv4, and briefly covers IPv6's other features; it then argues that IPv6 should be placed on the same level as IPv4 when it comes to security. The paper also presents some new threats introduced by IPv6, in addition to the common threats such as DoS attacks, flooding, man-in-the-middle (MITM) attacks, application-layer attacks and rogue-device attacks that are prevalent in IP networks even where IPSec is used.
1) What is IPSec?
IPSec is a suite of Internet security protocols that operates at the network layer (Layer 3 in the OSI model, the Internet layer in TCP/IP) to protect traffic from unauthorized parties. It provides the following services between the sending and receiving ends:
Origin authentication (AH, and ESP with authentication enabled) – the receiver verifies that a packet really came from the claimed sender.
Data confidentiality (ESP) – the payload is encrypted before it is sent to the receiver.
Data integrity (AH and ESP) – an integrity check value (ICV) computed over the packet lets the receiver detect any modification in transit before it processes the data. The SPI (Security Parameter Index) is not a service in itself; it is the field in the AH/ESP header that selects the security association, that is, the keys and algorithms to apply.
The diagram below shows the fields in the IPSec architecture.
IPSec is the effort to provide security at the Internet layer using the mechanisms shown above. Because the Internet layer is common to every upper-layer protocol, it is the layer an attacker is most likely to target in order to gain control of the network or to sniff upper-layer traffic. The layout of the TCP/IP stack therefore makes the IP layer especially important, and securing it (the network layer) the first priority for any organization's network.
2) Why do we need IPv6?
IPv4 has been in use for many years, and the websites we see today are addressed using the IPv4 allocation scheme. As the number of hosts on the Internet kept growing, the IPv4 scheme could no longer supply addresses as expected, so an addressing scheme was needed that could provide many more addresses without being exhausted.
The original IPv4 address is 32 bits long, divided into four octets of eight bits each, and was originally allocated using a classful scheme (classes A through E). The figure below shows the IPv4 structure:
A.B.C.D -> where A, B, C and D are each an 8-bit octet, and each bit has the value 0 or 1
This gives a maximum address space of 2^32 addresses.
An IPv6 address, by contrast, is 128 bits long, each bit again being 0 or 1, which gives 2^128 (about 3.4×10^38) addresses: enough to give every person on earth not merely ten addresses but many orders of magnitude more.
This was necessary, of course, because the pool of public IPv4 addresses is nearly exhausted.
3) Is IPv6 more secure than IPv4?
Another claim made for IPv6, as drafted in the IETF specifications, is that it offers better security than its predecessor. Let us look at what experts have said about IPv6 in terms of security.
“IPv6 mandates the inclusion of IP Security (IPSec), it has often been stated that IPv6 is more secure than IPv4”
The following statement contradicts this and rules out the idea that IPSec is a mandatory part of IPv6:
“IPSec was a required element in 1995 draft of IPv6 which was then dropped during revised draft in 1998”
The argument usually given for not mandating IPSec is its per-packet cryptographic overhead: the extra latency and CPU cost are poorly tolerated by real-time applications such as VoIP and video conferencing. Whatever the reason, leaving IPSec optional puts IPv6 in the same category as IPv4 in terms of security.
The two statements above remain a point of argument, and it cannot be settled here whether IPSec is compulsory in IPv6 or not. The overhead argument, however, is a practical limit on any mandatory use of IPSec, and I think it reflects the real situation: a network administrator who wants an efficient, working network will apply IPSec selectively.
4) Why IPv6 is considered to be better than IPv4?
IPv4 has been something of a nightmare when it comes to the number of addresses available and their management. The newer IP protocol addresses this limit very neatly, offering a very large number of network and host addresses.
An IPv6 address is 128 bits long; in the common /64 layout the high 64 bits identify the subnet and the low 64 bits the interface. The total space is about 3.4×10^38 addresses, which gives every person on earth vastly more than ten addresses each, whereas the pool of public IPv4 addresses has nearly come to an end.
Implementing IPv6 also reduces the address-management burden on the administrator, since hosts can automatically configure their own addresses based on the type of connectivity. There are further advantages: IPv6 provides better Quality of Service (QoS) support, it helps with multicasting, and it significantly reduces the number of fields in the IP header, simplifying the protocol. However the basic need of today's IP infrastructure is security, since so many transactions take place online; it is because of security concerns that many users hesitate to buy or do business online. One of the advantages listed for IPv6 when the new address format was rolled out was precisely that it has better security than its predecessor IPv4.
4.1) In terms of Security
NAT, or Network Address Translation, is performed by an edge device that connects an organization to the Internet. It rewrites the organization's private addresses into public ones, as shown in figure-3 below. NAT is widely used in IPv4 environments where addresses must be conserved because of the shortage in the public domain. However the presence of a NAT device limits the protection available to the organization, because end-to-end security mechanisms such as IPSec cannot be employed effectively across it: the NAT rewrites the IP header of every packet travelling to and from the private network, so any protection that covers the header (such as AH) fails verification at the far end, and even ESP is affected, as described below.
As DeNardis states in her paper, the absence of NAT facilitates the use of end-to-end security mechanisms like encryption.
This statement reflects the way IPv6 hosts can acquire their addresses automatically and the practically inexhaustible pool of public addresses, which together make real end-to-end communication possible. The advantage of this form of communication is that a real end-to-end security mechanism like encryption can be employed, and implementing IPSec in such an environment gives the benefit of authentication, confidentiality and integrity. This is unlike IPv4, where NAT devices play a vital role in organizations' networks in order to conserve the limited number of public addresses.
NAT is fine when it comes to managing IP addresses, but the problem is that it compromises security for the end users. Packets leaving the private network for the public network pass through the NAT device, which alters the source IP address in the IP header. This makes IPSec largely ineffective: AH fails because its integrity check covers the source and destination addresses, so the receiver detects the changed address and discards the packet; ESP in transport mode fails because the protected TCP/UDP checksum covers the original addresses; and a NAT cannot forward ESP tunnel-mode packets properly because they carry no port numbers for it to translate. There are workarounds, namely NAT-T (UDP encapsulation of ESP, RFC 3948) and NAT-D (the NAT-discovery exchange in IKE that detects a NAT on the path), which allow IPSec to protect packets in the presence of NAT.
Looked at from this angle, IPv6 seems to have an edge over IPv4 if it includes IPSec compulsorily. A closer look at modern applications such as VoIP and video conferencing, however, shows that they would not be as successful as they are on today's networks, which do not use IPSec, because IPSec adds delay to every packet. The point worth noting is that securing the network and serving real-time applications pull in opposite directions: some security or some real-time performance has to be sacrificed. Since end-to-end communication becomes possible in IPv6, security mechanisms and real-time applications can coexist, but this does not guarantee better security. This argument supports DeNardis's statement that IPSec is an optional element of IPv6. (The term real-time application here means an application that tolerates no delay.)
IPSec, which was developed alongside the IPv6 drafts, is carried in IPv6 extension headers rather than in the base header, making services such as authentication and encapsulation available. The extension header chain can contain an Authentication Header (AH, next-header value 51) and an Encapsulating Security Payload (ESP, next-header value 50), which protect the upper-layer protocols. In the initial IPv6 draft AH and ESP were considered mandatory, but in the revised draft of 1998 [8] their inclusion was made optional. Nevertheless, the best practice of building security into networks makes IPv6 more secure in practice. Although incorporating security into end-to-end communication has some disadvantages for applications that require real-time delivery, it is still better than using a NAT device, which renders the security mechanism ineffective.
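As an added example (not code from this paper or from any IPSec implementation), the following Python builds an IPv6 packet carrying the AH extension header just described, computes the ICV the way RFC 4302 prescribes (HMAC-SHA1-96 as in RFC 2404, with the mutable fields zeroed), and then shows why the NAT problem of the previous section arises: a router decrementing the hop limit is tolerated by the receiver, while a NAT rewriting the source address is not. The addresses, key and payload are constructed, and the router and NAT functions are simplified stand-ins for what those devices do to the header.

```python
"""IPv6 + AH (HMAC-SHA1-96) built by hand, then passed through a router and a NAT.
Added example with constructed addresses, key and payload; not code from the page."""
import hashlib
import hmac
import ipaddress
import struct

AH = 51            # IPv6 next-header value for the Authentication Header
ICMPV6 = 58        # next header carried inside AH in this example
ICV_LEN = 12       # HMAC-SHA1-96 truncates the MAC to 96 bits (RFC 2404)
AH_FIXED = 12      # next hdr, payload len, reserved, SPI, sequence number
KEY = bytes(range(20))   # constructed 160-bit shared key (never hard-code real keys)


def ipv6_header(src: str, dst: str, next_header: int, payload_len: int, hop_limit: int = 64) -> bytes:
    # version 6, traffic class 0, flow label 0; 40 bytes in total
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 4302 section 2.2)
    words = (AH_FIXED + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, words, 0, spi, seq) + icv


def icv_input(ip6: bytes, ah: bytes, payload: bytes) -> bytes:
    """Mutable fields are zeroed before the MAC (RFC 4302 section 3.3.3.1.2):
    traffic class, flow label and hop limit in the base header, and the ICV
    field itself.  Payload length, next header and both addresses are covered."""
    base = bytes([ip6[0] & 0xF0]) + b"\x00\x00\x00" + ip6[4:7] + b"\x00" + ip6[8:40]
    ah_zeroed = ah[:AH_FIXED] + b"\x00" * (len(ah) - AH_FIXED)
    return base + ah_zeroed + payload


def compute_icv(ip6: bytes, ah: bytes, payload: bytes) -> bytes:
    return hmac.new(KEY, icv_input(ip6, ah, payload), hashlib.sha1).digest()[:ICV_LEN]


def build_packet(src: str, dst: str, payload: bytes, spi: int = 0x1000, seq: int = 1) -> bytes:
    ah_len = AH_FIXED + ICV_LEN           # 24 bytes, a multiple of 8 as IPv6 requires
    ip6 = ipv6_header(src, dst, AH, ah_len + len(payload))
    ah = ah_header(ICMPV6, spi, seq, b"\x00" * ICV_LEN)
    icv = compute_icv(ip6, ah, payload)
    return ip6 + ah[:AH_FIXED] + icv + payload


def verify_packet(pkt: bytes) -> bool:
    """Receiver side: locate AH, recompute the ICV and compare in constant time."""
    ip6, rest = pkt[:40], pkt[40:]
    if ip6[6] != AH:
        return False
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    received = ah[AH_FIXED:AH_FIXED + ICV_LEN]
    return hmac.compare_digest(compute_icv(ip6, ah, payload), received)


def router_hop(pkt: bytes) -> bytes:
    """What every router on the path does: decrement the hop limit (byte 7)."""
    return pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]


def nat_rewrite_source(pkt: bytes, public_src: str) -> bytes:
    """What a NAT does: replace the source address (bytes 8..23) and forward."""
    return pkt[:8] + ipaddress.IPv6Address(public_src).packed + pkt[24:]


if __name__ == "__main__":
    pkt = build_packet("2001:db8:1::10", "2001:db8:2::20", b"\x80\x00\x00\x00ping")
    print("as sent:       ", verify_packet(pkt))
    print("after a router:", verify_packet(router_hop(pkt)))
    print("after a NAT:   ", verify_packet(nat_rewrite_source(pkt, "2001:db8:ffff::1")))
```

The hop-limit change survives because AH deliberately excludes that field from the ICV; the address change does not, and no NAT can fix that without re-encapsulating the packet (which is what NAT-T does for ESP). The same construction with an IPv4 base header fails in the same way, which is the point of section 4.2 below: the mechanism, and its limitation, is identical in both protocols.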
4.2) Why IPv4 and IPv6 are equivalent when it comes to security?
The security mechanism designed for IPv6 is the same one that is used, optionally, with IPv4. Since neither protocol mandates IPSec in its basic infrastructure, neither can be considered superior to the other. Mandatory inclusion of IPSec in IPv6 would have made it better than IPv4, but that is not the case: IPSec remains optional, to be applied according to the security policy of the organization.
As DeNardis states in her paper Exposing IPv6 Security, if IPSec is the element that improves the security of IPv6, then IPv4 has the same security mechanism available, and hence both should be treated as equivalent.
With reference to  and , the implementation of IPSec is the same in both protocols. The Authentication Header (AH) and Encapsulating Security Payload (ESP) are the basic building blocks of IPSec and can be used equally with IPv4 and IPv6, in either Transport Mode or Tunnel Mode. The details of implementation are outside the scope of this paper; see RFC 2401 (the IPSec architecture, which defines the two modes), RFC 2402 (AH) and RFC 2406 (ESP).
From what has been discussed so far it can be concluded that IPv6 is not more secure than IPv4; in fact its new architecture carries the risk of some newer threats, which can make it less secure in practice. The Internet Protocol has long been prone to attacks such as denial of service, spoofing, flooding and man-in-the-middle (MITM), and IPv6 can invite some new attacks in addition to these.
Sean Convery and Darrin Miller, in their paper IPv4 and IPv6 Threat Comparison and Best Practice Evaluation (v1.0), identified the following threat categories and examined how IPv6 changes them:
· Reconnaissance
· Unauthorized access
· Header manipulation and fragmentation
· Layer 3 and Layer 4 spoofing
· ARP and DHCP attacks
· Broadcast amplification attacks
· Routing attacks
· Viruses and worms
Discussing every threat would exceed the scope of this paper, so the remaining sections discuss some of the important ones, reconnaissance and viruses and worms, and what impact the differences between the two technologies have on these attacks.
5) Reconnaissance
Literally, reconnaissance means gathering as much information as possible about a target; in networking terms it is the passive phase of an attack in which the attacker learns the organization's network infrastructure. It is the first step of any active attack such as DoS or MITM: the attacker searches for live hosts and open ports in the network.
In IPv4 a class-C-sized (/24) subnet has only 254 host addresses to scan, so a ping sweep identifies the live hosts in a matter of seconds (around 30 seconds in the author's estimate); the attacker can then port-scan those hosts and use a compromised host's ARP cache to learn more about the network. Ping sweep tools such as NMAP identify live hosts easily, and the same echo requests can be sent at a high rate to flood a victim.
In IPv6 this brute-force approach becomes impractical because of the number of possible hosts in a subnet. With the standard /64 layout there are 2^64, about 1.8×10^19, possible interface identifiers per subnet; at a million probes per second a complete sweep would take over 500,000 years. Tools such as NMAP do support IPv6 addresses, but sweeping an entire /64 with them is not feasible.
Attackers, however, are smart enough to overcome this difficulty, and because of the way IPv6 is used in practice, live hosts can be identified by the following means.
1) Stateless autoconfiguration gives hosts EUI-64 addresses derived from their MAC address, such as FE80:0:0:0:202:B3FF:FE1E:8329, which nobody can remember. Administrators therefore give servers and routers hand-assigned, easy-to-remember addresses (low numbers such as ::1 and ::10, or hex words such as ...:0BAD or ...:DEAD:BEEF) and register them in DNS so that the network can be managed. An attacker can exploit both habits: a dictionary of such patterns, tried against the subnet or against DNS, quickly finds the hand-assigned hosts, and autoconfigured addresses embed the vendor OUI, so once the hardware vendor is known only the 2^24 device-specific bits remain to be guessed.
2) Most networks for years to come will be dual-stack, running IPv4 and IPv6 side by side, and administrators tend to reuse a single number for both, mapping the 32 bits of a host's IPv4 address into the last 32 bits of its IPv6 address. This makes address scanning much easier, because the IPv4 scan gives the IPv6 addresses for free.
3) Most importantly, IPv6 reserves well-known multicast addresses for key devices, such as all routers (FF05::2) and all DHCPv6 servers (FF05::1:3), which tells an attacker where the key devices in the network are. The attacker can then flood these groups with echo requests to choke the network, or attack the devices themselves to mount attacks such as route redirection.
An attacker uses these three properties of IPv6 addressing to gain information about the victim's network, and can also read a compromised host's Neighbor Discovery cache (populated by Neighbor Solicitation and Neighbor Advertisement exchanges, the IPv6 equivalent of the ARP cache) to learn about its neighbours. If the router is badly configured for security, other attacks such as denial of service (DoS) follow once the attacker knows the victim's network.
Reconnaissance is therefore harder to carry out in an IPv6 environment than in IPv4, but what matters is that it is still possible no matter how big the address space is, and in dual-stack deployments, which I think will be the norm for years to come, the network is even more exposed.
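As an added example (not code from this paper or from the Convery and Miller study), the following Python turns the three observations above into the candidate-target list an attacker would probe instead of brute-forcing the /64: low-numbered hand-assigned addresses, IPv4 addresses mapped into the low 32 bits, hex-word addresses, and EUI-64 addresses derived from a known vendor OUI. It also computes the brute-force figure quoted above. The prefix 2001:db8::/64, the IPv4 range, the OUI 00:02:b3 and the wordlist are constructed for illustration; the well-known multicast groups are the real IANA assignments.

```python
"""Candidate-target generation for an IPv6 /64, following the reconnaissance
patterns described above.  Added example with a constructed prefix, OUI,
IPv4 range and wordlist; not code from the page."""
import ipaddress
from typing import Iterable, List

# Well-known multicast groups that reveal infrastructure roles (RFC 4291 / RFC 3315)
KEY_MULTICAST_GROUPS = {
    "ff02::1": "all nodes (link-local)",
    "ff02::2": "all routers (link-local)",
    "ff05::2": "all routers (site-local)",
    "ff05::1:3": "all DHCPv6 servers (site-local)",
}


def brute_force_scan_years(bits: int = 64, probes_per_second: float = 1_000_000) -> float:
    """Years needed to probe every one of the 2**bits interface identifiers."""
    return (2 ** bits) / probes_per_second / (365 * 24 * 3600)


def _base(prefix: str) -> int:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this example assumes a /64 subnet")
    return int(net.network_address)


def low_number_candidates(prefix: str, count: int = 255) -> List[ipaddress.IPv6Address]:
    """Hand-assigned addresses such as ::1, ::2 ... (routers, servers, printers)."""
    base = _base(prefix)
    return [ipaddress.IPv6Address(base | n) for n in range(1, count + 1)]


def ipv4_mapped_candidates(prefix: str, ipv4_net: str) -> List[ipaddress.IPv6Address]:
    """Dual-stack habit: the host's IPv4 address reused as the low 32 bits."""
    base = _base(prefix)
    return [ipaddress.IPv6Address(base | int(h))
            for h in ipaddress.IPv4Network(ipv4_net).hosts()]


def wordlist_candidates(prefix: str, words: Iterable[str]) -> List[ipaddress.IPv6Address]:
    """Memorable hex words (dead:beef, cafe, 0bad ...) used as the interface identifier."""
    base = _base(prefix)
    return [ipaddress.IPv6Address(base | int(w.replace(":", ""), 16)) for w in words]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address (RFC 4291 appendix A): ff:fe inserted into the MAC, U/L bit flipped."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "")))
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(_base(prefix) | int.from_bytes(iid, "big"))


def eui64_candidates(prefix: str, oui: str, low24: Iterable[int]) -> List[ipaddress.IPv6Address]:
    """With the vendor OUI known, only the 2**24 device-specific bits remain to guess."""
    oui_hex = oui.replace(":", "")
    return [eui64_address(prefix, oui_hex + n.to_bytes(3, "big").hex()) for n in low24]


def candidate_targets(prefix: str, ipv4_net: str, words: Iterable[str],
                      oui: str, low24: Iterable[int]) -> List[ipaddress.IPv6Address]:
    """Union of all heuristics, deduplicated and sorted: the list a scanner probes
    instead of the 2**64 brute force."""
    candidates = (low_number_candidates(prefix) + ipv4_mapped_candidates(prefix, ipv4_net)
                  + wordlist_candidates(prefix, words) + eui64_candidates(prefix, oui, low24))
    return sorted(set(candidates))


if __name__ == "__main__":
    print(f"brute force of a /64 at 1M probes/s: {brute_force_scan_years():,.0f} years")
    targets = candidate_targets("2001:db8::/64", "192.0.2.0/28", ["dead:beef", "cafe", "0bad"],
                                "00:02:b3", range(0x1E8329 - 8, 0x1E8329 + 8))
    print(len(targets), "candidates, e.g.", ", ".join(str(a) for a in targets[:3]))
    for group, role in KEY_MULTICAST_GROUPS.items():
        print(f"{group:12} {role}")
```

The defensive reading is the same list in reverse: avoid predictable interface identifiers for infrastructure, do not mirror IPv4 host numbers into IPv6 addresses, and filter the site-local multicast groups at the network edge so that they cannot be used from outside to enumerate routers and DHCPv6 servers.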
6) Viruses and Worms
Viruses are not affected at all by the move to IPv6, whereas worms find it harder to locate live hosts and open ports, so IPv6 comes out better when it comes to worms. A traditional virus does not care which protocol is used at layer 3, since it can be packed into an email and sent to any valid host address.
This kind of threat is therefore the same as in IPv4. What is worth noting is that, since administrators will be reluctant to deploy NAT devices and other centrally managed devices such as DHCP servers in IPv6 networks, it becomes harder to implement security controls for the organization as a whole, which is a concern for users who have no antivirus software on their laptops or personal computers. The advantage of IPv6 is that worms find it harder to propagate; the downside is that key devices such as routers are easily identifiable from their IPv6 addresses, so attackers will make every effort to target those devices with worms, causing significant network downtime.
7) Conclusion
Having discussed what IPSec is, what leads vendors to say that IPv6 is better than IPv4 in terms of security, and the various loopholes in IPv6 deployments and the threats that come with the new technology, the question of what impact it will have on most networks remains open. From what has been discussed in this paper, I would say that IPv6 is not as good a technology as it is popularized to be when the term security is attached to it. The key threats presented here were threats in IPv4 as well; the technology differences merely make some of them easier to carry out and others harder.
This is only the beginning of IPv6 deployment, yet there are a remarkable number of concerns that need consideration and that were not given importance when IPv6 was drafted as IPng (later known as IPv6) in the 1995 draft specification. IPSec does provide the security mechanism employed in both Internet protocols, but it cannot be considered the driving reason for deploying IPv6, since it is equally available in IPv4. The only clear security advantage of IPv6 is that scanning for live hosts becomes more difficult, though not impossible; the rest of an attack against a victim remains almost the same, and hence both protocols deserve equal respect when security is in question.
The security of an IPv6 network remains in the hands of the administrator and depends on his or her experience in configuring secure networks. For the time being, and for some years to come, running IPv4 and IPv6 in dual-stack mode will be the better option. The real advantage of IPv6 will only be seen when it is deployed globally, with the hope that no new software emerges that could defeat IPv6 networks. Much will rest on how the end user chooses to implement security.
