Although he acknowledges businesses have yet to embrace IPv6, security guru, Scott Hogg, says that doesn’t mean IT executives can ignore the security problems that the next generation Internet protocol can present. After all, he notes, operating systems such as Microsoft Vista and Linux are already IPv6 capable and thus any networks that use them might be handling IPv6 traffic without their operators’ knowledge. Hogg, who is also the coauthor of the Ciscoapproved IPv6 Security guidebook, talks to BRAD REED about steps network operators can take to ensure that they don’t inadvertently let the network get compromised by stealth IPv6 packets.
You say a lot of organisations may already have IPv6 running over their networks and not realise it. Can you give me an example of how this happens?
Scott Hogg (SH): Well it might happen if they have IPv6-capable hosts, meaning that maybe their own network doesn’t run IPv6 per se but that traffic can be tunnelled over IPv4 systems. If you have machines on your network that run Vista, then that would run both protocols at the same time. And even if your network isn’t using the IPv6 stack, there are ways to awaken the IPv6 stack. For instance, Windows XP systems can be configured to run IPv6, so a hacker can turn it on by infecting your machine with some worm that changes your settings.
Can you explain in greater detail what you mean by IPv6 traffic being “tunnelled” through IPv4 systems?
SH: Sure. Right now there aren’t nearly as many IPv6 addresses as there are IPv4 addresses. And the problem comes in when you need to get two IPv6 islands to talk to each other in an ocean of IPv4 networks. So the solution is that we encapsulate the IPv6 traffic inside what looks on the outside
like IPv4 traffic so it can be sent over IPv4 networks. The security implications of this come in if I have a simple firewall that just sees an IPv4 box and doesn’t parse it enough to see that there’s something else in there. The firewalls don’t look closely enough at encapsulated packets because the typical firewall today has nothing capable of opening up the capsule. Some vendors are starting to work together on this problem but they aren’t there yet.
What are some of the unique challenges in securing a dual-stack network that supports both IPv4 and IPv6?
SH: You’re twice as vulnerable because if you had a certain application that had security issues, then hackers could attack it with either IPv4 or IPv6. So if a hacker went after a system that was running two protocols they could get to either one. For instance, they could leverage one protocol for another by finding hosts that run IPv4 and then using IPv6 as a covert channel.
How do the security challenges of IPv6 networks differ from those of IPv4 networks?
SH: One key difference I’ve already mentioned is in the way IPv6 requires that we use migration techniques that can create tunnels hackers can exploit. The other area where IPv6 is different from IPv4 is that IPv6 packets use extension headers that were developed to improve performance by simplifying the packet header structure. Essentially IPv6 extension headers are optional headers that let you specify certain ways you want the packet to behave. You may want to route the packet through a certain path on the network, for example, or you might have a fragmentation header that breaks up the packet and then reassembles it. In IPv4 we had to have all those headers included in one single header but they’re optional in IPv6. And because they’re optional, security protocols need to parse a variable set of headers.
Finally, if a company came to you and asked you to help them make a checklist of things they would need to do before changing over to IPv6, what would you tell them?
SH: In a lot of ways it’s very similar to what they did to secure their IPv4 networks. They’ll want to secure the perimeter first. Then they’ll need to harden their network devices and make sure their routers and switches running IPv6 are hardened before turning on specific areas of their network. In general, their migration strategy should be going from the core on out. Use that same practice as securing IPv4 networks where you go from the core to the edges