Security Implications of IPv6
@Enno_Insinuator
Enno Rey
#whoami
– Old-school networking guy, with focus on operations & security
– IPv6 since 1999.
– This slide deck is based on observations from IPv6 projects in a few complex EU-based organizations.
– See also similar contribution on NIST framework to Troopers 2019.
Agenda
– Dimensions of IP(v6)
– Security Implications
– Conclusions
Dimensions of IP(v6) Addresses
2001:db8:85a3:08d3:1319:8a2e:0370:7347::/64
‘Core dimension’ IP addresses identify entities (e.g. interfaces of systems) in the course of communication acts.
2nd dimension Specific systems, e.g. routers or firewalls, perform decisions based on IP addresses of other systems.
3rd dimension System processes or applications digest IP addresses to perform higher-level functions, e.g. write them to/read them from log files or databases, analyze them etc.
→ The latter two might be closely interrelated, namely when automation kicks in.
System Lifecycle
Helpers DNS, NTP, LDAP and the like
Protect it.
What do we have? Inventory
Which state is it in? Monitoring / Vuln Mgmt
Do it! Function
Bring it on. Provisioning
System
A Metaphor (Screenshot from Twitter)
The 3rd Dimension is Particularly Hard (I)
– IPv6 addresses have a different format
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 38:f9:d3:51:a1:e5
    inet6 fe80::14d2:d904:3d1b:c4f9%en0 prefixlen 64 secured scopeid 0xa
    inet6 2001:db8:7:e0a0:8ba:711d:1c29:aa9c prefixlen 64 detached autoconf secured
    inet6 2001:db8:7:e0a0:55ce:81b6:3f05:689 prefixlen 64 detached autoconf temporary
    inet6 2001:db8:7:3cd0:480:599d:f249:192 prefixlen 64 autoconf secured
    inet6 2001:db8:7:3cd0:35c1:e4b2:9de:7e08 prefixlen 64 autoconf temporary
    inet 10.136.58.42 netmask 0xfffffc00 broadcast 10.136.58.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
The 3rd Dimension is Particularly Hard (II)
– On one system (interface) there are multiple of them at the same time.
– Those are usually created in different ways, and they may serve different purposes.
– By design IPv6 addresses are considered somewhat ephemeral.
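The points above, applied to the ifconfig output from slide (I), as an added example that is not part of the original deck: a small Python parser that produces one inventory record per address instead of one per host. The record layout and the function name are assumptions made for illustration.

```python
import ipaddress
import re

# Output copied from the ifconfig slide above (macOS format).
IFCONFIG = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 38:f9:d3:51:a1:e5
    inet6 fe80::14d2:d904:3d1b:c4f9%en0 prefixlen 64 secured scopeid 0xa
    inet6 2001:db8:7:e0a0:8ba:711d:1c29:aa9c prefixlen 64 detached autoconf secured
    inet6 2001:db8:7:e0a0:55ce:81b6:3f05:689 prefixlen 64 detached autoconf temporary
    inet6 2001:db8:7:3cd0:480:599d:f249:192 prefixlen 64 autoconf secured
    inet6 2001:db8:7:3cd0:35c1:e4b2:9de:7e08 prefixlen 64 autoconf temporary
    inet 10.136.58.42 netmask 0xfffffc00 broadcast 10.136.58.255
    nd6 options=201<PERFORMNUD,DAD>
"""

# Only the address flags that appear in the sample output are recognised.
KNOWN_FLAGS = {"secured", "detached", "autoconf", "temporary"}


def parse_addresses(text):
    """Return one record per inet/inet6 line of ifconfig-style output."""
    records, iface = [], None
    for line in text.splitlines():
        header = re.match(r"^(\S+): flags=", line)
        if header:
            iface = header.group(1)
            continue
        fields = line.split()
        if not fields or fields[0] not in ("inet", "inet6"):
            continue
        # A link-local address carries a zone id ("%en0") that is not part
        # of the 128-bit address and must be stored separately.
        addr_text, _, zone = fields[1].partition("%")
        addr = ipaddress.ip_address(addr_text)
        flags = sorted(KNOWN_FLAGS.intersection(fields[2:]))
        records.append({
            "interface": iface,
            "family": addr.version,
            "address": addr.compressed,
            "zone": zone or None,
            "link_local": addr.is_link_local,
            "temporary": "temporary" in flags,
            "flags": flags,
        })
    return records
```

A data model keyed on "the IP address of the host" has to hold all six rows for this one interface, and the temporary ones will change over time.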
The 3rd Dimension is Particularly Hard (III)
Security Implications
IPv6
Analysis Approach
– NIST Cybersecurity framework as a basis
– Analyse all (sub-) categories with regard to the impact of IPv6
– Observe / generalize
Framework: Identify, Protect, Detect, Respond, Recover
https://www.nist.gov/cyberframework
General Observations
– In many functions/categories of the NIST Cybersecurity framework IP addresses are processed in one way or another.
  – In databases
  – For network-based security functions
  – In processes performed by humans → training & education needed.
A Closer Look | Identify
Adaption of databases or datamodels
– Wherever IP addresses are used to contribute to a function.
– In order to account for the different format of IPv6 addresses.
– Usually multiple IPv6 addresses co-exist on individual interfaces.
→ More information
Vulnerability management
– Will be heavily affected in most organizations.
– Sequential scanning of subnets doesn’t work anymore; systems might expose different vulnerabilities over IPv6 than over IPv4.
– Link-local connectivity might play a role, too.
→ More information
Threats & risk management
– Some sub-categories in the Identify function cover threats & risk management.
– Those have to consider IPv6, both with regard to IPv6-specific threats & risks and with regard to suppliers/the supply chain where IPv6 might also kick in.
→ More information
Is this an ‘IPv6 security issue’?
A Closer Look | Protect
Technical controls
– Many technical controls used to protect assets will have to be reviewed for their IPv6 capabilities.
– Their configuration (and maybe even the underlying architecture) might have to be adapted for IPv6.
Audit & logging
– Audit & logging is one of the sub-categories in Protect (see PR.PT-1) and this is a classic example of the above 3rd dimension of IP addresses (‘being processed by a system process or an application’) which might require (potentially complex) adaptions for IPv6.
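IPv4->IPv6, Implications (I)
Private IPv4
– Scope: Within organization / unit
– Security / Network Borders: Filtering performed? No
– Security / Functions: Special treatment needed? Yes
Global IPv6
– Scope: Internet
– Security / Network Borders: Filtering performed? Yes
– Security / Functions: Special treatment needed? No
v6-only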
RIPE 80
A Closer Look | Detect & Respond
Detection, analysis & correlation
– Detection, analysis and correlation methods might have to be modified/enhanced for IPv6.
IPv6-specific training
– IPv6-specific training of personnel performing tasks in the context of these functions will be needed.
Incident response & digital forensics
– Processes in the incident response and digital forensics context have to take different types of addresses, their intricacies (interfaces with multiple addresses of varying lifetimes) and the co-existence of different address families into account.
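One way to make log correlation aware of address format and address family, as an added example that is not part of the original deck: each source token is normalised to a canonical text form and grouped under a correlation key. The log lines and their layout are constructed, and using the /64 prefix as the key for global IPv6 addresses is an assumption (it is coarser than a single host); the addresses are those from the ifconfig slide.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events in the form "<source> <event>".
LOG_LINES = [
    "2001:db8:7:3cd0:480:599d:f249:192 login-failed",
    "2001:0DB8:0007:3CD0:0480:599D:F249:0192 login-failed",  # same address, other spelling
    "2001:db8:7:3cd0:35c1:e4b2:9de:7e08 login-failed",       # temporary address, same /64
    "::ffff:10.136.58.42 login-failed",                      # IPv4-mapped IPv6 form
    "10.136.58.42 login-ok",
    "fe80::14d2:d904:3d1b:c4f9%en0 ra-received",             # link-local with zone id
    "[2001:db8:7:e0a0:8ba:711d:1c29:aa9c]:51514 login-ok",   # bracketed, with port
]


def normalise(token):
    """Return (canonical_text, correlation_key) for an address token."""
    if token.startswith("["):                  # "[addr]:port" notation
        token = token[1:token.index("]")]
    text, _, zone = token.partition("%")
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped                # treat as the IPv4 peer it is
    if addr.version == 4:
        return str(addr), str(addr)
    if addr.is_link_local:
        # Link-local addresses are only meaningful together with their zone.
        canon = f"{addr.compressed}%{zone}" if zone else addr.compressed
        return canon, canon
    prefix = ipaddress.ip_network(f"{addr.compressed}/64", strict=False)
    return addr.compressed, str(prefix)


def correlate(lines):
    """Group (canonical_address, event) pairs by correlation key."""
    groups = defaultdict(list)
    for line in lines:
        token, event = line.split(maxsplit=1)
        canon, key = normalise(token)
        groups[key].append((canon, event))
    return dict(groups)
```

A plain string comparison of the raw tokens would treat the first four failed logins as four unrelated sources; after normalisation they collapse to one /64 and one IPv4 address.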
IPv6 Conclusions
Conclusions
– In complex environments IP addresses are used in many ways.
– Which has to be considered in an operations context, namely in the space of security functions.
– Keep this in mind during your IPv6 deployment, and your decision process re: architecture and transition model.