* Large network segments are both good and bad. IPv6 introduces network segments that are significantly larger than those we see today. The current recommended prefix length for an IPv6 subnet is /64 (2^64 addresses), which can accommodate some 18 quintillion hosts on a single segment! While this enables virtually unlimited LAN growth, its size also presents challenges. For instance, it would take years to scan a single IPv6 /64 block for vulnerabilities, while a single IPv4 /24 subnet (2^8 addresses) would take only seconds. Since a comprehensive scan is impossible, a better approach may be to utilize only the first /118 (the same number of hosts as a /22 in IPv4) of addresses to narrow the range of IPs to scan, or perhaps allocate all addresses explicitly and deny all others implicitly. This will make careful IP management and monitoring even more crucial than it is today. One might also expect passive domain name system (DNS) analysis and other reconnaissance techniques to be employed by attackers in place of traditional scanning.
* Neighbor discovery and solicitation can expose networks to problems. Neighbor discovery (ND) in IPv6 utilizes five different types of Internet Control Message Protocol version 6 (ICMPv6) messages for several purposes, including to determine the link layer addresses of neighbors on the attached links, to purge cached values that become invalid, and to discover neighbors willing to forward packets on their behalf. While ND offers many useful functions -- including duplicate address detection (DAD) -- it can also present opportunities to attackers. ND attacks in IPv6 will quite likely replace their IPv4 counterparts such as ARP spoofing. In general, it's a good idea to keep ports disabled unless explicitly provisioned, implement link layer access control and security mechanisms, and be sure to disable IPv6 completely where it's not in use.
* Firewalls and security gateways that choke on large extension headers could fall prey to DDoS attacks. In IPv6, the IP options function has been removed from the main header and is instead implemented via a set of additional headers called extension headers (EH) that specify destination options, hop-by-hop options, authentication and an array of other options. These extension headers follow the IPv6 main header, which is fixed at 40 bytes, and are chained together to create an IPv6 packet (fixed header + extension headers + payload). IPv6 traffic with large numbers of extension headers could overwhelm firewalls and security gateways, or perhaps even degrade router forwarding performance, and thus serve as a potential vector for DDoS and other attacks. Disabling "IPv6 source routing" on routers may be necessary to protect against DDoS threats, and explicitly codifying which extension headers are supported and checking network equipment for proper implementation is critical. In general, IPv6 adds many more components that must be filtered or require scoped propagation, including some extension headers, multicast addressing, and increased uses for ICMP.
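As an added illustration (not code from the original post) of the "codify which extension headers are supported" advice above, the following Python walks the Next Header chain of a raw IPv6 packet and applies a simple gateway-style policy. The allowed header set and the three-header limit are assumed policy choices, and `build_packet` constructs minimal sample packets for testing.

```python
import struct

# IANA protocol numbers for IPv6 extension headers and how each one encodes its length
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY}

def walk_extension_headers(packet):
    """Follow the Next Header chain of a raw IPv6 packet and return the extension
    header types in order. Raises ValueError if the chain runs past the packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], 40, []   # Next Header is byte 6 of the fixed header
    while next_hdr in EXT_HEADERS:
        chain.append(next_hdr)
        if next_hdr == ESP:                       # everything after ESP is encrypted; stop here
            break
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header at offset %d" % offset)
        if next_hdr == FRAGMENT:                  # Fragment header is always 8 bytes
            length = 8
        elif next_hdr == AH:                      # AH: Payload Len in 4-byte words, minus 2
            length = (packet[offset + 1] + 2) * 4
        else:                                     # HBH/Routing/DestOpts/Mobility: 8-byte units, minus 1
            length = (packet[offset + 1] + 1) * 8
        next_hdr, offset = packet[offset], offset + length
    return chain

def check_policy(packet, allowed=frozenset({FRAGMENT, DEST_OPTS, AH, ESP}), max_ext=3):
    """Drop unparseable chains, chains longer than max_ext, and any header type outside the
    explicitly supported set (excluding Routing and Hop-by-Hop is an assumed default policy)."""
    try:
        chain = walk_extension_headers(packet)
    except ValueError as exc:
        return "drop", str(exc)
    if len(chain) > max_ext:
        return "drop", "%d extension headers exceeds limit of %d" % (len(chain), max_ext)
    unsupported = [h for h in chain if h not in allowed]
    if unsupported:
        return "drop", "unsupported extension header types %s" % unsupported
    return "accept", "chain %s" % chain

def build_packet(chain, payload_proto=58):
    """Constructed test input: a minimal IPv6 packet (zeroed addresses) carrying the given
    extension header chain, each header at its smallest legal size (8 bytes)."""
    types = list(chain) + [payload_proto]
    body = b"".join(struct.pack("!BB", types[i + 1], 0) + b"\x00" * 6 for i, _ in enumerate(chain))
    fixed = struct.pack("!IHBB", 6 << 28, len(body), types[0], 64) + b"\x00" * 32
    return fixed + body
```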