লেখক পরিচিতি
লেখকের নাম:
মোহাম্মদ জাবেদ মোর্শেদ চৌধুরী
মোট লেখা:৫১
লেখা সম্পর্কিত
পাবলিশ:
২০১৫ - ফেব্রুয়ারী
Security Features and Challenges of IPv6
A key motivating factor for IPv6 was the shrinking available IPv4 address space. In contrast to IPv4 addresses, which use only 32 bits, IPv6 addresses are 128 bits long. This larger address size allows for the generation of 3.4 × 1038 address values, which should be more than enough for current and future applications, and eliminates the need for address conservation practices such as NAT that IPv4 requires.
IPv6 also supports end-to-end communication, enabling source and destination nodes to interact without intermediate systems such as NAT devices. This feature allows the development of new voice-over-IP, multimedia, and other types of network applications.
Security Features of IPv6 Security framework : IPsec is used in IPV4 to implement Virtual Private Networks (VPNs). IPsec provides network-level security, which means that an application running over an IPv6 network, e.g. a web-server, browsing the Internet, any application sending/receiving data over the Internet, etc., will also have this security, since the application data is encapsulated within the IPv6 packet.
Auto configuration : Auto configuration is an important feature of IPv6. Every device connected to the network must be assigned an IP address. For this task, IPv4 is limited to stateful protocols such as the Dynamic Host Configuration Protocol, which require a server to store a requesting host’s configuration information. In addition to supporting stateful auto configuration through DHCPv6, IPv6 introduces a simplified stateless autoconfiguration procedure where a node can configure its IP address based only on local information that is without contacting a server Stateless auto configuration occurs without the use of DHCP.
Security challenges of IPv6 Reconnaissance attacks : Host probing and port scanning are usually the initial activities an attacker engages in to discover vulnerabilities in a network. In host probing, the attacker tries to identify the hosts connected to a network. Once the hosts are found, the attacker uses port scanning to look for exploitable vulnerabilities.
Administrators can use IPSec’s security services to reduce packet sniffing looking at a packet’s content and port scanning activities. The difficulty in scanning posed by IPv6 addressing also makes it hard for an administrator to identify hosts that are either malicious or possible targets for attackers.
Man-in-the-middle attack : For security IPsec protocol suite is reliable for both IPv4 and IPv6 header because they have no security mechanisms. In this fashion IPv6 falls prey to the same security risks posed by a man in the middle attacking the IPsec protocol suite, specifically IKE. Tools that can attack an IKE aggressive mode negotiation and derive a pre shared key are documented. With this in mind, we recommend using IKE main mode negotiations when requiring the use of pre shared keys. IKEv2 is expected to address this issue in the future.
The sniffing attacks : Sniffing attack is a typical attack for both IPv4 and IPv6. The sniffing attack involves capturing of the data being transmitted through the network. In case that confidential data are transmitted in a plaintext protocol, they can easily be compromised by an attacker running sniffing attack. A sniffing attack type can be avoided by a proper use of the IPsec security architecture, which is used in IPv4 as an option and in IPv6 as an obligation.
Attacks using routing headers : IPv6 packet structure allows for routing headers, which list the addresses of one or more intermediate nodes that the packets will go through. An attacker can generate specific packets with routing headers to reach hosts that normally would not accept the attacker’s traffic. Further, if an end point accepts these headers and follows their routing instructions, trusted nodes could forward malicious packets or the flow of packets could lead to resource exhaustion at the routers, resulting in a DoS attack. Unfortunately, Mobile IPv6 requires routing headers. Networks with MIPv6 functionality should therefore incorporate mechanisms to securely handle packets with these headers; otherwise, they should not allow these packets.
Flooding attacks : Because of the basic principle of flooding attack both IPv4 and IPv6 is under threat. It connotes flooding a network device (e.g. a router) or a host with large amounts of network traffic. A targeted device is unable to process such large amount of network traffic and becomes unavailable or out of service. A flooding attack can be local or a distributed denial of service attack (DoS), when the targeted network device is being flooded by network traffic from many hosts simultaneously. New types of extension headers in IPv6, new types of ICMPv6 messages and dependence on multicast addresses in IPv6 (e.g. all routers must have site-specific multicast addresses) may provide new ways of misuse in flooding attacks.
Rogue devices : Unauthorized devices in the network are called rouge devices. It could be any unauthorized laptop or even it could be a rouge wireless access point, DHCP or DNS server. These types of attacks using wireless signal is quite common in 802.1X standard. IPv6 does not have any protection against these kind of attack rather The 802.1x standard also has the potential to help here, though an undetected rogue device could funnel 802.1x authentication sequences to a compromised node acting as an AAA server while capturing valid credentials.
Proposed solutions : Several solutions and tools are available to deal with IPv6-related security problems.
Cryptographically Generated Address : In IPv6, it is possible to bind a public signature key to an IPv6 address. The resulting IPv6 address is called a Cryptographically Generated Address (CGA). This provides additional security protection for the IPv6 neighborhood router discovery mechanism, and allows the user to provide a “proof of ownership” for a particular IPv6 address. This is a key differentiator from IPv4, as it is impossible to retrofit this functionality to IPv4 with the current 32-bit address space constraint. CGA offers three main advantages:
1. It makes spoofing attacks against, and stealing of, IPv6 addresses much harder.
2. It allows for messages signed with the owner’s private key.
3. It does not require any upgrade or modification to overall network infrastructure.
Packet filtering and firewall design : Packet Filtering could be an effective measure to protect our network from attacks. How-ever, because IPv6 depends heavily on ICMPv6 messages, any filtering of ICMPv6 packets should ensure that network functionality is not affected. Filtering schemes should consider the fact that a host with one network adapter card can have multiple IPv6 addresses.
Applying packet filters in IPv6 firewalls is more complicated than in IPv4 firewalls. In addition, the packet structure makes IPv6 an extensible protocol that can incorporate new functionality with new headers, but attackers could exploit this capability for malicious purposes. This raises the dilemma of whether to allow or drop packets with unknown headers or options.
Conclusion : In a nutshell, although IPv6 was designed with security in mind, security concerns could hinder its success if adequate efforts and resources are not devoted to fully understanding IPv6-related security issues and vulnerabilities in IPv6-based network infrastructures