back to article Defcon speaker calls IPv6 a 'security nightmare'

The internet's next-generation addressing scheme is so radically different from the current one that its adoption is likely to cause severe security headaches for those who adopt it, a researcher said last week. With reserves of older addresses almost exhausted, the roll-out of the new scheme — known as IPv6 or Internet Protocol …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge
Badgers

Hmm. Broken

Seems they need to skip IPV6 and design IPV7 properly.

I'll stay with IP4 then thanks.

4
8
Silver badge

Read the article again

In many respects, IPv6 is significantly more secure than IPv4. The problem (as ever) will be with people implementing it before they're ready and when they don't fully understand the implications of what they're doing.

4
3

Complexity Of Implementation Is A Problem

Given the complexity of RFC mash-ups like IPv4 or v6 and it's bloody difficult to "fully understand the implications" of turning it on. RFC 791 was issued nearly 30 years ago and most sysadmins still configure by rote, fingers crossed and praying powerfully. Much less Harry The Homeowner and his Open Zombie Wireless network. You can't fire-proof a paper house. If you want to have a secure network, you need a protocol that is secure by design, not by implementation. Produce a product for general use by the public, and it needs to default to safe settings and not require years of experience to configure safely. Especially when acquiring years of experience could be very painful and expensive. This is just more wanker-ware designed by people with too much time on their hands and no ability to take off those Unix/IP blinders. It would be insanely funny if it weren't so important.

7
3
FAIL

@Chris Miller

Having setup and configured IPv6 test labs, I don't believe the hype around IPv6.

Yes it gives a greater number of addresses, but I fail to see how it make the network any more secure than IPv4. On a private network it may be harder to spoof a source address, but it's not going to be any harder to spoof a source address across the internet. And any network service that is vulnerable under IPv4 will still be vulnerable under IPv6.

In addition, as these researchers say, given that nobody's IPv6 implementation has seen extensive vulnerability testing, there is likely to be scores of bugs that will make everyone less secure.

As for running out of addresses.... that's what NAT is for... every network device doesn't need a globally accessible IP address, in fact it makes it them harder to attack directly if they are not globally accessible (ok so there is still the problem of how to secure the application layer, but that's a different problem).

3
0
Silver badge

@Nathan

It's true there are nearly 6,000 RFCs for IPv4 - that in itself might be a pretty good argument for moving to IPv6 - but 99% of them are either obsolete or relate to subprotocols that are so obscure that you're unlikely to have heard of them, let alone seen them in operation (I certainly haven't). It sounds like your beef is with the selection of defaults by manufacturers - which I agree is woeful, particularly in the domestic market where end users can't be expected to have much security awareness.

I'd love to see a "secure by design" set of protocols, can I get a "secure by design" operating system on which to run them, as well? I am reminded of the wise words of St Bruce of Schneier: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

4
1

not just NAT.

One of the big culprits of IP exhaustion is SSL. There's no real reason for SSL to require a unique IP address for every host name. You've been able to run thousands of small sites on a single server for years, whether they have the same IP address or multiple ones. Having the RIGHT address and the private key should be plenty, and requiring the IP to be unique adds nothing to security ever since virtual hosting became possible.

1
0
Pint

But ...

SSL doesn't require a unique IP address for each hostname.

1
0

@ Chris

A secure OS would be nice. Certainly neither Unix nor Windows can qualify. Guardian and System 360(latest version) would be ok; except everybody runs a Unix partition on them now for web services. It's pretty bleak out there. All that said, I would argue that the more immediate problem is the great open door of web services and IP. Close that aperture and it becomes less critical to fix the rest. It would be nice to return to the days when our biggest fear was a disgruntled Assembler programmer bypassing internal controls.

0
0
Grenade

They keep saying...

They keep saying they are nearing the end of IPV4 address, which I believe, but I question whether they are taking into account all the NAT (private) addresses out there. Our entire company is based on private IP addresses. That's a lot of computers. And with IPV6 they will all need public IP addresses for every machine as it doesn't support NAT.

2
5
Silver badge

Relax. IPv6 has got plenty of room.

IPv6 takes your concerns into consideration. Consider this. IPv4 has a total of 2^32 possible addresses (a little over 4 billion). IPv6 has an absolute total of 2^128 addresses. That is perhaps 4 whole orders of magnitude more addresses available (about 10^38), so many that every man, woman, and child on Earth could have a handful and it still wouldn't even be halfway. IPv6 thus applies the space in a structured manner. In your hypothetical case, an entire class B (IPv4) subnet only requires 2^16 unique addresses. An IPv6 address is usually addressed in hex for simplicity; your unique addresses would comprise the rightmost word of an eight-word IPv6 address. Let's just say there's plenty of room to go around.

0
2

Re: They keep saying...

"I question whether they are taking into account all the NAT (private) addresses out there."

We really do need more ip addresses.

Though it's been adopted out of necessity, NAT really does cause numerous headaches, breaks protocols, causes inefficiency. It was a stop gap measure while waiting for a real fix. Also, NAT should not be a replacement for a genuine firewall.

IP6 addresses the primary 32bit addressing issue, however it also introduces numerous other features whether or not we want them.

Article quotes:

"It means that everything you send or receive is labeled with your real MAC address and therefore if you were to do something naughty, like download copyrighted material, they would know"

I have wondered why the spec calls for such a personal identifier in every packet, especially as it's not necessary to make ip6 work. It lends a lot of weight behind the conspiracy theory that it was designed to track people. Given how easy it is to forge in practice, I would hope that it could never pass as "evidence".

4
1

IPv6 doesn't support what?

IPv6 supports NAT just fine and has for years.

4
0
Gold badge
FAIL

@Charles 9

Plenty of IPs to go around...

...but your ISP wills till give you two (dynamic) and charge you $5 for each additional you use.

I will believe in IPV6 when I see IPV6 NAPT/NAPT-PT in home routers or legislation /requiring/ handing out proper subnets to home users. Not before. (Spoken as someone with 27 IP-enabled devices in his home for 3 people. Phones, routers, computers, consoles, etc.)

Also, it’ll be lovely when I’m forced to use auto-configuring addresses for my own internal network. I’LL LOVE THAT. None of this simple being able to remember your addresses easily; who ever wanted to do silly things like that? Great technology in theory. Complete failure on behalf of everyone involved to think for 0.00005 seconds about how it would be implemented in the real worl.

Yeah. IPV6. I remain distinctly unimpressed.

3
2
Go

Autoconfigure

I do use it and do appreciate it.

But that doesn't mean you can't set your own addresses for servers and whatnot. While my clients are unmemorable numbers and letters, I've set my gateway to 2001:470:xxxx::1. Easy peasey.

3
1
Gold badge

@Justin Thomas

Your statement assumes that your ISP will let you use anything except auto configure, or DHCP6 or some such. With no private IP space, you don't get to decide what your IPs look like, your ISP does. Perhaps you have a useful ISP who plays ball and gives you a real amount of address space. Bully for you. Many others aren't so lucky.

2
2
Thumb Up

Don't worry...

Really, IPv6 gives us a truly crazy number of IP addresses to play with, 2^95 for each person on the planet, 39614081257132168796771975168, each.

I don't think your company has anything to worry about, unless you're the Director of IT...

2
1
Silver badge
Pint

640k ought to be enough for anyone

"IPv6 gives us a truly crazy number of IP addresses to play with"

I bet someone said that about IPv4 too :)

2
0

640K

I remember 16K, then 32K, then 64K being impressive. I still have 2 meg in my Apple ][e.

Where's the Woz icon?

0
1
Welcome

Sheesh kids

Was always in the design... Host based firewalls and whitelisting... Its a dependency shift, move along.... All of a sudden, those AV companies look good again <buystock>

thats all for now...

0
1
Grenade

The company where I'm working now uses

a whole class B IP4 public network address internally and of course, they're NATing it into the ISP assigned public range in order to go to Internet. They say it would cost them too much to change, it's too complex and so on, so they'll never bother with it. I wonder how many others do the same.

2
1

IPv4 will be around

A company has an Internet connection running IPv4. It will continue to run IPv4 and te ISP's will be turning on IPv6 on them. When the ISP is out of IPv4 addresses, new customers will be getting IPv6 only.

IPv6 gets rid of DHCP servers as the computer asks the router for the IPv6 network and then the MAC is used to generate the host portion. The big issue though, DNS. How does the computer get DNS servers? It doesn't because there are no DNS servers. You also run into an issue if the entire path is not IPv6 capable and the computer gets an IPv6 address during a DNS query.

1
3
Anonymous Coward

Reply to post: IPv4 will be around

IPv6 doesn't get rid of DHCP servers, though you do have the option not to use one. DHCPv6 works fine and actually allows you a way around using your MAC address as part of the IP address.

If you do use the routing approach you can use a multicast DNS server, since the routing server doesn't broadcast that information.

It is also possible to run IPv6 over IPv4, though it requires a tunnel be created between two points.

1
0

@Lance 3

"IPv6 gets rid of DHCP servers"

"there are no DNS servers."

Hmm, I suppose that neither of these are strictly necessary if you configure everything via static ip addresses. However these can both continue to play a role on ipv6 networks.

"It will continue to run IPv4 and te ISP's will be turning on IPv6 on them. When the ISP is out of IPv4 addresses, new customers will be getting IPv6 only."

The main problem (the reason we haven't upgraded sooner), is that ipv4 and ipv6 addresses cannot communicate directly with each other, period.

An ipv4 client cannot address an ipv6 server, and an ipv4 server cannot reply to an ipv6 client. This necessitates rather undesirable ipv4/6 proxy servers.

The loss of direct connectivity is a major stumbling block. Once major portions of the internet are version 6 only, then people will want ipv6 addresses, until then people will want/need ipv4 ones. Catch-22.

1
2

Stateless

Most ISP's are going to use stateless. There is no reason for them to use DHCPv6 as they are going to give you an address block. By doing so, you have a DNS issue. No DHPC = no DNS servers assigned automatically. If companies do the same thing, how does one use the Internet at home using a company PC? The company would set the DNS servers and they wouldn't be reachable at home.

That poses an issue.

The ISP and carriers are starting to plan for IPv6. Once the address space is out, it is hard to attract new customers. So it is not a Catch-22. The major issue, the majority of the population is not technical enough to actually understand it and thus be able to make any changes necessary for IPv6 to work.

The carriers are not going to do a proxy. They will be using CGN and issuing new customers a private IP.

The major issues the ISP's have, how do you market IPv6? You can't charge extra for it; the majority won't pay for it. So it is a necessary expense item to continue to provide service to new customers. Internally many companies are trying to find what budget it should come out of.

2
1

Re: Stateless

Firstly, DHCP is still used on ipv6 networks.

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-dhcp.html

Secondly, DNS is still needed to resolve names on ipv6 networks, regardless of how it gets configured in the first place (stateless or stateful dhcp mode).

"The ISP and carriers are starting to plan for IPv6. Once the address space is out, it is hard to attract new customers. So it is not a Catch-22."

Of course once the numbers are out, they'll have no choice put to stop issuing publicly addressable ipv4s, but I'm still right that an IPv4 endpoint cannot send a packet *directly* to a IPv6 one.

Despite your remarks, I don't think we actually disagree on this point, since you acknowledge the need for NAT.

"They will be using CGN and issuing new customers a private IP"

This of course comes with all the shortcomings of not being able to connect directly to people/devices behind the NAT or Proxy. People get around these shortcomings today on their own routers with port forwarding and UPNP. It is likely that ISPs are going to be reluctant to do this on their NAT routers. Therefor clients behind NAT will inevitably loose connectivity, particularly P2P (such as games, voip, bittorrent, etc).

Anyone solely on IPv6 will be at a loss until everyone else joins them. No reason to deny a catch 22 here.

2
0
Badgers

Wouldn't..

..a properly configured private network - such as a business or gov't - have only a handful of public addresses?

And wouldn't a properly configured home network, have only one public address?

Gaming consoles? Don't need a public address.

Phones? Maybe, maybe not, depending on the service provider. But not everyone has or - gasp - wants a smartphone.

I really think it doesn't have to be as dire as they're saying it is. And even so, the proper way to do it is not to force everyone onto an unfinished standard that LOWERS security. Finish the standard, finish the compliance, make it as least AS secure as IPv4 is with all its current add-ons, make it something that people without photographic memory can read the addresses. Then deploy it. Is it nice to make people wait? No... but it's evil to make internet security actively worse because of hysteria and projection trends.

2
4
Silver badge

Internet connection requires an address

Thus, if a gaming console has Internet connectivity, it must have an IP.

IPv6 has squintillions of available addresses, and that is a good thing. Unfortunately, humanity has a track record of occupying available resources until their exhaustion. That trend is already well underway for IPv6 as well.

Just think about it : smartphones, consoles, even some BluRay players have Internet connectivity already. There is talk about connecting fridges, televisions and freezers as well. Cars will end up connected one day.

So, let us imagine a future where a 4-person household has the following elements connected to the Internet :

- 2 cars

- 3 televisions

- 4 media players

- 3 consoles

- 7 smartphones

- 2 fridges

- 1 freezer

- 1 dog

Yes, the dog. Don't tell me that they won't end up with GPS-tracking collars you can follow on your PC, because they will. Add as many dogs as you want.

So that makes a total of 23 IP addresses required for 1 house of 4 people.

Today ? We have 1 IP connection per household, with NAT inside the house.

The ration is then 1 to 23.

Yep, that IPv6 is well on its way to becoming saturated as well.

3
1
Silver badge

Re: Internet connection requires an address

Indeed, is there any reason that a single device couldn't find a use for 10, or 100, or more ip addresses? I think you're right, once this gets going we'll be using them up in no time.

0
1
Bronze badge

Good point

If nothing else it means no more name-based virtual hosting for Apache. Got a couple of dozen domains? Assign each one an IP address, but continue to run them all off the same box. Will certainly make setting up HTTPS a lot easier.

1
0
Silver badge

That was taken into consideration.

Even if every man, woman, and child on earth were given a ridiculous number of IPv6 addresses, it would hardly scratch the proverbial roll. The number given was mentioned previously in the comments, but basically, with 10^38 addresses to distribute among about 10^10 people, address exhaustion is not likely to be an issue in the foreseeable future.

1
0
Go

"...taken into consideration" taken as a challenge

I appreciate the unwitting irony in that statement, which wholly ignores all past IT history.

Just so you know, Charles "640K ought to be good enough for anybody" 9, I have my doubts that the millions of monkeys with typewriters generating content/crapplications on the internet will stop being what they are. Call it a hunch.

0
1
Silver badge

But there comes a point...

...when you have to step back and realize that, eventually, you encounter a number so high that you have to realize, "That's BIG.". That's the thing with exponents: they get BIG and FAST. And giving my above example (10^38 addresses among 10^10 people), that means each person can have 10^28 IPv6 addresses and you still wouldn't run out. Based on my chemistry knowledge, that's greater than the Avogadro constant (~6.02x10^26). When the numbers get THAT high, you're likely to run afoul of physical limitations (either the sum energy capacity of the planet or the capacity to install addressable units) before you threaten exhaustion. Now, I'll grant you that this will likely only apply in a terrestrial situation, but given current limitations on communication of an extraterrestrial nature, I seriously don't think address exhaustion will become a problem unless we find a way to get around c, first.

0
0
Go

right in current applications, wrong in future assumptions.

Just because we don't have that many people doesn't mean that we can't cook up a way to use that many addresses. It is possible to write an application that uses 64,000 UDP ports. Why would anybody do that? I dunno -- I'd say that half the new application developers needed their heads examined, but that's not because they're crazy -- just that I don't understand what they're doing.

Just because it doesn't seem like a good idea at the time to you doesn't mean that a future application (or host of them) won't. It just means that You Don't See A Way To Use Them. I'm just saying that type of phrase has been used before, and the pattern so far is 1. make utterance in public. 2. Be proven wrong. 3. repeat. I would hedge my bets on this, rather than go down in history with another silly quote to my name to the effect of "If man were supposed to fly, the Almighty would have given him wings".

0
1
Silver badge

Only 64,000?

What happened to the other 1,536 (JOKE)?

But, back to serious stuff, I still stand firm on the idea that IPv6 was designed so that physical limitations hit before logical ones (unless, like I said, someone finds a way around the speed of light--c--first).

It's the same way of thinking that determined the logical limits of the ZFS filesystem. They were set so high that the entire physical capacity of the planet Earth would be insufficient to create a drive system bigger than ZFS can accommodate. Sure, the human mind has infinite imagination, but he only has finite resources to exploit.

0
0

Close to accurate ...

... but not quite. At the very least, two of the attacks mentioned are already resolved.

(Type 0 RHs have been deprecated, and appropriate guidance developed ... and P2P links now recommend /127s, and most vendors have removed this vuln anyway).

Yes, IPv6 poses several different types of risks. However, you are much better off deploying IPv6 and managing it properly than trying to pretend it doesn't exist.

@Mage - Not an option for several reasons, and FWIW IPv6 is "properly designed" - and largely ready to deploy. Also, "v7" wouldn't be the next version ... (Oh, and "staying with IPv4" - without also doing IPv6 - won't really be an option for most of us for much longer ... )

@Anony - You can either take it on faith, or do the math, or ... ask? ... but yes, IPv6 has more than enough addresses for every company out there to get their public IPs and to not require NAT. (And there are some 'flavors' of NAT that do apply, in some scenarios, to IPv6 networks ...)

/TJ

3
0

IPV6

There is already a IPV6 to IPV6 nat, but it is unneccesary.

Currently, there are IPv4 address space available. By this time next year all of it will be allocated and there will be no new addresses available. Once this occurs, you will start seeing a market around IPv4 addresses. Those companies that have large ipv4 ranges assigned to them will find themselves restructuring because those adresses will be worth some $$.

Companies not willing to pay for IP space, will go to ipv6. The next big 'thing' on the net, will likely be on ipv6 only. You heard it here first. :)

2
0
Silver badge

Won't be enough

It will never be worth enough to restructure to IPv6.

And if it does become worth big bucks, then the buying company will, at one point, have to decide to go IPv6 anyway.

0
1
Pint

Spec's Wrong

Was looking at IPv6 back in the 90s, concluded that its main flaw is also its main strength; global routable addresses. In an idealistic world it sounds like a great idea to have all interconnected devices, but in reality why does a client device need to be access directly by another internet connected device? Surely this peals back the small, yet helpful layer of security that NAT provides us with.

IPv6 SOCKS hell yeah!

Sod routing that junk.

1
4

Firewall

That is what a firewall is for. There is plenty of security.

Want to remain anonymous and make it so someone can't see the MAC address (host portion of the IPv6 address) then use a USB dongle or change the MAC on the NIC.

0
1

don't need to do the host portion

The host portion is just one way to set the ipv6 address. You can still set static ips or use DHCP. I have done both on my test networks with no trouble.

1
1
Silver badge
Boffin

So, basically the same complaint I have with IPv6.

I've always thought that having a /64 'host' block is a huge waste of space; hardwiring this host ID to a MAC address is infinitely stupid as well. Now it seems that the same giant block opens up a world of abuse? O RLY? It shows how that idea was so shortsighted. I'd add that wasting a full /64 block for a router-to-router link is also an enormous waste of space. In practice, we're really squaring the IP address space, as the other 64 bits are pretty useless.

Fortunately, I've seen that not all IPv6 implementations add the MAC addy into the Host ID, but still, it is kinda lousy to set that kind of behavior as the default. Maybe they should make IPv7, but disregard the dedicated /64 Host ID block and just let us subnet all the way down to /127?

5
2
Anonymous Coward

Reply to post: So, basically the same complaint I have with IPv6.

The /64 is just the default.if you use routing advertisement to dole out IPs. If you use a DHCPv6 server, you can choose any size subnet(s) you want. And really, the security issues behind using your MAC address are no different than having a static IP address.

1
1

@Daniel B.

"I've always thought that having a /64 'host' block is a huge waste of space; hardwiring this host ID to a MAC address is infinitely stupid as well."

I'm glad that people upvoted your post, since it gives me a slight bit more confidence that in practice we will disregard the publicly routable mac address.

1
1
Gold badge

startling

"There is already a IPV6 to IPV6 nat, but it is unneccesary."

It is in the sense that some people do not want their machines to be fully publicly accessible, and a NAT allows this.

Anyway, I was rather startled about some of the features included in IPV6, and I think there are a number of ...ahem.. interesting security vulnerabilities that "may" pop up with it. I say "may" because it takes a bit of a kitchen sink approach and it's entirely possible some of the ill-planned functionality will simply not be implemented in practice.

1
3

This post has been deleted by its author

Gates Halo

No problem

Let's have a hundred trillion planets with a trillion people each, then every person can still have a trillion IPv6 Adresses. If we ever reach that point, changing to IPvx is going to get tricky, though...

1
0
FAIL

@Daniel B.

HUH?!

You do realize that in REAL WORLD environments you'll have subnets much smaller than a /64. Just like you have subnets as small as 2 usable IPs now.

The whole /64 thing is actually the smallest amount that IANA/ARIN will hand out. That doesn't mean that we will all be getting our own /64. And, for right now most anyone can get a /64. But, that won't be a permanent thing either.

0
2

ISP's

Some ISP's will be issuing a /61 to DSL/cable customers.

0
0

Try /48

I have a /48 from Hurricane Electric (as do many of their customers). That allows for the deployment of many /64s to accommodate the automatic addressing based on MAC address.

If you use that auto-addressing, then /64 really is as small as you want to go.

0
0
Bronze badge
Megaphone

Stop the myths!

Well, we've heard the myth that IPv6 is super-secure, from the IPv6 Forum. And we've heard the myth that it's super-insecure, from this and other professional security scaremongers. The fact is: the design of IPv6 is so similar to IPv4, apart from bigger addresses and a few fancy auto-configuration features, that is has *exactly* the same security issues. The problem is that not all security products are fully IPv6-ready yet. Well, if your firewall vendor doesn't support IPv6 properly, get a new vendor.

Oh, and there's a myth right there in the story:

"Some operating systems, including Windows Vista and Windows 7, have privacy settings turned on by default that cause the string to be randomly generated. While this setting helps preserve anonymity, it also has the potential to break many end-to-end communications, so it may not always be available, Bowne warned." Er, BS. IPv6 privacy addresses in no way break e2e communications. Your computer might switch to a new IPv6 address for a *new* e2e communication (that's a TCP connection in plain English) but it won't switch in the middle of an existing one. Anyway, you only need to use those privacy addresses if you're paranoid about your MAC address. If you're that paranoid, there are much worse traceability problems to worry about.

Oh, and for those who believe that IPv4 exhaustion is a myth, see http://www.potaroo.net/tools/ipv4/

6
0

Page:

This topic is closed for new posts.

Forums