The next generation of Internet communication networks is about to be deployed. Is IPv6 security protection ready?

Recently, the General Office of the Communist Party of China Central Committee and the General Office of the State Council issued the "Action Plan for Promoting the Large-Scale Deployment of Internet Protocol Version 6 (IPv6)" to accelerate the large-scale deployment of IPv6 and build a high-speed, widely popular, full-coverage, and intelligent next-generation Internet.

1. Introduction

With the implementation of the plan and the rapid growth of the mobile Internet and the Internet of Things, China's entire network environment will change dramatically, and the whole industry chain is poised to act. China has already begun pilot projects and deployments of IPv6 root servers, IPv6 metropolitan area networks, IPv6 dual-stack upgrades of government websites, and IPv6 municipal public wireless networks. Some content of the major Internet companies (BAT) already supports IPv6 access, and IPv6 traffic is growing rapidly. The new network environment and emerging fields will face new security challenges.

According to the deployment plan, by the end of 2018 the number of active IPv6 users will reach 200 million, no less than 20% of Internet users; by the end of 2020 it will exceed 500 million, more than 50% of Internet users, and newly allocated network addresses will no longer use private IPv4 addresses; by the end of 2025, China's IPv6 network scale, user scale and traffic scale will rank first in the world, networks, applications and terminals will fully support IPv6, the smooth evolution to the next-generation Internet will be complete, and a world-leading next-generation Internet technology industry system will have formed.

Regarding IPv6 security, the plan focuses on upgrading security systems, strengthening IPv6 address management, enhancing IPv6 security protection, and strengthening research on network security technology, management, and mechanisms in IPv6 environments such as industrial Internet, Internet of Things, Internet of Vehicles, cloud computing, big data, and artificial intelligence, and building security assurance capabilities in emerging fields.

This article analyzes IPv6 security threats from the perspective of Internet network security operations, and discusses the security risks and reinforcement suggestions faced by the Internet IPv6 network security assurance system.

2. Introduction to IPv6 Protocol

IPv6 (Internet Protocol version 6) is the network-layer protocol for packet-switched internetworks, used primarily for addressing and routing. It was designed by the IETF (Internet Engineering Task Force) to replace IPv4. In the early stages of protocol development, IPv6 was also called IPng (IP Next Generation).

Since 1990 the IETF had been planning the successor to IPv4, which, in addition to solving the IP address shortage, also had to provide further extensions. The 1994 IETF meeting formally proposed the IPv6 development plan, and IPv6 became an IETF draft standard in August 1998. Finally, at the end of 1998, the IETF officially released IPv6 by publishing the Internet standard specification RFC 2460.

Today, with the rapid growth of the mobile Internet and the Internet of Things, computer networks have become closely tied to people's lives, and almost every electronic device around us may need an Internet connection. Demand for IP addresses has increased dramatically while IPv4 addresses are becoming increasingly scarce, making the development of IPv6 ever more urgent.

1. The main reasons for developing IPv6 are as follows:

(1) 128-bit address space: an IPv6 address is 128 bits long. In order of magnitude, the IPv6 address capacity is about 8 × 10^28 times that of IPv4, reaching a huge address space of 2^128 addresses. This not only solves the shortage of network address resources, but also provides a foundation for the development of the Internet of Things.

(2) A hierarchical routing structure, which current IPv4 does not provide:

  • Hierarchical aggregation (Public, Site, Interface)
  • Simpler ACL
  • Fewer routing entries

(3) Realize true point-to-point communication instead of NAT

(4) Intrinsic support for secure transmission, providing more secure data transmission

(5) Simplify data packets and provide faster data packet processing

(6) Support mobile IPv6 and provide stable mobile network services

(7) Automatic configuration, plug and play

(8) Flow labels provide more service quality control capabilities

Figure 1 below compares the IPv4 and IPv6 header structures. The comparison shows that IPv6 draws on the operational experience of IPv4 and greatly simplifies the basic header, which contains only 8 fields; all non-core functions of IPv6 are implemented through extension headers.

2. The main differences between the IPv4 and IPv6 headers are as follows:

(1) IPv6 simplifies header and data length calculation: the IPv6 basic header no longer carries a header length field; a single field (Payload Length) gives the length of the data payload.

(2) Better support for DiffServ QoS: the Type of Service field of the IPv4 header is expanded into two independent fields in IPv6, Traffic Class and Flow Label;

(3) Elimination of intermediate fragmentation: the IPv4 header provides three fields for fragmentation (Identification, Flags and Fragment Offset), and many attack methods target these three fields. IPv6 adopts the Path MTU Discovery mechanism so that intermediate routers never fragment packets, eliminating some security risks;

(4) Elimination of the checksum field: the upper-layer protocol headers carried in IPv4, such as ICMP, UDP and TCP, already contain a checksum covering both the header and the data, so the checksum in the IPv4 header is redundant and has been removed from the IPv6 basic header.

(5) Handling of options: IPv6 implements options through extension headers, which solves the problem that IPv4 packets carrying options could not be forwarded efficiently. It also makes the adoption of IPsec, and of new security protocols that may appear in the future, more convenient.

The comparison of header structures shows that the IPv4 header is redundant, which hurts forwarding efficiency, and that IPv4 lacks effective support for end-to-end security, QoS and mobile Internet security. IPv6 focuses its improvements on these aspects and adopts a leaner, more effective header: all option fields are moved into extension headers, and intermediate forwarding devices do not need to process all of them, which speeds up packet processing. In addition, IPsec encrypted transmission and support for mobile Internet security are implemented through extension options.

Figure 1 IPv4 and IPv6 header structures

From the perspective of the protocol family, the basic parts of the IPv6 family have also changed substantially compared with IPv4. For example, ARP has been replaced by the Neighbor Discovery Protocol (NDP), and ICMPv6 merges the functions of several IPv4 protocols, including ICMP (Internet Control Message Protocol), IGMP (Internet Group Management Protocol), ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol) and RA (Router Advertisement).

3. Security Considerations in IPv6 Protocol Design

From the protocol perspective, IPv4 was born early and its design gave almost no consideration to security; as a result, forged and spoofed packet addresses make effective supervision and control of the network impossible. From the beginning of its design, IPv6 introduced encryption and authentication mechanisms such as AH (Authentication Header), ESP (Encapsulating Security Payload), SA (Security Association) and IKMP (Internet Key Management Protocol), and made IPsec support mandatory. AH and ESP in the IPsec protocol family are embedded in the protocol stack and appear in IP packets as IPv6 extension headers, providing integrity, confidentiality and source authentication, which greatly improves security at the protocol design level.

From the perspective of IPv6 protocol security design, compared with IPv4, the following enhancements are made:

  • Traceability and attack prevention: IPv6 address resources are abundant, NAT is not needed, and address scanning is difficult
  • IPv6's default IPsec security mechanism: IPsec is integrated into the IPv6 protocol, with encryption and verification implemented through two extension headers, the Authentication Header (AH) and the Encapsulating Security Payload (ESP). Intermediate forwarding devices only need to forward packets carrying IPsec extension headers normally, which greatly reduces forwarding pressure.
  • Neighbor Discovery Protocol (NDP) and SEND: NDP replaces ARP and some of the ICMP control functions of IPv4, such as router discovery and redirection.
  • Real source address validation: the Source Address Validation Architecture (SAVA) for IPv6 is divided into three levels, access network, intra-AS and inter-AS source address validation, forming a multi-level monitoring and defense system at three granularities: host IP address, IP address prefix and autonomous system.

IPv4 addresses are very limited in number, so in many cases one address is shared by multiple hosts through technologies such as NAT. With IPv6, each object can be assigned its own unique address, and IPv6 address allocation can follow a step-by-step, hierarchical structure, which greatly improves the tracking and tracing of attacks. Users, packets and attacks can be associated with one another, so users are accountable for their actions and cannot repudiate them.

IPv6 also defines multicast address types and removes the broadcast address of IPv4, which effectively avoids the broadcast storms and DDoS attacks launched through broadcast addresses in IPv4 networks. At the same time, IPv6 stipulates that ICMPv6 error messages must not be sent in response to packets addressed to a multicast address, which effectively prevents amplification attacks based on ICMPv6 messages.

In addition, the AH and ESP security extension headers of the IPsec protocol suite provide the key encryption and authentication mechanisms at the core of IPv6 security design.

AH is an IPv6 security extension header defined in RFC 4302, with protocol number 51. IPv6 authentication is mainly performed by AH. The authentication header adds a keyed authentication value to each packet, so that the receiver can verify that the data was really sent from its source address and obtain cryptographic verification and integrity checking. This authentication value is the result of encoding the IP packet with a keyed algorithm, which is equivalent to digitally signing the IP packet: the "digital signature" that only the key holder can produce authenticates the sender, and the receiver verifies the integrity of the packet through it. The scope of AH verification differs from that of ESP and covers the entire IPv6 packet.

AH is located between the IPv6 header and some upper-layer protocol headers. If an extension header exists, AH must be located after the hop-by-hop options header, routing extension header, and fragmentation extension header.

ESP is also an IPv6 security extension header, defined in RFC 4303, with protocol number 50. It encrypts the payload of the IPv6 packet, excluding the IPv6 header, and can provide IP-layer security services such as confidentiality, data origin authentication, anti-replay and data integrity. Data confidentiality is the main function of ESP; the others are optional. The ESP header lies between the IPv6 header and the upper-layer protocol; if extension headers exist, the ESP header must follow the Hop-by-Hop Options, Routing, Fragment and Authentication headers. Since ESP encrypts only the data after the ESP header, the Destination Options header is usually placed after the ESP header.

ESP and AH extension headers can be used separately or together.
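
The AH mechanism described above (a keyed authentication value computed over the whole IPv6 packet, which the receiver recomputes to check origin and integrity) can be illustrated in code. The following is an added example, not code from the article: it builds the 40-byte IPv6 basic header and an AH header, computes the ICV with HMAC-SHA1-96 as specified in RFC 2404, zeroes the mutable fields (Traffic Class, Flow Label, Hop Limit) as RFC 4302 requires, and then shows that a router decrementing Hop Limit does not break verification while any change to the payload or the source address does. The key, addresses (from the 2001:db8::/32 documentation prefix) and UDP datagram are constructed sample values.

```python
import hmac
import hashlib
import struct

# Constructed example values (not from the article): a demo key, two
# documentation-prefix addresses (2001:db8::/32) and a 16-byte UDP datagram.
AH_PROTOCOL = 51           # IPv6 Next Header value for the Authentication Header
UDP_PROTOCOL = 17
ICV_LEN = 12               # HMAC-SHA1-96 (RFC 2404) truncates the tag to 96 bits
KEY = b"constructed-demo-key-not-for-real-use"
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
# UDP header (src port 12345, dst port 53, length 16, checksum 0) + 8 bytes of data
UDP_PAYLOAD = b"\x30\x39\x00\x35\x00\x10\x00\x00" + b"hello!!!"


def build_ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Serialize the 40-byte IPv6 basic header (Traffic Class and Flow Label left 0)."""
    first_word = 6 << 28                         # Version = 6, TC = 0, Flow Label = 0
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def build_ah(next_header, spi, seq, icv=b"\x00" * ICV_LEN):
    """AH fixed part (12 bytes) followed by the ICV. Payload Len counts 32-bit words minus 2."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def ah_icv(key, ipv6_hdr, ah_hdr, upper):
    """ICV over the whole packet, with mutable fields zeroed as RFC 4302 requires.

    Mutable in IPv6: Traffic Class, Flow Label, Hop Limit. Version, Payload Length,
    Next Header and both addresses are immutable and are authenticated as-is.
    """
    hdr = bytearray(ipv6_hdr)
    hdr[0] &= 0xF0                 # keep the Version nibble, zero the top of Traffic Class
    hdr[1] = hdr[2] = hdr[3] = 0   # rest of Traffic Class + Flow Label
    hdr[7] = 0                     # Hop Limit
    ah = bytearray(ah_hdr)
    ah[12:12 + ICV_LEN] = b"\x00" * ICV_LEN   # the ICV field itself is zero during computation
    tag = hmac.new(key, bytes(hdr) + bytes(ah) + upper, hashlib.sha1).digest()
    return tag[:ICV_LEN]


def protect(key, src, dst, upper_next_header, upper, spi=0x1000, seq=1, hop_limit=64):
    """Sender: IPv6 header + AH + upper-layer data, with a freshly computed ICV."""
    ah_len = 12 + ICV_LEN
    ipv6 = build_ipv6_header(src, dst, AH_PROTOCOL, ah_len + len(upper), hop_limit)
    ah = build_ah(upper_next_header, spi, seq)
    icv = ah_icv(key, ipv6, ah, upper)
    return ipv6 + ah[:12] + icv + upper


def verify(key, packet):
    """Receiver: recompute the ICV over the received packet and compare in constant time."""
    ipv6, rest = packet[:40], packet[40:]
    if ipv6[6] != AH_PROTOCOL or len(rest) < 12 + ICV_LEN:
        return False
    ah_len = (rest[1] + 2) * 4
    ah, upper = rest[:ah_len], rest[ah_len:]
    return hmac.compare_digest(ah_icv(key, ipv6, ah, upper), ah[12:12 + ICV_LEN])


def forward_hop(packet):
    """A router decrementing Hop Limit: a mutable field, so the ICV still verifies."""
    p = bytearray(packet)
    p[7] -= 1
    return bytes(p)


def flip_byte(packet, index):
    """Flip one bit at the given offset, e.g. in the source address or the payload."""
    p = bytearray(packet)
    p[index] ^= 0x01
    return bytes(p)


if __name__ == "__main__":
    pkt = protect(KEY, SRC, DST, UDP_PROTOCOL, UDP_PAYLOAD)
    print("valid:", verify(KEY, pkt))
    print("after one router hop:", verify(KEY, forward_hop(pkt)))
    print("payload tampered:", verify(KEY, flip_byte(pkt, len(pkt) - 1)))
    print("source address spoofed:", verify(KEY, flip_byte(pkt, 8)))
```

The example deliberately covers the source address in the ICV: that is what lets a receiver reject a spoofed source, which the article names as the IPv4 weakness AH was designed to address. Note that AH uses a shared-key MAC, so the "digital signature" the article speaks of proves origin only to parties holding the same key.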

4. Analysis of IPv6 Network Security Threats

IPv6 faces the same security threats as IPv4; the new threats mainly come from the IPv6 protocol family, the protocol's packet format, its own design and implementation, and the security changes introduced during the transition from IPv4 to IPv6.

1. Common security threats between IPv6 and IPv4

IPv6 and IPv4 are both network layer protocols and have the following common security threats:

  • Without IPsec configured, network sniffing is possible and may lead to information leakage
  • Most vulnerabilities exploited by application-layer attacks cannot be eliminated at the network layer
  • Device spoofing to gain network access
  • Man-in-the-middle (MITM) attacks are possible if mutual authentication is not implemented
  • Flooding attacks

2. New security threats in the IPv6 protocol family

IPv6 has undergone significant changes in the protocol family compared to IPv4, and the new security threats are as follows:

  • Neighbor Discovery Protocol (ND) attacks: the attacks that targeted ARP, such as spoofing and flooding, still exist against NDP in IPv6. At the same time, the newly added NS and NA messages have become new attack targets, posing threats such as DoS and man-in-the-middle attacks.
  • The newly added ICMPv6 protocol is an important component of IPv6 and is exposed to threats such as DoS and reflection attacks;
  • IPv6 supports stateless address autoconfiguration, which may make it easier for unauthorized users to join and use the network, posing a spoofing threat;
  • Although network scanning is hard to carry out in an IPv6 environment, active host information can still be collected through IPv6 prefix information gathering, tunnel address guessing, false routing announcements and DNS queries. Obtaining IPv6 address ranges and host information through DNS may become attackers' preferred path, and attacks on DNS systems will become more rampant.
  • IPv6 still supports multicast addresses, which are exposed to threats such as scanning, sniffing and even impersonation of key DHCP servers and routers.
  • IPv6 routing protocol attacks: RIPng and PIM rely on IPsec. OSPFv3 provides no authentication of its own and relies on the IPv6 security mechanism to guarantee the legitimacy of its messages; if that mechanism is not configured, OSPFv3 routers are exposed to spoofing threats.
  • Mobile IPv6 spoofing attacks: mobile IPv6 nodes can communicate directly with other nodes from wherever they attach to the network without changing their IP addresses. While this provides mobility and convenient communication, the non-fixed nature of mobile nodes also gives attackers opportunities, for example forged Binding Update messages.
  • MLD spoofing and flooding attacks.

3. New security threats in IPv6 protocol message format

The RFC standards for IPv6 are still being developed and updated, and the protocol itself has had vulnerabilities; every device that implements the IPv6 protocol is affected by such a vulnerability. The new security threats are as follows:

  • Vulnerabilities in the protocol itself, such as the IPv6 Type 0 Routing Header denial-of-service vulnerability, which RFC 5095 fixed in December 2007 by deprecating the Type 0 Routing Header among the IPv6 extension headers;
  • IPv6 Fragmentation Attack
  • IPv6 Extension Header Attack
  • ND DAD attack (Duplicate Address Detection)
  • ND Router Advertisement spoofing, DoS, and man-in-the-middle attacks
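
Several of the threats listed in this section (NS/NA and RA spoofing, DAD attacks, rogue routers) are detectable at the first hop because Neighbor Discovery messages have fixed properties: they arrive with Hop Limit 255, come from link-local sources, and a given segment has a known set of legitimate routers and prefixes. The following is an added example, not code from the article, of RA-guard-style inspection in Python: it parses an ICMPv6 Router Advertisement (type 134) with its Prefix Information options (RFC 4861) and reports every policy violation. The authorized router and prefix lists and the three sample RAs are constructed for the demonstration.

```python
import ipaddress
import struct

ICMPV6 = 58                  # IPv6 Next Header value for ICMPv6
ND_ROUTER_ADVERT = 134       # ICMPv6 type of a Router Advertisement
ND_OPT_PREFIX_INFO = 3       # Prefix Information option (RFC 4861)

# Constructed policy (not from the article): the routers allowed to announce
# themselves on this segment and the prefixes they are allowed to announce.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
AUTHORIZED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}


def build_ra(src, prefixes, hop_limit=255, router_lifetime=1800):
    """Constructed IPv6 + ICMPv6 RA to ff02::1 (checksum left 0; sample input only)."""
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        # type, length (8-byte units), prefix length, L|A flags, valid, preferred, reserved, prefix
        body += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0) + net.network_address.packed
    header = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("ff02::1").packed + body)


def inspect_ra(packet):
    """Return policy findings for one RA; an empty list means the RA is acceptable."""
    if len(packet) < 40 + 16:
        return ["truncated packet"]
    if packet[6] != ICMPV6:
        return ["not an ICMPv6 packet"]
    icmp = packet[40:]
    if icmp[0] != ND_ROUTER_ADVERT:
        return ["not a Router Advertisement"]
    findings = []
    src = ipaddress.IPv6Address(packet[8:24])
    # RFC 4861: ND packets are sent with Hop Limit 255; anything less crossed a router or was forged
    if packet[7] != 255:
        findings.append(f"hop limit {packet[7]} != 255")
    if not src.is_link_local:
        findings.append(f"source {src} is not link-local")
    if src not in AUTHORIZED_ROUTERS:
        findings.append(f"source {src} is not an authorized router")
    # Walk the option TLVs; length is in 8-byte units and zero is malformed
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:
            findings.append("zero-length ND option (malformed)")
            break
        opt = icmp[off:off + opt_len * 8]
        if opt_type == ND_OPT_PREFIX_INFO and len(opt) == 32:
            prefix = ipaddress.IPv6Network((ipaddress.IPv6Address(opt[16:32]), opt[2]),
                                           strict=False)
            if prefix not in AUTHORIZED_PREFIXES:
                findings.append(f"unexpected prefix {prefix} announced")
        off += opt_len * 8
    return findings


# Constructed sample traffic, not a capture
LEGIT_RA = build_ra("fe80::1", ["2001:db8:1::/64"])
ROGUE_RA = build_ra("fe80::dead:beef", ["2001:db8:bad::/64"])        # unknown router, wrong prefix
ROUTED_RA = build_ra("fe80::1", ["2001:db8:1::/64"], hop_limit=254)  # hop limit already decremented

if __name__ == "__main__":
    for name, ra in (("legit", LEGIT_RA), ("rogue", ROGUE_RA), ("routed", ROUTED_RA)):
        print(name, inspect_ra(ra) or "OK")
```

In production this logic lives in the switch (RA guard) or in a monitoring sensor on the segment; the value of the example is in showing which header fields carry the signal, and that a rogue RA is caught both by its unauthorized source and by the prefix it tries to push onto hosts.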

4. IPv6 itself brings new security threats

As with IPv4, when devices and applications implement IPv6 support, developers of differing software development capability may introduce a variety of security vulnerabilities in their IPv6 protocol software and algorithm implementations.

According to the 2017 IPv6 Support Report released in November by the Global IPv6 Testing Center of the Next Generation Internet National Engineering Center:

About 75% of current operating systems install the IPv6 protocol stack by default, about 65% support DHCPv6, and about 50% support ND RDNSS. Among them, mobile operating system support for IPv6 has moved from the laboratory to the application stage: Android 4.2, iOS 4.1, Windows Phone 6.5 and Symbian 7.0 all support IPv6 and install it by default, and all newer versions released after these do as well. As for DHCPv6, iOS has supported stateless DHCPv6 since 4.0 and stateful DHCPv6 since 4.3.1; Windows Phone supports DHCPv6 Lite, while Android does not support DHCPv6. As for the Neighbor Discovery (ND) RDNSS option, iOS currently supports ND RDNSS, and Android 5.0 and above also support it. An operating system that supports neither DHCPv6 nor ND RDNSS cannot automatically configure its DNS resolver in an IPv6-only network.

Application software is also gradually beginning to support IPv6 to meet users' needs, but support is still uncommon and only some basic applications support IPv6.

A small portion of basic application software already supports IPv6, including browsers such as the IE series, Chrome, Firefox and Opera, and download and mail client software such as FileZilla3, SmartFTP4 and Outlook. However, among domestically developed basic applications, apart from browsers, download software and instant messaging software cannot be used normally in an IPv6 environment.

Improper security implementation of various software may introduce IPv6 protocol security vulnerabilities, and security coding and quality assurance activities need to be carried out well.

The following are typical vulnerabilities in the implementation of the IPv6 protocol stack.

  • Python getaddrinfo() remote IPv6 buffer overflow
  • Apache remote IPv6 buffer overflow
  • Postfix IPv6 unauthorized mail relay vulnerability
  • OpenBSD remote code execution in the IPv6 stack

5. New security threats during the evolution from IPv4 to IPv6

The transition from IPv4 to IPv6 is a long process. While IPv4 and IPv6 coexist, the various measures taken to interconnect the two bring new security risks, such as denial-of-service and man-in-the-middle attacks against tunnels and denial-of-service attacks against NAT-PT.

The evolution from IPv4 to IPv6 involves dual stack, tunnel, and translation technologies. The main security threats are as follows:

  • Dual stack: many operating systems support dual stack and enable IPv6 by default. However, the IPv6 security policy is often not hardened the way the IPv4 policy is, and automatic configuration is not supported, so even on a network where IPv6 has not been deployed, such dual-stack hosts can be attacked over IPv6.
  • Tunnels: almost no tunnel mechanism has built-in security features such as authentication, integrity or encryption. Attackers can intercept tunnel packets at will and inject attack traffic into the tunnel by forging the outer and inner addresses to impersonate legitimate users, posing spoofing, tampering and flooding threats.
  • Translation: it involves payload conversion and cannot support end-to-end IPsec, and it is exposed to DDoS threats such as the address pool exhaustion common to NAT devices.

5. Discussion on Internet IPv6 Network Security System and Strategy

With the increase in applications, faster speeds and larger scales in next-generation IPv6-based networks, IPv6 networks are facing new security risks.

For Internet networks, security is an important factor in ensuring the healthy development of the network. As an important aspect of IPv6 network construction, the supporting construction of the IPv6 network security assurance system requires comprehensive consideration of network security needs during the IPv6 network design phase to enhance the overall security of the network architecture.

The network security assurance system can be divided into two levels: static security protection system and dynamic security operation system.

According to ITU-T X.805 (the security architecture for end-to-end communication systems), a network can be divided into the infrastructure, services and applications layers, and each layer into three planes: management, control and data (end-user). A variety of technical means are used to isolate and control these, and corresponding security protections are implemented on each plane so that every plane has the eight security dimensions: access control, authentication, non-repudiation, data confidentiality, communication security, data integrity, availability and privacy.

The dynamic security operation system can realize the dynamic discovery and management of network security risks through the supporting construction of security infrastructure such as security detection and response and related security management organizations, systems and processes.

The overall network security assurance system can be shared with IPv4. However, starting from an IPv4-based network, the strategy for upgrading to IPv6 must be determined: based on the characteristics of IPv6 and the threat analysis above, identify and fill the gaps in IPv6 security products, set the pace of the transformation (covering LVS, DNS and other types of servers, network equipment, anti-DDoS equipment, firewalls and so on), upgrade the security system, and make good use of the security enhancements of the IPv6 protocol itself in combination with the actual business to strengthen IPv6 security protection. At the same time, strengthen research on network security technology, management and mechanisms across the business areas of the IPv6 environment, especially emerging fields such as the Internet of Things, cloud computing, big data and artificial intelligence, promote the development of new security services and applications, and form a world-leading next-generation Internet technology industry system.

6. IPv6 Network Security Hardening Recommendations

Although IPv6 has enhanced its security mechanism compared to IPv4, the introduction of a new protocol will inevitably introduce new security issues and affect the existing network security technology system. Therefore, it is very important to be familiar with existing services and networks, the status quo of IPv6 and its security, and to deploy targeted security reinforcement.

There are different security response technologies, measures and methods for different IPv6 network security risks. It is necessary to adopt appropriate IPv6 security solutions and measures to build IPv6 network security and security assurance capabilities in emerging fields under the IPv6 environment.

The following typical IPv6 network security hardening suggestions are for reference.

  • Ensure isolation and access control between all layers and security domains of the IPv6 network to minimize the security impact;
  • Reasonably manage and control resource access between the IPv6 management, control and data planes, and adopt corresponding protection and control measures in each plane's security domain according to its characteristics. Where dual stack is implemented, apply strict network filtering and access control on IPv4/IPv6 dual-stack devices so that IPv4 and IPv6 security issues do not affect each other;
  • Ensure authentication and authorization of IPv6 network access in the management and control planes, formulate a comprehensive border protection strategy to keep out malicious devices and users, and, according to actual business conditions, make effective use of the IPsec features of IPv6 and of source address filtering to strengthen protection within each plane;
  • The control plane should protect the newly added ICMPv6 protocol. Select appropriate measures according to the actual situation, such as configuring an ACL whitelist that allows only the necessary ICMPv6 and other messages to pass, disabling ICMPv6 redirects on interfaces, stopping ports from sending RA messages, disabling the sending of ICMP unreachable messages, and disabling source routing to prevent Type 0 Routing Header attacks.
  • The control plane uses IPsec, authentication and whitelist policies to protect protocols such as IPv6 routing;
  • The management plane is handled as in IPv4 networks: minimize the attack surface through whitelist policies and disable unused IPv6 services;
  • The data plane is handled as in IPv4 networks: configure ACL whitelist policies, shut down unnecessary services, prohibit source routing and deploy IPv6 uRPF.
  • Provide security detection and protection on DNS against IPv6 scanning and sniffing;
  • Strictly limit the number of fragments of one IPv6 packet and set a reasonable fragment reassembly timeout;
  • Configure the maximum number of ND entries a port may learn, and limit the number of extension headers and the number of instances of the same extension header type;
  • IPv6 networks involve many kinds of servers, terminals, network devices and application software. Their design and development must follow mature security engineering methods and specifications to ensure the security quality of the IPv6 protocol stack, and known vulnerabilities must be detected and fixed.
  • Mature open-source security toolkits for IPv6 protocol attacks already exist, such as THC-IPv6 and the SI6 Networks ipv6-toolkit. Before IPv6 networks and protocols go into operation, robustness tests, penetration tests and security quality assessments should be performed on the IPv6 protocol stacks of all parts of the network so that security risks are reduced in time.
  • Based on the characteristics of IPv6 and the threat analysis, determine the strategy for upgrading from IPv4 to IPv6, identify and fill the gaps in IPv6 security products, set the pace of the transformation, and upgrade the security system.
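
Two parts of this article come together in one piece of code: section 2 describes the 8-field IPv6 basic header with all options moved into a chain of extension headers, and the hardening list above asks to disable Type 0 Routing Headers and to limit both the number of extension headers and the number of instances of the same type. The following is an added example, not code from the article, of a Python checker that parses the basic header, walks the Next Header chain (using the length encodings of RFC 2460 for options and routing headers, the fixed 8-byte Fragment header, and the 32-bit-word encoding of AH), and applies such a policy. The policy limits and the sample packets are constructed for the demonstration; it also flags a Hop-by-Hop Options header that is not first, which RFC 2460 requires.

```python
import struct
from collections import Counter

# Extension header types walked by this checker (Next Header values)
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
               50: "ESP", 51: "AH", 60: "Destination Options"}
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60

# Constructed policy (not from the article): how many extension headers a packet
# may carry, how many instances of each type, and whether RH0 is accepted.
POLICY = {"max_ext_headers": 4,
          "max_same_type": {DEST_OPTS: 2},   # RFC 2460 allows Destination Options twice
          "allow_rh0": False}                # RFC 5095 deprecated the Type 0 Routing Header


def parse_ipv6(packet):
    """Split the 40-byte basic header into its 8 fields."""
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    return {"version": first >> 28, "traffic_class": (first >> 20) & 0xFF,
            "flow_label": first & 0xFFFFF, "payload_length": payload_len,
            "next_header": next_header, "hop_limit": hop_limit,
            "src": packet[8:24], "dst": packet[24:40]}


def walk_extension_headers(packet):
    """Follow the Next Header chain. Returns ([(type, offset, routing_type)], upper_layer)."""
    chain, nh, off = [], packet[6], 40
    while nh in EXT_HEADERS:
        if nh == ESP:                      # everything after ESP is encrypted; stop here
            chain.append((nh, off, None))
            return chain, ESP
        if off + 8 > len(packet):
            raise ValueError(f"truncated {EXT_HEADERS[nh]} header at offset {off}")
        if nh == FRAGMENT:
            length = 8                     # fixed size, no length field
        elif nh == AH:
            length = (packet[off + 1] + 2) * 4   # AH Payload Len is in 32-bit words minus 2
        else:
            length = (packet[off + 1] + 1) * 8   # Hdr Ext Len is in 8-byte units minus 1
        routing_type = packet[off + 2] if nh == ROUTING else None
        chain.append((nh, off, routing_type))
        nh, off = packet[off], off + length
    return chain, nh


def check_chain(packet, policy=POLICY):
    """Apply the policy to one packet; an empty list means the header chain is acceptable."""
    if parse_ipv6(packet)["version"] != 6:
        return ["not an IPv6 packet"]
    try:
        chain, _upper = walk_extension_headers(packet)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if len(chain) > policy["max_ext_headers"]:
        findings.append(f"{len(chain)} extension headers exceed limit {policy['max_ext_headers']}")
    for ext_type, count in Counter(t for t, _, _ in chain).items():
        if count > policy["max_same_type"].get(ext_type, 1):
            findings.append(f"{EXT_HEADERS[ext_type]} header appears {count} times")
    for index, (ext_type, _, routing_type) in enumerate(chain):
        if ext_type == HOP_BY_HOP and index != 0:
            findings.append("Hop-by-Hop Options header is not immediately after the IPv6 header")
        if ext_type == ROUTING and routing_type == 0 and not policy["allow_rh0"]:
            findings.append("Type 0 Routing Header present (deprecated by RFC 5095)")
    return findings


# --- constructed sample packets (not captures) ---------------------------------------------
def ipv6(next_header, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def ext_header(next_header, body):
    """Generic 8-byte-aligned extension header: Next Header, Hdr Ext Len, then body (padded)."""
    body += b"\x00" * ((-(2 + len(body))) % 8)
    return bytes([next_header, (2 + len(body)) // 8 - 1]) + body


UDP = b"\x30\x39\x00\x35\x00\x10\x00\x00hello!!!"
PADN = b"\x01\x04\x00\x00\x00\x00"                      # PadN option filling an options header
RH0_BODY = bytes([0, 1]) + b"\x00" * 4 + bytes.fromhex("20010db8000000000000000000000003")
SIMPLE = ipv6(17, UDP)
RH0_PKT = ipv6(ROUTING, ext_header(17, RH0_BODY) + UDP)
FLOOD = ipv6(HOP_BY_HOP, ext_header(DEST_OPTS, PADN) + ext_header(DEST_OPTS, PADN) * 4
             + ext_header(17, PADN) + UDP)
BAD_ORDER = ipv6(DEST_OPTS, ext_header(HOP_BY_HOP, PADN) + ext_header(17, PADN) + UDP)

if __name__ == "__main__":
    for name, pkt in (("simple", SIMPLE), ("rh0", RH0_PKT), ("flood", FLOOD), ("order", BAD_ORDER)):
        print(name, check_chain(pkt) or "OK")
```

The checker stops at ESP because nothing behind it is visible to an intermediate device, which is exactly why the article notes that forwarding equipment only needs to forward IPsec-protected packets. Real devices apply the same limits in hardware, but the offsets and length rules above are what a filter must get right to avoid being bypassed by a long or unusual header chain.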
