Broadband

IPv6 early adopters cautioned


Early adopters of IPv6 have been warned that an oversight in the IPv6 specifications could leave networks vulnerable to DDoS attacks. The issue is caused by Type 0 Routing Headers. These headers allow the source of a data packet to specify addresses via which that packet should be routed.

Type 0 Routing Headers have presented a major security issue and are disabled by default in almost all IPv4 routing engines. The Type 0 Routing Header feature enables something often described as loose source routing; this can be exploited by attackers to create a loopback style denial of service attack. Packets can be sent to node A with a routing path directing it via node B, then back to node A, and so on. The packets will bounce backwards and forwards quickly increasing traffic. In IPv4 up to nine additional routing addresses can be added to the headers; this has increased to 88 under IPv6 specifications, which obviously increases the potential for trouble by the same factor. The Register reports one network engineer saying, “It is exactly that: The reintroduction of the IPv4 loose source routing mechanism in the IPv6 world and on steroids.”

There are two solutions to the problem: get rid of the feature completely or ensure that everyone turns it off unless it’s really needed. Many routers as well as BSD-based operating systems have already disabled Type 0 Routing Headers, automatically dropping any packets that contain them.

Surprisingly, Cisco did not seem to pick up on this. Although IPv6 is disabled as default on most Cisco routers, the Type 0 Routing Headers are not always filtered once IPv6 is enabled. Cisco has released an advisory and accompanying fix. The advisory cautions users that if exploited, this vulnerability could cause memory corruption which creates the opportunity for remote code execution. This ultimately opens up the potential for full compromise of the route. If code execution fails, then the attempt will likely crash the device causing a denial of service.

So far exploitation of this hasn’t been observed in the wild. While migration to IPv6 is seen as unavoidable in the longer term, there are very few adopting the technology at this time. As adoption of IPv6 slowly increases, we will likely see a few more oversights and glitches such as this one being ironed out.

The adoption of IPv6 is being driven primarily by the exhaustion of IPv4 address space. While some time ago the issue of address consumption made the deployment of IPv6 look quite urgent, the introduction of classless inter-domain routing (CIDR) and network address translation (NAT) has alleviated much of this concern in the short term. Reports from organisations such as Cisco and APNIC estimate that IPv4 address space could be consumed entirely anytime from 2011 – 2023, depending on whether or not unused addresses can be reclaimed. The White House’s Office of Management has mandated that all federal agencies must have moved their backbones to IPv6 by June 2008 -- the US Department of Defence also aims to complete its transition by 2008.

This blip is a reminder to organisations that while a transition to IPv6 may not be essential in the short term, it is slowly creeping up on us and will eventually be unavoidable.

I would be interested to hear about your thoughts on IPv6. Has anyone deployed it yet?

4 comments
Regulus
Regulus

Related to IPv6 is Toredo Tunneling. (Google this) Hit your unit with an ipconfig /all to reveal it's presence. Why is it there? What is it related to? How do I get rid of it? No, there is no reason for it to be there. Does not dump with ipconfig /release. Not listed in IP Properties. Yes, i'm very, very paranoid about this.

PhilippeV
PhilippeV

It's high time to consider IPv6 seriously, because we'll need it for true Plug-n-Play appliances and for true interoperability between multiple operators from a single personal network spanning multiple Internet providers (allowing freedom of choice of the operator, or the selection of multiple operators, depending on the access technology). We'll also need it for mobile Internet (including on the road, i.e. in cars or in mobile phone). It issignificant that most IPv6 early adopters are found in Japan, due to the more advanced development of mobile Internet and the multiplication of home appliances with internet connectivity. For now, the solutions deployed are focusing too much on routers provided by asingle operator which are expected to connect all home appliances through that single operators, but this strategy is not what consumers are expecting: they want freedom of choice for their operator, and no complex configuration for their appliances so that they work through their home routers. The industry would like to be able to sell various kinds of devices that have Internet connectivity (remember the huge number of electronic devices we already have: why can't they interoperate through a single unified technology based on IP networks, instead of too many incompatible plugs and cables?) Now if you think about the future: you'll want thesedevices to remain usable separately without being boundto a single home router. Of course most of these devices won't allow you to browse the web (why would they always need a screen, keyboard or mouse?), but other interesting features would be wishable such as control from remote, autodiscovery, extension of their features through other neightbour devices implementing some missing features, firmware upgrades, customer services. So rethink about whatyou have now, you'll want to be able to connect to a unified network not just a handlful of devices but possibly several dozens of them; if everyone must get an IP address bock large enough for connecting so many devices, without having to solve complex configuration systems, we need IPv6. It's also high time to break the barrier that Internet providers have made, trying to catch all the Internet uses through their single router, with limited capabilities, and lack of standard configuration (because in IPv4, it only works through NAT/PAT, something that is really not Plug'n'Play and too complex to configure correctly and securely). What users want: an private IP network for life, that they configure only once, where ever they are, andcanconnect to any number of ISP (from the Internet it may be seen as multiple separate networks, but from the user's private network, it will be viewed as a single permanent network, with transparent connectivity to the Internet, using for each device the best Internet connection that is just enough to complete the service in a cost effective way.) This is currently not possible with IPv4 or really a nightmare to configure (and to reconfigure if one changes of ISP, using another router configured differently). What are hardware manufacturers doing to allow such explosion of Internet-enabled devices, breaking the dependency about a single ISP for the interoperability of their products? Let's adopt IPv6 sooner, and stop the nightmare of NAT routing! ---- The discussed problem of "loose IP routing" should not have been extended from IPv4 to IPv6, this wasreally not needed, not even for early deployment. What was needed instead is more work on the Plug-n-Play autoconfiguration features of IPv6 which are the most promizing and really justifying the move to IPv6; this "loose IP routing" feature is just made for internal management of the Internet provider infrastructure, it is not made for home users and should not cross gateway bounderies and so should be disabled by default, except on internal routers within a network with the same management authority (or within a private virtual network transported through VPNs or isolated links like fibers). This warning is not about a new feature, IPv6 is not suddenly more dangerous than IPv4 which already has that feature for the same purpose.

pveijk
pveijk

I was commissioned to write a report on practical implementations of IPv6. It is in dutch, but an english abstract will be available soon. If you send any mail to ipv6@getresponse.com (you will need to opt-in), I will send you the english abstract now, as well as the full english report when it becomes available. The bottom line: you will need to be aware of IPv6 and it might save you money.

Editor's Picks