
How new research aims to protect our privacy on IPv6 networks

IPv6: It's new, and because of that, likely to have security issues. Find out why lack of privacy doesn't have to be one of them.

Are you ready? IPv6 Day is just around the corner on June 8, 2011:

"Google, Facebook, Yahoo!, Akamai, and Limelight Networks will be some of the organizations offering their content over IPv6 for a 24-hour 'test flight'."

The website explains:

"The goal is to motivate organizations -- Internet-service providers, hardware makers, operating-system vendors and web companies -- to prepare their services for IPv6, ensuring a successful transition as IPv4 addresses run out."

I use Gmail as an aggregator, so I'm more than a little interested in how June 8th turns out. Why? Once you get past the rhetoric, IPv6 Day is all about finding out what breaks.

IPv6 can't shake security issues

During the past four years, I have written a lot about IPv6. I even gathered up enough courage to record several podcasts with Joe Klein, a noted authority on IPv6. That effort cemented something for me. IPv6 is more complex than I imagined -- something security geeks do not like to hear.

IPv6 addresses many security lapses that surfaced using IPv4. But, IPv6 also introduces new security concerns. One that comes up often is how all networked devices will have a routable IP address using IPv6, thus exposing them to the vagaries of the Internet.

Visibility lessens privacy

With every device accessible via the Internet, it becomes easier to track individuals by their address. This is not lost on a group of Virginia Tech researchers, who in an earlier paper determined:

"Autoconfigured addresses, the default addressing system in IPv6, provide a third party a means to track and monitor targeted users globally using simple tools such as ping and trace route. Signed messages also expose the identities of both the sender and receiver to a third party."

The research team didn't care much for that, particularly when the default addressing scheme used by IPv6 exposes the device's MAC address to the Internet world. So they devised a deterrent called Moving Target IPv6 Defense (MT6D), which provides:

"A means for hosts to communicate with each other over the public Internet while maintaining complete anonymity from targeting, tracking and traffic correlation."

This is a big deal. The research team of Stephen Groat, Matthew Dunlop, William Urbanski, Randolph Marchany, and Joseph Tront has a patent pending for their work, and took third-place honors at the 2011 National Security Innovation Competition.

It seems to me the team has overcome the privacy issue. But, knowing just enough about IPv4 and IPv6 to be dangerous, I felt it best to ask the researchers to explain what they accomplished.

Kassner: The research paper mentions privacy implications arise when using stateless address auto-configuration in IPv6. Could you explain what stateless address auto-configuration is and why it impacts privacy?

Research team: Stateless Address Autoconfiguration (SLAAC) is a method IPv6 hosts use to self-configure addresses. Having hosts configure their own addresses reduces the management burden placed on network administrators. This is a change from IPv4 where hosts were issued addresses from a DHCP server.

The problem with SLAAC is that host addresses or interface identifiers (IIDs) stay the same regardless of the subnet they connect to. The default addressing scheme, referred to as the 64-bit extended unique identifier (EUI-64), uses the MAC address as the IID. The result is that an attacker, armed with a list of subnets and a host's MAC address, can track and attack the host from anywhere in the world.

Kassner: I have read that newer versions of Microsoft operating systems use privacy extensions to conceal the MAC address portion. Isn't that sufficient?

Research team: Privacy extensions are an improvement, but they only protect the client from attack and leave the server vulnerable. Since privacy extensions do not change often enough to prevent network attacks, they are not effective for globally available systems that require static addressing to ensure connectivity, like web servers or VPN endpoints.

These systems are still easy to target for attack. Also, privacy extensions are primarily implemented for web traffic communications. Other technologies, such as VoIP and VPNs, cannot function with privacy extensions.

The privacy extensions used by the Windows OS also rely on another IPv6 address that is used in neighbor discovery, local DNS, and other functions. This address is static and is reachable by other hosts. An attacker that observes this address can use it to attack a target machine.

Kassner: The research team's answer for increased privacy and security is MT6D, a system whereby the sender's address and the receiver's address are dynamically changed. What does this accomplish?

Research team: Dynamically rotating addresses preserves the privacy, anonymity, and security of communicating hosts. Our technique is analogous to frequency hopping. An attacker observing network traffic sees multiple unique host pairs communicating on the network when really the same two hosts are communicating.

The attacker has no information as to the actual identities of either communicating host nor can the attacker easily target a specific address for attack.

Kassner: MT6D also encrypts the message traffic. Does that mean IPsec would no longer be required?

Research team: MT6D can be seen as an enhancement to IPsec. IPsec is able to encrypt network traffic but requires static addresses. If IPsec is deployed at a host or gateway, an attacker can prevent communication by launching a denial of service attack against the host or gateway.

MT6D provides network-layer encryption and also dynamically obscures addresses. An attacker cannot eavesdrop on MT6D-encapsulated network traffic, just as in IPsec, and the attacker cannot find a static target to launch a denial of service attack against.

Kassner: Your report points out:

"A key feature of MT6D is that address changes can be made mid-session between two hosts without causing connection reestablishment or breakdown."

This is unique, isn't it? Are you altering the 3-way TCP handshake?

Research team: MT6D creates a tunnel that encapsulates all traffic and does not modify the TCP 3-way handshake. Tunneling limits the overhead of TCP sessions by treating all layer-4 protocols equally. Address rotation occurs mid-session without disturbing existing sessions or causing additional 3-way handshakes.

Kassner: The paper made mention that MT6D is designed to thwart certain network attacks. Which ones? Is that because dynamic addresses are used?

Research team: MT6D can prevent many targeted network attacks (e.g. denial of service) and application-layer exploits as well. It does this by dynamically obscuring the target host's address. Since the size of the IPv6 network is so vast, it is statistically infeasible for an attacker to locate a host by scanning.

Even if an attacker attacks a host address learned through sniffing, the duration of the attack is at most the time between address rotations.

Kassner: The paper also mentions that Virginia Tech is the perfect place to test IPv6 applications. Why is that?

Research team: Virginia Tech is one of the few places in the country that has a full-production IPv6 network. In fact, it is the largest campus IPv6 deployment in the US, supporting over 30,000 nodes. The production network allows us to test MT6D in a production environment.

Kassner: I read that MT6D could be applied to IPv4 networks. Does it make sense to do that? Or would it make more sense to convert the networks to IPv6 first?

Research team: Although the MT6D concept would work on an IPv4 network, there are two issues. First, IPv4 subnets are so small that an attacker can exhaustively scan a typical subnet in a matter of minutes. This makes locating targets much easier. Second, IPv4 does not have enough available addresses for addresses to rotate without having address collisions.

IPv6 subnets are 64 bits, meaning that the entire IPv4 address space can fit into a single IPv6 subnet over 4 billion times. Exhaustively scanning a network of this size is currently infeasible.

Also, due to the large IPv6 address space, the probability of address collisions is extremely small. Therefore, it makes the most sense to apply MT6D to IPv6 deployments.

Final thoughts

It appears that MT6D is well positioned to protect user privacy and eliminate several attack vectors despite our computers being directly connected to the Internet.
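
The EUI-64 tracking problem described in the interview, as an added example that is not from the article or the research team: it builds the interface identifier from a MAC address the way RFC 4291 specifies, shows that the identifier is identical on two subnets, and audits a list of addresses for hosts that embed their MAC. The MAC address, the 2001:db8::/32 documentation prefixes and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) for a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host autoconfigures on a /64 when it uses EUI-64 for its IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))

def leaked_mac(addr: str):
    """Return the MAC embedded in an EUI-64 address, or None if the IID is not EUI-64 shaped.

    A random IID can contain ff:fe at this position by chance (about 1 in 65536),
    so treat a hit as a strong hint to verify, not as proof.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)

def audit(addresses):
    """Group addresses by the MAC they expose; addresses with no embedded MAC are skipped."""
    exposed = defaultdict(list)
    for addr in addresses:
        mac = leaked_mac(addr)
        if mac is not None:
            exposed[mac].append(addr)
    return dict(exposed)

# Constructed sample data: one laptop seen on two networks, plus one address
# with a randomized IID of the kind privacy extensions produce.
SAMPLE_MAC = "00:1b:44:11:3a:b7"
HOME = str(slaac_address("2001:db8:1::/64", SAMPLE_MAC))
CAFE = str(slaac_address("2001:db8:2::/64", SAMPLE_MAC))
RANDOMIZED = "2001:db8:1:0:5c3a:91d2:7e04:b1f6"

if __name__ == "__main__":
    for mac, addrs in audit([HOME, CAFE, RANDOMIZED]).items():
        print(f"{mac} is exposed by {len(addrs)} address(es): {', '.join(addrs)}")
```

Running the audit over addresses collected from your own hosts shows which interfaces still use EUI-64 and should be moved to randomized identifiers.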


21 comments
VT-Matt

Recently we received some feedback on MT6D that suggested that MT6D "looks like what Mobile IPv6 / NEMO does." For what it is worth, here was my response to the feedback: Mobile IPv6 tunnels everything through the home agent (HA). Even though tracking the actual host location may be more difficult, an attacker can still attack the HA or capture packets from and to the HA. It is also probably worth mentioning that captured packets can be analyzed to determine the location of the mobile node (MN).

Our technique, MT6D, is quite different from those protocols used for Mobile IPv6, like NEMO. In NEMO, the HA is assigned a static address. Even if the IID of the HA is randomized, it is still static. This means that an attacker can target the HA for attack or traffic correlation. Since the HA receives all traffic destined to or sent from the MN, the HA becomes a valuable attack vector. Additionally, NEMO requires that IPv6 signaling messages be authenticated. The use of authentication may actually reveal the location of the MN. The address of the MN does change in NEMO, but only when the MN moves. A stationary MN can still be targeted.

MT6D works by dynamically obscuring both the sender and receiver addresses. MT6D does not rely on a targetable intermediary to accomplish this, such as a HA. Therefore, there is no single point of failure. Also, MT6D rotates addresses dynamically, as often as the security posture dictates. Address rotations can even occur mid-TCP session without disrupting the session or causing additional handshakes. It is likely that a single session will appear to occur between multiple address pairs. An attacker running a packet sniffer will have difficulty correlating all the packets from the same session. If optional encryption is used, traffic correlation is not possible. Attacking or tracking a target is statistically infeasible in MT6D, since addresses are constantly moving and the address space of IPv6 is too large to search.

NEMO is a good addition to Mobile IP to keep roaming nodes seamlessly connected to the Internet. MT6D could easily be integrated into NEMO to provide security for HAs and even MNs.

pgit

A couple of points made in the interview really wrapped up some concepts about IPv6 for me, I'm starting to wrap my mind around some of this stuff. Thanks for digging into this for us, Michael. I would have more questions around this statement: "Tunneling limits the overhead of TCP sessions by treating all layer-4 protocols equally. Address rotation occurs mid-session without disturbing existing sessions or causing additional 3-way handshakes." ...a lot more questions, but I'm rather limited for time at the moment. =( I'd like to see that tunneling (and what feature relegates the L4 protocols to an equal status) mapped out, visually demonstrated somehow. Maybe someone on the team could shoot a video in front of a white board explaining all this...?

seanferd

with mitigation. I actually can't think of another instance. RFC 2460 was published in 1998.

ohiomike12

I think what this means is the group that put together IPv6 failed. So now we have to come up with a 3rd party solution. The same thing had to be done with IPv4 but I don't think the people who put that together had any idea on what would become of the internet. I wish people who knew about the internet and technology would have been involved in the creation of IPv6. I think we are going to miss NAT.

Michael Kassner

Learn how a Virginia Tech research team plans to fix that.

pgit

Everything's ok. The corn is up, peppers blooming, just the right amount of rain. :) But my ISP blocks IPv6 out to their gateway as well. I use opendns and they aren't ready either, or at least they don't respond to v6 requests coming from the ISP's subnets... because in fact there are no requests originating on these subnets. I have been aware of this for a while, a few years since I first enabled IPv6 on my computer, poked around and got isolation and silence. I've talked with a number of their techs, most don't know much about the network layer and TCP/IP in general. But the ones that do have told me (on the qt) that they plan on allowing IPv6 tunneling over IPv4 some day, and I suppose their gateway is going to serve as some kind of proxy. But right there is where I fall down. The VT team's video will (hint-hint) help me understand what's going on there. I have read that there's no such thing as NAT in v6, but it's ludicrous to think that same functionality will not be available. Whatever they call it, this scheme the ISP techs have alluded to will require some proxy to keep track of IPv6 on the outside and destinations of packets in the IPv4 realm in the subnet. I can't get a word on when they'll go full v6. Well, the word I get is it's too expensive to be doing anything now. This is a huge ISP btw, not a mom and pop operation. My house sits a bit out of town on a country road, but we were in one of three regions where this ISP first tested internet over cable. (broadband) I had broadband over cable a year or two before just about the rest of the planet. And this ISP doesn't want to think about full IPv6 compliance, apparently. Doesn't bode well for the protocol, at least in the short run.

JCitizen

Thanks for that Michael! I always suspected my ISP wasn't ready yet, and apparently they aren't - by the results I got. So far my gateway is blocking the IPv6 protocol, and that is the way I set it.

Michael Kassner

I am at fault once again for providing bleeding-edge information. The research team does not have an official paper yet. I think they want to get the patent secured first.

Michael Kassner

It is somewhat disturbing. I am wondering if they assume it will auto-magically be as good as IPv4. It is one complex protocol and we know what that means. I just read a paper mentioning the bad guys are excited about IPv6 Day. They get to try out all sorts of new weapons. I also read that many IDS/IPS sensors will allow IPv6 traffic right through.

Michael Kassner

Joe Klein is a friend of mine and a trusted SME about IPv6, and he says it is okay. But I'm still nervous about every node hanging on the Internet.

Michael Kassner

I'm thinking things would have been a whole lot different if it was only IPv6.

seanferd

there are IPv6 brokers out there to which you can tunnel. I don't know who they are, but I'm sure a search or two will turn them up.

pgit

Starting with an issue of Scientific American back in 1973, that I was drawn to by a photograph of a newfangled thing called a "CPU" on the cover, I read the magazine cover to cover until approximately 2005. (whenever it was they got bought out by some commercial op with a political agenda) A good chunk of it all was so far over my head it looked like a foreign language. But I would force my eyes over it, and let things settle in the dark recesses of my mind. Many years later something would come along, and I'd have an easy time understanding it. I had a foundational bit of knowledge from years earlier, that no doubt "improved with age," as I experienced more the odd stuff I'd read "in the dark" started to make sense. I firmly believe in the value of stashing as much diverse, cutting edge stuff in your head for it to ferment and eventually reveal itself, often when a new datum arrives. You don't have to consciously know all the things you read, but you are money ahead having read it. You are about the only source of IPv6 knowledge I am following at the moment. I always read all the links you provide, and your interviews are concise and informative. Some of the stuff you've written about is in that class of "oh well, maybe this'll make sense later." But some of it I am starting to get now, this article in particular. Like I said in the other post I'd love to see this visualized somehow. I think that might nail the fundamentals of the beast to where I'd feel comfortable actually using v6. Here's hoping the VT crew gets that patent and then gets handsomely rewarded. :) BTW my brother and his wife were both professors at VT until last fall, when bro became a dean elsewhere. (he was head of the biology dept and taught forestry) They still have their house in Eggleston and plan on retiring there. It's about my favorite place on the planet, geologically (and climatically) speaking. Lucky stiffs...

seanferd

I should have suspected that IPv6 Day would be used as a testing ground by the criminal element as well. I hadn't consciously thought about it, but I suppose that if someone were to make some comment on how IPv6 would make users safer from the bad guys, I'd have said, "yeah, right". As to IDS/IPS, firewalls, etc., I, and others, still are mocked for telling folks with IPv6 turned on, but un-configured and unused, to turn it off. Because since XP SP3 and Vista, MS has made sure you are perfectly safe by default. (This could even be true, but does not account for other network hardware, especially the large installed base of old stuff.) We're "just anti-MS", never mind that we don't address this as being any sort of MS-specific issue. What I can say is that there are a whole lot of clueless people excited about IPv6 day and wanting to take part. Good luck to them - I'm sure they will help make an effective test-bed of average users. Data-out from these folks may not be readily had, on the other hand.

JCitizen

I doubt I'll notice the lack of connectivity for a while. I also doubt my IDS could handle it either.

pgit

I've always seen that option (allow tunneling) in the various Linux distros I frequent, never thought much about it before. Maybe I should poke around to get my feet wet with some IPv6.

Michael Kassner

Matthew Dunlop, one of the researchers, emailed me today. He would love to share the inner-workings. But he affirmed my earlier guess. They have to be careful with the project IP right now.

Michael Kassner

I try to osmose as much as I can. My problem is that when my articles get posted, I am already knee deep in another one, trying to figure out what these brilliant academics are talking about. Virginia Tech is always cutting edge. And, as you say, the area is not too shabby.
