Semantic differences of IPv6

Francesco Prelz

INFN, sezione di Milano

(and members of the HEPix IPv6 group)

Summary

  1. There are semantic differences between IPv4 and IPv6.
    • That prevent applications from being transport-layer agnostic
    • even once all syntactic differences are taken into account (e.g. the different address length, looking for a port number after the first colon in an address string, mistaking 'defa(ult)' for a hex number, etc.)
  2. Some of these have implications on security.
  3. Knowledge of these differences allows one to gauge the complexity of certain IPv6 porting issues outlined in subsequent talks.

Main semantic differences of IPv6 (1)

1. Every network end-point is always associated to multiple active network addresses.

Main semantic differences of IPv6 (2)

2. IP route assignment.

Main semantic differences of IPv6 (3)

3. IP address and DNS server assignment.

IPv6 differences with an impact on security (1)

Implementations are required by the protocol specs to process extension headers for functions that used to be optional under IPv4 (IPsec, QoS, mobile IP support). Other functions are implemented anew (DHCP, neighbor discovery, anycast, multicast).
  • New code in network stacks is a wonderful chance for anyone looking for exploitable vulnerabilities. Only time and adoption will tell how many there are.
The address space is notoriously larger (128 bits: about 340 undecillion addresses, 2^120 possible unicast addresses, of which 2^112 public addresses in the 2001:: range can be allocated already).
  • A brute force scan is impractical. However, while it may be wise to allocate non-contiguous addresses, there are plenty of other methods to find possible attack targets in a given network.
  • Address collision becomes a much less likely indicator of an unauthorised address.

IPv6 differences with an impact on security (2)

Much functionality needed by the protocol (Neighbor Discovery, MTU discovery, Mobility) is now part of ICMPv6 at layer 3. Layer 3 communication must therefore automatically work at least for hosts on the same network link.
  • There are many new messages in ICMPv6, and there is an RFC (4890) just to specify minimal firewall rules for IPv6 access.
  • Neighbor Discovery operates on local multicast.
  • ICMPv6, on the other hand, explicitly prohibits responding to or amplifying requests that are sent to multicast addresses (e.g. FF02::1, all-link-local-nodes; FF05::2, all-routers; see RFC 2373).
Intermediate equipment is not allowed to fragment packets.
The minimal MTU is 1280 bytes.
  • Stack implementations could still harm themselves by creating smaller intermediate fragments.
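The colon-parsing pitfall from the summary and the multicast rule above, as an added Python example that is not part of the talk: parse_endpoint, multicast_scope and the sample inputs are this example's own constructions.

```python
import ipaddress

def parse_endpoint(text, default_port=None):
    """Split an 'address:port' literal into (ip, port) for IPv4 and IPv6.

    Naive code treats everything after the first colon as the port; an IPv6
    literal is full of colons, so the RFC 3986 convention brackets it, as in
    '[2001:db8::1]:443'.  An unbracketed IPv6 literal carries no port.
    """
    if text.startswith("["):
        host, closed, rest = text[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed endpoint: {text!r}")
        port = int(rest[1:]) if rest else default_port
        return ipaddress.IPv6Address(host), port
    if text.count(":") > 1:  # only an IPv6 literal contains more than one colon
        return ipaddress.IPv6Address(text), default_port
    host, has_port, port = text.partition(":")
    return ipaddress.IPv4Address(host), (int(port) if has_port else default_port)

# Scope nibble values (RFC 2373 section 2.7) and the two well-known group ids
# quoted on the slide (FF0x::1 all-nodes, FF0x::2 all-routers).
_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x5: "site-local",
           0x8: "organization-local", 0xE: "global"}
_GROUPS = {1: "all-nodes", 2: "all-routers"}

def multicast_scope(addr):
    """Return (scope, group) for an IPv6 multicast address, None for unicast.

    A responder checks this before answering: ICMPv6 must not reply to or
    amplify traffic addressed to a group such as FF02::1 or FF05::2.
    """
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:          # multicast is FF00::/8
        return None
    n = int(ip)
    scope = _SCOPES.get((n >> 112) & 0xF, "reserved/unassigned")
    group = _GROUPS.get(n & ((1 << 112) - 1), "other")
    return scope, group

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the slides.
    for sample in ["192.0.2.10:8080", "[2001:db8::1]:443", "2001:db8::1", "[::1]"]:
        print(sample, "->", parse_endpoint(sample))
    for dst in ["FF02::1", "FF05::2", "2001:db8::1"]:
        print(dst, "->", multicast_scope(dst))
```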

IPv6 differences with an impact on security (3)

The large number of optional protocol headers may mean that upper-layer payload (with port numbers, and other information of potential use to filters and firewalls) is not found in the first fragment so that packet reassembly is required.

To conclude, and partially justify this (worrisome?) list of differences, it may be worth recalling that the IPv6 design was indeed pulled in all directions. Mainly towards:
  1. restoring the internal transparency of the transport layer (by removing intermediate stateful elements such as NATs, Firewalls, etc.);
  2. enabling an easier, and possibly automatic, configuration of the transport layer;
  3. allowing IP mobile applications.
