IPv6 will change network attack surface, albeit slowly: Huston

Changes in security profiles and vulnerabilities, "truly awesome" failure rates and still-evolving administrative techniques mean companies are right to hold off on embracing IPv6 for now, a senior technologist has advised after airing the results of a detailed global study evaluating IPv6 preparedness.

Speaking at this week's IPv6 Summit in Melbourne, Geoff Huston, chief scientist with the Asia Pacific Network Information Centre (APNIC), said that despite the depletion of the IPv4 address space earlier this year, widespread discussion about the need to shift to IPv6 has still failed to translate into widespread support for the protocol, which offers easier management and a massively increased range of possible addresses.

The sheer size of the IPv6 address space, which eliminates the need for the network address translation (NAT) that has helped stave off the exhaustion of IPv4, makes traditional 'plus-one scanning', in which attackers poll the addresses of a subnet one after another until they find a vulnerable host, impossible.

"The vector of infection and attack in IPv6 will be different," Huston explained. "It would take approximately six times the life of the universe to scan a single /48 name space even if you could scan 1 million addresses per second. So, the way in which viruses and malware will rendezvous with the victims in IPv6 will not happen in the same way they do in IPv4. Because plus-one scanning in 4 is easy; plus-one scanning in 6 is impossible."

That said, he added, network administrators should take advantage of IPv6's large address space and introduce randomness into their address assignments rather than using IPv4-like sequential numbering.

This would make even large numbers of Internet-connected clients less obvious targets for attack – although Huston suspects many administrators will struggle to break their old habits. "There will be an endless parade of morons who insist on preparing their v6 with ::1, ::2, and so on," he explained. "Those morons will get infected and there's nothing you or I can do about it."

"But if you actually do the privacy addressing fields and leave it on, and as long as you build in decent randomness in the bottom 64 bits, you won't be discovered by accident. You will only be discovered because of something on the other side, and that makes the entire environment of accidental infection totally different in IPv6. I don't mean it will be totally virus free, but the vector of infection will change – and that's the bit that will make that whole profile of IPv6 radically different than what we know."
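The two points above, that exhaustive scanning of an IPv6 prefix is infeasible and that hosts numbered ::1, ::2 and so on throw that protection away, can be checked with a short script. The following is an added example and not code from the article or from APNIC; the scan-rate arithmetic uses the /48 and one-million-addresses-per-second figures quoted above, and the "guessable interface identifier" heuristic (small integers or hand-typed patterns in the low 64 bits) is an assumption of this example, meant for auditing an address plan, not a standard.

```python
import ipaddress
import secrets

# Approximate age of the universe in seconds (13.8 billion years); assumed constant.
UNIVERSE_AGE_SECONDS = 13.8e9 * 365.25 * 24 * 3600


def scan_time_seconds(prefix_length: int, rate_per_second: float) -> float:
    """Seconds needed to probe every address under an IPv6 prefix at a fixed rate."""
    addresses = 2 ** (128 - prefix_length)
    return addresses / rate_per_second


def scan_time_in_universe_ages(prefix_length: int, rate_per_second: float) -> float:
    """Same figure expressed as multiples of the age of the universe."""
    return scan_time_seconds(prefix_length, rate_per_second) / UNIVERSE_AGE_SECONDS


def interface_id(addr: str) -> int:
    """Low 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def is_guessable(addr: str, small_limit: int = 1 << 32) -> bool:
    """Heuristic (assumed, not a standard): flag interface identifiers that are
    sequential-style small integers (::1, ::2, ..., ::dead:beef) or that use
    only a handful of nonzero hex digits, as hand-assigned addresses tend to.
    Random 64-bit identifiers essentially never trip either rule."""
    iid = interface_id(addr)
    if iid < small_limit:
        return True
    nonzero_nibbles = sum(1 for i in range(16) if (iid >> (4 * i)) & 0xF)
    return nonzero_nibbles <= 4


def random_host_address(prefix: str) -> ipaddress.IPv6Address:
    """Assign a host a cryptographically random 64-bit interface identifier
    under a /64, the 'decent randomness in the bottom 64 bits' Huston asks for."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("host addresses are assigned inside a /64")
    return ipaddress.IPv6Address(int(net.network_address) | secrets.randbits(64))


def audit(addresses):
    """Return the addresses in an address plan that an attacker could guess."""
    return [a for a in addresses if is_guessable(a)]


if __name__ == "__main__":
    # Constructed sample address plan under the documentation prefix 2001:db8::/32.
    plan = ["2001:db8:1::1", "2001:db8:1::2", "2001:db8:1::53",
            "2001:db8:1::dead:beef", str(random_host_address("2001:db8:1::/64"))]
    print("universe ages to scan a /48 at 1M/s:",
          round(scan_time_in_universe_ages(48, 1e6), 2))
    print("guessable:", audit(plan))
```

At one million probes per second a /48 (2^80 addresses) takes about three times the age of the universe, the same order of magnitude as the figure Huston quotes; the audit flags the sequential and hand-typed entries in the sample plan and leaves the randomly assigned host alone.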

It will be some time before the new architecture of IPv6 has any real impact, however: Huston shared research statistics that found IPv6 is still barely registering a blip on the Internet at large.

By setting up a purpose-built Flash ad and distributing it through Google's advertising networks, APNIC was able to query and track end-user computers' ability to resolve IPv6 addresses, which consist of four sets of four-digit hexadecimal numbers rather than the four-number IPv4 addresses that are ubiquitous now. The centre gets around 300,000 impressions per day and has used the data to generate a detailed picture of which systems are most prepared to support the new technology.

That picture offered some surprising findings – most notably that IPv6 is still barely even a blip on the global Internet. The protocol is widely supported in operating systems like Windows 7 and Windows Vista as well as associated applications, but still only managed to increase from 0.2% of installed systems to 0.4% of installed systems since 2008, Huston said.

This was because, with IPv6 enabled by default, clients whose IPv6 path to a dual-stack system did not work waited an average of 22 seconds, per page element, before giving up and reverting to IPv4. This introduced unacceptable delays that drove Microsoft to make IPv4 the default again.

"The theory was that operating systems, if they could use v6, they would use it in preference to v4," Huston said. "That was the rule – so that when you turned on v6 in XP, all of the sudden you'd get a shift – but when IPv6 didn't work, it took 22 seconds to figure out what was happening."

Interestingly, Apple's Mac OS X 'Lion' operating system had resolved the issue, Huston said, by attempting simultaneous IPv4 and IPv6 network requests, then terminating whichever request took longer to resolve. This had driven a rise in direct 'unicast' IPv6 traffic from Macs since July, when Lion was released.
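The difference between the two behaviours described above, a long serial timeout before falling back to IPv4 versus racing both address families and keeping whichever connects first, is easy to see in a simulation. The following is an added example, not code from the article or from either vendor: the network paths are simulated objects with fixed delays (scaled so that "22 seconds" becomes 0.22 s), and `sequential_connect` and `race_connect` are hypothetical names for the two strategies, not any operating system's API.

```python
import queue
import threading
import time


class SimulatedPath:
    """A constructed stand-in for a TCP connect over one address family:
    it takes `delay` seconds and then either succeeds or fails."""

    def __init__(self, label: str, delay: float, succeeds: bool):
        self.label, self.delay, self.succeeds = label, delay, succeeds

    def connect(self, timeout: float) -> bool:
        # Block for as long as the connect would take, capped at the timeout.
        time.sleep(min(self.delay, timeout))
        return self.succeeds and self.delay <= timeout


def sequential_connect(paths, timeout):
    """Old behaviour: prefer the first family, wait out its full timeout, then
    fall back to the next one. Returns (winning label or None, seconds spent)."""
    start = time.monotonic()
    for path in paths:
        if path.connect(timeout):
            return path.label, time.monotonic() - start
    return None, time.monotonic() - start


def race_connect(paths, timeout):
    """Parallel behaviour: start every family at once and return the first
    success; the slower attempt is simply abandoned."""
    results = queue.Queue()
    start = time.monotonic()

    def worker(path):
        results.put((path.label, path.connect(timeout)))

    for path in paths:
        threading.Thread(target=worker, args=(path,), daemon=True).start()
    for _ in paths:
        label, ok = results.get()
        if ok:
            return label, time.monotonic() - start
    return None, time.monotonic() - start


# Constructed scenario: IPv6 is preferred but broken (never answers within the
# 0.22 s stand-in timeout); IPv4 answers in 10 ms.
BROKEN_V6 = SimulatedPath("IPv6", delay=10.0, succeeds=False)
WORKING_V4 = SimulatedPath("IPv4", delay=0.01, succeeds=True)
TIMEOUT = 0.22


def compare():
    """Run both strategies on the same broken-IPv6 scenario."""
    return {
        "sequential": sequential_connect([BROKEN_V6, WORKING_V4], TIMEOUT),
        "race": race_connect([BROKEN_V6, WORKING_V4], TIMEOUT),
    }


if __name__ == "__main__":
    for name, (winner, secs) in compare().items():
        print(f"{name:10s} -> {winner} after {secs:.3f}s")
```

In the sequential case every connection pays the full IPv6 timeout before IPv4 is even tried; in the race the page element loads as soon as IPv4 answers, which is why dual-stack clients that race the two families show no user-visible penalty when their IPv6 path is broken.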

When APNIC restricted the embedded test to an IPv6-only target, so that clients had no opportunity to fall back onto IPv4, usage increased to around 4% of connected clients, giving a better picture of the penetration of IPv6-capable systems. Yet another approach gave a surprising result: more than 30 percent of clients responded when actually fed an IPv6 address to resolve.

This finding led Huston and his team to an interesting conclusion: around one in three Internet-connected computers are actually capable of using IPv6, but most of them still choose to work over native IPv4 connections. Even attempts to facilitate IPv6 usage by encapsulating IPv6 traffic inside universally supported IPv4 packets, a technique known as 6to4, or 'Teredo' tunneling, were failing miserably, showing what Huston called a "truly amazing failure rate" of around 45 percent.
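The gap between the two figures above, roughly 4% of clients actually using IPv6 against more than 30% able to, comes from serving different test objects and seeing which address family each client uses to fetch them. The following is an added example of that classification logic and is not APNIC's measurement code: the log format (`client=... test=... family=...`), the three test names and the sample lines are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed web-server log: one line per fetched test object. `test` is the
# object served (v4only, v6only or dual-stack) and `family` is the IP version
# the client actually used to fetch it.
SAMPLE_LOG = """\
client=c01 test=v4only family=4
client=c01 test=dual family=6
client=c01 test=v6only family=6
client=c02 test=v4only family=4
client=c02 test=dual family=4
client=c02 test=v6only family=6
client=c03 test=v4only family=4
client=c03 test=dual family=4
"""

LINE = re.compile(r"client=(\S+) test=(v4only|v6only|dual) family=([46])$")


def parse(log: str):
    """Group fetches by client: {client: {test_object: family_used}}."""
    fetches = defaultdict(dict)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            client, test, family = m.groups()
            fetches[client][test] = int(family)
    return fetches


def classify(client_fetches: dict) -> str:
    """A client that fetched the IPv6-only object is IPv6-capable; whether it
    also chose IPv6 for the dual-stack object tells us if it prefers it or
    falls back to IPv4 given the chance."""
    if client_fetches.get("v6only") == 6:
        if client_fetches.get("dual") == 6:
            return "v6-preferred"
        return "v6-capable-falls-back-to-v4"
    return "v4-only"


def summarize(log: str) -> dict:
    """Percentage of clients in each category, rounded to one decimal."""
    clients = parse(log)
    counts = Counter(classify(f) for f in clients.values())
    total = len(clients)
    return {category: round(100 * n / total, 1) for category, n in counts.items()}


if __name__ == "__main__":
    for category, pct in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{pct:5.1f}%  {category}")
```

The "v6-capable" share is the sum of the first two categories, while only the "v6-preferred" share shows up as IPv6 traffic on an ordinary dual-stack site, which is the distinction the two APNIC figures illustrate.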

"Laziness about IPv6 is the best possible business decision they could make," Huston said. "If you want control of the relationship between users and services, and if you wish to erect a toll gate, and spread that toll across the network, there's no better way of doing it."


Copyright © 2011 IDG Communications, Inc.
