Don't Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

There is growing operational awareness of the challenges in securely operating IPv6 networks. Through a measurement study of 520,000 dual-stack servers and 25,000 dual-stack routers, we examine the extent to which security policy codified in IPv4 has also been deployed in IPv6. We find several high-value target applications with a comparatively open security policy in IPv6, including: (i) SSH, Telnet, and SNMP are more than twice as open on routers in IPv6 as they are in IPv4; (ii) nearly half of routers with BGP open were only open in IPv6; and (iii) in the server dataset, SNMP was twice as open in IPv6 as in IPv4. We conduct a detailed study of where port blocking policy is being applied and find that protocol openness discrepancies are consistent within network boundaries, suggesting a systemic failure in organizations to deploy consistent security policy. We successfully communicate our findings to twelve network operators, and all twelve confirm that the relative openness was unintentional. Ten of the twelve immediately moved to deploy a congruent IPv6 security policy, reflecting real operational concern. Finally, we revisit the belief that the security impact of this comparative openness in IPv6 is mitigated by the infeasibility of IPv6 network-wide scanning: we find that, for both of our datasets, host addressing practices make discovering these high-value hosts feasible by scanning alone. To help operators accurately measure their own IPv6 security posture, we make our probing system publicly available.
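The IPv4/IPv6 openness comparison the abstract describes, as an added example that is not the paper's probing system: given per-host, per-port results already collected over both address families (the scan data below is constructed, with hypothetical hosts and networks), it computes per-port openness on each family, the share of hosts where a port is reachable only over IPv6, and the networks where that discrepancy is uniform across every probed host, which is the signal an operator would look for before auditing an IPv6 filter set.

```python
"""Compare IPv4 vs IPv6 port-filtering policy on dual-stack hosts.

Each record is (host, network, port, ipv4_state, ipv6_state), where the
state is the result of probing the same service over each address family.
"""
from collections import defaultdict

# Constructed sample (hypothetical routers/networks, not measured data).
SAMPLE = [
    ("r1", "AS-A", 22,  "closed", "open"),
    ("r1", "AS-A", 179, "closed", "open"),
    ("r2", "AS-A", 22,  "closed", "open"),
    ("r2", "AS-A", 179, "closed", "open"),
    ("r3", "AS-A", 22,  "closed", "open"),
    ("r3", "AS-A", 179, "open",   "open"),
    ("r4", "AS-B", 22,  "closed", "closed"),
    ("r4", "AS-B", 161, "closed", "open"),
    ("r5", "AS-B", 22,  "closed", "closed"),
    ("r5", "AS-B", 161, "closed", "closed"),
    ("r6", "AS-B", 161, "open",   "open"),
]

def port_summary(records):
    """Per port: hosts open over IPv4, over IPv6, and over IPv6 only."""
    s = defaultdict(lambda: {"v4_open": 0, "v6_open": 0, "v6_only": 0})
    for _, _, port, v4, v6 in records:
        s[port]["v4_open"] += v4 == "open"
        s[port]["v6_open"] += v6 == "open"
        s[port]["v6_only"] += v4 != "open" and v6 == "open"
    return dict(s)

def v6_only_share(summary, port):
    """Fraction of hosts with the port open on either family that are open
    over IPv6 only (the 'BGP open only in IPv6' style of metric)."""
    s = summary[port]
    either = s["v4_open"] + s["v6_only"]  # open on v4 (any v6) + open on v6 only
    return s["v6_only"] / either if either else 0.0

def v6_only_open(records):
    """(host, port) pairs reachable over IPv6 but filtered over IPv4."""
    return sorted((h, p) for h, _, p, v4, v6 in records
                  if v4 != "open" and v6 == "open")

def systematic_v6_only(records):
    """(network, port) pairs where EVERY probed host is filtered on IPv4 but
    open on IPv6: a discrepancy uniform within the network boundary, which
    points at a missing IPv6 rule in a shared policy rather than one host."""
    patterns = defaultdict(set)
    for _, net, port, v4, v6 in records:
        patterns[(net, port)].add((v4, v6))
    return sorted(k for k, v in patterns.items() if v == {("closed", "open")})
```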
