Topics
6 Sense

IPv6 Security Architectures

By Dr. Myron L. Cramer

This paper was published in the 6Sense, United States IPv6 Summit Newsletter

May, 2005

IPv6 is the next generation Internet protocol and replaces the current IPv4 addressing. The U.S. Department of Defense (DoD) has mandated that all DoD networks transition to IPv6. The DoD IPv6 Memorandum has set the timetable for this transition.


IPv6 is the next generation Internet protocol and replaces the current IPv4 addressing. The U.S. Department of Defense (DoD) has mandated that all DoD networks transition to IPv6. The DoD IPv6 Memorandum has set the timetable for this transition

Security Architectures

The deployment of Internet information systems based upon the IPv6 protocol presents new challenges to system developers. While the IPv6 network protocol includes many security improvements over the current IPv4 protocols, it also presents significant new unsolved problems for information system security engineers. Problems include defining and controlling enclaves, designing boundary security systems, mapping network topology, conducting intrusion detection, and assessing vulnerabilities. Other issues include certification and accreditation, and security testing.

Defining Enclaves

The conventional information system security process begins with a definition of security domains including information systems, users, and security policies. Security requirements are mapped to enclaves of trusted systems and users separated from untrusted users and systems by boundary systems. Network security systems provide security services to the enclaves by defining, defending, and monitoring network traffic.

IPv6 provides new security features for each host including authentication and encryption. It also provides capabilities for auto-configuration and Quality of Service. However, these are based on individual hosts rather than enclaves. Individual hosts can mutually authenticate each other and communicate through IPsec Virtual Private Networks (VPNs). These new features complicate traditional information assurance operations including controlling information flow into or out of the enclave, management of the network topology in the presence of IP mobility and dynamic routing, monitoring network activity, managing host vulnerability, security testing, and certification and accreditation.

Boundary Security

The conventional way to build these boundary systems is with firewalls that implement proxies, filters, network address translation (NAT), and port translation. In conventional security architectures, hosts within enclaves have only private-space addresses that cannot receive incoming connections from outside the enclave, unless there is a firewall rule to proxy connections.

This situation changes with IPv6, which was designed around the principle of end-to-end host connectivity, without NAT and with end-to-end authentication and encryption. One of the motivations for NAT is to provide a way for multiple computers in an infrastructure to share a small number of public IP addresses. The need to share IP addresses is eliminated with the vast number of IPv6 addresses enabled by the 128-bit address space.

Firewalls enforce security policies through proxies and filtering rules. Both of these are complicated by the changes in IPv6. Application firewalls are beginning to support the IPv6 addresses, but there is a dearth of products from which to select, and these still must provide meaningful proxies and filters. The dynamic host addresses and routing further complicate policy enforcement, since boundary systems will not have a consistent, predictable way to associate detected source or destination addresses with specific users.

IPv6 encryption further restricts the useful information content available to firewalls for inspection. Discrimination between normal and harmful activity based on the content of the traffic is not possible, since each source and destination communicates through IPsec VPNs.

Topology Mapping

Network engineers design and monitor their network topology to implement their security domains and enclaves. This topology includes the networks, subnets, hosts, and users, along with the routing structures and boundary security systems. The network topology also shows the logical location and routing connectivity among users and hosts. This topology is useful as a context for defining risks, boundary security policies, assessing vulnerabilities, and interpreting intrusion alarms. The larger IPv6 space, its dynamic nature, and the provisions for mobility complicate developing and maintaining awareness of network topology, since the host addresses and the routing are dynamically determined. The result is that the topology changes over time.

Intrusion Detection

Conventional network intrusion detection systems utilize attack signatures based on network traffic, including values in packet headers and data content. Examples of parameters examined by conventional intrusion detection systems include source and destination addresses, port, packet header values, and packet content.

While a large data base of these signatures has been developed for IPv4, few of these signatures extrapolate to IPv6. The dynamic addressing limits the value of source or destination address information. Additionally, IPsec encryption limits the visibility of content for inspection. In fact, there are currently few intrusion detection products designed to monitor pure IPv6 traffic at all. Even systems that can process IPv6 will need to be given a way to compensate for the encryption of payloads.

Vulnerability Assessment

Vulnerability assessments are developed through the use of automated scanning tools which conduct a series of selected tests against a set of designated hosts. The first problem is that there is only a small number of scanning tools for IPv6. The vast IPv6 space and the dynamic self-configuration features require that a much larger number of addresses be scanned, necessitating significantly longer scan times.

Certification & Accreditation

The certification and accreditation process includes managing risks by designing, documenting, and verifying compliance with security requirements. Given the lack of established models for IPv6 networks, this process is more difficult. The lack of conventional wisdom on architectures, the limited availability of products, and the many uncertainties about the threats create new challenges.

Security Testing

Security testing involves verifying the implementation of solutions for security requirements. Given the difficulty in mapping many of these requirements, there is also a limited knowledge base of test methods and procedures. The security features of IPv6 complicate instrumentation.

Conclusions

Conventionally, enclaves are defined by the physical or network location of hosts and users on a local area network and interconnected metropolitan or wide-area area networks. With IPv6, cleaving to this traditional view may be problematic. One approach might be to consider enclaves at an operational or functional level as communities of interest, rather than in relationship to the physical or logical location of the hosts and users. These would be implemented through strong authentication, encryption, and a public key infrastructure (PKI).

We implemented an IPv6 test bed environment connected to the global IPv6 backbone through NTT Verio. Maintaining a pure IPv6 environment, with a separately registered autonomous system, we are able to examine the issues mentioned above in a practical setting, working with new IPv6 technologies and products unfettered by vestigial IPv4 security methodologies and approaches. Here, we develop concepts to map security requirements into IPv6-based designs, and subsequently implement the designs in solutions where we can test and demonstrate effectiveness with live IPv6 traffic.