IPV6 DEMYSTIFIED

There seem to be a lot of misconceptions, or a lack of accurate information, when people in the Network Security environment talk about IPv6 (RFC-2460). In this post I am going to provide a brief overview of IPv6 as well as answer common questions I routinely come across.

IPv6 is the successor to IPv4 (RFC-791, drafted in 1981), which is the common mainstay of networks across the world. Mathematically, IPv4 provides 4,294,967,296 addresses. This count includes non-destination routable addresses (RFC-1918), the loopback subnet (127.0.0.0/8), the multicast ranges (224.0.0.0 ~ 239.255.255.255) and every subnet's network/broadcast addresses, so in reality there are fewer addresses available in the public address space. The following is the IPv4 exhaustion status of each Regional Internet Registry (RIR):

  • APNIC: Exhausted April 19th, 2011. 0.8% remaining to be assigned.
  • RIPE NCC: Exhausted September 14th, 2012. 0.8% remaining to be assigned.
  • ARIN: Projected exhaustion April, 2014. 2.1% remaining to be assigned.
  • LACNIC: Projected exhaustion August, 2014. 2.2% remaining to be assigned.
  • AFRINIC: Projected exhaustion September, 2020. 3.7% remaining to be assigned.
[data taken from http://www.potaroo.net/tools/ipv4/index.html]

As you can see, there are very few IPv4 addresses available across the world for public use. Initially, to combat IPv4 exhaustion, Network Address Translation (RFC-1631) was created. Combining NAT with non-destination routable addresses is what most companies use in their environment. By using 10.20.30.0/24 and applying a Hide NAT, networks don’t need to use a large IPv4 block, which saves money as well as address space. NAT was originally designed in 1994 as a temporary solution to running out of address space in the IPv4 world. The authors of NAT explicitly stated:

“…this solution can serve to provide temporary relief while other, more complex and far-reaching solutions are worked out.”

[source taken from http://www.ietf.org/rfc/rfc1631.txt]

So where do we go from here? IPv6 was created in 1998 by Bob Hinden (Nokia) and Steven Deering (Cisco) to replace IPv4. By moving from a 32-bit addressing schema to a 128-bit addressing schema, we drastically increase the number of IP addresses we have, from around four billion to roughly three hundred forty undecillion (340 followed by 36 zeros). We also restore the end-to-end model originally designed into IPv4, but more on that later.

When it comes to designing and implementing IPv6 in your environment, the concepts are almost exactly the same as for IPv4 networks: You will still need firewalling, VPN, packet inspection, accessible services, routing instrumentation and the like. Thankfully, most vendors support IPv6 in their products and support is only getting better. To take a few examples of vendor support, Check Point R76 is now fully configurable and manageable over an IPv6-only network. FortiGate devices can be managed over IPv6 and have IPv6 policy enforcement as well.

There are some major differences in how IPv6 works versus IPv4 at a low level. Here are a few examples:

  • There is no more Address Resolution Protocol (ARP RFC-1027). Instead we have Neighbour Discovery (RFC-4861), which performs the same type of function but works over ICMPv6. It can also be secured with ESP (IP/50) or AH (IP/51) for Secure Neighbour Discovery.
  • There are no more broadcast addresses or traffic; instead we use multicast for multi-host traffic.
  • Packet fragmentation does not happen in-path anymore, as it could pose a security risk. If fragmentation is required, an ICMPv6 error message is sent back to the originator of the packet, which is responsible for fragmenting it.
  • Every interface will have a Link-Local address, which is a special address used for sending traffic between hosts on the same Layer-2 domain. These addresses must never be routed outside a Layer-2 network and exist in addition to any other type of address on the interface. They can also be used for setting up Ad-Hoc networks without the need for a DHCP service.
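Two of the changes above (Neighbour Discovery over ICMPv6 multicast instead of ARP broadcast, and the per-interface link-local address) can be seen in how the addresses themselves are built. The following is an added example, not code from the original post: it derives the modified EUI-64 link-local address from a MAC, computes the solicited-node multicast group that a Neighbour Solicitation for an address is sent to, and classifies an address by scope. The MAC and addresses used are constructed sample values.

```python
import ipaddress

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Modified EUI-64 link-local address (fe80::/64) from a 48-bit MAC.
    Split the MAC in two, insert ff:fe in the middle, flip the universal/local
    bit (bit 1 of the first octet) and prefix the result with fe80::/64."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # flip the U/L bit
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + bytes(iid))

def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, built from the low 24 bits of a unicast address.
    Neighbour Discovery sends a Neighbour Solicitation to this group, so only
    hosts whose address ends in the same 24 bits receive it (no broadcast)."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)

def scope(addr) -> str:
    """Classify an address by scope; link-local must never leave the L2 segment."""
    a = ipaddress.IPv6Address(addr)
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global"
    return "other"

if __name__ == "__main__":
    ll = eui64_link_local("00:1c:42:a1:b2:c3")  # constructed sample MAC
    print(ll, scope(ll))                          # fe80::21c:42ff:fea1:b2c3 link-local
    print(solicited_node_multicast(ll))           # ff02::1:ffa1:b2c3
```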

These are just a few of the changes in IPv6 that Network Engineers need to be aware of when designing, implementing and troubleshooting networks. On the other hand, IPv6 supports the protocols people are used to, such as OSPFv3 (RFC-2740), RIPng (RFC-2080), BGP4 (RFC-4721), VRRPv3 (RFC-5798) and many more. Many operating systems (both current and legacy) for laptops, workstations and servers support IPv6 natively, most of the time out of the box: Microsoft Windows, MacOS, various Linux distributions, Contiki for the Commodore-64, Solaris, AIX, HP-UX and various BSD flavours.

As I mentioned at the start of this post, I am going to address some frequently asked questions I come across about IPv6.

Q. Do I have to remove my current IPv4 infrastructure to use IPv6?

A. This is the most asked question I receive when talking about IPv6. The answer is an emphatic “No, you don’t.” IPv6 can (and probably, for a long time, will) co-exist with your IPv4 network. To help visualize this, think of your network as sheets of paper: The first sheet is a logical map of your physical infrastructure (switches, servers, cables). The next sheet, laid on top of the first, has your IPv4 addresses and subnets corresponding to your physical infrastructure. With IPv6, we’re just adding another layer to your network.

Q. Do I have to use live, destination routable addresses on my internal network?

A. No, you don’t have to, although IPv6 was designed with this in mind. Remember that IPv4 was meant for end-to-end communication, which was eventually broken by the advent of NAT. Because NAT has been so widely used for so long, people are used to this network architecture and believe NAT to be a security feature. With IPv6, you can use NAT-66, which lets you perform NAT from one IPv6 address to another IPv6 address, much like the Hide and Static NAT we are used to with IPv4.

Q. You say that the Internet should be end-to-end. How do I stop people from accessing my public IPv6 network if I don’t use NAT?

A. Simple: Good security practices. Using NAT has made us (in general) rather complacent when it comes to network design. Does this sound familiar? Create a non-destination routable network on the inside, Hide NAT it behind the firewall and call it a day. Everyone (myself included) that I’ve come across has (at least once) been guilty of this. Unfortunately, people believe that NAT is a security mechanism protecting them from the outside but fail to realize that the security landscape has changed drastically and attacks originating from the inside are just as (if not more) prevalent than ones from the outside. By eliminating NAT and following strict security principles you increase visibility from the inside out (for auditing purposes) and create easier-to-manage rules for your inbound traffic.

Q. I want to create an IPv6 lab to test with. Do I need a subnet from my ISP if I only want to test?

A. Your ISP should offer you IPv6 (if they don’t, start asking for it), but you don’t need to use your ISP. Instead, you can use a tunnel broker (Hurricane Electric, gogo6, etc.) who will offer you a point-to-point connection and, usually, a /64 subnet to use. You create your point-to-point tunnel over IPv4 and all IPv6 traffic gets routed through this tunnel. The tunnel is carried as IP protocol number 41 (IP/41), so make sure you open this up on your firewall and/or packet filtering devices.

Q. Are there other mechanisms for tunneling traffic with different protocols?

A. Yes, there are. You can create tunnels which will put IPv6 into IPv4 or even the other way around. If you are interested in testing IPv6, you will probably create the aforementioned IPv6-in-IPv4 point-to-point tunnel. If you have an IPv6 network and need to send IPv4 traffic, you can create an IPv4-in-IPv6 point-to-point tunnel.
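The IPv6-in-IPv4 tunnel described in the last two answers is simply an IPv6 header carried directly inside an IPv4 packet with protocol number 41. The following is an added example, not code from the original post or from any tunnel broker: it builds such a packet from constructed sample addresses (documentation ranges only), parses one back out of raw bytes, and applies the sort of inbound filter a firewall in front of the tunnel endpoint would need. The broker endpoint address, the assigned /64 and the omitted IPv4 checksum are assumptions of the example.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # "IP/41": an IPv6 packet carried directly inside IPv4 (6in4)

def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Constructed sample packet: 20-byte IPv4 header (proto 41) + 40-byte IPv6 header."""
    v6 = struct.pack("!IHBB16s16s", 0x60000000, len(payload), 59, 64,  # next header 59 = none
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed) + payload
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     IPPROTO_IPV6, 0,  # header checksum left as 0 in this sample
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    return v4 + v6

def parse_6in4(pkt):
    """Return (outer_src, outer_dst, inner_src, inner_dst) for a 6in4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_IPV6 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        return None  # protocol 41 but no IPv6 header inside
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])),
            str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40])))

def inbound_tunnel_policy(pkt, tunnel_peer, assigned_prefix):
    """Filter decision for a packet arriving on the IPv4 side of the tunnel:
    only the broker endpoint may send IP/41 to us, the inner destination must be in
    our routed /64, and the inner source must not claim our own prefix (anti-spoofing)."""
    parsed = parse_6in4(pkt)
    if parsed is None:
        return "not-6in4"
    outer_src, _, inner_src, inner_dst = parsed
    prefix = ipaddress.IPv6Network(assigned_prefix)
    if outer_src != tunnel_peer:
        return "drop: unexpected tunnel endpoint"
    if ipaddress.IPv6Address(inner_dst) not in prefix:
        return "drop: inner destination outside assigned prefix"
    if ipaddress.IPv6Address(inner_src) in prefix:
        return "drop: spoofed source inside our own prefix"
    return "accept"
```

The same parser also catches the reverse case from the second answer: a protocol-41 packet whose inner bytes are not an IPv6 header is rejected rather than trusted.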

Q. I’m interested in IPv6. How can Access2Networks help me?

A. We are approaching IPv6 in three phases with our customers:

The first phase is high-level information presented at a “Lunch ‘n Learn” style seminar. It is aimed at engineers looking for a good overview of IPv6 as well as management teams to understand what IPv6 actually is. We can do this specifically for your company or, if we gain enough interest, do a larger seminar with multiple customers.

The second phase is a two-day IPv6 training course. The training is vendor agnostic and covers: Addressing, routing, DHCP, network services, packet filtering and basic security penetration testing.

The third phase is helping you, the customer, with design, architecture and implementation with your network security devices.

About Access 2 Networks, Inc. (A2N)

A2N, the leading provider of cyber security solutions in Toronto, Ontario, Canada since 1997, has built a reputation for expert consulting, strong partnerships and customer-centric services. A2N offers end-to-end solutions that combine technology, services, support, and training; this unified approach enables organizations to enhance their IT security posture and remediate with confidence.

A2N is located in Mississauga, Ontario with offices in Ottawa and London, Ontario and serves customers across North America. To learn more, visit A2N at https://www.a2n.net. For real-time updates follow A2N on LinkedIn or visit our website for the latest technical discussions on security for your business’s IT environment.

Frank Rondinone, President
Access 2 Networks Inc. (A2N)
+1-905-795-1711
frondinone@a2n.net