Problems caused by the hottest IPv6 firewall secur

2022-09-25

IPv6 firewall security: problems brought by the new protocol

Enterprises deploy IPv6 across the wide area network (WAN), and then deploy IPv6 firewalls. This article introduces some security problems caused by IPv6 and the issues that IT professionals should consider when deploying and operating IPv6 firewalls.

Introducing the IPv6 firewall

The first line of defense of most enterprise networks is the firewall, which is used to defend against attacks from the public Internet and to restrict local users' access to the public Internet. After IPv6 is deployed in the enterprise network, an IPv6 firewall will also be deployed, so that the security policy currently enforced for IPv4 is also enforced for IPv6.

Although the services provided by IPv6 and IPv4 (a best-effort datagram service) are very similar, there are some subtle differences between the two protocols that have a great impact on firewall equipment and operation. This article introduces those differences and how they affect the design and operation of IPv6 firewalls. It then explains how these differences may be maliciously exploited, in order to reduce and eliminate the security vulnerabilities of IPv6 firewalls.

IPv6 header structure

A major change in IPv6 is the use of a fixed-length protocol header, unlike IPv4, which uses a variable-length header. Any necessary options must be carried in extension headers, which sit between the fixed IPv6 header and the encapsulated upper-layer protocol. Different extension headers are used depending on which system processes the options. For example, options that must be processed by the destination host are carried in a "Destination Options" header, while options processed by routers are carried in a "Hop-by-Hop Options" header. In theory, this at least allows routers and hosts to parse and process only their own options, unlike IPv4, where all nodes that process a packet must parse all options.

This header structure produces the IPv6 header chain: multiple headers are linked together in turn, starting with the fixed IPv6 header and ending with the upper-layer protocol. Each extension header carries its own length and the type of the next header in the chain. Therefore, IPv6 traffic is processed by following the complete IPv6 header chain and then processing the headers that are needed. The following figure is a schematic diagram of the IPv6 header chain.

Figure 1: Example of an IPv6 header chain

The Fragment header is a special type of extension header that carries the mechanism required to implement IPv6 fragmentation. Unlike IPv4, IPv6 does not keep fragmentation-related information in the fixed header, but in an optional Fragment header. Therefore, a host performing fragmentation only needs to insert a Fragment header into the IPv6 header chain, followed by the part of the original packet that is being fragmented.

Impact of IPv6 firewall on security

The IPv6 header chain structure described above is more flexible than IPv4, because it does not limit the number of options a packet can carry. However, this flexibility comes at a cost.

Any system that needs upper-layer information (such as the TCP port number) must process the entire IPv6 header chain. Moreover, since the current protocol standard allows any number of extension headers, including multiple instances of the same extension header, this has several consequences for devices such as firewalls:

Firewalls need to parse multiple extension headers before they can perform deep packet inspection (DPI). This may reduce WAN performance, enable denial-of-service (DoS) attacks, or allow the firewall to be bypassed.

Combining extension headers and fragmentation may hinder packet inspection.

As mentioned earlier, since the current protocol specification allows any number of extension headers, including multiple instances of the same extension header type, the firewall must be able to handle packets that carry an abnormally large number of IPv6 extension headers. Attackers may exploit this by deliberately adding a large number of extension headers to packets, making the firewall waste too many resources processing them. Ultimately, this may degrade the performance of the firewall or cause a DoS condition in the firewall itself. In addition, some firewalls with poor performance may not be able to process the entire IPv6 header chain when applying filtering policies, which may allow attackers to use extension headers to get around the corresponding firewall.

IPv6 fragmentation may also be maliciously used, as in IPv4. For example, in order to break the filtering policy of the firewall, an attacker may send overlapping fragments, thereby affecting the fragment reassembly process of the target host. In IPv6 this problem is more serious, because the combination of multiple IPv6 extension headers and fragmentation may produce malformed fragments: although their packet size is "normal", they lack some basic information usually needed to apply filtering policies, such as the TCP port number. That is, the first fragment of the packet may contain so many IPv6 options that the upper-layer protocol header ends up in another fragment rather than the first one.

IPv6 transition/coexistence technologies

IPv6 transition/coexistence technologies bring another problem to IPv6 firewalls. Most transition technologies use some kind of tunneling mechanism, which encapsulates one network-layer protocol (usually IPv6) inside another (usually IPv4). This has several implications for firewall security.

First, the firewall may not recognize a specific transition technology, and may therefore be unable to apply the filtering policies it supports for native IPv6 traffic. For example, with native IPv4 or native IPv6 a site can block packets destined for TCP port 25, but once a transition mechanism such as Teredo is deployed, it may not be able to block these packets.

Second, transition technologies may aggravate the problems described above: not only may the encapsulated traffic combine IPv6 extension headers and fragmentation, but the outer packets (usually IPv4) may also be fragmented, which greatly increases the complexity of the resulting traffic. This complexity not only reduces network traffic transmission speed; more seriously, it may also affect the filtering policy of the firewall. For example, the firewall may not be able to process the entire header chain, so it cannot find the TCP segment (see the figure below). The following example shows the structure of a TCP/IPv6 packet carried over Teredo, and illustrates the complexity of the resulting traffic.

Figure 2: An example of a TCP/IPv6 packet using Teredo

The structure of this packet may become even more complex, for example if both the inner and outer packets are fragmented.

Possible IPv6 security issues

Obviously, in order to apply an IPv6 packet filtering policy, the firewall must at least support processing of the entire IPv6 header chain. Ideally, these firewalls should also support IPv6 transition technologies, so that the filtering policy applied to native IPv6 traffic can also be applied to transition traffic. In other words, the firewall should have a "default deny" policy, so that it blocks the traffic you do not need, such as transition traffic.

Resource exhaustion attacks that rely on multiple extension headers can be addressed by limiting, on the firewall, the maximum number of extension headers allowed in an IPv6 packet. A reasonable limit is to allow only one instance of each currently defined extension header. However, other limits such as "16" can also be used; for example, OpenBSD uses this limit. Such a restriction lets legitimate traffic through but rejects an abnormally large number of extension headers. Packets exceeding the limit must be discarded. Although this may affect performance, it can prevent DoS.

Finally, requiring that the first fragment of an IPv6 packet contain the complete header information needed to apply the packet filtering policy counters firewall bypass techniques that use fragments. In other words, if the first fragment received by the firewall does not contain the complete upper-layer protocol header, such as the TCP header, the packet is discarded. Firewall bypass techniques can also be countered by reassembling fragmented packets in the firewall before applying the filtering policy. However, at least for network-based firewalls, this is not a recommended approach, because it may introduce DoS vulnerabilities.
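The extension-header limit and the first-fragment rule described above, as an added Python sketch that is not part of the original article or any firewall's code. The names `inspect` and `build`, the verdict strings and the sample packets are assumptions made for illustration; AH and ESP headers are not walked.

```python
import struct

GENERIC_EXT = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT, TCP = 44, 6       # AH/ESP are not walked here (treated as upper layer)
MAX_EXT_HEADERS = 16        # the limit the article attributes to OpenBSD

def inspect(pkt: bytes):
    """Walk the IPv6 header chain of one raw packet; return (verdict, detail)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("drop", "truncated or non-IPv6 packet")
    nxt, off, count = pkt[6], 40, 0
    while nxt in GENERIC_EXT or nxt == FRAGMENT:
        count += 1
        if count > MAX_EXT_HEADERS:
            return ("drop", "too many extension headers")
        if len(pkt) < off + 8:
            return ("drop", "header chain runs past end of packet")
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return ("non-first-fragment", "no upper-layer header expected")
            hdr_len = 8                       # Fragment header has a fixed size
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len counts 8-octet units
        nxt, off = pkt[off], off + hdr_len
    if nxt != TCP:
        return ("filter", f"upper-layer protocol {nxt}")
    if len(pkt) < off + 20 or len(pkt) < off + (pkt[off + 12] >> 4) * 4:
        return ("drop", "TCP header incomplete in this packet")
    return ("filter", f"tcp dport {struct.unpack_from('!H', pkt, off + 2)[0]}")

def build(chain, payload):
    """Constructed sample packet; chain lists (type, body) extension headers."""
    types = [t for t, _ in chain] + [TCP]
    ext = b"".join(bytes([types[i + 1]]) + b for i, (_, b) in enumerate(chain))
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), types[0], 64)
    return fixed + bytes(32) + ext + payload

# Constructed sample data (all-zero addresses, not captured traffic).
DSTOPT = (60, b"\x00\x01\x04" + bytes(4))              # len 0, one PadN option
FRAG_FIRST = (44, b"\x00" + struct.pack("!HI", 1, 1))  # offset 0, M flag set
TCP_SYN = struct.pack("!HHIIBBHHH", 49152, 25, 0, 0, 5 << 4, 2, 65535, 0, 0)

if __name__ == "__main__":
    for name, pkt in [("normal", build([DSTOPT], TCP_SYN)),
                      ("header flood", build([DSTOPT] * 17, TCP_SYN)),
                      ("tiny first fragment", build([FRAG_FIRST, DSTOPT], TCP_SYN[:8]))]:
        print(name, "->", inspect(pkt))
```

A "filter" verdict means the port or protocol was reached and the normal rule set can be applied; the non-first-fragment verdict is left to whatever fragment policy the firewall uses.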

Solving the problem of IPv6 firewalls

As this article has shown, IPv6 firewalls face many problems, but these can be solved through sound firewall design and operation. When purchasing firewall equipment, carefully evaluate its IPv6 support, because support varies greatly between products, and a firewall with poor IPv6 support may have a negative impact on enterprise network security.

Copyright © 2011 JIN SHI