In a December 2009 report, The Future of Threats and Threat Technologies: How the Landscape Is Changing, anti-malware vendor Trend Micro, predicts that IPv6 changes to the Internet infrastructure will widen the playing field for cyber-criminals.
One of the changes Trend Micro predicts is the IPv6 Malware Experimentation Stage. The anti-virus firm points out that many weaknesses were discovered in IPv4 during the mid-to-late-1990s as the Internet came into its own. The vendor predicts IPv6 will have a similar pattern of growth.
As the IPv6 user base expands, weaknesses will be discovered in the IPv6 protocol and its implementation. The anti-virus firm believes that the current low IPv6 adoption rate and the increased awareness of IPv4 exhaustion will delay any wide-scale IPv6 malware beyond 2010. However, as users start to explore IPv6, so will the cyber-criminals. The vendor says that users can expect to find some proof-of-concept elements in IPv6 during 2010. Possible IPv6 abuse includes new covert channels or Command and Control (C&C) for botnets.
IPv6 tunneling protocols pose threats
One attack vector that will open up as users start experimenting with IPv6, are tunneling protocols according to Ben April an Advanced Threat Researcher at Trend Micro. Mr. April points out on the Trend Micro Malware Blog that the 6to4 (RFC 3056) and Teredo (RFC 4380) tunneling protocols pose threats to networks as they transition to IPv6.
Trend’s April says that neither protocol claims to offer any significant security protection. According to the blog, 6to4 tunneling requires that the user endpoint exist in a publicly routable IP space and be directly reachable by any 6to4 serving device with the risk of having to trust traffic coming from any address claiming to support the protocol for full functionality. 6to4 can also support routes to networks behind the endpoint. Endpoints have an IPv6 address which includes the IPv4 address of the endpoint converted to hex. According to April, a server on the IPv6 Internet should also be fortified against both IPv4 and IPv6 threats. 6to4 comes with an entire RFC (RFC 396) devoted to security considerations.
The Teredo RFC goes so far as to call itself the IPv6 Provider of Last Resort. The blog says this label comes primarily from the crazy stunts required to successfully traverse multiple NAT gateways. Unlike 6to4, however, only one host can exist behind the endpoint. April points out the risks that Teredo creates by tunneling from the public Internet to a host inside a NATed environment. This creates the need for a well-protected host. This protocol also allows endpoint address leakage which would aid an attacker. Teredo encodes the IPv4 exit point of the NAT gateway, the UDP port used by the external NAT session, and the IPv4 address of the tunnel endpoint used by the client in a well-known slightly obfuscated way.
One answer to the IPv6 security issues could come from network security and unified threat management (UTM) provider Fortinet. In December 2009, the vendor announced that it had achieved 56 Gbps of IPv6 throughput on its FortiGate’-5140 multi-threat chassis-based system. The 56 Gbps for IPv6 throughput is based on its proprietary FortiASIC technologies that accelerate security processing of the FortiGate-5000 Series blades and modules. The FortiASIC processors are security processors that accelerate the processing of network traffic focusing on security enforcement including firewall policies and other content inspection requirements.
The IPv6 performance of the equipment was benchmarked and validated with a BreakingPoint Elite resiliency testing chassis with multiple 10 GbE interfaces. Fortinet’s FortiOS firmware has fulfilled all requirements for IPv6 Phase-2 Core Support as a router product. This certification, awarded by the IPv6 Ready Logo Program.
As Trend Micro’s April says, “IPv4 firewall rules don’t do anything to IPv6 traffic.”
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.