
Though IPv6 is not here yet, one day we will all lose our familiar IPv4 addresses and be communicating over the internet solely with IPv6 addresses.

What interests me is the implications this has for those who scan the internet hunting for common vulnerabilities. At the moment a common method for internet worms is to scan the subnet upon which they lie (they infect a machine on 80.7.2.4, so they scan all IPs at 80.7.*.*, maybe expanding out to 80.*.*.*). Whilst it's still non-trivial to 'scan the entire internet', scanning 1/255th is completely feasible.

What I would like to know is will this still make sense when we are all running on IPv6 addresses? We will be moving from 4,294,967,296 addresses to 340,000,000,000,000,000,000,000,000,000,000,000,000 addresses. Will it be anywhere near as simple for these worms to scan their 'neighbourhood'? Or will network nodes be so sparsely distributed that an IPv6 address becomes a commodity in itself?

Andy Smith

2 Answers


People who scan the internet will have to find a different source of addresses than just sequential enumeration. Search engines provide a great database of in-use hostnames and addresses, as does DNS.

Scanning the neighborhood might be feasible, but that depends on the neighborhood. In a subnet where DHCPv6 is being used, you can still scan other addresses, since DHCP servers typically assign addresses sequentially from a pool. If autoconfiguration (SLAAC) is used, it becomes harder. If you know what hardware to look for, you know 40 of the 64 hostbits (24 bits vendor ID + 16 bits fixed 0xfffe), and you need to brute-force 24 bits. That is doable.

If privacy extensions are in use, you can still look for SLAAC addresses since a host using privacy extensions has both his SLAAC address and his privacy address.

On server networks, most hosts will be numbered sequentially, using funny words (b00b, babe) or based on info like VLAN number or IPv4 address. These are all enumerable.

So, to sum it up, you can't scan the whole internet, but you can partially smart-scan networks.

chris
  • Thanks, great answer, so it will be possible for ISPs to at least partially shield home users (who arguably account for the majority of botnet traffic)? – Andy Smith Oct 05 '11 at 12:15
  • Well that depends.. you will have too many addresses at home for normal scanning, but on the other hand, every machine is directly reachable on an address. So it depends on how YOU firewall at your modem (your ISP may install good defaults). Your addresses will not be found by scanning but by stealing webserver logs for instance. – chris Oct 05 '11 at 12:19
  • One thing to note: even though all systems discard broadcast ICMPv4 pings, this doesn't necessarily apply to ICMPv6 -- Linux by default allows and will reply to "all nodes" multicast packets: `ping6 ff02::1%eth0;` This can easily be forgotten by sysadmins. – user1686 Oct 08 '11 at 23:49
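The EUI-64 arithmetic in the answer above (24-bit vendor OUI, the fixed 0xfffe in the middle, 24 bits of NIC) can be turned into an audit check for a defender: which of my hosts advertise an interface identifier that leaks a MAC, and which use manually numbered or word-based IIDs that are enumerable? The following is an added example, not code from the answer or its author. It uses only the standard `ipaddress` module, and the addresses it audits are constructed samples in the 2001:db8::/32 documentation prefix, not real hosts. The function and label names (`classify_iid`, `"eui64"`, `"manual"`, `"random"`) are this example's own.

```python
"""
Added example (not from the original answer): audit a list of IPv6
addresses for interface identifiers (IIDs) that are guessable in the
way the answer describes: modified EUI-64 IIDs that embed a MAC
(24-bit OUI + 0xfffe + 24 bits of NIC) and manually numbered IIDs
(sequential numbers, VLAN ids, "funny words"). Runs offline; all
sample addresses are constructed in the 2001:db8::/32 prefix.
"""
import ipaddress
from typing import List, Optional, Tuple


def eui64_iid_from_mac(mac: str) -> bytes:
    """Modified EUI-64 IID (RFC 4291, Appendix A) from a 48-bit MAC:
    OUI || ff:fe || NIC, with the universal/local bit (0x02 of byte 0) flipped."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The SLAAC address a host with this MAC forms inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_iid_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """If the IID carries the ff:fe EUI-64 marker, recover the MAC; else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                       # undo the u/l bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def classify_iid(addr: str) -> str:
    """Label the IID by how enumerable it is for someone who already knows the /64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        return "eui64"    # MAC is exposed; 2^24 candidates once the OUI is known
    if iid[:4] == b"\x00\x00\x00\x00":
        return "manual"   # low-numbered or word-based IIDs such as ::10 or ::babe
    return "random"       # privacy extensions (RFC 4941) or similar random IIDs


def audit(addresses: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """(address, label, recovered MAC or None) for each address."""
    return [(a, classify_iid(a), mac_from_address(a)) for a in addresses]


# Constructed sample addresses (documentation prefix), not real hosts.
SAMPLE = [
    str(slaac_address("2001:db8::/64", "00:1a:2b:3c:4d:5e")),  # SLAAC, MAC embedded
    "2001:db8::10",                        # sequential server numbering
    "2001:db8::babe",                      # "funny word" IID from the answer
    "2001:db8::8d2f:1a5e:77c4:9b10",       # privacy-extension style, random IID
]

if __name__ == "__main__":
    for addr, kind, mac in audit(SAMPLE):
        print(f"{addr:36} {kind:7} {mac or ''}")
```

Hosts reported as `eui64` are the ones for which the "know the vendor, brute-force 24 bits" argument applies; enabling privacy extensions or stable, opaque IIDs (RFC 7217) on those hosts removes the MAC from the address, while `manual` IIDs on server networks are a deliberate trade-off between memorability and guessability that the firewall policy, not the numbering plan, has to cover.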

I agree with Chris - the effect on automated scanning is not changed all that much.

For me the biggest security implication of IPV6 is the support for source routed traffic (an essential part of its mobile device support). So trying to authenticate remote systems based on IP address (which was always a very dubious idea) becomes plain silly.

symcbean
  • The RH0 headers (routing headers type 0), which are equivalent to IPv4 source routing, have been deprecated. Afaik, the remaining routing headers aren't as easily abused. – chris Oct 05 '11 at 11:53
  • Without wishing to get bogged down in a discussion trying to defend a very dodgy practice - RFC5095 only addresses RH0 source routing - not RFC-3375 c/o addressing. – symcbean Oct 06 '11 at 13:42
  • "_trying to authenticate remote systems based on IP address_" and **not** also checking routing headers at the same time... – curiousguy Dec 30 '11 at 01:36