IPv6 Security Testing
In the previous installment of our series of IPv6 security posts, we covered some of the basic things you need to consider when securing your IPv6 network. In this post, we’ll talk about some of the things to consider when performing security testing on your IPv6 product or network. This testing is useful whether you are developing an IPv6 application or simply deploying IPv6 on your network.
Increased Setup Time
Start with an IPv6 environment in which most people do not have a lot of experience. Next throw in the typical dual stack configurations, and it is almost guaranteed that any IPv6 security testing that you perform is likely to take longer than it took you in your IPv4 environment. With dual stack configurations, both IPv4 and IPv6 are viable traffic paths. Therefore, just making sure that your test traffic is actually using IPv6 is one of the first hurdles you will face. So when developing your schedules for performing IPv6 security testing, always allow a little extra time to account for those problems that will almost certainly appear.
Next, you need to inventory the existing security tools that you run against your IPv4 network and applications. Since you already use these tools on your IPv4 network, you need to determine if each of these tools are also supported when running over IPv6. If not, it is important to identify when that support will be available or identify other tools that can provide that functionality on your IPv6 network. Besides supporting IPv6, it is also important to verify the functionality provided by the tools that you run. Many tools and application claim IPv6 support but do not provide all of the same functionality that they provided in an IPv4 environment. Nmap, for instance, has supported IPv6 addresses for a long time, but you can’t use it in the same way as you do in an IPv4 network (since scanning the large number of addresses provided by IPv6 introduces new challenges).
Just like your IPv4 network, you will want to check your IPv6 network and applications for security vulnerabilities. Hopefully your tool inventory indicated that your current IPv4 network vulnerability scanners also support IPv6. More and more security scanners are supporting IPv6, as the number of available IPv4 addresses have continued to diminish, but there are still some scanners that do not support IPv6. A word of caution is also in order. Just because a vulnerability scanner supports IPv6 does not mean that it will also check for IPv6 vulnerabilities. In many cases it can simply utilize IPv6 addressing but still only checks for IPv4-related vulnerabilities. Be sure that you check what “IPv6 support” means on a given scanner or other test software.
Running fuzz testing against IPv6 devices and applications is just as important as running the same testing against IPv4 devices and applications. Fuzz testing identifies weaknesses in the code’s ability to handle errors and unexpected conditions. Most commercial fuzzing suites, such as Codenomicon and Mu Dynamics, have existing tools to fuzz specific fields in the various IPv6 extension headers. More complicated fuzzing, however, such as manipulating the order and number of extension headers is not as common. Until these areas are thoroughly covered, it will be difficult to get comprehensive coverage when performing fuzzing against IPv6. Identifying weaknesses in the current tools is important in order to identify areas which may need custom tools to gain more comprehensive coverage. Besides the commercial fuzzing tools, there are even some simple fuzzing tools such as Internet Stack Integrity Checker (ISIC) that are freely available to check the robustness of the IPv6 stack on your devices.
Just like with IPv4, various IPv6 attacker tools are publicly available. Understanding these tools and running them against your network will give you a better understanding as to how your IPv6 network will withstand some of the exploit techniques that attackers may leverage against your network. One of the most comprehensive IPv6 exploit toolkits is The Attacker’s Toolkit, available from The Hacker’s Choice. This tool provides various ways in which to test the IPv6 protocol, especially related to the Neighbor Discovery functionality.
This has been a quick look at some of the things to consider when testing the security of your IPv6 network. Hopefully this overview has provided you with some techniques and tools that you may not have initially thought about. Remember to keep an eye out for the next IPv6 security blog post in which we’ll be talking about securing the various transition mechanisms that will help us migrate from IPv4 to IPv6, since both of these protocols will coexist for a long time to come.