Firewall Wizards mailing list archives

Re: IPv6 and IPSec


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Sun, 29 Aug 2004 23:16:13 -0400

Hey all,

On Sat, Aug 28, 2004 at 09:43:33AM -0400, Paul D. Robertson wrote:
On Thu, 26 Aug 2004, suren wrote:

Hi,
   IPSec based security is a MUST for IPv6. Due to this, I would
   assume that end systems would use IPSec to secure the traffic
   going out.

Why?  It's not a must for IPv4, why would adding address space suddenly
require IPSec?  Heck, the cascading headers for V6 offer the chance for
pseudo-out-of-band control and encapsulation, why again would you use
IPSec?

        It's a misinterpretation of the specs and the requirements.

        SUPPORT for IPSec is required (MUST) for implementations to be IPv6
compliant.  It does NOT require that YOU (or any other node) use it.  It
only requires that it be supported.  And "support" can be a nebulous thing.

        There is already more IPv6 space allocated (just in terms of
networks, forgetting about the insane number of addresses per network) than
all of IPv4 in toto (allocated, unallocated, and unallocatable).  Something
like over 1 billion networks of capacity have been handed down from IANA
to the RIR's and most of that has been allocated by the RIR's to LIR's and
ISP's.  And something like 40 million IPv6 networks are routable in the
BGP tables now (at least routable to the ISP level, I don't know about end
customers)...  The majority of that (including all of my stuff) is not
using IPSec (well, I have some IPSec for some internal VPN stuff).  My
nameservers and mail servers communicate with other IPv6 servers all over
the world and none of them are using IPSec.  Hell, I turned off my
"keep-alives" to my tunnel broker because the chatty DNS servers were
talking on IPv6 with more traffic than my keep-alives were generating.
ARIN is on IPv6.  They've added IPv6 addresses for root name servers.
IPv6 is real and active and alive.  And it's not all running IPSec.
Implementations MUST support IPSec.  It does NOT mean you have to use it
or are even expected to use it.  All of mine SUPPORT IPSec, if I choose to
enable it and utilize it.  It's available.  As needed.  Geee...  Just like
IPv4.  Funny thing, that.

   Quite a number of times, organizations would like to filter out
   the connection (Firewall) and run the data through centralized virus
   scanning/spam scanning engines. This requires clear traffic.

Not quite, it requires the ability to inspect the traffic, which is a
different thing entirely.  There was, at one point, a major push to do
alternate decryption keys for such purposes.

        IPv6 tunnels should terminate at security perimeters.  So
you should be able to break the tunnel traffic down into native protocols.
By the same token, your VPN traffic should terminate somewhere.  IPSec
on IPv6 does not mean that every machine has its own key and it's encrypted
end to end.  You can VPN IPv6 gateway to gateway just as you do with IPv4.
Nothing requires IPv6 to be encrypted out to the individual nodes.

   With respect to these, I have questions on how the deployments are
   going to be. One type of deployment I can think of is:

         Central gateway implementing Firewall/Virus Scanning
         engine and also terminating IPSec tunnels from local PCs and
         creating tunnels from the gateway to ultimate destination.
         By doing this, the gateway gets hold of clear packets, can
         apply firewall rules, scan and any other operations.

    What other types of deployments would be required/considered by
    organizations having IPv6 networks?

The same as today- where we have those (application layer firewalls, for
instance) as well as NAT and straight through and trust the host security
and bunches of others.  The only thing v6 brings that might be
"interesting" from a security perspective[1] is encapsulated or cascading
headers, that'll allow some socks-like stuff to happen if enough people
get momentum (likely though it'll be QoS that first tries it.)

        Agreed on "same as today".

        But...

        IPv6 is VASTLY more interesting than this...  There are lots
of things that are interesting (both in the good sense and the bad
sense) about IPv6 and security.  Consider "privacy enhanced addresses".
Now, as a system administrator, how are you going to track down a virus
infected system that changes its address every half hour with no audit
trail?

        I restrict ssh to IPv6 only (hell, it's virtually unscannable and
has no broadcast address and is reachable from anywhere I am on IPv4, why
not...).  Some of my external servers, the ssh listens only on certain
IPv6 addresses.  And those addresses change every 15 minutes.  A new address
is added every 15 minutes and the dns is updated (w/ TSIG).  Each address
is valid for 2 hours (to allow for DNS TTL).  After that time, it's
deprecated.  When a deprecated address no longer has a resource (socket)
attached to it, it ceases to exist on the machine.  Every IPv4 address
has an entire IPv6 NETWORK (65,536 subnets each containing 16 billion
billion host addresses).  I have yet to find anywhere on the entire
internet where IPv6 does not work (private address space or global address
space), and it works well.  I can reach all my IPv6 stuff from anywhere
on IPv4.  Why leave it exposed and vulnerable (to scanning and probes) on
IPv4?  Even my virtual web server farm has web services on IPv4 but all
the security stuff is tightly marshalled over IPv6.

        How do you scan for backdoors, when the intruder adds his own
unique address (hell, you can add IPv6 to XP without even rebooting the
damn thing and you have to reboot Linux to disable it) amongst
16 billion-billion possible addresses on that wire?  How do you deal
with bot-nets, where every bot is given a unique contact address and
the server has thousands of addresses added without having to ask
anyone?

        Want to check out something really NASTY, check out Teredo.
That's IPv6 over UDP.  A buddy at MS refers to this as the "Evil
Firewall Destroying Daemon from Hell".  Do you worry about UDP traffic
over port 3544?  Should you be?  Some people have already found out,
to their regret, that they should be.

        IPv6 has LOTS of security implications.  They're just not obvious.
And a lot of people (particularly in North America) have their heads in the
sands vis-a-vis IPv6.  At many of my talks, I've had people walk up to
me later and tell me that they've been seeing this strange traffic on
their network for ages, they just didn't know what it was.  And now they
know, and now they need to figure all this out...  IPv6 arrived several
years ago and anyone who thinks they don't have IPv6 just doesn't know
that they have it already, and that they don't control it, and that it's
uniformly routable, and that it's globally addressable (whether their IPv4
addresses are globally addressable or not).

        But...  Back on the original topic...  IPSec is not required
to use IPv6.  It's only required by implementations to be supported in
order to be "IPv6 compliant".  Use it if you wish, or don't use it if
you wish.  You don't have to support IPSec to be IPv4 compliant, but you
do have to support it for IPv6.  Outside of just supporting it, it's
the same as it ever was.

        OTOH...  IPSec CAN be REALLY useful in supporting IPv6!  My
laptop has over a dozen different ways of connecting to IPv6 no matter
where I am in the world.  If I can pull a native prefix, great.  If not,
I can go 6to4 or 6over4, no problem.  If that doesn't work, my next fallback
is IPSec on IPv4 (to tunnel my IPv6 stuff over a VPN) and IPSec NAT-T
(IPSec over UDP port 4500) next.  If those fail, then I start resorting
to things like PPP over stunnel or PPP over ssh (both of which have been
tested).  Beyond that, there are even more access methods that I've never
tested because I've never run into a circumstance where none of the above
didn't work.  In most corporate environments with really strict rules,
IPSec NAT-T (forcing NAT-T even when not crossing a NAT) works like a champ.
I have never been forced to resort to things like CCTT, even though they
are there and ready if I ever find anything that gets in the way of what
I normally use.  IPSec (particularly NAT-T) is a great firewall bypass tool.
Ya don't need to run IPSec on IPv6 when you are already tunnelling IPv6
over IPSec.  :-)

Paul
[1] Admittedly, I haven't looked at v6 in a good number of years, so
something may have changed since I looked at the drafts way back when.

        Nope.  You got it right on most of it other than seeing some
of the non-obvious implications IPv6 has for security.  The biggest
threat (both from IPv6 and to IPv6) is bringing IPv4 mind think to
IPv6.  IPv6 is not IPv4 with fat addresses.  Even if it was (which it
isn't) it couldn't be because the entire paradigm changed from one of
address scarcity to addresses aplenty.  And that changes a LOT more than
what's obvious.  It really changes everything.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
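The thread's practical point for a defender is that IPv6 usually enters a network through tunnels (Teredo on UDP/3544, IPsec NAT-T on UDP/4500, 6to4/6in4 as IP protocol 41) rather than natively. The following is an added example, not code from the list or its authors: it classifies constructed flow records by those well-known outer-transport markers, and tells from an IPv6 address's prefix (Teredo 2001::/32, 6to4 2002::/16) how a peer reached the IPv6 internet. The flow line format and all addresses are constructed for the example.

```python
import ipaddress

# Outer-transport markers for the tunnel types the thread names.
# Port and protocol numbers are the standard IANA assignments.
TUNNEL_SIGNATURES = {
    ("udp", 3544): "teredo",        # IPv6 over UDP
    ("udp", 4500): "ipsec-nat-t",   # ESP over UDP
    ("ip", 41): "6in4/6to4",        # IPv6 carried directly in IPv4
    ("ip", 50): "ipsec-esp",        # native ESP
}

# Well-known IPv6 prefixes that reveal how a peer reached the v6 internet.
TRANSITION_PREFIXES = {
    ipaddress.IPv6Network("2001::/32"): "teredo",
    ipaddress.IPv6Network("2002::/16"): "6to4",
}

def parse_flow(line):
    """Parse a constructed flow line: 'src dst proto dport bytes'."""
    src, dst, proto, dport, nbytes = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}

def classify_flow(flow):
    """Return the tunnel type a flow carries, or None for ordinary traffic."""
    if flow["proto"] in ("tcp", "udp"):
        return TUNNEL_SIGNATURES.get((flow["proto"], flow["dport"]))
    return TUNNEL_SIGNATURES.get(("ip", int(flow["proto"])))

def find_tunnels(lines):
    """Return (src, dst, tunnel_type) for every flow that is a tunnel."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        kind = classify_flow(flow)
        if kind:
            hits.append((flow["src"], flow["dst"], kind))
    return hits

def transition_method(addr):
    """Classify an IPv6 address by transition prefix ('native' if none match)."""
    a = ipaddress.IPv6Address(addr)
    for net, name in TRANSITION_PREFIXES.items():
        if a in net:
            return name
    return "native"

# Constructed sample flows (IPv4 outer headers), not from a real capture.
# 192.88.99.1 is the 6to4 anycast relay address.
SAMPLE_FLOWS = [
    "192.0.2.10 198.51.100.5 tcp 443 8120",
    "192.0.2.11 203.0.113.77 udp 3544 1320",
    "192.0.2.12 203.0.113.9 udp 4500 90210",
    "192.0.2.13 192.88.99.1 41 0 640",
    "192.0.2.14 198.51.100.53 udp 53 210",
]
```

Fed real flow exports in the same five-field shape, find_tunnels surfaces the hosts that are already speaking IPv6 through a firewall that only thinks in IPv4.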
