NSA Seeks Feedback on IPv6 Security Recommendations
4/28/2008 -- The National Security Agency's Central Security Service has released a pair of IPv6-related documents titled "Firewall Design Considerations for IPv6" and "A Filtering Strategy for Mobile IPv6" for industry review and feedback.
One of the most frequently cited impediments to IPv6 deployment is the lack of IPv6 features in security products. Network administrators are nervous about implementing the new protocol and opening up security holes without having the tools to mitigate them. The NSA documents by Casimir Potyraj call for firewall vendors and other security experts to comment on what is practical to implement in security products.
Potyraj called attention to the "unconstrained flexibility allowed by IPv6 specifications" that must be considered when designing security products. For example, a major improvement in IPv6 is the replacement of seldom-used IPv4 header fields with optional extension headers that can be used to provide additional services and packet handling. Potyraj expressed concern that the flexibility allowed in the IPv6 specifications on extension headers, including the order in which the headers appear in the packet, may facilitate attacks or impair security product vendors' ability to implement techniques to thwart them.
Potyraj addressed the firewall processing issues that may arise because the location of the field identifying the Layer 4 protocol is not consistent. Its placement varies depending on the presence of extension headers. Firewalls need to look beyond the main protocol header to the last extension header to determine the Layer 4 protocol and apply the security policy accordingly.
The author devoted substantial time to packet fragmentation, something used frequently in attacks on IPv4 networks. Unlike in IPv4, IPv6 routers are not permitted to fragment packets. The source and destination hosts must exchange Internet Control Message Protocol (ICMP) messages to understand if fragmentation is required and perform it themselves. Although this is intended to remove the processing burden from network routers, it raises security concerns elsewhere.
Potyraj cautioned that network security policy must change so that ICMP messages are not indiscriminately filtered out. IPv4 security policies often drop ICMP messages because they are used in attacks or in reconnaissance that leads to attacks. Although this impairs diagnostic capabilities, it is otherwise generally harmless. ICMP in IPv6 takes on a much more important role; some ICMP messages, such as those used in fragmentation, are critical to the success of communication transactions and must be allowed through firewalls. New ICMPv6 messages, such as Neighbor Discovery, must be considered in the firewall policy and treated appropriately.
Potyraj addressed security issues that will be present during the long transition to IPv6, which will involve various tunneling or protocol translation mechanisms and require most enterprises to run a hybrid IPv4/IPv6 dual-stack network indefinitely. Tunneling presents security issues because upper-layer information on which security policy is based may be hidden from the view of security tools.
The second document focuses on filtering strategies for Mobile IPv6 (MIPv6). MIPv6 may be one of the most promising IPv6 features in light of the ever-increasing number of handheld mobile devices. Securing the transmission to and from mobile nodes without disrupting the MIPv6 process is critical. Additionally, earlier security concerns related to tunneling reappear in MIPv6 because the protocol relies on tunneling when mobile nodes change locations. --Dan Campbell, courtesy of GCN.com
|