Public PhD Defence
Title: Measuring IPv6 Resilience and Security
When: On Friday, 18 January 2019, at 14:45.
Where: In Waaier, room 4.
The defence will be preceded by a short introduction at 14:30.
The Internet Protocol (IP) is the most used protocol on the planet. Whether browsing the Web, sending a message from a smartphone, playing an online computer game, or doing anything else that needs some kind of connection to the Internet, IP is involved. The specific version of IP that we have already used for decades is version 4 (IPv4 for short). To counter some of its shortcomings, such as the small address space, its successor, IP version 6 (IPv6), was defined 20 years ago.
With attacks on the Internet becoming a common item on the evening news, the question naturally arises: where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off and it is actually being used in the Internet (Google sees 25% of its users connecting via IPv6), we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severity of these problems, and propose solutions on how to prevent and avoid them.
First, a fraction of IPv6 network traffic goes unnoticed in measurement systems. This gives network operators an incomplete and incorrect view of what is going over their networks. Moreover, detection systems that rely upon such measurement data might fail to detect attacks inside the traffic. This problem stems from a novel concept in IPv6, the so-called Extension Headers. These headers were intended to give the protocol flexibility. In reality, they complicate both the processing and the measurement of packets. We show what traffic is hidden behind these Extension Headers, and make recommendations for operators on how to deal with traffic containing Extension Headers.
A second problem concerns firewalls, which are needed to protect networks from unwanted traffic. On IPv6, firewalls can be evaded, rendering the hosts behind the firewall reachable from the Internet. This evasion is again enabled by Extension Headers. Like measurement and detection systems, firewalls need to take into account the possible presence of these headers in IPv6 traffic. This complicates proper firewall configuration. We show that misconfigured or omitted firewall rules are common, stressing that evasion is a real problem in the IPv6 Internet. We found more than 44 000 hosts reachable through evasion and contacted network operators, confirming incorrect or incomplete firewall configurations. To help operators troubleshoot their problems and verify their configurations, we created an online service to perform one-off measurements, indicating whether their firewalls are indeed prone to evasion or not.
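The two problems above share one root cause: a measurement system or firewall that only reads the Next Header field of the fixed IPv6 header records "Hop-by-Hop" or "Fragment" instead of the transport protocol that actually follows the extension-header chain. The walker below is an added illustration written for this page, not code from the thesis or its online service; it assumes raw IPv6 packets as bytes, the standard header layouts from RFC 8200 (Fragment is fixed at 8 bytes, AH counts its length in 4-byte units, the other extension headers in 8-byte units), and a set of constructed sample packets. It contrasts what a naive counter reports with what a chain walk recovers, and handles the cases where the transport header is genuinely absent (a non-initial fragment, or anything after ESP).

```python
import ipaddress
import struct
from collections import Counter
from typing import List, NamedTuple, Optional

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6, NO_NEXT_HEADER = 135, 139, 140, 59
TCP, UDP, ICMPV6 = 6, 17, 58

# Extension headers that can be skipped over: all use the "Next Header, Hdr Ext Len"
# prefix except Fragment (fixed 8 bytes); AH (RFC 4302) counts its length in 4-byte units.
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH, MOBILITY, HIP, SHIM6}
NAMES = {HOP_BY_HOP: "HOPOPT", ROUTING: "ROUTING", FRAGMENT: "FRAGMENT", ESP: "ESP",
         AH: "AH", DEST_OPTS: "DSTOPTS", NO_NEXT_HEADER: "NONXT",
         TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6"}


class ChainInfo(NamedTuple):
    chain: List[int]            # extension headers in order of appearance
    upper_layer: Optional[int]  # transport protocol number, None if undeterminable
    offset: int                 # byte offset where the upper-layer header would start
    header_present: bool        # False for non-initial fragments and after ESP


def walk_extension_headers(packet: bytes, max_headers: int = 16) -> ChainInfo:
    """Follow the Next Header chain of a raw IPv6 packet to the upper-layer protocol."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain, present = packet[6], 40, [], True
    while next_header in EXT_HEADERS:
        if len(chain) >= max_headers or offset + 8 > len(packet):
            return ChainInfo(chain, None, offset, False)  # absurd chain or truncated packet
        chain.append(next_header)
        if next_header == FRAGMENT:
            hdr_len = 8
            frag_off = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_off != 0:
                present = False  # non-initial fragment: transport header is in the first one
        elif next_header == AH:
            hdr_len = (packet[offset + 1] + 2) * 4
        else:
            hdr_len = (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += hdr_len
    if next_header == ESP:
        chain.append(ESP)
        return ChainInfo(chain, None, offset, False)  # everything after ESP is encrypted
    return ChainInfo(chain, next_header, offset, present)


def naive_protocol(packet: bytes) -> int:
    """What a system that only reads the fixed header's Next Header field records."""
    return packet[6]


# --- constructed sample packets (documentation prefix 2001:db8::/32, RFC 3849) ---
def ipv6_packet(next_header: int, payload: bytes,
                src: str = "2001:db8::1", dst: str = "2001:db8::2") -> bytes:
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def options_header(next_header: int) -> bytes:
    # Hop-by-Hop or Destination Options: Hdr Ext Len 0 (8 bytes total), one PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header: int, frag_off: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (frag_off << 3) | int(more), ident)


DUMMY_UDP = struct.pack("!HHHH", 53, 53, 8, 0)  # constructed UDP header, no data
DUMMY_TCP = bytes(20)                           # constructed zeroed TCP header

SAMPLE_PACKETS = [
    ipv6_packet(UDP, DUMMY_UDP),
    ipv6_packet(HOP_BY_HOP, options_header(DEST_OPTS) + options_header(TCP) + DUMMY_TCP),
    ipv6_packet(FRAGMENT, fragment_header(UDP, 0, True, 0xCAFE) + DUMMY_UDP),
    ipv6_packet(FRAGMENT, fragment_header(UDP, 185, False, 0xCAFE) + bytes(16)),
    ipv6_packet(DEST_OPTS, options_header(ESP) + bytes(16)),
]


def summarize(packets):
    """Per-protocol counts as a naive counter sees them versus after walking the chain."""
    naive = Counter(NAMES.get(naive_protocol(p), str(naive_protocol(p))) for p in packets)
    walked = Counter()
    for p in packets:
        info = walk_extension_headers(p)
        key = "unknown" if info.upper_layer is None else NAMES.get(info.upper_layer, str(info.upper_layer))
        walked[key] += 1
    return naive, walked


if __name__ == "__main__":
    naive, walked = summarize(SAMPLE_PACKETS)
    print("naive :", dict(naive))
    print("walked:", dict(walked))
```

On the constructed sample the naive view reports two "FRAGMENT", one "HOPOPT" and one "DSTOPTS" packet, hiding three UDP and one TCP packet; the walked view attributes them to their transport protocol and leaves only the ESP-protected packet as unknown. A firewall rule that matches on the fixed header's Next Header field alone has the same blind spot as the naive counter, which is why the chain has to be walked before any port-based decision is made.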
Third, we found a vast number of IPv6-specific misconfigurations in the DNS, the Domain Name System. The DNS is often described as the phone book of the Internet, mapping easy-to-remember names to IP addresses. For IPv6, however, many of these names point to addresses that are incorrect, rendering the service behind the name unreachable over IPv6. The presentation of IPv6 addresses is hard: addresses are longer, they are written in hexadecimal, and they come in multiple different types. This causes confusion, leading to many different types of misconfigurations in the DNS. Because the Internet currently runs on IPv6 and IPv4 operating in conjunction, these problems might go unnoticed, as services may still be reachable via IPv4. In other words, operators might have no clue something is wrong, while at the same time users experience problems trying to connect to the services via IPv6. To understand the severity of this problem, we assessed two years of DNS data from major zones and classified the IPv6-specific misconfigurations operators make. With that, we present actionable ways to find and prevent such mistakes.
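The kind of check an operator can run over their own zone before such a mistake reaches users, as an added example for this page (it is not the thesis's classifier, and the categories below are this example's own checklist of address types that cannot be a public service address, not the taxonomy the thesis derived). It assumes zone-file style AAAA records as text and uses only the standard library; the sample records are constructed, and 2001:db8::/32 stands in for a real global prefix.

```python
import ipaddress
from collections import Counter
from typing import List, Tuple

# Constructed sample AAAA records. 2001:db8:1::80 plays the role of a correct
# global address; every other record shows an address that a public name
# cannot usefully point to.
SAMPLE_RECORDS = """\
www.example.com.   3600 IN AAAA 2001:db8:1::80
mail.example.com.  3600 IN AAAA ::1
ftp.example.com.   3600 IN AAAA fe80::1
old.example.com.   3600 IN AAAA ::
lab.example.com.   3600 IN AAAA fd00::5
cdn.example.com.   3600 IN AAAA ::ffff:192.0.2.10
api.example.com.   3600 IN AAAA 2001:db8::192.0.2.10
bad.example.com.   3600 IN AAAA 192.0.2.10
"""

UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")


def classify_aaaa(rdata: str) -> str:
    """Return 'ok' or the name of the problem class for one AAAA rdata string."""
    try:
        addr = ipaddress.IPv6Address(rdata)
    except ValueError:
        return "not-an-ipv6-address"      # e.g. an IPv4 address typed into an AAAA record
    if addr.is_unspecified:
        return "unspecified"              # :: is never a reachable host
    if addr.is_loopback:
        return "loopback"                 # ::1 points every client at itself
    if addr.is_link_local:
        return "link-local"               # fe80::/10 is not routed beyond one link
    if addr.is_multicast:
        return "multicast"
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"              # ::ffff:a.b.c.d is an IPv4 host in disguise
    if addr in UNIQUE_LOCAL:
        return "unique-local"             # fc00::/7 is not globally routed
    if "." in rdata:
        # Heuristic (this example's assumption): a dotted quad inside an otherwise
        # global address usually means IPv4 digits were pasted into the last hextets.
        return "embedded-ipv4-notation"
    return "ok"


def audit_zone(zone_text: str) -> Tuple[List[Tuple[str, str, str]], Counter]:
    """Classify every AAAA record; return (findings for non-ok records, per-class counts)."""
    findings, summary = [], Counter()
    for line in zone_text.splitlines():
        tokens = line.split()
        if "AAAA" not in tokens:
            continue
        name, rdata = tokens[0], tokens[tokens.index("AAAA") + 1]
        verdict = classify_aaaa(rdata)
        summary[verdict] += 1
        if verdict != "ok":
            findings.append((name, rdata, verdict))
    return findings, summary


if __name__ == "__main__":
    findings, summary = audit_zone(SAMPLE_RECORDS)
    for name, rdata, verdict in findings:
        print(f"{name:<20} {rdata:<24} {verdict}")
    print(dict(summary))
```

Each of these records is a name that still resolves (and may well still work over IPv4, which is exactly why it goes unnoticed), yet delivers no reachable IPv6 service. Running a check like this against a zone export, or against the answers a resolver returns for the zone's names, catches the syntactically valid but semantically wrong addresses that a zone-file syntax check lets through.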
Last, we show that we can find abusable hosts without scanning. The longer addresses are a natural result of one of the features of IPv6: the larger address space. Because of this (very, very) large address space, finding vulnerable hosts to misuse is often thought to be infeasible.
However, in this thesis we show that one can still find enough of these hosts to create a potent attack over IPv6, specifically a DNS-based Distributed Denial of Service (DDoS) attack. Again, we observe that operators seem to forget or misconfigure IPv6-specific settings in software and services, making such an attack possible.
Summarising, we found that misconfigurations and unawareness are the major problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security of our IPv6 Internet.