Atomic fragments running amok: time to take IPv6 security seriously?

News by Davey Winder

The danger of atomic fragments in the 20-year-old IPv6 protocol has been known for a long time, so why are sysadmins still failing to harden their networks against this vulnerability?

The Internet Engineering Task Force (IETF) has published RFC 8021 entitled 'Generation of IPv6 Atomic Fragments Considered Harmful.' The vast majority of folk will have fallen asleep by the third word in, namely IPv6.

However, read further and you will discover that atomic fragmentation is a DoS attack vector that can hit routers in the largest-scale core networks. The OpenBSD and Linux stacks are patched, but some server and router implementations remain at risk, as do Linux servers not running a patched kernel.

You will also discover that atomic fragments are serious enough to have now been added to the IETF 'considered harmful' list.

Here comes the technical bit: according to RFC 6946, the IPv6 spec allows packets to contain a fragment header, without the packet actually being fragmented into multiple pieces. These are the atomic fragments referred to in RFC 8021.

By forging ICMPv6 'Packet Too Big' error messages, an attacker could trick hosts into employing these atomic fragments and then launch a fragmentation-based attack against that traffic.
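As an added illustration (not code from the article or from the RFC authors), the check below parses a raw IPv6 packet, walks its extension-header chain and reports whether a Fragment header marks a real fragment or an atomic one (fragment offset 0 with the M flag clear), which RFC 6946 says a receiver should process as an unfragmented packet rather than queue for reassembly. The sample packets, the 2001:db8:: documentation addresses and the identification value are constructed for the example.

```python
import struct
from typing import Optional

IPV6_FRAGMENT = 44          # Next Header value of the Fragment header
EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options


def classify_fragment(pkt: bytes) -> str:
    """Return 'none' (no Fragment header), 'atomic' (offset 0, M=0) or 'real'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = pkt[6], 40
    # Each extension header starts with (next_hdr, ext_len); length is in 8-octet units + 8.
    while next_hdr in EXT_HEADERS:
        if len(pkt) < offset + 2:
            raise ValueError("truncated extension header")
        next_hdr, ext_len = pkt[offset], pkt[offset + 1]
        offset += (ext_len + 1) * 8
    if next_hdr != IPV6_FRAGMENT:
        return "none"
    if len(pkt) < offset + 8:
        raise ValueError("truncated fragment header")
    # Fragment header: next_hdr(1) reserved(1) [offset:13 res:2 M:1](2) identification(4)
    _, _, off_flags, _ = struct.unpack("!BBHI", pkt[offset:offset + 8])
    frag_offset, more = off_flags >> 3, off_flags & 1
    return "atomic" if frag_offset == 0 and more == 0 else "real"


def build_packet(payload: bytes, frag_offset: Optional[int] = None, more: bool = False) -> bytes:
    """Constructed sample: IPv6 header, optional Fragment header, UDP payload."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")   # 2001:db8::1 (constructed)
    dst = bytes.fromhex("20010db8" + "0" * 23 + "2")   # 2001:db8::2 (constructed)
    body, next_hdr = payload, 17                        # 17 = UDP
    if frag_offset is not None:
        body = struct.pack("!BBHI", 17, 0, (frag_offset << 3) | int(more), 0x1234) + payload
        next_hdr = IPV6_FRAGMENT
    hdr = struct.pack("!IHBB", 0x60000000, len(body), next_hdr, 64) + src + dst
    return hdr + body


def audit(packets) -> dict:
    """Count fragment kinds in a batch; a spike in 'atomic' is what a middlebox should not reassemble."""
    counts = {"none": 0, "atomic": 0, "real": 0}
    for p in packets:
        counts[classify_fragment(p)] += 1
    return counts
```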

"In cyber-security circles, it's been well known for years that excessive fragmentation attacks can cause denial of service conditions on systems that are sensitive to this category of attack," says Stephen Gates, chief research intelligence analyst at NSFOCUS. For IPv4 these attacks are no longer an issue, as almost all the relevant technologies have been patched to prevent them. "It appears IPv6 will be no different," Stephen concludes, "once this issue is resolved."

But it does open up a bigger can of worms, in as far as the wider IPv6 threatscape is concerned, according to Geoff Jones, director of pen testing specialists Cyberis Limited. "Even security conscious organisations are failing when it comes to IPv6," Geoff told SC Media UK, adding that his organisation consistently sees "system administrators failing to firewall hosts correctly from IPv6 traffic".

They configure iptables on a Linux box but forget to configure ip6tables. Meanwhile, the autoconfiguration of hosts, and the existence of the 'all-nodes' address, gives an adversary with physical access to a network an extremely quick and efficient way of finding potential targets.

So isn't it time everyone started taking IPv6 security seriously?

Marco Hogewoning, the RIPE NCC's external relations officer and technical advisor, admits that "as people start using IPv6, some of the workarounds which people thought would expedite IPv6 implementation have had to adjust to the reality of deployments on a range of different network infrastructures".

Mat Ford, the technology programme manager at the Internet Society, who specialises in IPv6, told SC that "enterprises need to take IPv6 security as seriously as they take other aspects of Internet security for their organisation".

This applies even when enterprises do not consider themselves to be using IPv6 in their network or to be offering public facing IPv6 services. "Modern operating systems ship with an IPv6 stack that is enabled by default," Mat explains, "and that can lead to vulnerabilities, whether IPv6 connectivity is enabled or not."

John Bambenek, threat intelligence manager at Fidelis Cybersecurity, insists that while IPv6 isn't as mature a protocol as IPv4, any enterprise in the IPv6 space "should be concerned that some problems we have long solved in IPv4 come up in different ways with IPv6". For example, by and large, not much attention need be paid to protocol attacks at the IPv4 layer, but caution should be taken not to have the same complacency with IPv6.

As Tom Coffeen, IPv6 evangelist at Infoblox, puts it, "Enterprises shouldn't let any security weaknesses currently inherent to the IPv6 protocol distract them from the larger challenge of developing an IPv6 security practice."

But Geoff Jones reminds us that this isn't just an enterprise problem and that he sees "security vendors failing when it comes to IPv6". Cyberis has conducted product evaluations of various next-generation firewalls, Intrusion Detection Systems, web proxies and other content inspection devices and several vendors still have poor or incomplete support for IPv6.

"Many controls failed 'open' rather than blocking application layer traffic," Geoff says, meaning they let through over IPv6 the same traffic that had been correctly identified as malicious and blocked when transmitted over IPv4.

So while atomic fragments could be "considered an unnecessary feature of the protocol with knock-on consequences for security," according to Geoff, "many businesses are yet to get a grasp on even the basics of the now nearly 20-year-old protocol which is IPv6."
