This article provides an introduction to the concept of first-hop security and discusses the challenge of trying to apply the techniques currently enforced in IPv4 networks to emerging IPv6 deployments.
Introduction to first-hop security
The term "first-hop security" is generally used to refer to the security policies and mechanisms that can be locally employed on a network segment to protect it from attack. There are different points in an enterprise network (local or wide area network) where first-hop security can be enforced:
- the end nodes
- the first-hop switch
- the first-hop router
Enforcing first-hop security at the end-nodes leads to a distributed security model in which each node protects itself. The upside of this model is that it does not result in single points of failure, where the failure of a single network element affects a large portion of the network. This security model also does not increase network complexity because security is enforced by the hosts rather than network elements like the first-hop switches or routers. The downsides are that this distributed security model makes the network generally harder to manage than one based on a centralized model, and vulnerabilities are nearly impossible to mitigate at the end nodes.
Enforcing first-hop security at the first-hop switch leads to a centralized security model that puts the first-hop switch in charge of protecting the end nodes. The upside of this centralized model is that it tends to be easier to manage. Also, the first-hop switch becomes a natural point at which to mitigate a number of common network attacks. The downsides are that it requires increased intelligence/complexity in the first-hop switch and it clearly introduces a single point of failure; if the first-hop switch is compromised, all protection is gone.
Finally, first-hop security can be enforced at the first-hop router. The upside of this model is that it leads to a more protected centralized model that is simple to manage and can protect all subnet elements from external attack. On the other hand, this model cannot protect against attacks originated from local nodes.
Enforcing first-hop security usually mitigates a number of attacks. They include -- but are not limited to -- the following:
- Address spoofing attacks
- Layer 2/Layer 3 interface attacks, such as attacks on address resolution
- Denial of Service (DoS) attacks, based on either Layer 2 or Layer 3
The rest of this article will provide an overview of the different mechanisms that can be employed in IPv4 and IPv6 to enforce security, focusing on the substantive differences between IPv4 security and IPv6 security that must be considered when migrating from IPv4 to IPv6.
First-hop security in IPv4
To understand the context in which first-hop security is applied in IPv4 networks, it is best to briefly characterize IPv4 networks. Firstly, IPv4 subnets are typically limited to a few hundred nodes. Secondly, each node is typically assigned only one IPv4 address. These constraints limit the scale of the problem, as we'll see in the rest of this section.
In IPv4, the Address Resolution Protocol (ARP) is used to map IPv4 addresses into link-layer addresses. ARP runs directly on top of Ethernet and is a very simple protocol with fixed-length packets and no options or extensions. As a result, ARP traffic can be easily monitored to detect ARP spoofing attacks. Tools such as arpwatch have been readily available for a long time to monitor ARP traffic on enterprise networks. Additionally, IPv4 switches can reliably block spoofed ARP traffic.
In IPv4 networks, automatic network configuration typically employs the Dynamic Host Configuration Protocol (DHCP), which can be exploited to perform man in the middle or DoS attacks. In order to mitigate such attacks, some IPv4 switches implement a "DHCP snooping" functionality, so that outgoing DHCP-server packets are only allowed on specific ports. This type of functionality effectively and simply mitigates DHCP-based attacks by blocking the attack packets at the local switch before hackers reach the victim hosts.
IPv4 networks may also be subject to address-spoofing attacks, where a host may try to impersonate either another host on the same network segment or a host on a remote network. Since each IPv4 host is typically assigned a single address, the scale of the spoofing problem is very limited; a first-hop switch can mitigate this problem by allowing only a few addresses per port.
Finally, it is generally desirable to track address usage in a network -- that is, to keep a log of which node used which address(es) at which point in time. This is useful for correlating node activities, such as identifying malware-infected systems in a network. It takes fewer resources to track IPv4 addresses than IPv6 addresses; since addresses are typically assigned by a DHCP server, the aforementioned server is an obvious and straightforward choice for logging such information.
First-hop security in IPv6
In this section, we'll briefly discuss some differences between IPv4 and IPv6 networks, and analyze how those differences affect first-hop security in IPv6.
A key difference between IPv6 and IPv4 subnets is that IPv6 subnets are typically assigned a much larger address space (usually a /64). Because IPv6 can accommodate a larger number of nodes, all relevant network elements must also be prepared to handle such a large number of nodes/addresses. Additionally, IPv6 nodes are typically assigned more than one IPv6 address. At the very least, they are assigned a link-local unicast address (taken from the fe80::/10 prefix) and one global unicast address.
Finally, a number of operating systems (notably Windows Vista and Windows 7) support and enable by default some flavor of "temporary addresses" (usually referred to as "privacy addresses"), which are configured in addition to the traditional auto-configured addresses. These privacy addresses are short-lived and recycled over time, which means that not only do IPv6 hosts employ more than one address, but the set of employed addresses varies over time.
In the IPv6 world, ARP has been replaced by the "Neighbor Discovery" (ND) protocol. ND employs Internet Control Message Protocol version 6 (ICMPv6) messages, so it runs on top of IPv6. When compared with IPv4's ARP, ND provides increased flexibility. However, it also results in increased complexity: In particular, since it runs on top of IPv6, ND messages can potentially include IPv6 extension headers and may be fragmented into multiple IPv6 fragments.
A number of tools exist in the IPv6 world to provide feature parity with IPv4. However, the aforementioned differences between IPv6 and IPv4 can lead to some unexpected implications. Let's analyze some of them in detail.
First, a number of tools, such as NDPMon, aim to provide in IPv6 similar features to those provided in IPv4 by tools like arpwatch, to help mitigate ND-based attacks. However, since ND traffic can be fragmented, an attacker can leverage IPv6 fragmentation to make monitoring a difficult task.
Similarly, many IPv6 switches implement a mechanism known as "Router Advertisement (RA) Guard," which parallels the DHCP-snooping functionality in IPv4 networks. However, recent security research indicates all these mechanisms can be easily circumvented. By employing IPv6 extension headers and IPv6 fragmentation, an attacker can make it virtually impossible for a Layer 2 device to detect and police ND traffic.
IPv6 address usage monitoring tends to be more difficult for a number of reasons. First, the mandatory auto-configuration mechanism (SLAAC) results in hosts assigning their own addresses, which means that address assignment is not centralized in any network device. While DHCPv6 has been standardized for use with IPv6, support of DHCPv6 is optional, and a number of popular operating systems do not implement it, which is why most networks cannot rely on DHCPv6 for address assignment. Secondly, since a number of operating systems employ the so-called "privacy addresses," any network monitoring device used for tracking IPv6 address usage must be prepared to keep track of multiple addresses per node, which typically change over time.
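The tracking problem described above, as an added example that is not part of the original article: a small Python address-usage log that keeps every address a node has been seen with, answers "which addresses did this node have at time T" and "who held this address at time T", and labels each address as MAC-derived (traditional SLAAC) or random-IID (temporary or DHCPv6). The observations are constructed, as a switch or router could log them from its neighbor cache; the MAC and address values are not real.

```python
import ipaddress
from collections import defaultdict

def eui64_iid(mac):
    """Interface ID traditional SLAAC derives from a MAC: U/L bit flipped, ff:fe inserted."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02
    return int.from_bytes(b[:3] + b"\xff\xfe" + b[3:], "big")

def classify_address(addr, mac):
    """Label scope and whether the IID is MAC-derived (stable) or random (temporary/DHCPv6)."""
    a = ipaddress.IPv6Address(addr)
    scope = "link-local" if a.is_link_local else "global"
    iid = int(a) & ((1 << 64) - 1)
    if iid == eui64_iid(mac):
        return scope + "/eui-64"
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return scope + "/eui-64-mismatch"  # ff:fe pattern from some other MAC: worth a look
    return scope + "/random-iid"

class AddressTracker:
    """History of every address seen per link-layer address, with first/last-seen times."""
    def __init__(self):
        self.seen = defaultdict(dict)  # mac -> {address: [first_seen, last_seen]}

    def observe(self, ts, mac, addr):
        addr = ipaddress.IPv6Address(addr).compressed  # canonical text form as the key
        window = self.seen[mac].setdefault(addr, [ts, ts])
        window[0], window[1] = min(window[0], ts), max(window[1], ts)

    def addresses_of(self, mac, at):  # all addresses the node was observed using at time `at`
        return sorted(a for a, (first, last) in self.seen[mac].items() if first <= at <= last)

    def owner_of(self, addr, at):  # link-layer addresses observed using `addr` at time `at`
        addr = ipaddress.IPv6Address(addr).compressed
        return sorted(m for m, h in self.seen.items() if addr in h and h[addr][0] <= at <= h[addr][1])

# Constructed neighbor-cache observations (unix time, link-layer address, IPv6 address); not real data.
OBSERVATIONS = [
    (1000, "00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"),
    (1000, "00:11:22:33:44:55", "2001:db8::211:22ff:fe33:4455"),
    (1000, "00:11:22:33:44:55", "2001:db8::a1b2:c3d4:e5f6:789"),   # temporary (privacy) address
    (4600, "00:11:22:33:44:55", "2001:db8::a1b2:c3d4:e5f6:789"),
    (8200, "00:11:22:33:44:55", "2001:db8::9f8e:7d6c:5b4a:3921"),  # the temporary address was recycled
    (8200, "aa:bb:cc:dd:ee:ff", "fe80::a8bb:ccff:fedd:eeff"),
]

def build_tracker(observations=OBSERVATIONS):
    tracker = AddressTracker()
    for ts, mac, addr in observations:
        tracker.observe(ts, mac, addr)
    return tracker
```

A query for an address outside its observed window returns no owner, so the log's answer is only as good as the polling interval of the device feeding it.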
Improving first-hop security in IPv6
There is ongoing work at the Internet Engineering Task Force (IETF) and in the vendor community to improve the current state of affairs with respect to IPv6 first-hop security. For example, an existing proposal aims to simplify Neighbor Discovery traffic so that it can be subject to network monitoring similar to what is enforced in IPv4 for ARP and DHCP traffic. This proposal basically bans the use of IPv6 fragmentation for ND traffic, thereby avoiding the complexity of monitoring fragmented traffic. Another proposal, a recommendation for RA-Guard implementations, has been submitted to the IETF, in hopes of eliminating the RA-Guard's aforementioned evasion vulnerabilities.
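The policy the first proposal describes (no IPv6 fragmentation for Neighbor Discovery traffic), as an added example in Python that is not part of the article or of any vendor's implementation: a header-chain walker that a monitoring or filtering device could use to flag ND messages carried behind a Fragment Header and to single out ND messages carrying other extension headers for closer inspection. The sample packets are constructed inline (ICMPv6 checksum left at zero); the `classify` verdict strings are this example's own convention.

```python
import ipaddress
import struct

ICMPV6, FRAGMENT, DEST_OPTS = 58, 44, 60
EXT_HEADERS = {0, 43, 44, 60}  # Hop-by-Hop, Routing, Fragment, Destination Options
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

def walk_headers(pkt):
    """Follow the extension-header chain; return (chain, upper-layer proto, its offset, fragment offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, frag_off = pkt[6], 40, [], None
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        chain.append(nxt)
        if nxt == FRAGMENT:  # fixed 8 bytes: next header, reserved, offset/M flag, identification
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            nxt, off = pkt[off], off + 8
        else:  # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    return chain, nxt, off, frag_off

def classify(pkt):
    """Verdict a first-hop monitor or filter can act on for a single packet."""
    chain, proto, off, frag_off = walk_headers(pkt)
    if frag_off:  # non-first fragment: the ICMPv6 header is not in this packet at all
        return "unclassifiable: non-first fragment hides the upper-layer header"
    if proto != ICMPV6 or off >= len(pkt):
        return "pass: not ICMPv6 (or no upper-layer header present)"
    kind = ND_TYPES.get(pkt[off])
    if kind is None:
        return "pass: ICMPv6 type %d is not Neighbor Discovery" % pkt[off]
    if FRAGMENT in chain:
        return "drop: %s carried in a fragmented packet" % kind
    if chain:
        return "inspect: %s with extension headers %s" % (kind, chain)
    return "pass: unfragmented %s" % kind

def ipv6_packet(next_header, body):
    """Constructed IPv6 header (fe80::1 -> ff02::1, hop limit 255) in front of `body`."""
    hdr = struct.pack("!IHBB", 0x60000000, len(body), next_header, 255)
    return hdr + ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed + body

# Constructed samples: a Router Advertisement (type 134) plain, as a first fragment, as a later fragment, behind Dest Opts
RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
PLAIN_RA = ipv6_packet(ICMPV6, RA)
FRAG_RA = ipv6_packet(FRAGMENT, struct.pack("!BBHI", ICMPV6, 0, 1, 0xABCD) + RA)
LATER_FRAG = ipv6_packet(FRAGMENT, struct.pack("!BBHI", ICMPV6, 0, 8, 0xABCD) + b"\x00" * 16)
DSTOPT_RA = ipv6_packet(DEST_OPTS, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + RA)
```

The "unclassifiable" verdict is the crux of the article's point: a Layer 2 device that sees only a later fragment has no ICMPv6 header to police, which is why the proposal removes fragmentation from ND rather than asking devices to reassemble.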
Other areas still require further work by the vendor and user community. For example, there are not yet any freely available tools that implement IPv6 address usage monitoring functionality.
Concluding first-hop security in IPv6
First-hop security aims at improving the security of a local network by employing a number of mitigation techniques. While feature parity between IPv6 and IPv4 is highly desirable, some of the differences between these two protocols can make achieving it difficult. The standards and vendor communities are working to overcome these issues and bring the well-known IPv4 mitigations to the IPv6 world. Aside from the ongoing research and development work, IPv6 awareness needs to be raised among network and security administrators, so that differences between old and new Internet protocols do not negatively impact existing and emerging IPv6 deployments.