CO885_criticalReview.md

File metadata and controls

25 lines (16 loc) · 6.26 KB

Critical Review

Ullrich, J., Krombholz, K., Hobel, H., Dabrowski, A. and Weippl, E.R., 2014, August. IPv6 Security: Attacks and Countermeasures in a Nutshell. In WOOT.

Paper Summary

IPv6 was first formalized in 1998 and has evolved over the years, with its growing adoption leaving artefacts along the way. Multiple security assessments can be found in various sources and in different formats, such as research papers, blogs, videos and RFCs, scattered through time. Getting an overview of the overall picture is not trivial and is a time-consuming task. That is what the researchers overcame with their paper [1], providing a modern and consistent survey. With that in mind, they were able to summarize and systematize a considerable amount of IPv6 security and privacy vulnerabilities, along with the associated countermeasures, and presented them in a clearly arranged manner [1](p. 6-8). A comparison with the general security of IPv4 is also provided, as reasonable arguments are given for doing so. The study is completed with three challenges in the area that will be interesting for the research community to investigate in the near future, namely the address assignment and structure, the security of local network discovery, and address selection for reconnaissance.

A considerable amount of searching, reading and filtering has been done by the group over the vast diversity of resources. They applied an extensible common language for describing computer incidents, formalized in the same year as IPv6. Vulnerabilities related to security and privacy have been separated, as have the countermeasures they ought to address. A checklist approach seemed the best fit for the intended format.

The researchers concluded that a large part of the presented issues can be mitigated. Thus, IPv6 is not less secure than IPv4 when the listed countermeasures are applied together with the experience gained from the previous version. Nevertheless, IPv6 suffers from some common, well-known vulnerabilities also present in IPv4. This is partly due to the original design, which put trust at the core of the protocol. A number of security flaws have been introduced out of fear of IPv6; limited security knowledge combined with poor experience explains why transition technologies cause roughly 30 percent of the presented vulnerabilities. New vulnerabilities are inherently linked to some drawbacks, such as the overhead created by intensive cryptographic calculation at scale or the unacceptable effort required at the bootstrapping steps of a deployment. This leads us to the three remaining issues that the study leaves imperfectly addressed.

Critique

This paper is the result of a long and methodical study. The provided survey is thorough and well formatted, more readable than [4]. I was not able to find any other work of similar quality in the literature that combines those two aspects [2][3][4]. It was presented at the top security conference WOOT in 2014, which is a good sign. The list of references cited by the authors [1](p. 10-11) is well chosen and thus brings real credibility to their results, which is not the case in general [2][3][4]. According to the references, a substantial amount of effort is being put by the research community into the three research challenges described. The standardization documents provided by the Internet Engineering Task Force lay the basis of a robust and credible core documentation, as the technical level and the reviews of those documents are solid. However, a good idea would have been to give a detailed description of the testbed put in place by the team to conduct the experiments, as well as of the tools used to test, reproduce and monitor the described effects, as was done in [3]. That way the reader can make the comparison with an existing infrastructure. This would have brought a notion of feasibility in pseudo-real scenarios, helping network administrators to pinpoint the critical parts of their network, assess their security, experiment with the real effects of bad configurations and deploy countermeasures [2](p. 5).

Synthesis

Feedback on the security challenges and issues that companies using IPv6 are facing in production would have been a must and would have helped to focus on the most crucial aspects seen in real cases, as opposed to [2](p. 4). The most common vulnerabilities, their impact at large scale on real network appliances, and the possible drawbacks of countermeasures would then be perceived from a different angle. Assigning a criticality level would then have made sense. According to the authors, the fear caused by poor documentation and a lack of feedback [1](p. 10) has made engineers and researchers take bad design decisions; such an insight would have contributed to making that fear fade away to some extent. An interesting development, in my opinion, would be to study and describe how IPv6 features can be used by botnets to ensure their stealthiness and resilience, especially how the scanning and covert channel vulnerabilities discussed [1](p. 5) can be leveraged to do so. With the unprecedented number of devices that are, and will be, connected via IPv6 to the worldwide network, the size of such malicious sub-networks will drastically increase along with their overall firepower. New architectures and communication schemes will emerge relying on side effects of new IPv6 features and vulnerabilities. No mention is made of this topic in the research [1][2][3][4]. Detecting botnets and taking them down will always require more creativity and is a timely subject.

References

  • [1] Ullrich, J., Krombholz, K., Hobel, H., Dabrowski, A. and Weippl, E.R., 2014, August. IPv6 Security: Attacks and Countermeasures in a Nutshell. In WOOT.
  • [2] Yang, X., Ma, T. and Shi, Y., 2007, March. Typical DoS/DDoS threats under IPv6. In Computing in the Global Information Technology, 2007. ICCGI 2007. International Multi-Conference on (pp. 55-55). IEEE.
  • [3] Nicolls, V., Le-Khac, N.A., Chen, L. and Scanlon, M., 2016, August. IPv6 security and forensics. In Innovative Computing Technology (INTECH), 2016 Sixth International Conference on (pp. 743-748). IEEE.
  • [4] Martin, C.E. and Dunn, J.H., 2007, October. Internet Protocol version 6 (IPv6) protocol security assessment. In Military Communications Conference, 2007. MILCOM 2007. IEEE (pp. 1-7). IEEE.