IPv6 Day: Time to think about security testing for IPv6
Today, on Wednesday June 8th, we celebrate World IPv6 Day. IPv6 Day was introduced to motivate organizations across the industry to prepare their services for a successful transition from IPv4 to IPv6 once the IPv4 address space runs out. Today, major organizations and web companies will enable IPv6 on their main websites for a 24-hour test flight, hoping to discover and address any challenges that come up and to analyze the impact that IPv6 deployment has on online business such as Voice over IP or website traffic.
Although IPv6 itself is a big step towards a more secure Internet, the transition from IPv4 to IPv6 is bound to also create new security, quality and interoperability challenges. IPv4 is widely used, and over the years it has been thoroughly tested. While IPv6 has been in development for a while now (it was first deployed around 1999) and is already used in many large networks, it is still a relatively new technology and has never been enabled at a global scale. Unlike IPv4, it has not been used and tested for years, so most of the vulnerabilities relating to it are still undiscovered. To iron out the vulnerabilities hiding in IPv6 implementations, testing, testing and more testing is required.
Why use fuzz testing to test your IPv6 deployment?
A new technology with a lot of unknown vulnerabilities means that traditional security solutions cannot cover it. They rely on signatures and databases of disclosed vulnerabilities, so if something unexpected happens because an unknown vulnerability is triggered, they are pretty much toothless. In fuzz testing, valid protocol messages are altered slightly to create anomalous, unexpected messages. The anomalies are fed to the system under test, and the system's behavior is monitored. If the system gives an unexpected response to the input, such as a crash, it indicates that there is a possibly exploitable vulnerability in the software. Since fuzz testing does not rely on vulnerability databases or signatures, it is an excellent way to test new technologies, like IPv6, for unknown vulnerabilities.
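The loop described above (mutate a valid message, feed it to the system under test, watch for unexpected behavior), as an added example that is not part of the original post or any vendor's test suite. The packet, the toy `parse()` function and its `strict` flag are constructed for illustration; the parser runs in-process and nothing is sent on a network.

```python
import random
import struct

EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options

def build_packet():
    """Constructed valid sample: fixed header, one Hop-by-Hop header, 8 payload bytes."""
    # Hop-by-Hop: next header 17 (UDP), hdr ext len 0 (8 bytes), one PadN option
    body = bytes([17, 0, 1, 4, 0, 0, 0, 0]) + bytes(8)
    # version 6, payload length, next header 0 (Hop-by-Hop), hop limit 64
    fixed = struct.pack("!IHBB", 6 << 28, len(body), 0, 64)
    return fixed + bytes(16) + bytes(15) + b"\x01" + body  # src ::, dst ::1

def parse(pkt, strict):
    """Toy system under test: walk the extension headers, return the upper-layer protocol."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS:
        if strict and off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nxt, ext_len = pkt[off], pkt[off + 1]  # unchecked read when strict is False
        off += (ext_len + 1) * 8
    if strict and off > len(pkt):
        raise ValueError("extension header overruns packet")
    return nxt

def mutate(pkt, rng):
    """Alter a valid message slightly: truncate it or overwrite one byte."""
    data = bytearray(pkt)
    if rng.random() < 0.3:
        return bytes(data[:rng.randrange(len(data))])
    data[rng.randrange(len(data))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF, 43, 60])
    return bytes(data)

def fuzz(strict, cases=2000, seed=1):
    """Feed anomalies to parse(); a clean ValueError is a pass, anything else a finding."""
    rng, valid, findings = random.Random(seed), build_packet(), []
    for _ in range(cases):
        case = mutate(valid, rng)
        try:
            parse(case, strict)
        except ValueError:
            pass  # anomaly recognised and rejected
        except Exception as exc:  # unexpected failure: a robustness bug
            findings.append((type(exc).__name__, case.hex()))
    return findings

if __name__ == "__main__":
    print(len(fuzz(strict=False)), "findings unchecked;", len(fuzz(strict=True)), "with bounds checks")
```

Each finding keeps the hex of the anomalous packet that caused it, so the failure can be replayed against the parser after a fix.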
Why IPv6 Is Not Used?
IPv6 is not thoroughly tested because IPv6 has not been widely adopted. So far, there has been little motivation to start using IPv6. Organizations and companies do not deploy IPv6 since there is no demand. People do not see the point of moving to IPv6 since there is no content - it is a kind of vicious circle. Now the IPv4 addresses are running out for real, and that forces IPv6 on us whether we want it or not. When that happens, and it is probably going to be sooner rather than later, we'd better be ready. World IPv6 Day is a commendable effort to get organizations working towards the common goal of improving that readiness, and also to raise awareness of IPv6 and the effects of the upcoming transition.
Past IPv6 Vulnerabilities Found Using Fuzzing
To celebrate IPv6 Day, here is a recent IPv6 robustness testing video. The video demonstrates how one of the critical flaws from last year was found with a fuzzer. It shows how Ubuntu Linux 2.6.31-14 crashes when tested with the Defensics IPv6 fuzz test suite. The bug shown in the video was found by the Codenomicon CROSS project in January 2010, and has already been reported and fixed. I think (hope) everyone should have fixed their Linux deployments by now! The quality of the video is not the greatest, but I'm sure you get the drift.
Happy World IPv6 Day!