[LACNIC/Seguridad] Fwd: IPv6 Address Analysis - Privacy In, Transition Out
fgont en si6networks.com
Vie Mayo 17 00:10:49 BRT 2013
---- cut here ----
IPv6 Address Analysis - Privacy In, Transition Out
IPv6 addresses come in a variety of forms. Examining the bit-patterns of
an IPv6 address can tell us, or give a strong indication, about the way
that it was generated. In early work on the subject, Dave Malone
explains, "IPv6 addresses are longer than IPv4 addresses, and are so
capable of greater expression. Given an IPv6 address, conventions and
standards allow us to draw conclusions about how IPv6 is being used on
the node with that address."
At the recent Internet Engineering Protocol Group (IEPG) meeting in
Orlando, Florida, Fernando Gont presented his work on Scanning the IPv6
Internet: theory & practice. The much larger address space of IPv6 makes
crude brute-force network scans unfeasible. In his presentation Fernando
talked about the ways in which IPv6 changes the network reconnaissance
game because of this and he also presented the IPv6 Toolkit suite of
IPv6 security and troubleshooting tools that he has developed.
Gont has built on Malone's earlier work by providing a tool (address6)
to analyse large numbers of IPv6 addresses and classify them into
various categories depending on whether they appear to be
auto-generated, randomised privacy addresses, manually configured
low-byte or IPv4-based addresses and so on. These categories are
described in more detail in the IETF Operational Security Capabilities
for IP Network Infrastructure (opsec) Working Group document, "Network
Reconnaissance in IPv6 Networks."
Malone's results are presented in Figure 1. As the opsec WG document
observes, '[Malone's] are the most comprehensive address-measurement
results that have so far been made publicly available', and, 'evolution
of IPv6 implementations, changes in the IPv6 address selection policy,
etc. since [Malone2008] was published might limit (or even obsolete) the
validity of these results.'
[Figure 1 - Results from Malone2008]
Given some webserver logs and Gont's address6 tool it is fairly trivial
to explore whether the ratios of client address types have in fact
changed since 2008. Using the last 12 months worth of webserver logs for
the Internet Society's website, comprising over 50,000 unique IPv6
addresses, the following results were obtained.
Less than 2% of connections used the 6to4 transition technology while
the remainder were native IPv6 connections, a mark of the growing
maturity of the IPv6 Internet. This result is mirrored in the IPv6
statistics produced by Google that show that the use of transition
technology has been declining since 2010 and now less than 1% of users
that access Google over IPv6 are using a transition technology. It's
also probably worth noting that we saw no Teredo connections in the period.
Figure 2 shows a more detailed analysis of the interface identifiers in
the sample. This is very strikingly different to Malone's results from
2008 and clearly shows the impact of changes to IPv6 implementations in
the intervening period. The vast majority (nearly 70%) of addresses are
now classified as 'Randomized', while the auto-configured addresses that
previously comprised 50% of the sample are now less than 8%. IPv4-based
addresses are still a significant proportion (nearly 14%) and the
manually-generated 'low-byte' addresses are just over 6%, similar to
[Figure 2 - IPv6 Interface ID analysis]
These measurement results update the public understanding of IPv6
address types in use today and show us that randomized interface
identifiers are far more prevalent than they used to be. It is also
notable that transition technologies (Teredo and 6to4) are either
non-existent or very little used on the IPv6 Internet of 2013.
Acknowledgements: Thanks to Peter Godwin at the Internet Society for
providing access to the webserver logs necessary for this analysis.
---- cut here ----
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
Más información sobre la lista de distribución Seguridad