Oct 6, 2008
Most internet users will be unaware and unconcerned by the computer science and technology that underpins their daily web surfing, emails, chats, and Twitter updates. But, there are, of course, thousands of incredibly bright people working behind the scenes to make the internet work. One aspect of the backroom work that goes on, is the development of the software systems that carry the packets of information across the internet, whether that’s to open a web page in your browser, connect your net phone to a friend across the ocean, or trap spam on its way to your inbox.
At the moment, the internet is mainly running on a system known as Internet Protocol version 4, or IPv4. Version 4 was first mooted in 1981, years before the Web was invented and certainly long before broadband, Youtube, MySpace, Facebook, Twitter, and VoIP entered the public consciousness. What IPv4 does is to try and deliver the packets of information across a network. It’s imperfect, because it doesn’t ensure the packets are delivered in the right order, or even that they are delivered at all. In fact, it is known technically as a “best effort” protocol. As such, IPv4 requires another layer over the top of it that makes sure all packets are delivered and sorts them into the correct order before they are used to render a web page, download an email, or Tweet that Plurk.
Another disadvantage of IPv4 is that it can handle a mere 232 addresses. That may seem like a huge number, but work it out and it actually only comes to well over four billion. However, with billions more people on the planet, millions of organisations, collectives and companies, one can see that 232 is rather a small number if everyone wants an internet address.
IPv5 IPv6, Internet Protocol version 6 hopes to remedy all these problems. First off, it can handle 2128, that’s about 3.4×1038*, internet addresses. Even with population growth the way it is, we are unlikely to ever need quite so many addresses, at least in the foreseeable future. Moreover, this added addressing capacity solves in one fell swoop almost all the network management and routing issues seen with IPv4, which means once it is widely adopted the whole of the internet will be rendered much, much more efficient.
However, while IPv4 has been in place for decades and IPv6 is not even quite fully packaged up and ready for delivery, researchers are already spotting security flaws in IPv6. Writing in the International Journal of Internet Protocol Technology, a team in New Zealand has highlighted several security issues that developers and device users may face once IPv6 goes online, particularly across the mobile internet. With every third person using a Blackberry, an iPhone, a Google Android phone or similar, mobile security will soon rise to the top of the agenda for hackers, crackers, and those who seek to defeat them.
Michael Dürr and Ray Hunt of the Department of Computer Science and Software Engineering, at the University of Canterbury, in Christchurch, New Zealand, explain that in parallel with the design and development of IPv6, run several protocol extensions for mobile support, which are labelled MIPv6.
Over the last decade, access network technologies available to connect stationary as well as mobile devices to the internet have reached a remarkable diversity. Wireless systems such as Bluetooth, 802.11x, GSM, UMTS and WiMAX have shown very significant development and each individually can provide reasonable internet connectivity with more or less acceptable data rates.
However, the different characteristics of each technology means that an overarching MIPv6 to unite them all in a way that is transparent to users is now needed. Sciencetext has previously covered the issue of connecting 3G devices to wi-fi networks for instance. Such unity in always-on connectivity across disparate, interwoven networks, brings new security challenges not yet addressed by the underlying protocols. The various insecurities all boil down to attacker Charlie eavesdropping on Alice and Bob, sabotaging their connection, changing the information being sent between Alice and Bob, or causing a denial of service to prevent Alice and Bob communicating at all. The various insecurities fall into the following categories all of which are technically feasible with the current state of MIPv6:
- Address theft is a security attack where Charlie pretends to be a certain node at a given address and attempts to steal traffic from Alice destined for Bob.
- Secrecy and integrity attacks involve Charlie pretending to be Bob and intercepting the new connection between Alice and Bob and possibly changing the information being sent between Alice and Bob.
- Replay attacks involve Charlie impersonating a mobile node and redirecting Alice and Bob’s traffic with malicious intent.
- Flooding attacks involve Charlie redirecting traffic from one or more nodes to an arbitrary internet address.
- Binding update attacks let Charlie exploit the strong authentication mechanisms in the IPv6 technology to trigger a denial of service (DoS) so that Alice and Bob can no longer connect.
- Reflection attacks trick suitable nodes, called reflectors, into sending data packets from Alice and Bob to Charlie’s address.
Some threats will remain too expensive for the cyber-saboteur to consider, but intrinsically, “IPv6 cannot guarantee overall security due to its inherent architectural characteristics,” the researchers explain:
IPv6 (as well as its predecessor, IPv4) are based on a routing infrastructure, that must be trusted. The protocol itself can only be regarded as secure as the routing infrastructure constituting the internet.
By highlighting the insecurities of MIPv6, the researchers hope to provide insights into how risks and potential attacks could be limited. “Some security risks can only be mitigated, but not completely removed,” they say.
Michael Durr, Ray Hunt (2008). An analysis of security threats to mobile IPv6 International Journal of Internet Protocol Technology, 3 (2) DOI: 10.1504/IJIPT.2008.020468
*3.4×1038 is the number 34 followed by 37 zeroes: 340,000,000,000,000,000,000,000,000,000,000,000,000 (340 billion, billion, billion, billion)