This article is a guest post from Jonathan Abolins, who will be leading the next webinar in our Online Investigations Series: “Internationalised Domain Names, Foreign Language Websites, & Investigations.” While the two topics are unrelated, they do have one thing in common: both present previously uncharted challenges for online investigators.
There’s no place like home.
There’s no place like 127.0.0.1. (IPv4 version)
There’s no place like ::1. (IPv6 version)
The widely used Internet Protocol (Version 4) – IPv4 – was created approximately 30 years ago and it has served us well. But it’s also showing its age. Back in the early 1980s, it was almost impossible to anticipate the growth in the demand for IP addresses. Now we are running out of IPv4 addresses (”IPv4 address exhaustion”). Also various people have been seeing the need for various improvements in the Internet Protocol.
To address these issues, Internet Protocol (Version 6) – IPv6 – was proposed in the mid-1990s. IPv6 is not yet in wide use but it would be a big mistake to assume that IPv6 cannot affect our networks.
Most operating systems and systems now include IPv6 support by default. There is also the ability to tunnel IPv6 via IPv4 with Teredo, 6to4, etc. For those whose ISPs don’t provide IPv6 connections, there are services, such as Hurricane Electric Free IPv6 Tunnel Broker1, which allow people to tunnel with IPv4 to get to the service that will give them IPv6 connections.
IPv6 is going to become a bigger part of our networking and investigations in the near future. Will our tools and methods be able to handle the changes?
IPv6 vs IPv4: A Few Key Points
Without going into much detail, here are some of the key differences between IPv6 and IPv4:
Number of bits and address space.
- IPv4 has 32 bits, allowing just over 4 billion addresses. Not even enough to give a unique address to each human being on Earth.
- IPv6 has 128 bits, allowing 340,282,366,920,938,000,000,000,000,000,000,000,000 unique addresses. This is roughly like giving 252 addresses for every star in the known universe. Not likely to run out of of IPv6 addresses.
- IPv4 usually uses dotted decimal notation. E.g., 192.168.2.12.
- IPv6 uses groups of 16-bit hexadecimal numbers separated by colons (“:”). E.g., 2001:04c0:0000:0000:0000:c5ef:0000:0231.
- The IPv6 addresses can be compacted. So the above example becomes 2001:4c0::c5ef:0:0231.
- In a mixed IPv4/IPv6, the IPv6 32 bit address can be incorporated into an IPv4 address. E.g., 2001:04c0::192.168.1.1 or ::220.127.116.11 (Note the switch from colon separators to dotted format.)
IP security (IPsec) is built into IPv6, the ability to cryptographically sign the packets.
There are various IPv6 tools for defense (if we know how to use them).
This is barely scratching the surface. The Resources section (below) has IPv6 specifications and other documents for more in-depth information.
Security, Forensics & Investigations Issues for IPv6
As mentioned above, IPv6 has some security features. Also, some IPv6 feature might be helpful in investigations. For example, IPv6 may give the source’s MAC address in some cases. But there are security problems raised by IPv6 and the current networking environments.
The gigantic IPv6 address space means that scanning IPv6 networks with IPv4 methods where we can try each possible IP address is not going to work. It’s possible to scan the entire IPv4 address space this way in several days. Scanning the entire IPv6 address space the same way would take billions of centuries. Even an IPv6 subnet could take over 145,000 years. So we need IPv6 methods, such as neighbour discovery, of finding systems at IPv6 addresses.
Tools designed for IPv4 environments might not properly process IPv6 information. Some log processing applications truncate IPv6 addresses and many may not properly interpret IPv6 traits. Black listing tools may miss problem addresses because they cannot associate IPv6 with IPv4 or IPv4 within IPv6 notation. It is likely that some of the analysis tools for linking data such as IP address associated with crimes might have problems once IPv6 addresses come into play. What else might trip up with IPv6?
Keep in mind too that there are many tools available that can be used for attacking IPv6 systems or for using IPv6 to bypass security. Firewalls set up for IPv4 may ignore IPv6 connections and, thus, fail to protect the internal networks. Detection software may ignore the IPv6 or tunnelling.
Even many commonly used network tools can fail unless we have the right versions of the tools and suitable network connections. For example, here’s a part of a sample SMTP e-mail header with a reference to the IPv6 address of 2001:470:0:64::2:
From email@example.com Tue Nov 23 09:51:00 2010
Received: from ipv6.he.net (ipv6.he.net [IPv6:2001:470:0:64::2])
by Duncan-Server.duncan (8.14.3/8.14.3/Debian-9ubuntu1) with
Try “ping 2001:470:0:64::2” and it will likely fail. If you have ping6, it might work but not if your network connection doesn’t support IPv6. Same for traceroute and various other tools. Nslookup, dig, and whois work better. (Example of an IPv6 whois lookup via the ARIN Web site) But they are not enough for our security & forensics toolkit.
The most critical security & investigatory challenge is getting up to speed with IPv6.
IPv6 has much to offer. It is also outpacing many of the tools and methods for securing IPv4 networks and investigating activities on the networks. Our tools, methods, and our understanding of IPv6 will need to adapt.
IETF, RFC 2460 – Internet Protocol, Version 6 (IPv6) Specifications.
The Internet Society. Internet Issue – Ipv6.
Klein, Joe. Collection of IPv6 Security presentations. These presentations are an excellent resource for understanding the security issues with IPv6. Joe Klein is a great resource in this field.
Leinwebe, James. IPv6 and the future of network forensics. UW-Madison Information Security Team. June 6, 2011.
Nikkel, Bruce J. An introduction to investigating IPv6 networks. July 19, 2007 [Originally published by Elsevier in Digital Investigation: The International Journal of Digital Forensics and Incident Response, Vol. 4, No. 2 (10.1016/j.diin.2007.06.001)]
Wireshark Wiki. Sample PCAP Captures – Ipv6 and Tunneling.
Acknowledgements: Many thanks to Joe Klein, Joshua Marpet, and Jeremy Duncan for their insights and help.