Measuring IPv6 Resilience and Security

    Research output: ThesisPhD Thesis - Research UT, graduation UT

    122 Downloads (Pure)

    Abstract

    The Internet Protocol (IP) is the most used protocol on the planet. The specific version of IP that we have used already for decades, is version 4 (IPv4 for short). To counter some of its shortcomings, like the small address space, the successor to IPv4 was defined already 20 years ago: IP version 6, or IPv6.
    With attacks on the Internet becoming a common item on the evening news, naturally the question rises, where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severeness of these problems, and propose solutions on how to prevent and avoid them.
    First, we found a fraction of IPv6 network goes unnoticed in measurement systems, giving networking operators an incomplete and incorrect view of what is going over their networks. A second problem are firewalls, which can be evaded when so-called Extension Headers are present in IPv6 traffic. Third, we found a vast number of Ipv6-specific misconfigurations in the DNS, rendering services unreachable over Ipv6. Last, we show that abusable hosts can be found without scanning the entire Ipv6 address space.
    Summarising, we found that misconfigurations and unawareness are the significant problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security in our IPv6 Internet.
    Original languageEnglish
    QualificationDoctor of Philosophy
    Awarding Institution
    • University of Twente
    Supervisors/Advisors
    • Pras, Aiko , Supervisor
    • de Boer, Pieter-Tjerk , Co-Supervisor
    Award date18 Jan 2019
    Place of PublicationEnschede
    Publisher
    Print ISBNs978-90-365-4710-9
    Electronic ISBNs978-90-365-4710-9
    DOIs
    Publication statusPublished - 18 Jan 2019

    Fingerprint

    Internet protocols
    Internet
    Planets
    Scanning
    Network protocols

    Keywords

    • IPv6
    • Network measurements
    • Network Security

    Cite this

    Hendriks, Luuk . / Measuring IPv6 Resilience and Security. Enschede : University of Twente, 2019. 159 p.
    @phdthesis{b6c45863863c4834bc3be323e3cef40b,
    title = "Measuring IPv6 Resilience and Security",
    abstract = "The Internet Protocol (IP) is the most used protocol on the planet. The specific version of IP that we have used already for decades, is version 4 (IPv4 for short). To counter some of its shortcomings, like the small address space, the successor to IPv4 was defined already 20 years ago: IP version 6, or IPv6.With attacks on the Internet becoming a common item on the evening news, naturally the question rises, where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severeness of these problems, and propose solutions on how to prevent and avoid them.First, we found a fraction of IPv6 network goes unnoticed in measurement systems, giving networking operators an incomplete and incorrect view of what is going over their networks. A second problem are firewalls, which can be evaded when so-called Extension Headers are present in IPv6 traffic. Third, we found a vast number of Ipv6-specific misconfigurations in the DNS, rendering services unreachable over Ipv6. Last, we show that abusable hosts can be found without scanning the entire Ipv6 address space.Summarising, we found that misconfigurations and unawareness are the significant problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security in our IPv6 Internet.",
    keywords = "IPv6, Network measurements, Network Security",
    author = "Luuk Hendriks",
    year = "2019",
    month = "1",
    day = "18",
    doi = "10.3990/1.9789036547109",
    language = "English",
    isbn = "978-90-365-4710-9",
    series = "DSI Ph.D. thesis series",
    publisher = "University of Twente",
    number = "19-003",
    address = "Netherlands",
    school = "University of Twente",

    }

    Hendriks, L 2019, 'Measuring IPv6 Resilience and Security', Doctor of Philosophy, University of Twente, Enschede. https://doi.org/10.3990/1.9789036547109

    Measuring IPv6 Resilience and Security. / Hendriks, Luuk .

    Enschede : University of Twente, 2019. 159 p.

    Research output: ThesisPhD Thesis - Research UT, graduation UT

    TY - THES

    T1 - Measuring IPv6 Resilience and Security

    AU - Hendriks, Luuk

    PY - 2019/1/18

    Y1 - 2019/1/18

    N2 - The Internet Protocol (IP) is the most used protocol on the planet. The specific version of IP that we have used already for decades, is version 4 (IPv4 for short). To counter some of its shortcomings, like the small address space, the successor to IPv4 was defined already 20 years ago: IP version 6, or IPv6.With attacks on the Internet becoming a common item on the evening news, naturally the question rises, where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severeness of these problems, and propose solutions on how to prevent and avoid them.First, we found a fraction of IPv6 network goes unnoticed in measurement systems, giving networking operators an incomplete and incorrect view of what is going over their networks. A second problem are firewalls, which can be evaded when so-called Extension Headers are present in IPv6 traffic. Third, we found a vast number of Ipv6-specific misconfigurations in the DNS, rendering services unreachable over Ipv6. Last, we show that abusable hosts can be found without scanning the entire Ipv6 address space.Summarising, we found that misconfigurations and unawareness are the significant problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security in our IPv6 Internet.

    AB - The Internet Protocol (IP) is the most used protocol on the planet. The specific version of IP that we have used already for decades, is version 4 (IPv4 for short). To counter some of its shortcomings, like the small address space, the successor to IPv4 was defined already 20 years ago: IP version 6, or IPv6.With attacks on the Internet becoming a common item on the evening news, naturally the question rises, where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severeness of these problems, and propose solutions on how to prevent and avoid them.First, we found a fraction of IPv6 network goes unnoticed in measurement systems, giving networking operators an incomplete and incorrect view of what is going over their networks. A second problem are firewalls, which can be evaded when so-called Extension Headers are present in IPv6 traffic. Third, we found a vast number of Ipv6-specific misconfigurations in the DNS, rendering services unreachable over Ipv6. Last, we show that abusable hosts can be found without scanning the entire Ipv6 address space.Summarising, we found that misconfigurations and unawareness are the significant problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security in our IPv6 Internet.

    KW - IPv6

    KW - Network measurements

    KW - Network Security

    U2 - 10.3990/1.9789036547109

    DO - 10.3990/1.9789036547109

    M3 - PhD Thesis - Research UT, graduation UT

    SN - 978-90-365-4710-9

    T3 - DSI Ph.D. thesis series

    PB - University of Twente

    CY - Enschede

    ER -

    Hendriks L. Measuring IPv6 Resilience and Security. Enschede: University of Twente, 2019. 159 p. (DSI Ph.D. thesis series; 19-003). https://doi.org/10.3990/1.9789036547109