Measuring IPv6 Resilience and Security

Research output: ThesisPhD Thesis - Research UT, graduation UTAcademic

67 Downloads (Pure)

Abstract

The Internet Protocol (IP) is the most used protocol on the planet. The specific version of IP that we have used already for decades, is version 4 (IPv4 for short). To counter some of its shortcomings, like the small address space, the successor to IPv4 was defined already 20 years ago: IP version 6, or IPv6.
With attacks on the Internet becoming a common item on the evening news, naturally the question rises, where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severeness of these problems, and propose solutions on how to prevent and avoid them.
First, we found a fraction of IPv6 network goes unnoticed in measurement systems, giving networking operators an incomplete and incorrect view of what is going over their networks. A second problem are firewalls, which can be evaded when so-called Extension Headers are present in IPv6 traffic. Third, we found a vast number of Ipv6-specific misconfigurations in the DNS, rendering services unreachable over Ipv6. Last, we show that abusable hosts can be found without scanning the entire Ipv6 address space.
Summarising, we found that misconfigurations and unawareness are the significant problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security in our IPv6 Internet.
Original languageEnglish
QualificationDoctor of Philosophy
Awarding Institution
  • University of Twente
Supervisors/Advisors
  • Pras, Aiko , Supervisor
  • de Boer, Pieter-Tjerk , Co-Supervisor
Award date18 Jan 2019
Place of PublicationEnschede
Publisher
Print ISBNs978-90-365-4710-9
Electronic ISBNs978-90-365-4710-9
DOIs
Publication statusPublished - 18 Jan 2019

Fingerprint

Internet protocols
Internet
Planets
Scanning
Network protocols

Keywords

  • IPv6
  • Network measurements
  • Network Security

Cite this

Hendriks, Luuk . / Measuring IPv6 Resilience and Security. Enschede : University of Twente, 2019. 159 p.
@phdthesis{b6c45863863c4834bc3be323e3cef40b,
title = "Measuring IPv6 Resilience and Security",
abstract = "The Internet Protocol (IP) is the most used protocol on the planet. The specific version of IP that we have used already for decades, is version 4 (IPv4 for short). To counter some of its shortcomings, like the small address space, the successor to IPv4 was defined already 20 years ago: IP version 6, or IPv6.With attacks on the Internet becoming a common item on the evening news, naturally the question rises, where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severeness of these problems, and propose solutions on how to prevent and avoid them.First, we found a fraction of IPv6 network goes unnoticed in measurement systems, giving networking operators an incomplete and incorrect view of what is going over their networks. A second problem are firewalls, which can be evaded when so-called Extension Headers are present in IPv6 traffic. Third, we found a vast number of Ipv6-specific misconfigurations in the DNS, rendering services unreachable over Ipv6. Last, we show that abusable hosts can be found without scanning the entire Ipv6 address space.Summarising, we found that misconfigurations and unawareness are the significant problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security in our IPv6 Internet.",
keywords = "IPv6, Network measurements, Network Security",
author = "Luuk Hendriks",
year = "2019",
month = "1",
day = "18",
doi = "10.3990/1.9789036547109",
language = "English",
isbn = "978-90-365-4710-9",
series = "DSI Ph.D. thesis series",
publisher = "University of Twente",
number = "19-003",
address = "Netherlands",
school = "University of Twente",

}

Hendriks, L 2019, 'Measuring IPv6 Resilience and Security', Doctor of Philosophy, University of Twente, Enschede. https://doi.org/10.3990/1.9789036547109

Measuring IPv6 Resilience and Security. / Hendriks, Luuk .

Enschede : University of Twente, 2019. 159 p.

Research output: ThesisPhD Thesis - Research UT, graduation UTAcademic

TY - THES

T1 - Measuring IPv6 Resilience and Security

AU - Hendriks, Luuk

PY - 2019/1/18

Y1 - 2019/1/18

N2 - The Internet Protocol (IP) is the most used protocol on the planet. The specific version of IP that we have used already for decades, is version 4 (IPv4 for short). To counter some of its shortcomings, like the small address space, the successor to IPv4 was defined already 20 years ago: IP version 6, or IPv6.With attacks on the Internet becoming a common item on the evening news, naturally the question rises, where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severeness of these problems, and propose solutions on how to prevent and avoid them.First, we found a fraction of IPv6 network goes unnoticed in measurement systems, giving networking operators an incomplete and incorrect view of what is going over their networks. A second problem are firewalls, which can be evaded when so-called Extension Headers are present in IPv6 traffic. Third, we found a vast number of Ipv6-specific misconfigurations in the DNS, rendering services unreachable over Ipv6. Last, we show that abusable hosts can be found without scanning the entire Ipv6 address space.Summarising, we found that misconfigurations and unawareness are the significant problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security in our IPv6 Internet.

AB - The Internet Protocol (IP) is the most used protocol on the planet. The specific version of IP that we have used already for decades, is version 4 (IPv4 for short). To counter some of its shortcomings, like the small address space, the successor to IPv4 was defined already 20 years ago: IP version 6, or IPv6.With attacks on the Internet becoming a common item on the evening news, naturally the question rises, where are we with IPv6 in terms of security? As the adoption of IPv6 is finally taking off we can now measure which problems IPv6 has in reality. Many possible IPv6-specific threats have been described over the years, but measurements to find out which of these threats are real problems in the Internet have not been conducted. In this thesis, we focus on measuring the actual state and severeness of these problems, and propose solutions on how to prevent and avoid them.First, we found a fraction of IPv6 network goes unnoticed in measurement systems, giving networking operators an incomplete and incorrect view of what is going over their networks. A second problem are firewalls, which can be evaded when so-called Extension Headers are present in IPv6 traffic. Third, we found a vast number of Ipv6-specific misconfigurations in the DNS, rendering services unreachable over Ipv6. Last, we show that abusable hosts can be found without scanning the entire Ipv6 address space.Summarising, we found that misconfigurations and unawareness are the significant problem in IPv6 deployments. In this thesis, we show what traffic goes unnoticed, present actionable solutions for operators to prevent misconfigurations, and provide tools to verify their network setups. With these, we aim to improve the overall resilience and security in our IPv6 Internet.

KW - IPv6

KW - Network measurements

KW - Network Security

U2 - 10.3990/1.9789036547109

DO - 10.3990/1.9789036547109

M3 - PhD Thesis - Research UT, graduation UT

SN - 978-90-365-4710-9

T3 - DSI Ph.D. thesis series

PB - University of Twente

CY - Enschede

ER -

Hendriks L. Measuring IPv6 Resilience and Security. Enschede: University of Twente, 2019. 159 p. (DSI Ph.D. thesis series; 19-003). https://doi.org/10.3990/1.9789036547109