[ipv6hackers] Pros and Cons of Address Randomization
jim.small at cdw.com
Sat Dec 1 20:32:22 CET 2012
I would like to develop a list of talking points around the merits of IPv6 address randomization. Here is what I have done to prepare:
Watched a recent talk by Fernando:
Read RFC 5157:
Read Fernando and Tim's Revised Internet Draft:
Note: This is absolutely fantastic and should be mandatory reading for any network or security engineer. The pros/cons of address randomization are by no means meant to take away from this publication.
Followed the conversations on the IETF WG and other places such as LinkedIn.
Are there other sources I should study?
Pros/Cons of IPv6 Address Randomization:
Let me start be saying that I welcome disagreement and criticism. May I ask though, when you criticize or disagree please share your thinking on what I missed or got wrong. That said:
Address Randomization Value
* Makes host scans/enumeration very difficult (assuming of course they can't use DNS or some other means to identify the host - see above I-D by Fernando/Tim)
* Having more security options/tools is always a good thing. The RFC and I-D provide some excellent points to think through especially if you use global multicast.
* Definitely makes sense in some cases - e.g. Clients
* The biggest issue I have with this is it seems to imply that you must hide your address if you connect to the Internet. I have a hard time with this. What about firewalls, access control, and system hardening? Is this really the right place to focus resources?
* My next biggest concern is that if this is recommended best practice it's one more barrier to IPv6 adoption. I can already hear the groans about how onerous it will be to implement and operate IPv6 because of the burdensome security requirements.
* To some degree this appears like security through obscurity - I read the defense in depth part but I'm still having a hard time getting past this
* How many system compromises are from random scans? Perhaps it depends on the type of network being discussed. In the Enterprise for example, my understanding is that most attacks are drive by download exploits, social engineering, or simple mistakes. Perhaps a case could be made for publicly accessible systems in a DMZ, but in general?
* Increases operational complexity
Rather than systems using a predictable pattern that's easy to remember and administer we use totally random addresses that make addresses hard to use and remember
The use of DNS or even full DDI is virtually forced - this is another potential cost/barrier to deploy IPv6
In some organizations DNS and Network administration are siloes and forcing the Network team to rely on a separate team could create additional challenges or a barrier to adoption
* Typically if you need the address of a host/system you can just ask someone (social engineering)
So there are classes of systems and a value proposition in regards to address randomization for each of them:
* Clients - For general clients I am a fan of randomized identifiers, especially if Fernando's stable privacy address proposal gets adopted. With clients we can also typically use DHCPv6 (Android being the exception) to provide a randomized IID.
Recommend using DHCPv6 server which can supply randomized IIDs
Recommend using Fernando Gont's stable privacy addressing for non-DHCPv6 nodes
** Strongly against rotating addresses for the Enterprise - too complex and limits accountability
* Servers - Different schools of thought:
** Questioning Value:
Critical servers which probably need to be static (DNS, DHCP, Directory Servers) - for these I would prefer some kind of pattern versus a randomized address. The value of an addressing scheme with a pattern is it makes server administration easier.
Servers with static addressing - again, a pattern makes life easier.
Servers accessible to Internet or in a DMZ - here a randomized address makes sense
Servers which can use DHCPv6 reservations - as long as a reliable Dynamic DNS or DDI solution is in place
Bad (IMHO) Value:
* Infrastructure Devices (Routers, Switches, Firewalls, Load Balancers, etc...) - For these I am questioning the value of address randomization. I would much rather use an address like 2001:db8::1/64 for my router than 2001:db8::ea23:f02b:139e:ffe2. The latter makes operations much harder and it's easy to transpose the digits if you're typing them in (CLI access). Perhaps you could break these into categories:
** Questioning Value:
Loopback interfaces, management interfaces, default gateways, VIPs (routers/load balancers)
** Possible Value:
Where devices are transparently bridging and need an address but it's not the default gateway or used for management
Where DNS can be used though I'm skeptical of this as it hasn't seemed to work very well in IPv4 - perhaps I'm saddled by IPv4 thinking here...
I guess the question is - does the potential security value of address randomization outweigh the increased operational complexity incurred? I would like to add though that despite my efforts to reshape my neurons into IPv6 mode and shed the legacy IPv4 mentality, perhaps I am being saddled by this? I am interested in your thoughts on the value of address randomization. As I described above I think there are cases where it's valuable and cases where I question the value.
I don't believe there are absolutes with IPv6 security - I am just trying to understand both sides of address randomization so I can be a good guide when helping people on their IPv6 journey.
All comments greatly welcomed,
More information about the Ipv6hackers