{"id":2564,"date":"2016-09-14T05:59:15","date_gmt":"2016-09-14T05:59:15","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=2564"},"modified":"2022-10-19T16:10:55","modified_gmt":"2022-10-19T23:10:55","slug":"ipv6-security-vulnerability-scanning","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/ipv6-coe\/ipv6-security-vulnerability-scanning\/","title":{"rendered":"IPv6 Security Vulnerability Scanning"},"content":{"rendered":"

There are many topics that fall under the heading of \u201cHow is the IPv6 protocol that I am less familiar with different than the IPv4 protocol that I know very well\u201d.\u00a0 By now, readers of the\u00a0Infoblox IPv6 Center of Excellence community blog<\/a>\u00a0should be familiar with several of the major differences between IPv4 and IPv6.\u00a0 Among these differences are the packet header format,\u00a0addressing format<\/a>,\u00a0extension headers<\/a>,\u00a0neighbor discovery protocol<\/a>,\u00a0DHCP server redundancy<\/a>, among other protocol characteristics.\u00a0 There are also several important distinctions between how security vulnerability scanning is performed for IPv4 and IPv6 nodes.\u00a0 This article will highlight these variations so you are prepared to evaluate your IPv6 security as your organization moves forward with its IPv6 deployment.<\/p>\n

Security Vulnerability Scanning<\/h2>\n

Typical security\u00a0vulnerability scanners<\/a>\u00a0like\u00a0Qualys QualysGuard<\/a>,\u00a0Rapid7 Nexpose<\/a>,\u00a0Tenable Nessus<\/a>, among numerous others, send packets to IP addresses on local or remote networks and record what gets returned.\u00a0 They try to send packets to systems in order to discover nodes on the networks and detect if they can establish connections to services listening on specific open TCP or UDP ports.\u00a0 This basic\u00a0port scanning<\/a>\u00a0function is the lowest common denominator among all products.\u00a0 The vulnerability scanners come with pre-loaded and constantly updated known vulnerabilities that are tested and provide reports of known weaknesses in the environment.\u00a0 Other scanners have more advanced functionality, like performing web application scanning and looking for the\u00a0OWASP top 10 web application risks.<\/a>\u00a0 Vulnerability scanners can perform credentialed scans of computers based on known authorized usernames and passwords to inspect the internal configuration of the target system.\u00a0 Performing continuous vulnerability assessments is number 4 on the\u00a0SANS\/CIS 20 Critical Security Controls<\/a>\u00a0(CSCs).<\/p>\n

Some methods of performing vulnerability assessments involve putting an agent or software component on the device under test (DUT<\/a>).\u00a0 That agent then reports back to a centralized system about the security settings on that computer.\u00a0 Agents, however, can be problematic. \u00a0Enterprises may struggle with the challenges of loading an agent on all computers in the enterprise.\u00a0 Many computers are not within reach of the IT department and agents require updating and occasional troubleshooting.<\/p>\n

Scanning IPv4 Networks<\/h2>\n

Historically, vulnerability scanners only had one IP version running on the network to perform remote testing.\u00a0 On an IPv4 network, the vulnerability scanning appliance or virtual scanning system can scan all the internal IPv4 addresses (e.g., 10.0.0.0\/8, etc.).\u00a0 The vulnerability scanner will then proceed to constantly scan the network, or run scheduled scans that take hours or days to complete.\u00a0 The duration depends on the size of the network, the population density of the IP subnets, and the rigorousness of the scans.<\/p>\n

We can perform a rough calculation of how long a scan might take.\u00a0 Let\u2019s suppose that we want to sequentially scan an IPv4 \/8 block with a total of 16,777,216 possible IPv4 addresses.\u00a0 If we started by only scanning for 30 popular TCP port numbers at a rate of 1000 packets-per-second (pps) then it would take 140 hours or about 6 days to complete.\u00a0 However, there are much faster scanners available that are optimized and multi-threaded for improved performance.\u00a0 There are even highly-optimized tools like\u00a0ZMAP<\/a>\u00a0and\u00a0MASSCAN<\/a>\u00a0that have the ability to generate tremendous amounts of scanning traffic.\u00a0 ZMAP and MASSCAN can be used to map out the entire public IPv4 address space in\u00a0less than an hour<\/a>.<\/p>\n

Scanning IPv6 Networks<\/h2>\n

Now, let\u2019s consider how IPv6 changes the scanning practice.\u00a0 The IPv6 address space is so immense that it is nearly impossible to scan each IPv6 address in a given subnet to try to determine if a node is using that address.\u00a0 For example, within a single \/64 prefix, there are 18,446,744,073,709,551,616 (about 18 quintillion) unique interface identifiers (IIDs).\u00a0 As stated in IETF\u00a0RFC 5157<\/a>\u00a0\u201cIPv6 Implications for Network Scanning\u201d: \u201cAt a very conservative one probe per second, such a scan may take some 5 billion years to complete.\u201d\u00a0 Hackers may be patient and persistent, but that is too much.\u00a0 \u00a0(The IETF\u00a0RFC 7707<\/a>\u00a0titled \u201cNetwork Reconnaissance in IPv6 Networks\u201d obsoletes RFC 5157 and describes additional methods of reconnaissance that could be used by a vulnerability scanner.)<\/p>\n

We should also mention that there are more intelligent methods of performing reconnaissance on a link-local segment. These methods offer improvements over the brute-force sequential scanning method.\u00a0 They might include, for example, the same techniques used to perform\u00a0Internet worm propagation<\/a>.<\/p>\n

Reconnaissance scanning is trivial in the following situations:<\/p>\n