If you are a network geek like me you may have been reading a lot
lately about IPv6 and how it is different from IPv4. From a security
perspective, one of things stated as being a benefit of IPv6 is the mind boggling size
of a subnet to the extend that most network engineers will state that
we need never subnet again. I would have to agree! But from the other
side of the security coin, how does one scan an IPv6 subnet given this size issue? Perhaps for performing your own
security scanning with a tool like OpenVAS.
Lets
have a think about how we might achieve this. First, a lesson in IPv6
for the uninitiated. IPv6 addresses are 128 bits long, I'm sure you've
all read that somewhere. What that represents in raw numbers is huge.
What is more useful is how that 128 bits are broken up. An enterprise will probably recieve either a /48 or smaller allocation. Residential users will perhaps only recieve a /56 or perhaps even a /64.
The
important thing to know is that even though the ISP may well leave you
80 bits to play with the convention is to allocate the last 64 bits as
the interface identifier. Most thought on this topic will simply taken those
64 bits as an impossible problem (i.e. a very large number of possibilities) and
ignore the scanning possibilities.
I think there are a
few things to note about the structure of the 64 bits. Firstly,
engineers are free to allocate these bits how they see fit and of course
if these bits are allocated at random then yes it will be a near
impossible task to scan an IPv6 subnet.
But if the
engineer uses EUI-64 to fill out the 64 bits then we know a bit more
about the structure of these bits. Put simply, EUI-64 states that you
break apart the MAC address and place the bit pattern FFFE in between.
You also flip the 7th bit in the 2nd hex digit but hey whose counting? This of course will only apply to hosts that are using auto-configuration and are not using privacy extensions to scramble this.
So
we have potentially reduced the 64 bits down to say 48 bits. Still a lot of bits
but perhaps we can get a bit closer. The first half of a MAC address
identifies the vendor of the NIC. We can make a smart guess about the
NIC vendor, say pick a list of 1024 vendor IDs or perhaps 256 and we can
reduce the 48 bits down to 32 bits to scan. You may even be able to
use information about what portion of the lower 24 bits has been
allocated by various vendors to narrow down that part of the search
also.
Also worth considering is for those engineers
who choose to allocate the 64 bits manually, many will use relatively
small numbers for this purpose. The first 64 bits already uniquely
identifies the subnet so there's no need for a large number.
So
perhaps you would try a sequential scan of the lower bits, say 8 or 10
bits scanning from 1 to 1000. Then try for random numbers within
sensable ranges for the vendor IDs you are using.
Now
I'm not forgetting the first 64 bit but I wouldn't suggest using
scanning to find the content of these bits. It isn't that hard to find
allocations of IPv6 that have been given out but the best you will get
is the first 48 bits.
Alternatively, there are many
ways to collect this information.I leave that as an exercise for the reader.
So what do we have? If we
can find the /48 allocation, then we have the 16 bits that make up the
subnet number, plus say 32 bits of scanning for the lower 32 bits. How
long will it take to scan a single /48 using these optimising methods?
We
have a total of 48 bits to scan which makes for a large number. If we
scan 1024 addresses every second then it will still take over 8700 years
to do a single IPv6 /48 allocation. This is a long time in anyone's reckoning
but certainly a lot shorter than you might see in the media.
I
think others could do a better job than I have but it would still be a
large task. Perhaps you're doing this internally and you don't mind
whacking your network then you could get this down, Gigabit networks can
do many more packets per second. Perhaps you could have better guesses
for the subnet number?
I think its still in the realm of impractical but if you were sufficiently motivated perhaps you might find a way to scan.
This of course is to scan a single IPv6 subnet!
I
would imagine that perhaps in the IPv6 future, we will see slow
persistent scanning develop for those that have the time. IPv6 scanning
won't be for the casual players.
