Article Preview
TopIntroduction
IPv6 existence has increased the challenges in maintaining security of an enterprise network. Besides taking a good care of the network operation and activities, analyzing the network vulnerabilities during IPv6 deployment is necessary. Some specific IPv6 vulnerabilities that are commonly debated are reconnaissance attacks, misuse of routing header type 0 (RH0), misuse of multicast, and misuse of ICMPv6 (Durdagl & Buldu, 2010). An overview of these vulnerabilities is depicted in Figure 1.
Figure 1. IPv6 specific vulnerabilities
By identifying the vulnerabilities of IPv6 and the cause that initiates them, determining the appropriate countermeasure is possible. Unfortunately, the misuses of multicast and ICMPv6 have not totally been solved. ICMPv6 is precisely designed to tell the host about errors encountered in incoming or outgoing packets. Since ICMPv6 plays a primary role to sustain and establish communications of nodes, finding alternative solutions to the problem is crucial. Moreover, they can be exploited to attack the IPv6 network (Hogg & Vynke, 2009). Some ICMPv6 vulnerabilities have been used in performing various number of Denial-of-Service attacks against the TCP (Cisco, 2012) and multiple Cisco products were affected regarding the ICMPv6 vulnerabilities (Gont, 2007).
ICMPv6 is one of the protocols used to present reporting errors in a packet transmitting diagnostic function and framework for implementing IPv6 control aspects (Conta, Deering, & Gupta, 2006). They are very important for smooth IPv6 communication. ICMPv6 messages contain a type (1byte) and a code (1 byte) that associate the details of the messages to the type of message. ICMPv6 messages are classified into informational messages and error messages. Error messages use type 0 through 127, and provide useful information back to the source of the IPv6 communications about any errors that might have occurred in the connection. Informational messages use type 128 to 255, and perform diagnostic functions and additional host functionality. Figure 2 shows the classification of ICMPv6 messages: Informational Messages and Error Messages and their associated types and codes.
Figure 2. Overview of the ICMPv6 messages associated with respective types and codes. (Adopted from (Taib, Shaari, Ali, & Budiarto, 2012))
Despite having an important role in IPv6 communication, ICMPv6 messages are exposed to some security risks (Caicedo, Joshi, & Tuladhar, 2009; Davies, Krishnan, & Savola, 2007; Hayoung, Kijoon, HyoChan, & JungChan, 2006; Hogg & Vyncke, 2009; Liu, Duan, Lin, Li, & Wu, 2009; Convery & Miller, 2003). Due to its vital function, as well as the existence of threats and vulnerabilities, ICMPv6 has become the target of attacks. Realizing that ICMPv6 must be properly controlled and secured, this paper emphasizes the implementation of proper ICMPv6 filtering at each node. Filtering ICMPv6 messages is needed and must be done carefully as they cannot be simply blocked because by doing so, it may result in network connectivity problem. Thus, they should not be blindly filtered by the firewall. For instance, fragmentation and reassembly are done by IPv6 end nodes. The intermediate routers are expected to generate ICMPv6 Type 2 (packet too big) if the MTU of outbound interface is less than the packet size. The intermediate router is expected to put the right PMTU value in the ICMPv6 error messages. If these messages do not reach the transmitting end node, it will not have information on path MTU and it will continue to send messages with original MTU which will be dropped by the intermediate router.