“From where you didn't expect”: how IPv6 can compromise networks

May 16, 2022
The EUI-64 standard is to blame. It is now considered legacy, but it is still used by developers of IoT devices, among others. Here we explain what the issue is.

Obstacles on the way

It is well known that IPv6 adoption is rather slow: about 21% of sites support it. Experts expect that mass migration to the new-generation protocol will occur no earlier than in ten years. There are several reasons for this: technical and financial difficulties, as well as the presence of NAT, which “smooths over” the shortage of IPv4 addresses. However, the process is also hindered by information security issues.

The official IPv6 launch took place almost ten years ago, but engineers are still finding vulnerabilities in the protocol stack. For example, in 2020 a bug was discovered related to ICMPv6 and its Router Advertisement mechanism (CVE-2020-16898).

This vulnerability allowed attackers to run malicious code on a compromised machine.

One of the most recent problems was identified by specialists from the Max Planck Institute for Informatics at the end of March. According to their report, devices that use the EUI-64 mechanism to generate the interface identifier (the second part of the IPv6 address) compromise the network in which they are located.

How did this come about?

The SLAAC mechanism allows a device to get prefix information from the router without the help of DHCPv6, the host configuration protocol. This prefix and the 64-bit interface identifier (IID) are both needed to form an individual IPv6 network address.

One way to produce a unique IID is to derive it from the MAC address of the device (the EUI-64 mechanism). But today this approach is considered not just unreliable but dangerous, since it reveals the hardware identifier at the network level. Therefore, the community has developed special extensions to the IPv6 stack, for example those described in RFC 4941, which “randomize” the part of the address selected by the host. At the same time, Internet service providers change address prefixes for additional protection.


Unfortunately, a number of hardware developers (mostly makers of Internet of Things devices) still use “pure” EUI-64 to generate the IID. With its help, attackers can identify the manufacturer of the network device (and, as a result, potential vulnerabilities), as well as monitor other devices on the network using a similar IID.

According to the researchers, about 19% of all prefixes in the networks of major global Internet service providers are exposed to this vulnerability.

What’s to be done

In general, the solution to the problem falls on hardware and software developers — they should pay attention to the information security of devices and enable the available security mechanisms by default.

According to experts, the issue can also be resolved at the government level, if regulators require suppliers to certify products for compliance with standards that close the EUI-64 vulnerabilities. At the same time, Internet service providers can check routers before handing them over to their customers.
