lolloj - Fotolia
How IPv6 deployment affects the security of IoT devices
IPv6 deployment is looming, but what does this mean for the security of IoT devices? Expert Fernando Gont explains.
IPv6, the successor to the IPv4 protocol, will provide vast address space to enable the present and future growth of the internet.
IPv6 is usually seen as a key enabler technology for the internet of things, since it can easily accommodate the increasing number of smart sensors connecting to the internet. However, the possible security interactions between IPv6 and IoT devices are generally overlooked, as well as the possible inadvertent shift in the paradigm associated with the security of IoT devices.
Inside the I of IoT
The de facto basic security architecture for most networks consists of an internal network connected to the public internet via a network address translation (NAT) device. The NAT device not only allows a single address -- or a group of addresses -- to be shared among multiple systems on the internal network, but, as a side effect, also enforces a security policy only allowing outgoing communications. That is, outgoing communications, such as TCP connections, initiated from the internal network to the public internet are allowed, while communications initiated from the public internet to the internal nodes are blocked.
Many protocols and applications assume that both the nodes on the internal network and the internal network itself can be trusted, while any networks and nodes outside of the internal network cannot. As a result, most smart devices employ two different sets of protocols: one set of insecure protocols that operate on the local network, and another, typically secured set that operates across the internet.
On the local network, smart devices typically employ simple proprietary protocols lacking authentication, authorization and confidentiality. In some cases, some operation and management functions that do not require authentication, or that employ default credentials that are rarely changed or updated by the user, are also available via a web interface. This is bad for the security of IoT devices, as witnessed in the October 2016 IoT distributed denial-of-service attack. On the other hand, operation over the internet frequently employs some form of cloud service provided by the device vendor, with communication being carried out over HTTPS.
Thus, these smart devices go along believing that the local network is trusted, while the external network -- the internet -- is not. This model is certainly questionable, as having access to the local network need not imply permission to operate local smart devices. However, at the very least, a border between the trusted and untrusted network should be enforced. For some simple network setups and scenarios, one may get away with this model.
The impact of IPv6 deployment on the security of IoT devices
As mentioned earlier, the main driver for IPv6 deployment is its vast address space, which can accommodate the present and foreseeable future growth of the internet and internet-connected devices.
As a result of their vast address space, IPv6 devices are provisioned with at least one unique global address and, thus, NATs are doomed to disappear. Therefore, a NAT's enforcement of the filtering policy to only allow outgoing communications is also likely to disappear, meaning communication between internal and external systems may no longer be policed by the network.
In fact, the distinction between internal and external networks may disappear altogether if a filtering policy is not enforced at the network border. While this could have potential benefits -- for example, for peer-to-peer applications, in which unsolicited inbound communications are common -- this clearly comes at the expense of increased attack exposure.
Unless explicit measures are taken, IPv6 deployment could result in all the internal nodes of a network becoming directly reachable from the public internet. This would mean, for example, that on-packet attacks, such as the IPv6-based ping of death, could be readily exploited against IoT devices. In addition, protocols that have been engineered to operate on a local trusted network may inadvertently end up operating on the untrusted public internet.
Does IoT really need IPv6?
When it comes to IPv6 and IoT, many believe that IPv6 is required for IoT to unleash its full potential. However, it is interesting to analyze the extent to which IPv6 -- and, in particular, global addressing and any-to-any connectivity -- may be required for IoT.
In the IPv4 world, the use of private address space can be problematic for a number of reasons, such as when networks employing overlapping private address space need to be merged or interconnected. Provisioning all devices with global addresses can help avoid this and other associated problems -- although the unique local address space, fc00::/7, which provides addresses of local scope that are statistically unique, could also be used with similar results.
Regardless of whether global address space is employed, the question arises whether any-to-any connectivity -- including unsolicited inbound communications -- is desirable, as well as the effect it would have on the security of IoT devices. In the IPv4 world, unsolicited inbound communications are blocked as a result of the use of NATs. With the possible disappearance of NATs and their network filtering policies in the IPv6 world, global any-to-any communication can enable increased flexibility -- albeit at the expense of increased attack exposure.
Whether to enforce the same filtering policy for IPv6 and IoT devices will depend on the communications model of the associated devices; whether external entities are expected to poll the IoT devices, or if the IoT devices are expected to notify the external entities. If it is the former, the IoT network would need to accept inbound, unsolicited communications. If it is the latter, incoming communications could be blocked by the network, while IoT devices would be able to contact external systems as needed.
Since IoT is still an area of current development, it is hard to make any educated predictions regarding which communications model will be preferred. Note, however, that since IoT devices currently operate on IPv4 with the paradigm that only outbound communications are allowed, it is extremely likely that the same paradigm will be employed for IPv6. Thus, the same filtering policy from the IPv4 world will be enforced for IPv6-based IoT networks.
A possible way forward
Besides the possible communications model for IoT devices, one may wonder if, when communication from an external network to an IoT network is desirable, such communication should directly involve the IoT devices, or whether it should be performed via an intermediary IoT proxy that serves as a gateway between the external network and the IoT network and devices. Clearly, such a gateway is likely to be in better shape security-wise, and may be in a good position to police traffic to the typically fragile IoT devices.
The vast IPv6 address space represents the present and foreseeable future growth of the internet. Unless concrete actions are taken, IPv6 deployment may inadvertently hinder the security of IoT devices by increasing their attack surface.
Whether the associated increased exposure is warranted or not will depend on the communications paradigm employed by the IoT devices. As a rule of thumb, the principle of blocking communication unless it is actually required should be applied.
Is IoT speeding up IPv6 deployment?
Internet pioneer Paul Vixie talks IoT, IPv6 and security
Stay secure as you transition to IPv6