
[Applause] Yes, so I already had a little introduction there, um, from David candy, and today we're going to be talking to you a little bit about IPv6 and why it's something we probably need to pay a little bit more attention to. Cool. So according to Google, already almost, try to go both sides, uh, almost 45% of their traffic is already happening over IPv6, and in Western Europe nearly 60% of our devices support IPv6. Right, so I think that IPv6 is actually the most forgotten-about surface area in every organization's, uh, digital footprint, which is quite a bold statement, and quite often when I say that to organizations they turn around and go, well, IPv6, I thought we only used
IPv4, and hopefully over the next 10 or 15 minutes or so, uh, we're going to answer that question. Right, now to start: IPv6 is a little bit like digital Marmite, okay. There's people who absolutely love IPv6, want it deployed everywhere; there's those who hate IPv6, don't want it anywhere near their networks; and then with Marmite there is a third and often forgotten-about option, and that's those who go, what on Earth is Marmite, and in this case, what on Earth is IPv6. So what we're going to do is a little crash course into what IPv6 is, why we have it and, you know, what problem does it actually solve. So hopefully you all know what an IP address is; it's
basically the thing that gets us connected to the internet, allows devices to communicate with each other, so it's pretty important. Now, the version we're probably all aware of is IPv4, looks a little bit like this, and now when IPv4 was created in around 1980, uh, we had loads of these IPv4 addresses to give to all these devices that wanted to connect to the internet, because internet was very popular back then, obviously. Now, as we know it, the internet is a pretty big and popular thing, and like all good things we've basically feasted on these IPv4 addresses, so ultimately in 2019 we ran out altogether. So what we tried to do over the past couple of decades or so is
prolong the life of IPv4 by using things like network address translation, carrier-grade network address translation and these sort of centralized services, but even with those in place it's still becoming harder and harder to connect devices to the internet. So what's the solution? No prizes for guessing it: it's IPv6. Now some of you might be thinking, hang on a minute, we've skipped one out there, we've gone from version four to version six, what happened to version 5? Well, the talk's not long enough to sort of dig into that, um. Cool, so primarily what we get with IPv6 is an absolutely massive address space, and that's created by the inclusion of hexadecimal and also longer addresses, as we can see compared to IPv4,
right, and ultimately what we basically end up with is this many addresses, so it's an absolutely colossal number when we compare it to IPv4. Now, I find big numbers like that really hard to visualize, it just looks like a big number, so one way that you can visualize that is: if you counted up every single grain of sand on Earth and made an Earth for every single grain of sand that you've got, then across all those Earths that you've now just created, count up every single grain of sand; once you've got that number, times it by about five and you're pretty much at that number there. So what that means is we've got plenty of
addresses to go around, to give every single device of today and those of the future to be able to connect those to the internet, and by connected I mean that every single device gets its own public address assignment, which, if you've not got networking rules in place and filtering, things like that, could be quite daunting. The other thing we get with IPv6 as well is that it can automatically configure itself on a network, um, and it's, you know, fairly tolerant, so it's got some really good applications in sort of like IoT. I know some really good talks today as well about IoT, ICS space as well, so there's some really good use cases there. Right,
so armed with that little bit of knowledge, let's go back to this question then of, well, IPv6, I thought we only used IPv4. So in short, IPv6 is already everywhere, right, and I mentioned earlier on in this talk that 60% of devices in Western Europe support IPv6, so, well, where's that figure come from? Well, IPv6 is enabled by default on Windows since Vista, since Server 2008, macOS, uh, a good number of the Linux distributions as well, loads of the mobile operating systems, right, and, uh, Windows actually take that a little bit further as well, and if you've got a Windows device and you give it IPv6 and IPv4 connectivity, it will actually prioritize using IPv6 over IPv4. Cool, so hopefully
we're starting to see that most of our organizations already have loads of devices in there that natively support IPv6, but what about if we go a little bit further upstream, right, and we go and have a look at our internet service providers, cloud service providers and that sort of stuff? Well, BT, Sky, loads of altnets, uh, the UK educational network Janet, uh, all support IPv6, so there's a possibility that you're actually using IPv6 right now. If we have a look at our cloud service providers as well, so the big ones, AWS, GCP, Azure, over the past couple of years they've been making some really big pushes to offer IPv6 connectivity and IPv6 support,
and actually what's happened this year is a couple of those cloud service providers have actually now started to charge for using public IPv4 addresses, whereas if you use IPv6 it's free, right. And there's actually one more driver that's happened over the past couple of years that's really sort of influencing the uptake of IPv6 adoption, and that's government mandates. So there's currently government mandates over in China, in the US, uh, soon to be Germany, and even in places like Vietnam, they're actually dictating the deployment of IPv6, and in the case of China, uh, by 2030 every single internet-connected device in China is going to be IPv6 only, right. That's absolutely massive because already the amount of
devices that are in China, but by 2030 every single one of those devices is going to be IPv6 only. So what does that mean for businesses, organizations, things like that? Well, if you want to continue being able to communicate with the entire internet, if you want to be able to communicate with, you know, US federal departments, organizations over in China, then you're going to have to offer some sort of IPv6 support as well, because natively IPv6 and IPv4 aren't compatible with each other, right. Okay, so what's the issue, right? We've got this technology that's going to be really important to the future, it's already deployed in most places now. Well, IPv6 has basically snuck up on us;
it was only a few years ago where people were basically saying IPv6 is next decade's problem, it's something in the future, we don't have to worry about it. Yeah, well, this is a pretty good figure: 10 years ago IPv6 adoption according to Google was at 3%, now it's almost 45, and that rate is growing. So what's basically happened is we've got loads of organizations who are using IPv6 without actually knowing that they are, um, and just having a technology in sort of your stack that you don't really manage, you've not really got any control over, is already a big enough issue. Quite often as well, organizations don't really account for IPv6 when it comes to
sort of audits, PCI compliance, ISO, all that sort of stuff, so that's maybe somewhere most organizations could start, right. Sometimes what I hear as well is organizations turn around and go, okay, well, we know we might be using IPv6 internally, it might be enabled on our devices, but we're certainly not using it externally outside of our networks, right. So some of you might be thinking, okay, well, if we've got a network where in all our devices IPv6 is basically enabled and they're looking for this IPv6 connectivity, well, what can an attacker do to exploit that sort of configuration, right? And there's documented cases of this happening. Basically what an attacker can do if they're local in a network is they can
advertise themselves as a router that offers IPv6 connectivity, so what happens is you've got all these devices which then, because they prefer IPv6 over IPv4, will use your router as the connection out to the internet. What basically happens is all that traffic bypasses all that sort of filtering and network rules that the organization's implemented for IPv4, right. Something else that people might have heard of, and there's actually been quite a good topic of discussion, especially in August, is something called extension headers. Now, IPv6 is designed to be around for at least the next 100 years, which means it's got to be compatible with use cases that we've not even thought about yet, and the way that
it does that is with something called extension headers. Now, extension headers are notoriously easy to get wrong, as we saw in August Patch Tuesday, even certain operating systems don't get it quite right, and basically if you handle extension headers wrong, what you can ultimately end up with is remotely exploitable conditions, you know, remote code execution, data exfiltration, denial of service, so, you know, it's all the good stuff. So how do we actually start going and reducing the risk of IPv6 in our networks? Quite often the solution that's given is to basically disable IPv6, right, but should we take that one step further? If we're being told to disable technology, so we go and disable IPv4 as
well, should we go and disconnect ourselves from the whole internet? If we go and disable IPv6, we aren't actually really dealing with the underlying issues and problems. Microsoft's got some advice on this as well, and they basically say that IPv6 is a mandatory part of Windows now, so actively discouraging organizations from going and disabling it, and even if you do disable IPv6 on the network interface card, then those Windows devices will still keep on using it internally, right. Basically, if you go to disable IPv6 now for whatever reason, inevitably we're going to have to re-enable it in the future to be able to communicate with those IPv6-only services, say in the US, China, all right. Now it's sort of widely
accepted that a way to start to manage IPv6 in your networks and start to understand your risk is to enable filtering on the network edge, right. By filtering I mean using allow lists, because if you were to implement block lists for IPv6, because it's dynamic in nature, it's really easy for attackers to get around those static block lists that you put in place. So chuck some allow lists in there, basically call out exactly the types of use cases you're going to allow in and also the type of extension headers that you allow as well, right. And you should do this too even if your internet service provider doesn't support IPv6 yet, because I know I
mentioned some internet service providers before, but there's actually loads that are trialling IPv6 at the moment, and, uh, you know, if they roll that out to all their customers, then at least if you've got some sort of filtering in place already, then you've got a proactive defense, right. So, okay, so we've spoken quite a lot about what the sort of risks are of IPv6 and sort of the issues, but what about the security benefits? Okay, there's absolutely loads, there's far too many to just cover in this little short time frame we've got now, um, and the ones that I'm mainly going to talk about, because we've not got a massive amount of time, is the security
benefits related to the size of the address space. Cool, so you can't just scan IPv6 like you would with IPv4: the address space is that large that, you know, it takes so much time to scan it that it makes it impossible, and that kills most of the attacks at the reconnaissance stage and stops them progressing from that reconnaissance stage, right. As organizations as well, because we'd be allocated such a massive space, it means we've got flexibility, it means we can architect some really cool network structures, we can do segmentation, we can do filtering based on hierarchy, all that sort of interesting stuff, right. And now if we take that one step further, if we're an organization, we've been
allocated this massive IPv6 address space, when we start dividing that down inevitably we get down to the device level, and if you were to go by the book, each device in your network should be allocated a space that is nearly five billion times larger than the entire IPv4 internet, so it's absolutely massive, right. And again that gives our devices a bit of flexibility to what we can do, so they can use something called stateless address autoconfiguration, or SLAAC for short, um, and what they can basically do there is they can go and configure their own IP address from that range, and what they can do is they can rotate that IP address, so from an attacker point of
view that's a nightmare, because if you're trying to scan a network, work out where these assets are, it's constantly evolving, it's constantly changing, which is really good from a security point of view. We can go further with that as well, and there's something called privacy addresses, where if you've got an IPv6 device, every time it goes and reaches out to an external service it basically uses an IP address for that session; as soon as that session's done it throws the IP address away, which is great, makes them really hard to track, it's really good from a privacy point of view, right. So there's been a little bit of research as well into, if you are attacked over
IPv6, it's actually easier to defend from those attacks too, um, and there's loads of research into this space, so, you know, if you go and have a look at that, some really good stuff. Okay, so hopefully we're starting to see that the issues here aren't necessarily in IPv6 itself, it's the fact that we don't have visibility of what our IPv6 exposure is and that our knowledge of IPv6 isn't at the same level as what we've got with IPv4. So let's go and have a look at the original question then, right, so IPv6, I thought we only used IPv4. Well, to most people that's true, because the visibility that you've got of your networks and your infrastructure is only
of what's going on in IPv4, but in reality, and what we've seen, is that IPv6 is heavily embedded into our networks, it's probably something that we should pay more attention to and account for in our security policies and procedures. I mentioned before that it's quite difficult to perform reconnaissance against IPv6, but recon against IPv6 is actively happening, and what these attackers are actually looking for is sort of low-hanging fruit: they're looking for IPv6 networks where the organization's basically forgotten about it or where it's not been configured correctly, right. So what we can do as sort of security professionals is begin to understand what our IPv6 exposure is, begin to understand what some of those attack
vectors are, and in doing so will put us ahead of the vast majority of other organizations out there and mean we're no longer the lowest-hanging fruit, right. So basically IPv6 is the next-generation internet, and that's really exciting, it's something that we should all embrace, but what we need to make sure is that it is implemented securely so that it can continue providing, you know, long into the future and for the next generations. So thank you for listening, and I hope you found that interesting. A little bit, if you did find it interesting, you want to learn a little bit more, then we have got a LinkedIn page where we do like regularly post
about IPv6 issues and all that sort of stuff, but yeah, I'm conscious it's lunch as well, so if anyone wants to grab me outside means or yeah, if we can save the questions and you grab him, just come up and have a chat rather than doing the r questions, because there is going to be a queue for sandwiches, because yesterday was quite a long queue. Thank you.