IPv6 Deployment and Finding IPv6 Needles in Internet Haystacks: Passive DNS & IPv6 Address Discovery
By Joe St Sauver
Even though the Internet is racing along toward complete IPv4 address exhaustion within the ARIN region as elsewhere, with ARIN estimated to exhaust availability of its general use IPv4 address space by the end of June 2015, operational deployment of IPv6 in North America and worldwide remains quite limited.
If you're a site that still hasn't made progress toward deploying IPv6, the time has really come for you to buckle down and do your IPv6 chores. Farsight Security, Inc., is making extensive use of IPv6, and there's no real reason why you shouldn't be, too.
As you get ready to deploy IPv6, some of you may worry that IPv6 will be somehow less secure than IPv4. It's not. Others of you may wrongly believe the complete opposite, that somehow IPv6 is MORE secure than IPv4. That's not true, either.
Nonetheless, for many years, there was a commonly heard myth that went something like this…
Because it isn't realistic to attempt a brute force active scan of a site's IPv6 address space using tools such as nmap, it would be hard or impossible for a penetration tester (or a malicious hacker/cracker) to enumerate an organization's hosts that have IPv6 connectivity….
Over time, the community has come to understand that even if brute force active scans are impractical against IPv6 addresses, other methods for identifying IPv6 hosts do exist and are potentially productive. One such method is to use passive DNS to look for IPv6 AAAA records.
For example, let's look at UCLA, long known as a site that's highly interested in IPv6 deployment for services (see, e.g., slide 2 here). We know from DNS that www.ucla.edu is a CNAME for gateway.lb.it.ucla.edu, which in turn has the AAAA ("quad A") address 2607:f010:2e8:228::ff:fe00:152:
$ dig +short www.ucla.edu aaaa
gateway.lb.it.ucla.edu.
2607:f010:2e8:228::ff:fe00:152
Are there other UCLA hosts that also have public IPv6 connectivity?
Checking ARIN IPv6 Whois, we can see that UCLA's 2607:f010:2e8:228::ff:fe00:152 is part of an IPv6 /32:
$ whois -h whois.arin.net 2607:f010:2e8:228::ff:fe00:152
[...]
NetRange:       2607:F010:: - 2607:F010:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           2607:F010::/32
NetName:        UCLANET6
NetHandle:      NET6-2607-F010-1
Parent:         NET6-2600 (NET6-2600-1)
NetType:        Direct Allocation
OriginAS:       AS52
Organization:   University of California, Los Angeles (UCLA)
RegDate:        2007-05-15
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET6-2607-F010-1
[etc]
An IPv6 /32 represents 2^(128-32)=2^96=79,228,162,514,264,337,593,543,950,336 IPv6 addresses.
Since it is difficult to comprehend numbers that immense, we will mention for purposes of comparison that the approximate diameter of the visible universe is 920,000,000,000,000,000,000,000,000 meters.
920,000,000,000,000,000,000,000,000, while obviously a large number, would still need to be multiplied by a factor of about 86 to reach the number of IPv6 addresses in a single IPv6 /32. And a /32 is the smallest allocation the Regional Internet Registries (ARIN, RIPE NCC, APNIC, etc.) make to an ISP or LIR; even the /48 typically assigned to a single end site holds 2^80 (roughly 1.2 x 10^24) addresses, vastly more than the 2^32 addresses of the entire IPv4 Internet.
Brute force active probing of 65,535 potential ports on each of those 79,228,162,514,264,337,593,543,950,336 IP addresses is obviously not possible, even if you could run trillions of probes per second on a sustained basis without being detected and summarily blocked.
Brute force methods are not the only option for IPv6 node discovery, however. For example, as nmap itself documents, there are multiple non-brute force options that will potentially work for IPv6 host discovery.
Using Passive DNS to find active IPv6 addresses in the Internet "haystack"
Passive DNS is one very viable way of finding active IPv6 addresses, even in an IPv6 /32.
This simple Farsight Security DNSDB query command:
$ dnsdb_query -i 2607:F010::/32
allows us to easily find over 450 unique UCLA hostnames that have IPv6 AAAA records in 2607:F010::/32.
While there will certainly be additional UCLA IPv6-connected ucla.edu hosts that our sensors have never seen, narrowing the "hunt" from 79,228,162,514,264,337,593,543,950,336 potentially active IPv6 addresses to roughly 450 IPv6-connected hosts still represents an almost unfathomable improvement in focus for an IPv6 penetration testing team (or, of course, for potential bad guys).
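To show what the "needle finding" step looks like once passive DNS output is in hand, here is an added Python example; it is not Farsight's code and is not part of the original article. It assumes the presentation-style output that the dnsdb_query script prints (";;" comment lines followed by "rrname IN rrtype rdata"), so adjust the parser if your tool's output differs. The sample records embedded in it are constructed: they use the RFC 3849 documentation prefix 2001:db8::/32 and example.edu hostnames, and only the www.ucla.edu AAAA record is taken from the article. Beyond the single-prefix case in the text, it normalizes hostname case and trailing dots, ignores A records and addresses outside the prefix, and skips malformed rdata rather than aborting.

```python
import ipaddress
from collections import defaultdict

# Constructed sample passive-DNS output in the presentation-style format that
# dnsdb_query is assumed to print (";;" header lines, then "rrname IN rrtype rdata").
# Only the www.ucla.edu record comes from the article; every other record is made up
# and uses the RFC 3849 documentation prefix 2001:db8::/32 with example.edu names.
SAMPLE_PDNS = """\
;;  bailiwick: ucla.edu.
;;      count: 4231
;; first seen: 2013-01-05 10:11:12 -0000
;;  last seen: 2015-03-30 08:09:10 -0000
www.ucla.edu. IN AAAA 2607:f010:2e8:228::ff:fe00:152

;;  bailiwick: example.edu.
www.example.edu. IN AAAA 2001:db8:1::80
mail.example.edu. IN AAAA 2001:db8:1::25
mail.example.edu. IN AAAA 2001:db8:1:1::25
ns1.example.edu. IN A 192.0.2.53
legacy.example.edu. IN AAAA 2001:db9::1
WWW.Example.EDU. IN AAAA 2001:db8:1::80
not-an-address.example.edu. IN AAAA 2001:db8::zz
"""


def parse_pdns_lines(text):
    """Yield (rrname, rrtype, rdata) from presentation-format passive DNS output.

    ';;' header lines and blank lines are skipped; hostnames are lower-cased and
    stripped of the trailing dot so the same host is never counted twice.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[1] != "IN":
            continue  # not an "rrname IN rrtype rdata" record line
        rrname, _, rrtype, rdata = parts
        yield rrname.rstrip(".").lower(), rrtype.upper(), rdata


def aaaa_in_prefix(text, prefix):
    """Map hostname -> sorted list of IPv6 addresses whose AAAA rdata lies in prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6:
        raise ValueError("prefix must be an IPv6 network, got %s" % prefix)
    hits = defaultdict(set)
    for rrname, rrtype, rdata in parse_pdns_lines(text):
        if rrtype != "AAAA":
            continue  # A, CNAME, etc. say nothing about IPv6 presence
        try:
            addr = ipaddress.IPv6Address(rdata)
        except ipaddress.AddressValueError:
            continue  # malformed rdata: skip it rather than abort the whole run
        if addr in net:
            hits[rrname].add(addr)
    return {name: sorted(addrs) for name, addrs in hits.items()}


def target_list(text, prefix):
    """Unique hostnames with an observed IPv6 address inside prefix, sorted.

    This is the 'roughly 450 hosts instead of 2^96 addresses' list: the scope a
    pentest team (or an attacker) would actually work from.
    """
    return sorted(aaaa_in_prefix(text, prefix))


if __name__ == "__main__":
    import sys
    # Usage: dnsdb_query -i 2607:f010::/32 | python3 pdns_aaaa.py 2607:f010::/32
    # With no stdin, the constructed sample above is used instead.
    prefix = sys.argv[1] if len(sys.argv) > 1 else "2001:db8::/32"
    data = SAMPLE_PDNS if sys.stdin.isatty() else sys.stdin.read()
    for name, addrs in sorted(aaaa_in_prefix(data, prefix).items()):
        print(name, ", ".join(str(a) for a in addrs))
```

Run against real dnsdb_query output, the script turns a /32 into a short, deduplicated hostname list; the same filter works for a /48 or any other prefix you are scoping. The hostnames are only those our sensors have seen, so treat the list as a lower bound, exactly as the paragraph above warns.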
To avoid any potential misunderstanding on this point, let me hasten to add that we are NOT proposing passive DNS as an IPv6 attack or reconnaissance tool; rather, we want to emphasize that while IPv6 may seem to give you the ability to "hide in plain sight," IPv6 in fact actually provides little or no cover or concealment.
Therefore, always assume that the whole world knows the identity – and the IPv6 address – of all your IPv6-connected hosts, just as they know the identity and IPv4 address of all your hosts connecting via IPv4. Plan accordingly. IPv4 and IPv6 both enable connectivity, not camouflage or anonymity.
Any belief that IPv6 gives you protection from host discovery is just a dangerous illusion, as this example readily demonstrates.
And any belief that you can continue to postpone deployment of IPv6 forever is a REALLY dangerous illusion. Please get your network IPv6 enabled!
Joe St Sauver, Ph.D. is a Distributed System Scientist for Farsight Security, Inc.