IPv6: Windows Server 2003 Supports a More Secure IP - Sort of
With its 128 bit addressing, IPv6 allows for a huge address space that could do away with the need for Network Address Translation and other address-conservation techniques. However, IPv6 provides for more than just an increase in the number of available addresses. It is also designed to provide for better performance and, even more important in today's business world, better security of IP communications.
Windows Server 2003 provides better support for IPv6 and for some of its security mechanisms. However, it is important for administrators to be aware of the limitations of Server 2003's implementation of IPv6 when it comes to security features. In this article, we'll discuss both the theoretical and the practical aspects of using IPv6 to create a more secure network environment with Microsoft's latest server operating system. This article is an overview of Microsoft's IPv6 implementation and is not intended to be a complete guide to implementing IPv6 on your network.
IPv6 addresses are formatted as a series of up to eight 16 bit hexadecimal numbers with colons separating them, so they look differently from IPv4 addresses, which are commonly notated as four decimal numbers with dots between them (thus the term "dotted quad").
IPv6 Support in Server 2003
To use IPv6 with Windows 2000 (with SP1 or above), you had to download free files from Microsoft to add support for the new version of IP to the operating system (and the system had to be rebooted to enable IPv6). You could get third-party products to add IPv6 support to Windows NT and 9x. Server 2003, however, includes IPv6 support "out of the box" without any add-ons. You install IPv6 as a network protocol via the Properties box for the local area connection, as shown in Figure A.
FIGURE A: Installing IPv6 as a protocol in Windows Server 2003
To install IPv6 support, follow these steps:
Click Start | Control Panel | Network Connections
Right click the local area connection and select Properties.
Click the Install button.
Select Protocol in the network components box and click the Add button.
Click Microsoft TCP/IP version 6 and click OK.
IPv6 will now show up in the list of installed protocols in the connection's properties, as shown in Figure B.
FIGURE B: After installation, TCP/IP version 6 appears as an installed network component
In Server 2003, you cannot install IPv6 only; IPv4 must also be installed (and is installed by default when you install the operating system).
You can configure these items for IPv6:
- IPv6 address (can be obtained by a router advertisement or you can assign manually).
- Default router to be used to communicate with IPv6 nodes on network segments other than its own (can be assigned automatically via router advertisement or added to the IPv6 routing table manually)
- DNS server used to resolve host names to IPv6 addresses
Most configurations for IPv6 can be done using the Netsh command in IPv6 context. To switch to IPv6 context, type netsh interface ipv6. You can then use the IPv6 commands, which allow you to add, modify and delete addresses and routes, add 6 over 4 or 6 in 4 tunneling, configure temporary address generation, and more.
NOTE: for a complete list of IPv6 context netsh commands, see the Windows Server 2003 Help files.
How a Larger Address Space Increases Security
The huge increase in the address space itself provides some measure of extra security, by simply making it more time consuming and difficult for a potential attacker to scan all the possible addresses. Although this is more of a "security through obscurity" technique and shouldn't be relied upon to protect your systems without additional security mechanisms, anything that slows down an intruder works to your advantage.
IPv6 Support for IPSec
The most important security feature in IPv6 is its built-in support for the IP Security protocol (IPSec). IPSec is an Internet standard that is designed to provide data confidentiality, integrity and authentication through the use of the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols.
IPSec support for IPv4 was added after the fact, whereas it is an inherent part of IPv6. However, Microsoft's Help files state that the implementation of IPSec that comes with Server 2003 IPv6 is not recommended for production use. This is because it uses static keying and does not provide for updating of keys when sequence numbers are reused, and thus does not provide the level of security necessary for mission-critical communications. Here's another problem: the IPSec implementation that comes with Server 2003's IPv6 doesn't support ESP data encryption, which means it fails to provide for data confidentiality (you can use ESP with null encryption, but it only provides authentication and integrity, not data confidentiality). Further, Internet Key Exchange (IKE) is not supported for negotiating security associations. In other words, the IPSec aspect of IPv6 in Server 2003 is not ready for prime time.
Note that we're talking here only about the IPSec in IPv6 - this is a separate implementation from Microsoft's IPSec for TCP/IP (version 4), which does support data encryption and IKE SAs.
Temporary Address Support
Temporary addressing can enhance security by providing some anonymity when you access the Internet, similar to that enjoyed by IPv4 dialup users who are assigned dynamic IP addresses by their ISPs each time they connect. Random interface identifiers are created whenever the IPv6 protocol initializes, so that it is more difficult to track a specific user via IP address (which is easy with regular IPv6 dialup connections because the interface identifier is based on the physical address).
By default, Server 2003 IPv6 does not generate temporary addresses, but this feature can be enabled by using the set privacy command within the IPv6 context in netsh.
Does IPv6 Introduce New Security Vulnerabilities?
Although designed to provide better security via IPSec, IPv6 also includes many enhancements, some of which can be exploited by attackers. For example, the address autoconfiguration feature be used by attackers to announce rogue routers. In addition, some of the transitioning mechanisms designed to allow for easier interaction between IPv6 and IPv4 networks can be misused by attackers. Transitioning tools create a way for IPv4 applications to connect to IPv6 services, and IPv6 apps to connect to v4 services.
Because of the standardized transitioning methods, such as 6to4, Simple Internet Transition (SIT) tunnels and IPv6 over UDP (such as Teredo and Shipworm), IPv6 traffic may be coming into networks without their administrators being aware of the fact (and thus, without them being aware that they are vulnerable to IPv6 exploits). For example, since many firewalls allow UDP traffic, IPv6 over UDP can get through those firewalls without administrators realizing what's happening. Attackers can use 6 over 4 tunnels to evade Intrusion Detection software.
It's also important to note that the Internet Connection Firewall (ICF) that is included with Server 2003 is only capable of filtering IPv4 traffic; it cannot block IPv6 traffic. Attackers can exploit this and get into your network with IPv6 packets if you don't implement other firewall software that has this capability.
IPv6 is the next generation of the Internet Protocol and is designed with security in mind. Microsoft has taken an important step toward full IPv6 support by including it in Windows Server 2003 (and Windows XP) as a network component that can be installed without downloading anything. Microsoft is working diligently toward that goal, and will be improving the IPv6 stack in the future. XP Service Pack 1 includes a production quality version of IPv6. For more information about Microsoft's IPv6 implementations, see the Windows Server 2003 IPv6 web site at http://www.microsoft.com/windowsserver2003/technologies/ipv6/default.mspx#implementations.