IPv6 and Internet Privacy
Privacy and the Presence of Pervasive Monitoring
What comes to mind when you think about the topics of pervasive monitoring and mass surveillance? Does your mind immediately conjure up images of the Eye of Providence or, more popularly, the Eye of Sauron from J. R. R. Tolkien’s The Lord of the Rings epic saga? There are so many literary references to mysterious ever-watching beings or omniscient technologies such as the telescreen from George Orwell’s book Nineteen Eighty-Four, which, by the way, inspired the Judas Priest song Electric Eye about an eavesdropping satellite!
The people behind the “Eyes” on the Internet are most often governments and their law enforcement and intelligence agencies. Corporations are also seeking to gain a greater understanding of the customers who use their products and services. They seek out greater brand intimacy and “stickiness” with these customers and leverage customer information for sales and marketing purposes. Other companies collect this information and sell it to other companies that attempt to monetize the data.
On the Internet, not only our web surfing traffic can be inspected, but our DNS packets as well. We can take measures (or rather our browsers and apps most often take them for us) to protect the confidentiality of our web traffic by using Transport Layer Security (TLS) encryption and HTTPS. Some may use The Onion Router (Tor) or use IPsec/SSL VPN tunnels. When it comes to DNS privacy, there are emerging methods, such as DNS over HTTPS (DoH) for preserving the confidentiality of DNS queries and responses.
Anonymity for Nefarious IPv4 Internet Behavior
Over the past two decades, the Internet has become much more densely populated. Public IPv4 address exhaustion occurred years ago, but thanks to Network Address Translation (NAT) and protocols like HTTP that cooperate with NATs, the Internet continues to work. As service providers have felt the sting of limited public IPv4 addresses for subscribers, they have had to resort to using Carrier-Grade-NAT/Large-Scale-NAT (CGN/LSN) systems to provide continued operation and facilitate future growth.
NAT and web proxies have allowed clients on private networks to access Internet resources while preserving some of their anonymity. This use of multiple layers of NAT has caused IPv4 addresses to become increasingly localized. Multiple layers of NAT have also created “invisible” places and provided added anonymity to not only legitimate users of the Internet but malicious actors as well. In John Curran’s (President and CEO of ARIN) presentation at the 2017 North American IPv6 Summit titled “The future of the Internet, IPv6, and the long tail” he commented on how other non-technical users are afraid of the Internet. John quoted a poem eloquently articulating these fears of the Internet.
These NATs provide anonymity for attackers and have made fighting online crime more difficult. Europol has called for an end of CGN to increase accountability online. Service providers that have implemented CGN/LSN systems have struggled to perform Lawful Interception (LI) as required by Law Enforcement Agencies (LEAs) as well as legislation like the Communications Assistance for Law Enforcement Act (CALEA). Even enterprises have difficulty performing cybersecurity forensics when there are multiple levels of NAT taking place.
IPv6: Globally Unique Addresses Without NAT
The primary advantage IPv6 has over IPv4 is its large 128-bit address space, which creates sufficient globally-unique addresses and removes the requirement for NAT. IPv6 was designed to restore the end-to-end model of Internet communications with all nodes on networks using globally unique addresses. Considering this, it’s tempting to conclude that IPv6 might provide a greater degree of authenticity for identifying who or what is connecting to the Internet. However, organizations should be cautioned against trying to use an IPv6 address as an authentication factor.
IPv6 has the potential to change how organizations observe user behavior on the Internet or in private corporate networks. If organizations are observing IPv4 network traffic, they are not seeing the “whole picture” and thus lack situational awareness. The “client” IPv4 address observed by the Internet service is actually from a service provider’s NAT pool, or the external IP address of the enterprise perimeter firewall. If the web service is using reputation filtering and the client happens to use a bad IPv4 address in the NAT pool, then the legitimate connection could be dropped.
One of the advantages of using IPv6 that appeals to content providers is that they get greater visibility of user or customer behavior on the Internet. The “client” IPv6 address observed by the Internet service is the actual global address currently assigned to the source of the connection. However, while the IPv6 prefix of the client’s subnet is stable, when using DHCPv6 or temporary addresses, the last 64-bits of the IPv6 address—the Interface Identifier (IID)--is subject to change over time.
Social media companies could be using both IPv4 and IPv6 to give them visibility to the broadest population of their users. Using IPv6 gives them global visibility and IPv6 allows them insights into portions of the network that have traditionally been hidden from view behind NATs. The social media company would know more precisely the IPv6 prefix that the client uses and could more accurately traceback to the client’s source, than when they are using IPv4 with NAT.
Retail organizations are tracking customer location within their stores based on Wi-Fi or Bluetooth signals from their mobile devices. They track dwell times and then use the data gathered to optimize showroom and store layout based on the most popular products. The company that offers those free Internet services or makes that free mobile app receives something in return for your usage of their application. They get the ability to gather information about your usage and online behavior with both the client’s NAT’ed IPv4 address and its global IPv6 address.
Many consumers are not aware that their mobile devices already have IPv6 enabled and that many of their communications are already utilizing IPv6. When mobile phones are using global IPv6 addresses, but private IPv4 addresses, then using IPv6 allows for greater knowledge of the user’s location. This information can be used for the purpose of creating greater customer intimacy and value or for tracking behavior. However, it should be noted that this is not unique to IPv6. Websites have been using cookies and other tracking methods for years to understand who the user is, regardless of what network a device currently is on. IPv6 simply provides another unique data point for them to gather.
When it comes to service providers, IPv6 primarily provides them a way to scale their networks beyond the limitations and scarcity of IPv4 addresses. However, with IPv4, the number of devices within a residence is unknown to them because the residential broadband gateway performs NAT. There could be anywhere from one to one hundred IPv4 devices in the home, but the ISP or the online retailer cannot determine the actual device information. However, if the residential service used global IPv6 addresses, then the ISP would absolutely know how many devices are in the home. IPv6 would make their CALEA responsibilities much easier while still providing the same service and access they provide today.
Hiding in the Vastness of IPv6
We are also aware that the vastness of the IPv6 address space is one of the security advantages of using IPv6. Not only are IPv6 prefixes sparsely utilized out of blocks of addresses allocated to organizations by RIRs, but the those /64 prefixes are extremely sparely populated by nodes (i.e., tens or hundreds or even thousands out of 18,446,744,073,709,551,616 addresses). IPv6 nodes can (and typically do) use privacy extensions (RFC 4941) to prevent any tracking of their burned-in MAC address(es), which are easily readable in the original modified EUI-64 interface identifier format. But some organizations didn’t want that much privacy for users so stable IPv6 interface identifiers (RFC 8064) were developed.
Attackers can change their IPv6 addresses frequently when they are on a network. This is similar to how malicious sites perform “fast-flux”, which they accomplish by changing their IP addresses frequently to avoid being picked up and placed onto block lists and poor-reputation lists. Systems like the Moving Target IPv6 Defense (MT6D) developed at Virginia Tech show how rapidly-changing IPv6 addresses can help avoid detection. Companies Like Morphisec see these techniques as a security protection measure. People are also considering how using the vastness of IPv6 can improve the anonymity provided by Tor.
Even within IPv6 networks, identifying the IPv6 address of a bad actor can be difficult. Enterprises perform proactive monitoring to learn what devices are connected to their networks. IPv6 changes network reconnaissance and how organizations perform vulnerability scanning. In general, IPv6 geolocation is not as accurate as IPv4 geolocation. There is an IETF draft titled “Analysis of the Crime Attribution Characteristics of Various IPv6 Address Assignment Techniques”, which covers the methods of identifying a malicious actor using IPv6.
It is still possible to spoof the source address of IPv6 packets and send them off into the Internet towards an unwitting target. As organizations proceed to deploy IPv6, they should follow the best practices found in the IETF document BCP 38, which advocates ingress and egress filtering at the Internet perimeter.
Conclusions About IPv6 Internet Visibility
As with IPv4, there is no inherent security built into IPv6. Spam, DDoS attacks, and botnets are still present on the IPv6 Internet. Even though NAT is not recommended and is typically not used with IPv6, you can still have web proxies that perform a NAT-like function. There are firewall manufacturers that list NAT66 and NPTv6 on their product specifications. Bad actors can hide within the vastness of the IPv6 address space, changing their addresses frequently to avoid discovery.
If your organization wants to gather more information about your customers, your subscribers, your vendors, and your partners, then you will want use both IPv4 and IPv6 for greater insights. What you do with that information is up to you, but consider using this valuable data responsibly. As Google used to say, “Don’t be evil”.
Scott Hogg (@ScottHogg) is CTO of HexaBuild.io, an IPv6 consulting and training company. Scott is Chair Emeritus of the Rocky Mountain IPv6 Task Force (RMv6TF) and authored the Cisco Press book on IPv6 Security. Follow HexaBuild on Twitter and LinkedIn.