
Even though the Internet is racing along toward complete IPv4 address exhaustion within the ARIN region as elsewhere, with ARIN estimated to exhaust availability of its general use IPv4 address space by the end of June 2015, operational deployment of IPv6 in North America and worldwide remains quite limited.
If you’re a site that still hasn’t made progress toward deploying IPv6, the time has really come for you to buckle down and do your IPv6 chores. Farsight Security, Inc., is making extensive use of IPv6, and there’s no real reason why you shouldn’t be, too.
As you get ready to deploy IPv6, some of you may worry that IPv6 will be somehow less secure than IPv4. It’s not. Others of you may wrongly believe the complete opposite, that somehow IPv6 is MORE secure than IPv4. That’s not true, either.
Nonetheless, for many years, there was a commonly heard myth that went something like this…
Because it isn’t realistic to attempt a brute force active scan of a site’s IPv6 address space using tools such as nmap, it would be hard or impossible for a penetration tester (or a malicious hacker/cracker) to enumerate an organization’s hosts that have IPv6 connectivity….
Over time, the community has come to understand that even if brute force active scans are impractical against IPv6 addresses, other methods for identifying IPv6 hosts do exist and are potentially productive. One such method is to use passive DNS to look for IPv6 AAAA records.
For example, let’s look at UCLA, long known as a site that’s highly interested in IPv6 deployment for services (see, e.g., slide 2 here). We know from DNS that www.ucla.edu uses the quad A address 2607:f010:2e8:228::ff:fe00:152:
$ dig +short www.ucla.edu aaaa
gateway.lb.it.ucla.edu.
2607:f010:2e8:228::ff:fe00:152
Are there other UCLA hosts that also have public IPv6 connectivity?
Checking ARIN IPv6 Whois, we can see that UCLA’s 2607:f010:2e8:228::ff:fe00:152 is part of an IPv6 /32:
$ whois -h whois.arin.net 2607:f010:2e8:228::ff:fe00:152
[...]
NetRange: 2607:F010:: - 2607:F010:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR: 2607:F010::/32
NetName: UCLANET6
NetHandle: NET6-2607-F010-1
Parent: NET6-2600 (NET6-2600-1)
NetType: Direct Allocation
OriginAS: AS52
Organization: University of California, Los Angeles (UCLA)
RegDate: 2007-05-15
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET6-2607-F010-1
[etc]
An IPv6 /32 represents 2^(128-32) = 2^96 = 79,228,162,514,264,337,593,543,950,336 IPv6 addresses.
Since it is difficult to comprehend numbers that immense, we will mention for purposes of comparison that the approximate diameter of the visible universe is 920,000,000,000,000,000,000,000,000 meters.
920,000,000,000,000,000,000,000,000, while obviously a large number, would still need to be multiplied by a factor of 86.11 to make it as big as the number of IPv6 addresses in an IPv6 /32 address block (and an IPv6 /32 is the smallest size IPv6 address allocation made by the Regional Internet Registries (ARIN, RIPE, APNIC, etc.)).
Brute force active probing of 65,535 potential ports on each of those 79,228,162,514,264,337,593,543,950,336 IP addresses would obviously not be possible, even if you could run trillions of tests per second on a sustained basis without somehow managing to get detected and summarily blocked.
Brute force methods are not the only option for IPv6 node discovery, however. For example, as nmap itself documents, there are multiple non-brute force options that will potentially work for IPv6 host discovery.
Passive DNS is one very viable way of finding active IPv6 addresses, even in an IPv6 /32.
This simple Farsight Security DNSDB query command:
$ dnsdb_query -i 2607:F010::/32
allows us to easily find over 450 unique UCLA hostnames that have IPv6 AAAA records in 2607:F010::/32.
While there will certainly be additional UCLA IPv6-connected ucla.edu hosts that our sensors have never seen, narrowing the “hunt” from 79,228,162,514,264,337,593,543,950,336 potentially active IPv6 addresses to roughly 450 IPv6-connected hosts still represents an almost unfathomable improvement in focus for an IPv6 penetration testing team (or, of course, for potential bad guys).
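As an added illustration (not code from the original post, and not Farsight's dnsdb_query tool), the following Python script shows the defender's side of this observation: given a dump of passive DNS results, it lists which hostnames and addresses inside a prefix you administer are publicly visible through AAAA records, and works out how small that set is compared with the prefix itself. The one-JSON-object-per-line record layout and its field names (rrname, rrtype, rdata, count) are an assumption modelled on common passive DNS exports; the example.edu names and the 2001:db8::/32 addresses are constructed for this example, while the www.ucla.edu record reproduces the one shown above.

```python
import ipaddress
import json

# Constructed sample of passive DNS results, one JSON object per line. The field
# names (rrname, rrtype, rdata, count) are an assumption modelled on common
# passive DNS exports and are not guaranteed to match any specific tool's output.
# The www.ucla.edu record reproduces the one shown in the post; every example.edu
# name and every 2001:db8::/32 address is made up for this example.
SAMPLE_PASSIVE_DNS = """\
{"rrname": "www.ucla.edu.", "rrtype": "AAAA", "rdata": "2607:f010:2e8:228::ff:fe00:152", "count": 1200}
{"rrname": "www.example.edu.", "rrtype": "AAAA", "rdata": "2001:db8:0:10::80", "count": 540}
{"rrname": "mail.example.edu.", "rrtype": "AAAA", "rdata": "2001:DB8:0:20::25", "count": 77}
{"rrname": "www6.example.edu.", "rrtype": "AAAA", "rdata": "2001:db8:0:10::80", "count": 12}
{"rrname": "legacy.example.edu.", "rrtype": "A", "rdata": "192.0.2.10", "count": 9}
{"rrname": "vpn.example.edu.", "rrtype": "AAAA", "rdata": "2001:db9::1", "count": 3}
{"rrname": "broken.example.edu.", "rrtype": "AAAA", "rdata": "not-an-address", "count": 1}
this line is not JSON and must be skipped rather than abort the run
"""


def prefix_address_count(prefix):
    """Number of addresses in an IPv6 prefix: 2^(128 - prefix length)."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def parse_passive_dns(text):
    """Parse newline-delimited JSON records, silently skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(record, dict):
            records.append(record)
    return records


def aaaa_hosts_in_prefix(text, prefix):
    """Map each IPv6 address inside `prefix` to the sorted hostnames seen with it.

    Only AAAA records whose rdata parses as an IPv6 address inside the prefix
    count; A records, unparseable rdata and addresses outside the prefix are
    dropped. Hostnames are normalised (trailing dot removed, lower-cased) so the
    same name is not counted twice, and addresses are emitted in canonical form.
    """
    network = ipaddress.ip_network(prefix, strict=False)
    exposed = {}
    for record in parse_passive_dns(text):
        if record.get("rrtype") != "AAAA":
            continue
        try:
            address = ipaddress.IPv6Address(record.get("rdata", ""))
        except ValueError:
            continue
        if address not in network:
            continue
        hostname = str(record.get("rrname", "")).rstrip(".").lower()
        exposed.setdefault(str(address), set()).add(hostname)
    return {address: sorted(names) for address, names in exposed.items()}


def unique_hostnames(text, prefix):
    """Sorted list of distinct hostnames with an AAAA record inside the prefix."""
    names = set()
    for hostnames in aaaa_hosts_in_prefix(text, prefix).values():
        names.update(hostnames)
    return sorted(names)


def search_space_reduction(prefix, host_count):
    """Integer ratio between the prefix's address count and the hosts observed."""
    if host_count <= 0:
        raise ValueError("host_count must be positive")
    return prefix_address_count(prefix) // host_count


if __name__ == "__main__":
    prefix = "2001:db8::/32"
    print(f"{prefix} holds {prefix_address_count(prefix):,} addresses")
    for address, names in sorted(aaaa_hosts_in_prefix(SAMPLE_PASSIVE_DNS, prefix).items()):
        print(f"  {address:30} {', '.join(names)}")
    hosts = unique_hostnames(SAMPLE_PASSIVE_DNS, prefix)
    print(f"{len(hosts)} distinct hostnames; search space reduced by a factor of "
          f"{search_space_reduction(prefix, len(hosts)):,}")
```

To use this against a real export, feed the file contents in place of SAMPLE_PASSIVE_DNS and your own allocation in place of the prefix. The useful comparison is between the resulting list and your asset inventory: any name or address that passive DNS has recorded but your inventory does not list is a host the outside world already knows is reachable over IPv6, whether or not you intended it to be.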
To avoid any potential misunderstanding on this point, let me hasten to add that we are NOT proposing passive DNS as an IPv6 attack or reconnaissance tool; rather, we want to emphasize that while IPv6 may seem to give you the ability to “hide in plain sight,” IPv6 in fact provides little or no cover or concealment.
Therefore, always assume that the whole world knows the identity — and the IPv6 address — of all your IPv6-connected hosts, just as they know the identity and IPv4 address of all your hosts connecting via IPv4. Plan accordingly. IPv4 and IPv6 both enable connectivity, not camouflage or anonymity.
Any belief that IPv6 gives you protection from host discovery is just a dangerous illusion, as this example readily demonstrates.
And any belief that you can continue to postpone deployment of IPv6 forever is a REALLY dangerous illusion. Please get your network IPv6 enabled!
Joe St Sauver, Ph.D. is a Distributed System Scientist for Farsight Security, Inc.