An Empirical Study into Factors that Create Configuration Inconsistencies between IPv4 and IPv6 Systems
Identifying the Managerial and Scientific Implications

by D. Rieffe

Management of Technology
TU Delft
Cyber Security & Forensic Technology
PwC Nederland

to obtain the degree of Master of Science at the Delft University of Technology, to be defended publicly on Tuesday September 24, 2019 at 12:30.

Student number: 4654862
Project duration: February 1, 2019 – September 1, 2019
Thesis committee:
Prof. dr. ir. M.F.W.H.A. Janssen, TU Delft - ICT and Governance, Chairman
Dr.-Ing. T. Fiebig, TU Delft - ICT and Governance, Supervisor
Prof. dr. ing. A.J Klievink, TU Delft - Organization and Governance, Critical Observer
D. Switzer, PwC Netherlands, External Member

An electronic version of this thesis is available at http://repository.tudelft.nl/.

Executive Summary

This study performed a qualitative analysis of the rising problem of IPv6 misconfiguration. Scans of the public IP ranges of the internet show that currently 4.8% of all dual-stack hosts have a different configuration on IPv4 than on IPv6. However, from an IT security perspective, the reasons for a difference in IP configuration are limited. In this thesis, the IP configuration process is studied. Furthermore, we reached out to the owners of identified misconfigured hosts and discussed with them the reason behind the misconfiguration. The goal of this study is to discover why there are differences in port configuration between IPv4 and IPv6. This thesis aims to add to the literature on IPv6 port configuration and to raise the levels of knowledge and awareness of it. To this end, the following research question is posed:

What is the reason for the existence of inconsistencies in open port policies on dual-stack hosts?

To answer the main research question, four corresponding sub-questions were drafted. Answering them aids in answering the main research question.

SQ1: What actors play a part in the IPv6 configuration?
SQ2: Which guidelines are considered to be most critical for port-based firewalling policies?
SQ3: What processes lead to IPv4/IPv6 misconfigurations and inconsistencies that can be found in the wild?
SQ4: Is there evidence of active exploitation of IPv6 misconfigurations?

Methodology

Most literature on IPv6 port configuration takes a technical approach to the problem. A review of IPv6 configuration from a managerial perspective, however, is lacking. The identified knowledge gap was filled by an exploratory qualitative study. For this, we performed thirteen interviews with IPv6 security experts and owners of identified misconfigured hosts. From these interviews, we gained insights into how IP configuration is performed and why IPv6 is often poorly configured.

Results

The thirteen interviews were transcribed and analyzed with ATLAS.ti. From the interviews, we found that the larger the company, the more formal the port configuration becomes. This process increases the number of reviews, but also the time to implement a change. Next, we discovered that there are no real use cases for implementing IPv6 and only IT networking enthusiasts prefer to use IPv6. There is IPv4 scarcity, but IPv4 lifetime extension technologies (Carrier-Grade NAT and NAT) are currently preferred over implementing IPv6.

Discussion and Conclusion

In the discussion, we compared our results with current literature. We discuss two reasons for IPv6 implementation, Europol and Rabobank. Secondly, we discuss two methods for organizations to migrate from IPv4 to IPv6. In one case IPv4 is used internally and IPv6 externally, and in the other case the entire network is running IPv6. Thirdly, a comparison is made between existing technology adoption theories and the adoption of IPv6. A similar technology migration on the internet is also added in this section. Finally, management awareness and the different actors in the IPv6 landscape are discussed.

IPv6 configuration has proven to be a difficult subject. Not all parties are ready for IPv6, and the general awareness and knowledge of IPv6 lags behind. Thus far, there are few use cases for IPv6 implementation, which results in IPv6 being given no priority. This in turn results in improper and partial firewall configurations and in differences in open ports on dual-stack hosts. It is expected that in the future, with an increase in the cost of IPv4 extension technologies and in IPv4 scarcity, the world will migrate to IPv6. If this increases the knowledge and awareness of IPv6, it is expected that the number of misconfigured devices will decrease.

Furthermore, it is essential that, besides technicians, managers also become aware of this IPv6 problem. Growth in awareness and knowledge concerning IPv6 will be two factors that will greatly reduce the number of misconfigurations. Currently, there is no clear actor who is responsible for raising this problem with managers. In this study, we discuss the possibility that Internet governance agencies, e.g., RIPE, could take this role.

Contents

List of Figures
List of Tables

1 Introduction
  1.1 Focus and Goal
  1.2 Problem Description
  1.3 Intended Audience
    1.3.1 Actors
  1.4 Societal Relevance
  1.5 Management of Technology

2 Background Knowledge
  2.1 What is Cyber Security
    2.1.1 Vulnerability-Threat-Control Paradigm
  2.2 Malicious Actor
  2.3 Cyber Security Roles
  2.4 Common Attack Methods
    2.4.1 Password Attacks
    2.4.2 Social Engineering
    2.4.3 Denial of Service
    2.4.4 Vulnerabilities
    2.4.5 Vulnerabilities and Misconfiguration
  2.5 Consequences of a Cyber Attack
  2.6 History of the Internet
  2.7 Internet Governance
  2.8 OSI Model
  2.9 TCP/IP
    2.9.1 IP Addresses
    2.9.2 IP Depletion
    2.9.3 Ports
    2.9.4 Network Address Translation
    2.9.5 Carrier-grade NAT
  2.10 DNS
  2.11 IPv6 transition protocols
  2.12 Disabling IPv6

3 Methodology
  3.1 Interviews
  3.2 Structured Approach
    3.2.1 Qualitative Research
  3.3 Ethical Considerations
    3.3.1 Confidentiality
    3.3.2 Informed Consent
    3.3.3 Harm

4 Collecting Qualitative Data
  4.1 Vulnerable Host Identification
  4.2 Ownership Identification
  4.3 Internal IPv4/External IPv6 Configuration
  4.4 Recruitment
    4.4.1 Limitations and Roadblocks
    4.4.2 Facts and Figures
  4.5 Interview Setup
    4.5.1 Interview Phases
  4.6 Data Analysis
  4.7 Summary of Approach

5 Results
  5.1 Information Sources
  5.2 Security in General
  5.3 Port Configuration Process
    5.3.1 Opinions
    5.3.2 Verification
    5.3.3 IPv6 Port Configuration
    5.3.4 Logical Differences
    5.3.5 Opinions About Process
  5.4 Security Implications
    5.4.1 Summary Port Configuration
  5.5 IPv6 Adoption
    5.5.1 Summary Adoption
  5.6 IPv6 Implementation Examples
  5.7 Internal/External Configuration
  5.8 Limitations
  5.9 Summary Results

6 Discussion
  6.1 Implementation Cases
    6.1.1 Bank Implementation
    6.1.2 Europol
    6.1.3 Analysis