ICMP with IPv4 vs. IPv6: How secure? (just a little food for thought)

Fancy Graphic!

Co-Authored by “Beef Supreme”.

Internet Control Message Protocol (ICMP) is a required protocol tightly integrated with IP. ICMP messages, delivered in IP packets, are used for out-of-band messages related to network operation or mis-operation. Of course, since ICMP uses IP, ICMP packet delivery is unreliable, so hosts can’t count on receiving ICMP packets for any network problem. Internet Protocol security (IPsec) uses cryptographic security services to protect communications over Internet Protocol (IP) networks.

IPv4 uses a 32-bit addressing structure, which means that 4.3×10^9 addresses (2^32) are theoretically possible, although as we know many addresses are reserved for alternate usage. IPv4 addresses are divided into 4 octets, although they are more commonly expressed in dot decimal notation, for example IPv4 addresses are divided into 5 classes, A through E, and each class is assigned to a certain type of business or client or type of usage. IPv4 addresses are commonly converted to website or domain names, which requires the use of DNS, or Domain Name Systems, to translate between numeric IP addresses and their corresponding domain names.

By contrast, IPv6 is a relatively recent standard. It uses 128-bit addressing, which means that a theoretical 3.4×10^38 addresses are possible under this scheme (2^128). To put that in perspective, the standard subnet in IPv6 contains 2^64 number of IP addresses, or the square of the total number of IPv4 addresses possible. IPv6 addresses are written as 8 groups of 4 hexadecimal digits separated by colons and still makes use of classes and DNS.
So, why do we need all of this change? Are we worried about security with the new IPv6 standards? According to Gordon Moore, co-founder of Intel, technology grows at an exponential rate. Moore’s Law, as it is now know, says that the number of transistors on a chip doubles every two years. This theorem has also carried over to other areas of technology growth. Technology guru Ray Kurzweil says that all technological change follows an exponential curve, an idea he fleshes out in the Law of Accelerating Returns, and it has been very apt for IP addressable devices as well. In fact, the last blocks of IPv4 addresses will be allocated by the end of this year, meaning that we exhausted the pool in just 22 years.

IPv6 has other advantages as well, other than just more addresses. Due to the exponentially larger address pool, IPv6 will allow the continued roll out and development of packet-switched technologies into areas of the world which are not currently supported. It will allow billions of new devices to be connected quickly and easily, everything from smartphones and tablets to your new car. It has built-in support for mobile devices through Mobile IP. It is also more secure than IPv4 because it has been designed from day 1 to incorporate IPsec from end to end, with a much more robust ICMP standard.

With regard to technology, IPv6 is different from IPv4 in two major ways. The first is that the ping sweep or port scan, when used to examine the hosts on a subnet, are much more difficult to complete in an IPv6 network. The second is that new multicast addresses in IPv6 would not enable a hacker to find a certain set of key systems (routers, servers, etc.) without some degree of difficulty. Beyond these two differences, sweep techniques via ICMP in IPv6 are the same as in IPv4. Additionally, IPv6 networks are even more dependent on ICMP to function properly. A network that ordinarily required only the sending of 256 scan probes now requires sending more than 18 quintillion scan probes to cover an entire subnet. But even at a scan rate of 1 million probes per second (more than 400 Mbps of traffic), it would take more than 28 years of constant scanning to find the first active host, assuming the first success occurs after iterating through 50 percent of the first 1.8 quadrillion addresses. If we assume a more typical subnet with 100 active hosts, that number jumps to more than 28 centuries of constant 1-million-packet-per-second scanning to find that first host on that first subnet of the victim network. So, with the newer ICMP standards, the limitations are generally with the IP traffic flow and not the coding itself, making IPv6 a more secure option in addressing scheme.