Thursday 29 July 2010

Scanning an IPv6 Subnet

If you are a network geek like me you may have been reading a lot lately about IPv6 and how it is different from IPv4. From a security perspective, one of the things stated as a benefit of IPv6 is the mind-boggling size of a subnet, to the extent that most network engineers will state that we need never subnet again. I would have to agree! But from the other side of the security coin, how does one scan an IPv6 subnet as a result? I'm not thinking about hacking, but about performing your own security scanning with a tool like OpenVAS.

Let's have a think about how we might achieve this. First, a lesson in IPv6 for the uninitiated. IPv6 addresses are 128 bits long; I'm sure you've all read that somewhere. What that represents in raw numbers is huge. What is more useful is how those 128 bits are broken up. As an end user, you will probably receive either a /48 or a smaller allocation. Consumers will perhaps only receive a /56 or perhaps even a /64.

The important thing to know is that even though the ISP may well leave you 80 bits to play with, the done thing is to allocate the last 64 bits as the interface identifier. Most posts I've seen have simply taken those 64 bits as a given (i.e. a very large number of possibilities) and ignored the scanning possibilities.

I think there are a few things to note about the structure of the 64 bits. Firstly, engineers are free to allocate these bits how they see fit, and of course if these bits are allocated at random then yes, it will be a near impossible task to scan an IPv6 subnet.

But if the engineer uses EUI-64 to fill out the 64 bits then we know a bit more about the structure of these bits. Put simply, EUI-64 states that you break the MAC address in half and place the bit pattern FFFE in between. You also flip the 7th bit of the first octet (the 2 bit of the 2nd hex digit), but hey, who's counting?

So we have reduced the 64 bits down to, say, 48 bits. Still a lot of bits, but perhaps we can get a bit closer. The first half of a MAC address identifies the vendor of the NIC. We can make a smart guess about the NIC vendor, say pick a list of 1024 vendor IDs or perhaps 256, and we can reduce the 48 bits down to 32 bits to scan. You may even be able to use information about what portion of the lower 24 bits has been allocated by various vendors to narrow down that part of the search also.
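To make the EUI-64 structure concrete, here is an added example (my own code, not part of the original post): it derives the modified EUI-64 interface identifier from a MAC address, recognises EUI-64-shaped addresses in a host inventory and recovers the embedded MAC and vendor OUI, and reproduces the scan-time arithmetic used further down the post. The MAC address, the 2001:db8::/32 documentation prefix and the three inventory addresses are constructed sample values. Run against your own address inventory, the `audit` function is a quick way to see which hosts carry hardware-derived, and therefore more predictable, identifiers rather than random ones.

```python
"""Added example, not from the original post: EUI-64 derivation and detection,
plus the post's scan-time estimate. All inputs are constructed; nothing here
sends traffic."""
import ipaddress
from typing import Dict, Optional

UL_BIT = 0x02  # universal/local bit: 7th bit of the first octet (RFC 4291)


def mac_to_eui64_iid(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 identifier from a 48-bit MAC:
    split the MAC in half, insert ff:fe, flip the U/L bit in the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    first = octets[0] ^ UL_BIT
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def mac_to_slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier derived from `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers fill the low 64 bits of a /64")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def eui64_mac(addr: str) -> Optional[str]:
    """Return the MAC embedded in `addr` if its interface identifier has the
    EUI-64 shape (ff:fe in the middle), otherwise None. A random or privacy
    identifier will not normally carry this marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ UL_BIT  # undo the U/L flip
    raw = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def oui(mac: str) -> str:
    """First 24 bits of a MAC: the vendor part the post proposes guessing."""
    return mac[:8]


def audit(addresses) -> Dict[str, Optional[str]]:
    """Map each address to its embedded MAC (EUI-64 hosts) or None."""
    return {a: eui64_mac(a) for a in addresses}


def years_to_scan(bits: int, addresses_per_second: float) -> float:
    """Time to exhaust a 2**bits search space at a fixed probe rate."""
    seconds = (2 ** bits) / addresses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    sample_mac = "00:1b:21:3c:4d:5e"  # constructed
    print("SLAAC address:", mac_to_slaac_address("2001:db8:1:2::/64", sample_mac))
    # Constructed inventory: one EUI-64 host, one random identifier, one manual.
    inventory = [
        "2001:db8:1:2:21b:21ff:fe3c:4d5e",
        "2001:db8:1:2:a1b2:c3d4:e5f6:7890",
        "2001:db8:1:2::10",
    ]
    for addr, mac in audit(inventory).items():
        if mac:
            print(f"{addr}: EUI-64 from {mac} (vendor OUI {oui(mac)})")
        else:
            print(f"{addr}: not EUI-64 derived")
    print(f"48 bits at 1024 addresses/s: {years_to_scan(48, 1024):.0f} years")
```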

Also worth considering: for those engineers who choose to allocate the 64 bits manually, many will use relatively small numbers for this purpose. The first 64 bits already uniquely identify the subnet, so there's no need for a large number.

So perhaps you would try a sequential scan of the lower bits, say 8 or 10 bits, scanning from 1 to 1000. Then try random numbers within sensible ranges for the vendor IDs you are using.

Now I'm not forgetting the first 64 bits, but I wouldn't suggest using scanning to find the content of these bits. It isn't that hard to find the IPv6 allocations that have been given out, but the best you will get is the first 48 bits.

Alternatively, there are many ways to collect this information. A fake website sent in a spam email could get people to deliver traffic to you, which would expose lots of useful information. Mostly this technique would be useful for internet-facing systems. Internal systems would be heavily protected by firewalls even without NAT.

So what do we have? If we can find the /48 allocation, then we have the 16 bits that make up the subnet number, plus, say, 32 bits of scanning for the lower 32 bits. How long will it take to scan a single /48 using these optimising methods?

We have a total of 48 bits to scan, which makes for a large number. If we scan 1024 addresses every second then it will still take over 8700 years to do a single IPv6 subnet. This is a long time in anyone's reckoning, but certainly a lot shorter than you might see in the media.

I think others could do a better job than I have, but it would still be a large task. If you're doing this internally and don't mind hammering your network, then you could get this down; Gigabit networks can do many more packets per second. Perhaps you could have better guesses for the subnet number?

I think it's still in the realm of the impractical, but if you were sufficiently motivated perhaps you might find a way to scan.

This, of course, is to scan a single IPv6 subnet!

I would imagine that perhaps in the IPv6 future, we will see slow persistent scanning develop for those that have the time. IPv6 scanning won't be for the casual players.