5.1.2. IPv4 vs. IPv6 and Secure Protocols
💡 First Principle: IP addressing and routing are the infrastructure that makes all network communication possible — and also the infrastructure that attackers exploit to redirect, intercept, or block that communication. The security properties of IP are weak by design: IP packets carry no authentication of the source address, enabling spoofing. Routing protocols are trusted between peers, enabling route injection. Understanding these architectural weaknesses explains why overlay security (TLS, IPsec) is necessary.
IPv4 addressing review:
| Class | Range | Default Mask | Typical Use |
|---|---|---|---|
| A | 1.0.0.0 – 126.255.255.255 (0.0.0.0/8 is reserved, 127.0.0.0/8 is loopback) | /8 (255.0.0.0) | Large organizations |
| B | 128.0.0.0 – 191.255.255.255 | /16 (255.255.0.0) | Medium organizations |
| C | 192.0.0.0 – 223.255.255.255 | /24 (255.255.255.0) | Small organizations |
| D | 224.0.0.0 – 239.255.255.255 | N/A | Multicast |
| E | 240.0.0.0 – 255.255.255.255 | N/A | Reserved/experimental (255.255.255.255 is the limited broadcast address) |
Private (RFC 1918) addresses — not routable on the internet:
- 10.0.0.0/8 (Class A private)
- 172.16.0.0/12 (Class B private: 172.16.0.0 – 172.31.255.255)
- 192.168.0.0/16 (Class C private)
CIDR (Classless Inter-Domain Routing): Modern addressing uses variable-length subnet masks (VLSM), not classful boundaries. The prefix length states how many leading bits are network bits, so the first octet no longer determines the mask (172.16.0.0/12 spans sixteen former Class B networks). /24 = 256 addresses; /25 = 128; /26 = 64; /27 = 32. Two addresses in each block (the network and broadcast addresses) are not assignable, so a /24 has 254 usable hosts, a /27 has 30.
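The subnet arithmetic above, as an added worked example (not from the original text) using Python's standard `ipaddress` module: it classifies addresses against the RFC 1918 blocks, counts usable hosts including the /31 point-to-point special case (RFC 3021, two usable addresses), and carves a /24 into VLSM /26s. The sample addresses are constructed.

```python
import ipaddress

# The three RFC 1918 private blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC 1918 blocks.

    Note the CIDR boundary: 172.31.255.255 is private, 172.32.0.0 is not,
    even though both sit in the old Class B range.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def usable_hosts(cidr: str) -> int:
    """Assignable host addresses in an IPv4 prefix.

    /31 (RFC 3021 point-to-point links) uses both addresses, /32 is a
    single host; every shorter prefix loses the network and broadcast
    addresses.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def split_vlsm(cidr: str, new_prefix: int) -> list:
    """Carve a prefix into equal subnets of length new_prefix (VLSM)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def summarize(cidr: str) -> dict:
    """Network, broadcast, mask and first/last usable host for a prefix.

    strict=False lets you pass a host address with its mask (e.g. the
    address printed by `ip addr`) and get back the containing network.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen < 31:
        first, last = net.network_address + 1, net.broadcast_address - 1
    else:
        first, last = net.network_address, net.broadcast_address
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "usable": usable_hosts(cidr),
        "first_host": str(first),
        "last_host": str(last),
    }


if __name__ == "__main__":
    for a in ("10.255.0.1", "172.31.255.255", "172.32.0.0", "8.8.8.8"):
        print(f"{a:>16}  private={is_rfc1918(a)}")
    print(summarize("192.168.1.130/26"))
    print(split_vlsm("192.168.1.0/24", 26))
```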
IPv6 security implications:
| Feature | IPv4 | IPv6 | Security Note |
|---|---|---|---|
| Address space | 32-bit (~4.3 billion) | 128-bit (~340 undecillion) | Brute-force scanning a /64 is impractical, so attackers enumerate hosts from DNS, NDP caches and predictable address patterns instead; the huge interface-ID space is also what makes randomized temporary (privacy) addresses workable |
| IPsec | Optional add-on | Mandatory to implement in the original spec (relaxed to SHOULD in RFC 6434), never mandatory to use | Built-in support does not mean traffic is protected; IPsec still has to be configured and keyed |
| NAT | Widely deployed | Not needed for address conservation | NAT acted as an accidental security boundary for many networks; with globally routable hosts the boundary must be an explicit stateful firewall policy |
| Autoconfiguration | DHCP | SLAAC (Stateless Address Auto-Config), optionally DHCPv6 | EUI-64 SLAAC embeds the interface MAC in the address (host tracking across networks, vendor fingerprinting); privacy extensions (RFC 4941) randomize the interface ID |
| ARP | ARP (Layer 2 broadcast) | NDP (Neighbor Discovery Protocol, ICMPv6 multicast) | NDP has its own spoofing attacks (rogue Router Advertisements, Neighbor Advertisement spoofing); mitigations are RA Guard (RFC 6105) and SEND (RFC 3971) |
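The SLAAC address-leak noted in the table, as an added example (not part of the original page): the RFC 4291 EUI-64 derivation inserts `ff:fe` into the middle of the MAC and flips the universal/local bit, which means anyone who sees the address can read the MAC back out. The second function does exactly that, returning `None` for addresses without the `ff:fe` marker (what a privacy-extension address normally looks like). The prefix `2001:db8:1::/64` is the RFC 3849 documentation range and the MAC and privacy address are constructed.

```python
import ipaddress


def mac_to_eui64_address(prefix: str, mac: str) -> str:
    """Build the SLAAC address an EUI-64 host derives from its MAC.

    RFC 4291 Appendix A: split the 48-bit MAC in two, insert 0xFFFE in the
    middle, and flip the universal/local bit (0x02 in the first octet).
    """
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must be six octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    addr = ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))
    return str(addr)


def eui64_mac(addr: str):
    """Recover the MAC from an EUI-64 SLAAC address.

    Returns None when the interface ID lacks the ff:fe marker, which is what
    a privacy-extension (randomized) address looks like. This is the check a
    defender runs over observed addresses to spot hosts leaking hardware IDs.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local flip
    mac_bytes = iid[:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac_bytes)


if __name__ == "__main__":
    # Constructed MAC and a constructed privacy-style address.
    slaac = mac_to_eui64_address("2001:db8:1::/64", "00:1a:2b:3c:4d:5e")
    print(slaac, "->", eui64_mac(slaac))
    print("2001:db8:1::8d3f:1a2c:9b44:7e10", "->",
          eui64_mac("2001:db8:1::8d3f:1a2c:9b44:7e10"))
```

The leaked MAC is stable across every network the host joins, which is what makes it a tracking identifier; the randomized interface ID changes per prefix and over time.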
IPv6 transition threats: Dual-stack systems (running both IPv4 and IPv6) often have mature IPv4 security controls but incomplete IPv6 controls. Most modern operating systems enable IPv6 by default, so a host on a nominally IPv4-only network will accept an IPv6 Router Advertisement and start using IPv6; if the firewalls, IDS and logging inspect only IPv4, that traffic is invisible, and attackers use it to bypass IPv4-only monitoring and filtering. Either filter and monitor IPv6 to the same standard as IPv4 or explicitly disable it where it is not used.
Routing protocol security:
| Protocol | Type | Security Risk | Mitigation |
|---|---|---|---|
| RIP v1 | Distance vector | No authentication; accepts any route update from anyone on the segment | Replace with RIPv2 or migrate to OSPF |
| RIP v2 | Distance vector | Plaintext or keyed-MD5 authentication available (RFC 2082) but off by default | Enable MD5 authentication; still consider replacing |
| OSPF | Link state | OSPFv2 supports plaintext, MD5 and SHA (RFC 5709) authentication; OSPFv3 relies on IPsec (RFC 4552) or its own authentication trailer (RFC 7166) | Enable authentication on every interface; keep interfaces with no legitimate neighbors passive; validate neighbor relationships |
| BGP | Path vector | The TCP session can be authenticated (TCP MD5, RFC 2385; TCP-AO, RFC 5925) but the routes themselves carry no proof of authority: any peer can originate any prefix, enabling hijacking and route leaks | RPKI Route Origin Validation (ROAs) to drop announcements with the wrong origin AS or an over-specific prefix; BGPsec (RFC 8205) for path validation; TCP-AO or MD5 on sessions; prefix filters and max-prefix limits on peers |
BGP hijacking is one of the most significant internet-scale attack vectors. Because routers forward on the longest matching prefix (longer prefix = more specific = preferred), an attacker who announces more specific routes for a legitimate block pulls that traffic through their own infrastructure no matter how many networks still carry the legitimate, shorter announcement. Notable incidents include the YouTube outage caused by Pakistan Telecom announcing a more specific YouTube prefix (2008) and the hijack of Amazon Route 53 DNS address space used to steal cryptocurrency from MyEtherWallet users (2018). RPKI (Resource Public Key Infrastructure) lets address holders publish signed Route Origin Authorizations (ROAs) stating which AS may originate a prefix and up to what prefix length; routers performing Route Origin Validation (ROV) can then reject announcements that fail. Two caveats: ROV only helps on networks that actually drop invalid routes, and it validates the origin AS alone, not the path, so an attacker who forges the legitimate origin AS at the end of their AS path is not caught (that gap is what BGPsec path validation addresses). Adoption of both remains incomplete.
⚠️ Exam Trap: IP spoofing (forging the source IP address in packets) is trivially possible because IP has no source authentication; the header checksum only catches accidental corruption and anyone can recompute it. However, replies to spoofed packets go to the spoofed address, not the attacker. This limits spoofing to situations where the attacker does not need the reply: reflection/amplification DDoS (requests sent with the victim's address so the replies flood the victim), SYN floods and other one-way DoS. Hijacking a TCP session blind requires guessing the 32-bit sequence number the target returns in its SYN-ACK; that was feasible against the predictable initial sequence numbers of early stacks but is impractical against randomized ISNs (RFC 6528), so in practice TCP spoofing needs an on-path (MITM) position. The network-level defence is ingress filtering (BCP 38 / RFC 2827): drop packets whose source address could not legitimately have arrived on that interface.
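The "no source authentication" point, as an added example that is not part of the original text: an IPv4 header is twenty bytes built with `struct`, the source address is whatever the builder writes into bytes 12 to 15, and the only check a receiver performs is the RFC 1071 one's-complement checksum, which the forger computes like everyone else. Addresses are from the RFC 5737 documentation ranges and are constructed; the code only builds and parses bytes, it does not transmit them (that would need a raw socket and CAP_NET_RAW).

```python
import socket
import struct

# Header layout used by both pack and unpack (RFC 791, no options):
# version/IHL, TOS, total length, identification, flags/fragment offset,
# TTL, protocol, header checksum, source address, destination address.
IPV4_FMT = "!BBHHHBBH4s4s"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.

    Over a header whose checksum field is already filled in correctly this
    returns 0, which is the receiver-side verification.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Return a valid 20-byte IPv4 header.

    `src` is copied in verbatim: nothing in the format ties it to the host
    that actually emits the packet, which is why spoofing is trivial.
    """
    ver_ihl = (4 << 4) | 5          # version 4, five 32-bit words
    total_len = 20 + payload_len
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, total_len, ident, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = checksum(hdr)            # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Decode a header and verify its checksum, exactly as a receiver does.

    A bad checksum means corruption in transit. A good checksum says nothing
    about whether the source address is genuine.
    """
    (ver_ihl, _tos, total_len, ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, hdr[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,
        "total_len": total_len,
        "ident": ident,
        "ttl": ttl,
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": checksum(hdr[:20]) == 0,
    }


if __name__ == "__main__":
    # Constructed: a UDP (proto 17) header with an 8-byte payload from a
    # documentation address, then the same header with a forged source.
    genuine = build_ipv4_header("203.0.113.9", "198.51.100.53", 17, 8)
    forged = build_ipv4_header("192.0.2.77", "198.51.100.53", 17, 8)
    print(parse_ipv4_header(genuine))
    print(parse_ipv4_header(forged))   # checksum_ok is True here too
```

Flipping a single source byte without recomputing the checksum is detected as corruption, but rebuilding the header with any source you like produces a packet that verifies perfectly, which is why the defence has to live in the network (BCP 38 ingress filtering) rather than in the packet.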
Reflection Question: A BGP route for 8.8.8.0/24 (Google DNS) is normally announced by Google's AS. An attacker announces 8.8.8.0/25 and 8.8.8.128/25 (two more specific /25 prefixes covering the same space). What happens to traffic destined for 8.8.8.8, why does this work, and what cryptographic mechanism does RPKI use to prevent it?
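The hijack mechanics from the two paragraphs above, as an added simulation that is not part of the original page: a route table with Google's `8.8.8.0/24` next to the attacker's two /25s, longest-prefix selection showing the /25s win, and RFC 6811 Route Origin Validation against a ROA that restores the legitimate route once invalid announcements are dropped. AS15169 is Google's well-known ASN; AS64496 is an RFC 5398 documentation ASN standing in for the attacker; the ROA's maxLength of 24 is an assumption for the example, and the whole table is constructed, not a live BGP feed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int
    source: str      # constructed label for who announced it


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int  # longest prefix the origin AS may announce under this ROA
    origin_as: int


# Constructed scenario mirroring the reflection question.
ROAS = [ROA("8.8.8.0/24", 24, 15169)]
LEGIT = Route("8.8.8.0/24", 15169, "google")
HIJACK = [Route("8.8.8.0/25", 64496, "attacker"),
          Route("8.8.8.128/25", 64496, "attacker")]


def rov_state(route: Route, roas: list) -> str:
    """RFC 6811 origin validation: valid / invalid / not-found.

    A route is valid if some covering ROA names its origin AS and its prefix
    is no longer than that ROA's maxLength; invalid if ROAs cover it but none
    match; not-found if no ROA covers the prefix at all.
    """
    net = ipaddress.ip_network(route.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_as == route.origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def best_route(dst: str, routes: list):
    """Longest-prefix match: the most specific covering prefix wins.

    Ties between equal-length prefixes are left to BGP path selection,
    which this simulation does not model.
    """
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def forward(dst: str, routes: list, roas: list = None, drop_invalid: bool = False):
    """Select the route for dst, optionally discarding ROV-invalid routes first."""
    if drop_invalid:
        routes = [r for r in routes if rov_state(r, roas or []) != "invalid"]
    return best_route(dst, routes)


if __name__ == "__main__":
    table = [LEGIT] + HIJACK
    for r in table:
        print(f"{r.prefix:>14} AS{r.origin_as} {r.source:<9} rov={rov_state(r, ROAS)}")
    print("no ROV  ->", forward("8.8.8.8", table))
    print("with ROV->", forward("8.8.8.8", table, ROAS, drop_invalid=True))
```

Two details worth seeing in the output: the attacker's /25s fail ROV for two independent reasons (wrong origin AS and a prefix longer than maxLength), so even a hijacker who forges AS15169 as origin is rejected as long as they need the more-specific prefix to win; but a forged-origin announcement of the exact `/24` validates, because ROV checks origin, not path, which is the gap BGPsec addresses.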