When Cellular Networks Met IPv6: Security Problems of Middleboxes in IPv6 Cellular Networks

Title: When Cellular Networks Met IPv6: Security Problems of Middleboxes in IPv6 Cellular Networks
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Hong, H., Choi, H., Kim, D., Kim, H., Hong, B., Noh, J., Kim, Y.
Conference Name: 2017 IEEE European Symposium on Security and Privacy (EuroS&P)
Keywords: active NAT mappings, backward compatibility, cellular devices, cellular middleboxes, cellular network, Cellular networks, cellular operators, cellular radio, Collaboration, composability, denial-of-service attacks, firewalls, IP address, IP networks, IP-based blacklisting, IPv4 address, IPv4 services, IPv6, IPv6 address, IPv6 cellular networks, IPv6 middlebox, ipv6 security, Logic gates, Metrics, Middlebox, middlebox security problems, Middleboxes, Mobile handsets, NAT bricking attack, NAT overflow attack, NAT resources, NAT wiping attack, over-billing attacks, pubcrawl, Resiliency, security, stateful NAT64 boxes, TCP sequence number verification, telecommunication services

Recently, cellular operators have started migrating to IPv6 in response to the increasing demand for IP addresses. With the introduction of IPv6, cellular middleboxes, such as firewalls for preventing malicious traffic from the Internet and stateful NAT64 boxes for providing backward compatibility with legacy IPv4 services, have become crucial to maintain stability of cellular networks. This paper presents security problems of the currently deployed IPv6 middleboxes of five major operators. To this end, we first investigate several key features of the current IPv6 deployment that can harm the safety of a cellular network as well as its customers. These features combined with the currently deployed IPv6 middlebox allow an adversary to launch six different attacks. First, firewalls in IPv6 cellular networks fail to block incoming packets properly. Thus, an adversary could fingerprint cellular devices with scanning, and further, she could launch denial-of-service or over-billing attacks. Second, vulnerabilities in the stateful NAT64 box, a middlebox that maps an IPv6 address to an IPv4 address (and vice versa), allow an adversary to launch three different attacks: 1) NAT overflow attack that allows an adversary to overflow the NAT resources, 2) NAT wiping attack that removes active NAT mappings by exploiting the lack of TCP sequence number verification of firewalls, and 3) NAT bricking attack that targets services adopting IP-based blacklisting by preventing the shared external IPv4 address from accessing the service. We confirmed the feasibility of these attacks with an empirical analysis. We also propose effective countermeasures for each attack.

Citation Key: hong_when_2017