IPv6 was designed to solve the limited address space of IPv4 and includes built-in security features that provide authentication, data confidentiality and integrity. However, it does not address threats to service availability and security that arise from IPv6’s inherent vulnerabilities and weaknesses, which attackers can exploit.
World IPv6 Day (June 8, 2011) was a landmark for the Internet society. The day, also known as “Test Drive Day,” was an event sponsored and organized by the Internet Society and several large content providers to test public IPv6 deployment. The goal: To prepare services for IPv6 and ensure a successful transition as IPv4 address space runs out.
I expected this day to pass successfully, with only a few operational issues that would probably be resolved that day. The question I got from people was whether the day was going to be the attackers’ day as well. My answer: Definitely not! Attackers will launch new attacks only once IPv6 usage becomes significant.
So what should you – an ecommerce site, or anyone else running a service over IPv6 – do before ramping up a new service layer? Here is what you should know about IPv6 threats:
1. Non-compliant security equipment
Most vendors today claim to have IPv6-ready security products. Are they? Many offer a special version that supports IPv6 or require a license to operate it. But even when IPv6 support is enabled, one needs to learn carefully how these products actually operate. For example:
- Firewalls may simply forward IPv6 traffic uninspected (instead of dropping it, as the non-IPv6 version used to)
- IPv6 traffic may bypass deep packet inspection engines, hardware components that may not support IPv6, allowing attacks to evade detection
- IPv6 headers are four times bigger than IPv4 headers, which may slow down traffic processing significantly
2. IPv6 is complex to administer
Have you ever seen an IPv6 address? Do you have the experience to configure firewall rules to allow or block IPv6 traffic? How do you treat IPv6 traffic tunneled over IPv4? Do you know that the Internet Control Message Protocol (ICMP) is now embedded into the IPv6 protocol? These are only a few of the questions that may determine a company’s ability to effectively protect its network servers.
3. IPv6 vulnerabilities
Managers of IPv6 networks must be aware of the protocol’s vulnerabilities. The designers of IPv6 understood the need for network security and included mandatory IPSec in the basic protocol definition. However, recent experience with network attacks has shown that IPSec does not address all vulnerabilities of an IPv6 network. Bugs, design flaws and protocol weaknesses are inherent to IPv6, which is by far more complex than IPv4. It will take time for application vendors to fix and patch IPv6 vulnerabilities; therefore, one needs an IPS vendor that not only supports IPv6 traffic forwarding but also includes a stateful signature set to patch IPv6-based systems.
4. IPv6 tunnels
IPv6 traffic can be tunneled over IPv4 using several types of tunnel (Teredo, 6to4, ISATAP). Attackers can exploit IPv6 tunnels to infiltrate cloaked attacks, knowing that tunneled IPv6 packets look like normal IPv4 traffic. One needs to verify explicitly with firewall and IPS vendors that they can perform Deep Packet Inspection (DPI) of IPv6 tunneled traffic to examine its contents. There is a large gap between IPSs and firewalls that merely “support IPv6” and those that really perform DPI of IPv6.
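To make the visibility gap above concrete, here is an added example (written for this page, not code from the original post or from any firewall or IPS vendor) of the minimum a packet inspector has to do before it can look inside tunneled IPv6: recognise the IPv4 carrier. The Python classifier below takes raw IPv4 packets and labels the ones that carry IPv6 inside, using protocol 41 encapsulation for 6to4 and ISATAP and UDP port 3544 for Teredo; it tells 6to4 from ISATAP by the inner source address (the 2002::/16 prefix versus the ::5efe: interface identifier). All packets are constructed inline from documentation address ranges, and checksums are left zero, so nothing is read from a live network.

```python
"""Detect IPv6 tunneled inside IPv4 (6to4 / ISATAP / Teredo). Added example;
all packets below are constructed inline, nothing is read from a live network."""
import ipaddress
import struct

IPPROTO_IPV6 = 41     # IPv6-in-IPv4 encapsulation (6to4, ISATAP, configured tunnels)
IPPROTO_UDP = 17
TEREDO_PORT = 3544    # UDP port used by Teredo servers and relays


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 packet (no options, checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header=59, payload=b""):
    """Minimal IPv6 packet; next header 59 means 'no next header'."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data):
    """UDP datagram with a zero checksum (acceptable for constructed samples)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt):
    """Return (protocol, payload) for a raw IPv4 packet, or None if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], pkt[ihl:]


def classify_inner_ipv6(inner):
    """Label an IPv6 packet found inside an IPv4 carrier by its source address."""
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    if src in ipaddress.IPv6Network("2002::/16"):        # 6to4 embeds the IPv4 in the prefix
        return "6to4"
    # ISATAP embeds the IPv4 in the interface identifier: ::0:5efe:a.b.c.d or ::200:5efe:...
    if src.packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "ISATAP"
    return "IPv6-in-IPv4"


def classify_tunnel(pkt):
    """Return '6to4', 'ISATAP', 'Teredo', 'IPv6-in-IPv4', or None for an IPv4 packet."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, payload = parsed
    if proto == IPPROTO_IPV6:
        return classify_inner_ipv6(payload)
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        # Teredo: UDP/3544 carrying an IPv6 packet, possibly preceded by an
        # authentication (0x0001) or origin (0x0000) indication.
        if TEREDO_PORT in (sport, dport) and data and (
                data[0] >> 4 == 6 or data[:2] in (b"\x00\x00", b"\x00\x01")):
            return "Teredo"
    return None


def scan(packets):
    """Classify a batch of IPv4 packets; one label (or None) per packet."""
    return [classify_tunnel(p) for p in packets]


# Constructed sample traffic using documentation address ranges.
SAMPLES = [
    build_ipv4(IPPROTO_IPV6, "192.0.2.4", "192.88.99.1",
               build_ipv6("2002:c000:204::1", "2001:db8::1")),              # 6to4
    build_ipv4(IPPROTO_IPV6, "192.168.1.1", "192.168.1.254",
               build_ipv6("fe80::5efe:c0a8:101", "fe80::5efe:c0a8:1fe")),   # ISATAP
    build_ipv4(IPPROTO_UDP, "192.0.2.4", "198.51.100.7",
               build_udp(40000, TEREDO_PORT,
                         build_ipv6("2001:0:c000:204:0:fffe:3fff:fdfb", "2001:db8::1"))),  # Teredo
    build_ipv4(IPPROTO_IPV6, "192.0.2.4", "198.51.100.7",
               build_ipv6("2001:db8::1", "2001:db8::2")),                   # configured tunnel
    build_ipv4(6, "192.0.2.4", "198.51.100.7", b"\x00" * 20),               # plain TCP, no tunnel
]

if __name__ == "__main__":
    for label in scan(SAMPLES):
        print(label)
```

A product that "supports IPv6" only in the sense of forwarding native IPv6 would see every one of these samples as ordinary IPv4; the labels are the point at which a real DPI engine has to decapsulate and hand the inner IPv6 packet to the same inspection it applies to native traffic.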
5. Rogue IPv6 devices
The stateless auto-configuration capabilities built into IPv6 allow an attacker to set up a rogue device that assigns IP addresses to all other devices on a network. Smart attackers can set up a rogue network device that acts as an IPv6 router to sniff, modify or drop traffic – without the system administrator even knowing about it.
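A rogue router announces itself through ICMPv6 Router Advertisements, so the scenario above can be detected on the wire by checking every advertisement against what the network is supposed to contain. The following Python example is added here and is not part of the original post: it parses Router Advertisement packets, extracts the advertising router's link-local address and the prefixes it announces, and reports anything that is not on a constructed allow-list of trusted routers and prefixes. The packets and the allow-list are constructed for the example; the parser assumes no IPv6 extension headers precede ICMPv6 and does not verify the ICMPv6 checksum.

```python
"""Flag Router Advertisements from routers or prefixes that are not on the allow-list.
Added example; the allow-list and the packets below are constructed for it."""
import ipaddress
import struct

IPPROTO_ICMPV6 = 58
ICMPV6_RA = 134          # Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861)

# Constructed allow-list: the legitimate router's link-local address and its prefix.
TRUSTED_ROUTERS = {"fe80::1"}
TRUSTED_PREFIXES = {"2001:db8:1::/64"}


def build_ra(src, prefix, lifetime=1800):
    """Constructed RA: IPv6 header + RA body + one Prefix Information option.
    Checksum is left zero; the parser below does not verify it."""
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    body += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0, net.network_address.packed)
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(body), IPPROTO_ICMPV6, 255,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address("ff02::1").packed)
    return hdr + body


def parse_ra(pkt):
    """Parse an IPv6 packet whose payload is an ICMPv6 RA (no extension headers assumed).
    Returns {'src', 'lifetime', 'prefixes'} or None if the packet is not an RA."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != IPPROTO_ICMPV6:
        return None
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    icmp = pkt[40:]
    if icmp[0] != ICMPV6_RA:
        return None
    # RA fixed part: type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer (16 bytes); options follow in 8-byte units.
    lifetime = struct.unpack("!BBHBBHII", icmp[:16])[5]
    prefixes = []
    pos = 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0:                     # zero-length option is malformed; stop
            break
        end = pos + olen * 8
        if end > len(icmp):               # truncated option; stop
            break
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = icmp[pos + 2]
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{plen}")
        pos = end
    return {"src": src, "lifetime": lifetime, "prefixes": prefixes}


def assess_ra(pkt):
    """Return a list of findings for an RA (empty list means it matches the allow-list),
    or None if the packet is not an RA."""
    ra = parse_ra(pkt)
    if ra is None:
        return None
    findings = []
    if ra["src"] not in TRUSTED_ROUTERS:
        findings.append("untrusted router source " + ra["src"])
    for p in ra["prefixes"]:
        if p not in TRUSTED_PREFIXES:
            findings.append("unexpected prefix " + p)
    return findings


# Constructed samples: the legitimate router, and a rogue host announcing itself as a router.
LEGIT_RA = build_ra("fe80::1", "2001:db8:1::/64")
ROGUE_RA = build_ra("fe80::dead:beef", "2001:db8:bad::/64")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, assess_ra(pkt) or "ok")
```

Fed with captured ICMPv6 traffic, this kind of check gives the administrator the alert the passage above says is missing; on managed switches the complementary control is RA Guard (RFC 6105), which blocks advertisements arriving on ports that are not supposed to carry a router.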
6. IPv6 encryption
Similar to SSL encryption, IPv6 includes a built-in encryption mechanism. While this encryption was designed to provide authentication and confidentiality for communications between clients and servers, it also enables attackers to use encrypted tunnels to deliver attacks directly to the server – bypassing inspection by firewalls and IPSs, which cannot inspect encrypted content.