4 IPv6 Security Fallacies

It's been a little more than a year since ISPs and Web companies organized World IPv6 Launch Day. Today, Akamai reports that the amount of IPv6 traffic on its content delivery platform has increased 250%, to about 10 billion requests per day.

Though that is still well behind IPv4 traffic, the momentum around IPv6 is growing. At the same time, certain misconceptions about the communication protocol continue to live on and impact its implementation and the security of enterprise networks.

After talking with security and networking experts, Network Computing has come up with a list of four popular IPv6 security fallacies.

1. IPv6 Defenses Aren't Required on IPv4-only Networks

The first misconception is related to IPv6 but actually has more to do with IPv4. Organizations with IPv4 networks may think that they aren't susceptible to IPv6-based attacks, but experts say that's not the case.

"IPv6 has been around for several years now, and most modern operating systems and mobile devices ship ready to work with IPv6 networks," says Ron Gula, CEO of Tenable Network Security. "This means if you run or have to audit an IPv4 network, there are systems on it just waiting to speak to you over IPv6. This creates an opportunity for exploitation by hackers and malware."

HD Moore, chief research officer at Rapid7, says every modern operating system--including Windows, Mac OS X, Ubuntu Linux, iOS and Android--enables IPv6 by default.

"The Windows Homegroup feature uses TCP over IPv6 exclusively for local network management. Every system with IPv6 enabled has a 'link-local' address that any other machine on the local network can communicate with. This allows an intruder with access to the local network--directly or through a compromised IPv4 system--to access and attack the IPv6 interfaces of other local machines."

With IPv6 uncontrolled but enabled, enterprises open themselves up to a multitude of possible attacks, says Johannes Ullrich, dean of research and a faculty member of the SANS Institute.

"Recently, I have been experimenting with a particular attack that could be a big problem for corporate systems using VPNs to connect from untrusted networks back to corporate resources," says Ullrich. "For example, an employee traveling may connect to a hotel wireless network and establish a VPN tunnel back to the corporate network. However, this VPN tunnel will only forward IPv4 traffic. An attacker could now set up an IPv6 router in the hotel network, assigning the host an IPv6 address and providing an IPv6 capable DNS server. This way, the attacker can prevent traffic from passing through the VPN and in turn, it can now be intercepted by the attacker."

2. IPv6 With Mandatory IPSec Is More Secure Than IPv4

A widely assumed benefit of IPv6 is IPSec support, but the reality is more nuanced. While IPv6 supports IPSec for transport encryption, notes Moore, actually using IPSec is not mandatory and it is not configured by default.

"IPSec requires extensive configuration to be properly secured, even when it has been enabled," Moore says.

3. IPv6 Prevents Man-In-The-Middle Attacks

Because IPv6 doesn't use the Address Resolution Protocol (ARP), it's often assumed that it prevents man-in-the-middle attacks. In fact, IPv6 uses ICMPv6 to implement the Neighbor Discovery Protocol, which replaces ARP for local address resolution. The Neighbor Discovery Protocol, notes Moore, is just as vulnerable to man-in-the-middle attacks as ARP--if not more so.

"A single compromised internal node can expose all local assets to the global IPv6 network through a simple route advertisement," he told Network Computing.

4. IPv6 Is Less Secure Than IPv4

While some IPv6 misconceptions revolve around its perceived security, some believe it's less secure than IPv4 due to a lack of NAT.

"Network Address Translation (RFC 1918) is a scheme that allows organizations to assign private, un-routable IPv4 addresses to many devices, which are then provided connectivity to the Internet via a limited number of public IPv4 addresses," says Brent Bandelgar, associate security consultant at Neohapsis.

"However, the private addressing is mistaken as a security feature and its omission is frequently cited as a reason not to deploy IPv6," he adds. "IPv6’s expanded address space solves the problem that NAT addressed. The real security in NAT deployments was provided by the accompanying usage of stateful inspection of inbound traffic. An organization should not be any more or less secure with IPv6 as opposed to NAT, as long as the appropriate access controls are in place."

