Network Computing is part of the Informa Tech Division of Informa PLC


Will IPv6 Make Us Unsafe?: Page 3 of 4

It's up to you to ensure that your systems are protected and your security personnel are educated. The best place to start identifying potential vulnerabilities is to understand key differences between IPv6 and IPv4 that affect security. Here are seven areas to know:

Neighbor Discovery Protocol: NDP is essential to the operation of IPv6. It replaces several functions performed by separate protocols under IPv4, such as router discovery and redirects, and enables new functions for IPv6. However, NDP also presents a range of exploits for an attacker who can gain local access to a subnet.

ICMPv6: The ICMP messaging protocol is a favorite vector for denial-of-service and CPU attacks, and guarding against ICMP message floods is a fundamental security best practice. But IPv6 is more dependent on ICMP than is IPv4, so simply blocking all ICMP messages at security checkpoints will break some IPv6 functions.

Fragmentation: Fragmentation attacks are another old favorite that might be given a new spin by IPv6. Unlike IPv4, IPv6 routers don't fragment packets. Instead, the spec requires the originating end system either to test the maximum transmission units along a path to a destination and fragment accordingly or to fragment all packets exceeding 1,280 bytes--the smallest MTU an IPv6 interface is allowed to support.

Extension Headers: IPv6 economizes its default header by eliminating optional fields. Instead, when an optional capability, such as fragmentation, source routing, encryption, or authentication, is required, an applicable extension header is inserted between the default IPv6 header and the packet payload. Unfortunately, attackers can abuse extension headers in a number of ways, as we discuss in our full report.

5 Key Considerations For IPv6 Security
Security involves more than firewalls and access control lists. Are all your IP systems ready for IPv6? How about your processes and people? Training is critical.

Some networking systems process IPv6 in software, while handling IPv4 in hardware. Can you say CPU depletion attacks?

Many modern operating systems enable IPv6 by default. Do you know where all instances of these operating systems reside?

IPv6 standards and code are new, and new code is buggy. There have been security holes found, and more will come to light as v6 systems are put into production. Monitor and patch.

Black hats are studying IPv6 closely, looking for new attack vectors. Your security team needs to do the same.

Flow Labels: The Flow Label field is the only field in the default IPv6 header that has no analogous function in the IPv4 header. It's intended to enable efficient processing of microflows for improved service classification, but mainstream network systems do not yet use it. An intentionally miswritten Flow Label value could create a covert channel.

Automatic Tunnels: Automatic tunneling mechanisms, such as 6to4 and Teredo, are supported by most host operating systems. They're used to create IPv6 connectivity over an IPv4-only network or segment, but they may also be used to create an unsecured channel, and most lack a means of authentication.

Large-Scale NAT: Also called Carrier-Grade NAT, or CGN, LSN isn't a part of the IPv6 specification, but it is often associated with IPv6 transitional architectures. LSN setups allow network operators to centralize their public IPv4 address pools, thus extending their useful lives by multiplexing more IPv4 flows to each address. These centralized NATs--often single points of failure for tens of thousands of end systems--represent attractive targets for CPU or address pool depletion attacks.
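
The NDP, ICMPv6, fragmentation and extension header points above can be combined into one filtering decision. The Python sketch below is an added example, not code from the article or its full report. The function names, the result labels (`permit`, `rate-limit`, `drop`, `unlisted`) and the sample packets are assumptions constructed for illustration; the hop-limit check for NDP follows RFC 4861 and the type handling loosely follows RFC 4890.

```python
import struct

EXT_HEADERS = {0, 43, 60}        # hop-by-hop, routing, destination options
FRAGMENT, ICMPV6 = 44, 58
ERRORS = {1, 2, 3, 4}            # unreachable, Packet Too Big, time exceeded, parameter problem
ECHO = {128, 129}                # echo request / reply
NDP = {133, 134, 135, 136, 137}  # RS, RA, NS, NA, Redirect

def icmpv6_type(pkt):
    """Walk the extension header chain; return (ICMPv6 type or None, hop limit)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, hop_limit, off = pkt[6], pkt[7], 40
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return None, hop_limit   # later fragment: no upper-layer header here
            size = 8                     # fragment header has a fixed size
        else:
            size = (pkt[off + 1] + 1) * 8  # length field counts 8-byte units after the first
        nxt, off = pkt[off], off + size
    if nxt != ICMPV6 or off >= len(pkt):
        return None, hop_limit
    return pkt[off], hop_limit

def decide(pkt, forwarding):
    """forwarding=True: checkpoint between subnets; False: filter on the local link."""
    typ, hop_limit = icmpv6_type(pkt)
    if typ is None:
        return "not-icmpv6"
    if typ in ERRORS:
        return "permit"       # type 2 carries the path MTU that end systems rely on
    if typ in ECHO:
        return "rate-limit"   # useful for diagnostics, but a flood vector
    if typ in NDP:            # link-scope only: receivers require hop limit 255
        return "permit" if not forwarding and hop_limit == 255 else "drop"
    return "unlisted"         # e.g. MLD: needs its own rule, not modelled here

def build(icmp_type, hop_limit=64, ext=b"", first_nh=ICMPV6):
    """Constructed sample packet: zeroed addresses, 8-byte ICMPv6 body."""
    payload = ext + bytes([icmp_type, 0, 0, 0, 0, 0, 0, 0])
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, hop_limit)
    return fixed + bytes(32) + payload

DSTOPT = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])  # destination options header holding one PadN
if __name__ == "__main__":
    print([decide(build(t, hl), False) for t, hl in [(2, 64), (128, 64), (134, 255), (134, 64)]])
```

A filter that inspects only the first Next Header value would miss the ICMPv6 message carried behind `DSTOPT`, which is why the decision is made after the chain has been walked.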