The Internet Engineering Task Force (IETF) has identified many security threats related to IPv6,the long-anticipated upgrade to the Internet’s main communications protocol.
Security concerns around IPv6 deployment are real, although the number of IPv6-based attacks remains small.
“Obviously, as the protocol gets adopted, we’re going to see more attacks,” says Greg Brown, senior director of McAfee’s Network Defense business unit. “Because IPv6 is not broadly deployed,we haven’t seen a lot of attacks.”
Nonetheless, the number of IPv6-based attacks is on the rise, experts say.
“We’re not seeing denial-of-service attacks on IPv6 because most of the targets that people want to attack aren’t IPv6,” says Jason Schiller, senior Internet network engineer, Global IP Network Engineering for the Public IP Network at Verizon Business. But Schiller says he is seeing “quite a bit” of botnet command and control traffic using IPv6.
Network White Paper – Available with free subscription:8 must-have features for today’s network demands
Schiller says most IPv6 security risks come from bugs in the code, protocol weaknesses and poor implementation by vendors. He says these risks are the result of the network industry not having as much familiarity with IPv6 as it does with IPv4, which has been around for 30 years.
“You turn on IPv6 and don’t realize that your firewall doesn’t process IPv6 traffic. It just passes it blindly through. Or you forget to set up filters,” Schiller explains. “People have to consciously go in and take all the security infrastructure that’s been created in IPv4 and mirror image it in IPv6.”
Here’s a list of the most common IPv6 threats that network vendors are hearing about from their enterprise customers:
1. Rogue IPv6 traffic
Organizations that aren’t running IPv6 and don’t plan to run it anytime soon, should use their firewalls to block IPv6 traffic from coming in and out of their networks. Most experts say this should be a temporary measure because an increasing amount of Internet traffic is IPv6-based, and organizations don’t want to limit access to customers or business partners around the world that will be using IPv6. “What customers need to do within their intrusion-prevention systems or within their firewalls is to explicitly look for IPv6 traffic and drop it,” says Tim LeMaster, director of systems engineering for Juniper’s Federal group.
2. IPv6 tunnels
Three types of IPv6 tunnels —Teredo, 6to4 and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) — allow IPv6 packets to be encapsulated inside IPv4 packets that can be sent through IPv4-enabled firewalls or network address translation devices. To a network manager, tunneled IPv6 packets look like normal IPv4 traffic. That’s why network managers need deep packet inspections systems that can peer into tunnels to examine what’s inside of them. Brown says you need to have firewalls and intrusion-prevention systems that “support IPv6 but they also need to support full inspection for the tunneling mode.” Brown says he’s seen “traditional IPv4 attacks” that take advantage of IPv6 tunneling to enter networks where tunneling traffic wasn’t being inspected.
3. Rogue IPv6 devices
The auto-configuration capabilities that are built into IPv6 allow an attacker to define a rogue device that assigns IP addresses to all the other devices on the network. “Someone could set up a rogue device like a router to assign IPv6 addresses on your network, and you wouldn’t even know it,” LeMaster says.
Eric Vyncke, a Cisco Distinguished Engineer, says a hacker can set up a rogue network device that is pretending to be an IPv6 router. “All the traffic can be diverted to the rogue router, which can do sniffing of traffic or modify traffic or drop traffic,” Vyncke says.
4. Type 0 routing header
This well-known IPv6 vulnerability creates the opportunity for denial-of-service attacks because it gives a hacker the ability to manipulate how traffic flows over the Internet. This feature of IPv6 allows you to specify in the header what route is used to forward traffic. A hacker could use this feature to saturate a particular part of the network, Brown says. “We haven’t seen this yet,” Brown said, adding that “this would be a targeted attack.”
5. Built-in ICMP and multicast
Unlike IPv4, IPv6 features built-in Internet Control Message Protocol (ICMP)
and multicast. These two types of network traffic are integral to how IPv6 works. With IPv4, network managers can block ICMP and multicast traffic to prevent attacks coming over these channels. But for IPv6, network managers will need to fine-tune the filters on their firewalls or routers to allow some ICMP and multicast traffic through. “You have to explicitly configure ICMP6 and multicast with IPv6,” Schiller says.