Yesterday’s 6th Slovenian IPv6 Summit was (as always) full of awesome presentations, this time coming straight from some of the IPv6 legends: check the ones from Eric Vyncke (and make sure you read his IPv6 Security book), Randy Bush and Mark Townsley. The epic moment, however, was the “I was getting bored” part of Eric’s presentation (starts around 0:50:00). This is (in a nutshell) what he did:
He was connected to a public WiFi hotspot and started an equivalent of radvd. In seconds, he had more than 50 IPv6 neighbors – everyone in the airport using the same public WiFi started using IPv6 after hearing an RA message from Eric.
By itself, that’s nothing new. We know a rogue IPv6 “router” can wreak havoc in your network (that’s why you should always enable RA guard in your switches) – that was one of the major concerns some people had before World IPv6 Day. However, at that moment Eric could easily do a man-in-the-middle attack on any IPv6 traffic – anything going to any dual-stack web server would be intercepted by his workstation.
To make matters worse, he could use DHCPv6 to advertise a DNS server address, start a fake DNS server (some hosts prefer IPv6 DNS over IPv4 DNS) and create fake dual-stack DNS replies to attract even more traffic. DNSSEC would prevent that (yeah, everyone is using that), as would SSL (you’re using Facebook and Twitter over SSL, aren’t you?), but he would still be able to do significant damage.
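If you want to spot this kind of rogue RA on a host or a monitoring port, here is an added example (my code, not anything from Eric’s presentation or from radvd) that decodes the Router Advertisement format from RFC 4861 and flags advertisements whose router MAC or prefix is outside an allowlist, or which set the M/O flags that steer hosts to DHCPv6. The sample RA bytes, the MAC, the prefix and the allowlists are constructed values, not taken from the summit demo.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861)
OPT_SRC_LLADDR = 1       # Source Link-Layer Address option
OPT_PREFIX_INFO = 3      # Prefix Information option

def parse_ra(payload: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (header + ND options) into a dict."""
    if len(payload) < 16 or payload[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags, router_lifetime = struct.unpack("!BH", payload[5:8])
    ra = {"router_lifetime": router_lifetime,
          "managed": bool(flags & 0x80),  # M: addresses via DHCPv6
          "other": bool(flags & 0x40),    # O: other config (e.g. DNS) via DHCPv6
          "prefixes": [], "src_mac": None}
    off = 16
    while off + 2 <= len(payload):  # options are TLVs, length in 8-octet units
        otype, olen = payload[off], payload[off + 1] * 8
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed ND option")
        body = payload[off:off + olen]
        if otype == OPT_SRC_LLADDR:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        off += olen
    return ra

def rogue_ra_findings(ra: dict, allowed_macs: set, allowed_prefixes: set) -> list:
    """Reasons to treat an RA as rogue (empty list means it matches the known router)."""
    findings = []
    if ra["src_mac"] not in allowed_macs:
        findings.append(f"unexpected router MAC {ra['src_mac']}")
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in allowed_prefixes]
    if ra["managed"] or ra["other"]:
        findings.append("RA steers hosts to DHCPv6 (M/O flag set)")
    return findings

# Constructed sample RA: unknown laptop, prefix 2001:db8:bad::/64, O flag set (radvd-style)
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x40, 1800, 0, 0)
    + bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex("0200c0ffee01")
    + struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:bad::").packed
)
KNOWN_ROUTER_MACS = {"00:11:22:33:44:55"}  # constructed allowlist for the real router
KNOWN_PREFIXES = {"2001:db8:1::/64"}

if __name__ == "__main__":
    for reason in rogue_ra_findings(parse_ra(SAMPLE_RA), KNOWN_ROUTER_MACS, KNOWN_PREFIXES):
        print("ROGUE RA:", reason)
```

On a real host you would feed it the ICMPv6 payload from a raw socket or a pcap and alert on any non-empty finding list.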
As I said, the man-in-the-middle attack using fake RA messages should be well known, but there are a few other security implications:
- Some IPsec clients don’t enforce split tunnel policy on both protocols. Even though your company’s policy requires your VPN client to send all Internet traffic to the central firewall/IDS, IPv6 traffic can bypass that (making you a perfect entry point into your company’s network);
- Unix-based operating systems usually have two different firewalls – iptables for IPv4 and ip6tables for IPv6. If someone gives you unexpected IPv6 connectivity, you might become wide open to the Internet at large unless you’ve configured ip6tables.
You might argue the situation is no better in the IPv4 world – a lot of hotspots are totally unprotected against ARP spoofing attacks, but at least some access points give you the option to configure DHCP guard and DHCP/ARP inspection. Since I have no wireless experience, here’s a question for the experts: how many access points support RA guard (assuming they even know what IPv6 is)? Please share your experience in the comments.