The Dangers of Ignoring IPv6

I was sitting next to a really nice security engineer during the fantastic dinner-in-a-wine-cellar @ Troopers 13 and as we started talking about security implications of ignoring IPv6, I was quickly able to persuade him that it's dangerous to pretend IPv6 doesn't exist and that even though you might choose not to deploy it, you still have to acknowledge it exists and take protective measures.

It’s always great fun to explain the dangers of ignoring IPv6 to a networking or security audience, and see some people muttering “oh, ****”

I was writing about this topic numerous times so I won't repeat the details. Here are a few of the blog posts you absolutely should read:

On top of all that, there are two additional scenarios that an intruder can use to gain unfiltered access to client's workstation:

  • When a Windows host with IPv4-only connectivity tries to connect to an IPv6-only server (a server with AAAA but no A records in its DNS entry), it creates an automatic Teredo tunnel (IPv6-over-UDP-over-IP). Making a malware-distributing server available only on IPv6 is thus a great way of bypassing HTTP filtering (assuming the client's network has permissive everything-going-out-is-allowed firewall policy). Conclusion: make sure you filter all IPv6 transition mechanisms at the borders of your network if you decide to stay an IPv4-only shop;
  • Some older VPN clients were IPv4-only. IPv4 traffic was encrypted and (based on VPN head-end security policy) sent through a central Internet exit point (where it was properly inspected and filtered), but if the client got local IPv6 connectivity (all it takes is an RA message sent by a "friendly" neighbor), it was able to reach the whole IPv6 Internet directly, including all IPv4 web sites if the “friendly” neighbor graciously supplied NAT64 and DNS64 services.

Conclusions: You might decide you don't want to bother with IPv6 deployment. I would disagree with your choice, but that's just my personal opinion and I know you have plenty of more important things to do. However, you cannot ignore IPv6 existence any more - you have to take active measures to protect your subnets (VLANs) and hosts against IPv6-specific attacks.

Finally, I don't think using the "disable IPv6 everywhere" approach would work - it reminds me too much of a whack-a-mole fight, particularly with BYOD devices … and don’t forget that Windows 2008 relies so heavily on IPv6 that some products (example: Direct Access) stop working if you disable IPv6, as one of the attendees quickly confirmed during the IPv6 session I ran @ Interop Las Vegas.

More information

IPv6 security webinar describes numerous IPv6-related security issues and countermeasures implemented in Cisco IOS (thanks to guest star Eric Vyncke).

1 comment:

  1. honestly ipv6 to a network engineer is like Communism to a Marxist. It would come in such a distant future that it would be in a form we can barely picture accurately. Would NAT still be the norm? Will dual stack be the preferred way? Or encapsulation? History shows us that people are not willing to deal with headaches just to appease some Platonic ideal of elegant design. So my money is on NAT444, at least in the US.

    ReplyDelete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.