A blog post by Russ White pointed me to an article describing how IPv6 services tend to be less protected than IPv4 services. No surprise there, people like Eric Vyncke and I were telling anyone who was willing to listen that operating two-protocol networks isn’t the same thing as operating a single-protocol one (see also RFC 1925 rule 4).
I always had great fun explaining the potential security implications, and actually had someone walking out of a presentation with a deeply concerned look on his face once.
However, I disagree with Russ’ conclusions that the problem observed in that article is caused by too many features in the network operating systems. While most networking devices do have a severe case of featuritis, the root cause of the lack of IPv6 security is way simpler: ignorance (invoking Hanlon’s razor) of product managers and programmers working for major networking companies.
Just to give you a simple example: assume you control access to your Cisco IOS routers with VTY ACLs. If you enable IPv6 on those devices anyone can access them over IPv6… until you configure ipv6 access-class to protect them on the IPv6 side. Even worse, the last time I checked you still couldn’t restrict IPv6 access to the web server running on Cisco IOS. No comment, let Captain Picard have the last word.
Linux is no better. There’s iptables and ip6tables. If your servers magically acquire IPv6 addresses you might be toast. One of the few systems that works correctly and tries to offer the same default security on IPv4 and IPv6 is Windows.
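As an added example (not part of the original post), here is a small shell audit that makes the iptables/ip6tables gap visible on a Linux host: it parses `iptables-save` and `ip6tables-save` output and flags filter chains that drop by default on IPv4 but accept (or don't exist) on IPv6. The two rule sets below are constructed samples; on a real host you would feed it the live `iptables-save` / `ip6tables-save` output instead.

```shell
#!/bin/sh
# Added example, not code from the original post. Compares the default chain
# policies of the IPv4 (iptables) and IPv6 (ip6tables) filter tables, so a host
# that quietly acquired IPv6 addresses is not "deny by default" on IPv4 only.

# Print "CHAIN POLICY" for every built-in chain of the filter table in a *-save file.
chain_policies() {
    awk '/^\*/ { table = substr($0, 2) }
         /^:/ && table == "filter" { sub(/^:/, "", $1); print $1, $2 }' "$1"
}

# audit_dualstack V4FILE V6FILE: print "CHAIN V4POLICY V6POLICY" for every chain
# whose IPv4 policy is DROP but whose IPv6 policy is not; return 1 if any found.
audit_dualstack() {
    out=$(chain_policies "$1" | while read -r chain pol4; do
        pol6=$(chain_policies "$2" | awk -v c="$chain" '$1 == c { print $2 }')
        [ -z "$pol6" ] && pol6="MISSING"   # chain absent from the IPv6 table
        if [ "$pol4" = "DROP" ] && [ "$pol6" != "DROP" ]; then
            printf '%s %s %s\n' "$chain" "$pol4" "$pol6"
        fi
    done)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}
# Constructed sample rule sets: IPv4 locked down, IPv6 never configured.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/v4.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
cat > "$SAMPLE_DIR/v6.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
if audit_dualstack "$SAMPLE_DIR/v4.rules" "$SAMPLE_DIR/v6.rules"; then
    echo "OK: IPv6 filter policies are at least as strict as IPv4"
else
    echo "IPv6 filter is weaker than IPv4: add matching ip6tables rules"
fi
```

The check only compares default chain policies; a complete audit would also diff the per-chain rules, but a DROP/ACCEPT policy mismatch is the one that leaves a service wide open the moment a host gets a global IPv6 address.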
Microsoft having the most secure operating system? Are we in an alternate reality?
Would it be so hard to make things secure? Not really. In many cases it would be good enough to change the defaults from “permit access from anywhere” to “deny access unless told otherwise”, or at least to “permit access only from the inside network” (which wouldn’t solve the problem, but would still be much better than what we have today). Is anyone reminded of Windows home/work/public networks?
Finally, how can we blame application developers for their total security ignorance, if even the programming teams working for networking vendors can’t get it right?