The Dangers of Ignoring IPv6
I was sitting next to a really nice security engineer during the fantastic dinner-in-a-wine-cellar @ Troopers 13 and as we started talking about security implications of ignoring IPv6, I was quickly able to persuade him that it's dangerous to pretend IPv6 doesn't exist and that even though you might choose not to deploy it, you still have to acknowledge it exists and take protective measures.
It’s always great fun to explain the dangers of ignoring IPv6 to a networking or security audience, and see some people muttering “oh, ****”
I was writing about this topic numerous times so I won't repeat the details. Here are a few of the blog posts you absolutely should read:
- It's pretty easy to do traffic and DNS hijacking in IPv4-only world with no IPv6 RA Guard;
- There are other interesting hijacks you can do within a single layer-2 (bridged) domain;
- A few more examples of what can be done in IPv6-ignorant world;
On top of all that, there are two additional scenarios that an intruder can use to gain unfiltered access to client's workstation:
- When a Windows host with IPv4-only connectivity tries to connect to an IPv6-only server (a server with AAAA but no A records in its DNS entry), it creates an automatic Teredo tunnel (IPv6-over-UDP-over-IP). Making a malware-distributing server available only on IPv6 is thus a great way of bypassing HTTP filtering (assuming the client's network has permissive everything-going-out-is-allowed firewall policy). Conclusion: make sure you filter all IPv6 transition mechanisms at the borders of your network if you decide to stay an IPv4-only shop;
- Some older VPN clients were IPv4-only. IPv4 traffic was encrypted and (based on VPN head-end security policy) sent through a central Internet exit point (where it was properly inspected and filtered), but if the client got local IPv6 connectivity (all it takes is an RA message sent by a "friendly" neighbor), it was able to reach the whole IPv6 Internet directly, including all IPv4 web sites if the “friendly” neighbor graciously supplied NAT64 and DNS64 services.
Conclusions: You might decide you don't want to bother with IPv6 deployment. I would disagree with your choice, but that's just my personal opinion and I know you have plenty of more important things to do. However, you cannot ignore IPv6 existence any more - you have to take active measures to protect your subnets (VLANs) and hosts against IPv6-specific attacks.
Finally, I don't think using the "disable IPv6 everywhere" approach would work - it reminds me too much of a whack-a-mole fight, particularly with BYOD devices … and don’t forget that Windows 2008 relies so heavily on IPv6 that some products (example: Direct Access) stop working if you disable IPv6, as one of the attendees quickly confirmed during the IPv6 session I ran @ Interop Las Vegas.
More information
IPv6 security webinar describes numerous IPv6-related security issues and countermeasures implemented in Cisco IOS (thanks to guest star Eric Vyncke).
1 comments: