Rhino Security Labs


IPv6 Security: Myths in the Stack

IPv6, while not new, is still widely misunderstood among engineers across the globe. In addition to a vastly larger address space, IPv6 security differs from IPv4 in both subtle and drastic ways, and can be confusing for companies, users, and security vendors. However, from a security standpoint, IPv4 and IPv6 are very similar. Companies should not avoid implementing IPv6, but should ensure their engineers have proper training in the new version. Additionally, security devices should be audited and updated before making the deliberate decision to employ IPv6. Given the confusion and controversy surrounding IPv6 security, this blog post will attempt to dispel the most common security myths regarding IPv6.

Myth 1: "Man-in-the-Middle (MITM) isn't possible with IPv6"

Truth: ARP spoofing as a basis of MITM is no longer possible with IPv6, since ARP is not a protocol implemented in v6. However, taking its place is the Neighbor Discovery (ND) Protocol, which is subject to its own brand of MITM attacks. While this blog post is an overview of IPv6 security essentials, Man-in-the-Middle attacks and other IPv6 vulnerabilities could be a post in themselves (and will be soon).

Myth 2: "IPv6 Security enhancements (such as IPsec) make it safer than IPv4"

Truth: IPsec is an end-to-end security mechanism, providing authentication and encryption on the network layer. Although developed in conjunction with IPv6, deployment problems with IPsec resulted in it not being widely adopted in the new IP stack. Similarly, IPv4 has had an adopted version of IPsec that can be implemented for extra security. It is unlikely that the adoption of IPv6 across the globe will stimulate a widespread use of IPsec.

Saying IPv6 is safer than IPv4 is in itself a challenging claim. With the failure to make IPsec required with the implementation of IPv6, v6 and v4 have nearly identical encryption and authentication controls.

Myth 3: "IPv4 is more secure than IPv6 because of NAT"

Truth: The purpose of NAT is wildly misunderstood among engineers and managers alike. When implemented in IPv4, NAT was intended to be a temporary solution to the diminishing number of publicly-addressable addresses on the internet. With IPv6 and the (seemingly) limitless number of addresses it brings, NAT is no longer required.

For many, the thought of every endpoint being publicly accessible seems terrifying and unsafe. However, companies can (and should) emulate the security of NAT by implementing a firewall with stateful inspection of packets. A stateful firewall (http://en.wikipedia.org/wiki/Stateful_firewall) will only allow packets that are part of an active connection – internal systems are allowed to connect outbound, but not vice versa. Even if a hacker knows the IP address of your internal system, they would not be permitted to start an unsolicited connection.
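The stateful behaviour described above can be modelled in a few lines. This is an added illustration, not code from the original post; the internal prefix and all packets are constructed from the 2001:db8::/32 documentation range, and the ICMPv6 Packet Too Big exception is an addition that IPv6 needs for path MTU discovery.

```python
import ipaddress

# Assumed internal prefix, taken from the 2001:db8::/32 documentation range.
INTERNAL = ipaddress.ip_network("2001:db8:10::/48")
ICMPV6_PACKET_TOO_BIG = 2  # needed for path MTU discovery; routers do not fragment IPv6


class StatefulFilter:
    """Permit outbound flows and their replies; drop unsolicited inbound traffic."""

    def __init__(self, internal=INTERNAL):
        self.internal = internal
        self.flows = set()  # expected reply tuples: (src, dst, proto, sport, dport)

    def verdict(self, src, dst, proto, sport, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_in, dst_in = src in self.internal, dst in self.internal
        if src_in and not dst_in:
            # Outbound: allow it and remember the mirrored tuple for the reply.
            self.flows.add((dst, src, proto, dport, sport))
            return "accept"
        if dst_in and not src_in:
            if (src, dst, proto, sport, dport) in self.flows:
                return "accept"  # reply to a flow an internal host started
            if proto == "icmpv6" and sport == ICMPV6_PACKET_TOO_BIG:
                return "accept"  # simplified: real firewalls tie it to a flow
            return "drop"        # unsolicited, even though the address is routable
        return "drop"


def demo_verdicts():
    """Run a constructed packet sequence through the filter."""
    fw = StatefulFilter()
    host, web, outside = "2001:db8:10::5", "2001:db8:ffff::80", "2001:db8:bad::1"
    packets = [
        (host, web, "tcp", 51000, 443),     # internal host opens HTTPS
        (web, host, "tcp", 443, 51000),     # server reply
        (outside, host, "tcp", 40000, 22),  # unsolicited SSH attempt
        (web, host, "tcp", 443, 22),        # known peer, but no matching flow
        (outside, host, "icmpv6", 2, 0),    # Packet Too Big (type in the sport slot)
    ]
    return [fw.verdict(*p) for p in packets]
```
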

Myth 4: "I'm not using IPv6"

Truth: This is one of the most dangerous security myths regarding IPv6. Today, nearly every modern operating system ships with IPv6 enabled by default. In fact, certain Windows enterprise applications (including Exchange 2013) fail to work when IPv6 is disabled. However, any security devices 10+ years old may not support v6 traffic and cause issues in the transition. Companies should verify that their firewalls and other devices properly filter IPv6 traffic, and consult with their vendors on configurations specific to the new protocols. Similarly, IPv6 penetration testing is recommended to test these new security controls and highlight new vulnerabilities.

IPv6 tunnels (such as ISATAP, 6to4, and Teredo) are also enabled by default on Windows systems and allow IPv6 packets through IPv4 routers. For better or worse, this enables NAT’d hosts to be accessible globally through IPv6, often without the knowledge of network administrators.
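One way to find such tunnels in an address inventory is to recognise the address formats the three mechanisms use. The following is an added example, not part of the original post; the host names and addresses are constructed from documentation ranges, and the inventory format (one "host address" pair per line) is an assumption.

```python
import ipaddress

ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)  # upper 32 bits of the interface ID


def classify(addr):
    """Return (kind, embedded_ipv4) for one IPv6 address string."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any zone ID (%eth0)
    if ip.teredo is not None:           # 2001::/32
        _server, client = ip.teredo
        return "teredo", str(client)    # client's public IPv4, de-obfuscated
    if ip.sixtofour is not None:        # 2002::/16
        return "6to4", str(ip.sixtofour)
    iid = int(ip) & 0xFFFFFFFFFFFFFFFF  # low 64 bits: interface identifier
    if (iid >> 32) in ISATAP_MARKERS:
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return ("link-local" if ip.is_link_local else "native"), None


def find_tunnels(inventory):
    """inventory: lines of '<host> <ipv6-address>'; return only tunnel findings."""
    findings = []
    for line in inventory.strip().splitlines():
        host, addr = line.split()
        kind, v4 = classify(addr)
        if v4 is not None:  # only tunnel formats carry an embedded IPv4 address
            findings.append((host, kind, v4))
    return findings


# Constructed inventory; every address uses a documentation range.
SAMPLE = """
ws-014 fe80::1c2a:3bff:fe4d:5e6f%eth0
ws-014 2001:0:c000:201:0:63bf:34ff:8ef6
ws-022 2002:c000:204::1
srv-03 fe80::5efe:c000:205
srv-07 2001:db8:10::7
"""

if __name__ == "__main__":
    for finding in find_tunnels(SAMPLE):
        print(*finding)
```

The embedded IPv4 address in each finding identifies which IPv4 host or NAT the tunnel rides on, which is where filtering has to be applied.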

Myth 5: "Hackers aren't using IPv6"

Truth: While many companies haven’t made the (conscious) transition to dual-stack networks yet, hackers have embraced IPv6 in part because of the confusion and controversy. Popular security tools such as Nmap, Metasploit, and THC already support IPv6 scanning and exploitation. Penetration testing companies should support IPv6 testing for the same reason – even a system that is hardened against IPv4 attacks can be vulnerable on IPv6.

Despite this commentary, don’t get me wrong – IPv6 is not a vulnerability in itself. However, it can be a dangerous blind spot for companies not prepared or trained in its security repercussions. Eventually IPv6 will be commonplace, and any company left unprepared will find itself struggling to keep up with new network and security updates. Firewalls, intrusion detection systems, and other appliances should be tested for compatibility with IPv6, and receive thorough security auditing for IPv6 vulnerabilities. Without this security oversight for the new stack changes, organizations may find themselves unprepared for the flurry of IPv6-specific attacks ahead.