IPv6 security


David Jacobs
07.27.2005


The basic IPv6 protocols have been complete for several years, but as IPv6 has begun to be deployed widely, its vulnerabilities have become visible. IPv6 deployment raises security issues both for those not yet managing IPv6 networks and for those who are. Network attackers have successfully used IPv6 to evade the defenses erected against undesired network traffic. It is therefore crucial for managers to understand the types of attack that IPv6 makes possible against an IPv4 network and to be prepared to defend against them.

Managers of IPv6 networks must also be aware of the protocol's vulnerabilities. The designers of IPv6 understood the need for network security and included mandatory IPSec in the basic protocol definition. However, recent experience with network attacks has shown that IPSec does not address all of the vulnerabilities of an IPv6 network.

IPv6 Attacks on IPv4 Networks
Hackers take advantage of the built-in IPv6 support now available on Windows, Linux, Unix and other systems to use IPv6 to attack IPv4 networks. Many network scanning and intrusion detection tools do not detect IPv6 packets, so hackers can use IPv6 to evade detection. Network managers must upgrade their tools and become familiar with how to use them to detect unwanted IPv6 packets.

Hackers have been able to gain control of systems through the use of a virus or spyware. Once in control, the hacker can use the autoconfiguration facilities in IPv6 to acquire an IPv6 address. The hacker then uses the compromised system to communicate through the IPv4 Internet using one of the techniques for transporting IPv6 packets inside IPv4 packets.

IPv6 nodes can autoconfigure an address based on a network interface MAC address. [See IPv6 Addresses for more information.] Addresses can also be allocated via DHCPv6. IPv6 routers are configured to specify which technique nodes are to use to acquire addresses. Bits in router advertisement messages inform nodes whether to autoconfigure or to use DHCP. An intruder who can gain control of a system capable of acting as an IPv6 router can request nodes to autoconfigure and can then supply a network prefix to the node.
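An added example, not part of the original article: a Python check that parses a Router Advertisement, reads the bits that tell nodes whether to autoconfigure or use DHCP, and reports advertisements from an unexpected router or carrying an unexpected prefix. The router address, the expected prefix and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Assumptions (constructed): the routers you operate and the prefix they announce.
KNOWN_ROUTERS = {ipaddress.ip_address("fe80::1")}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134, RFC 4861)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"managed": bool(flags & 0x80),  # M bit: addresses come from DHCPv6
          "other": bool(flags & 0x40),    # O bit: other settings come from DHCPv6
          "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags = icmp6[off + 2], icmp6[off + 3]
            net = ipaddress.IPv6Network((icmp6[off + 16:off + 32], plen), strict=False)
            # A bit set: nodes may autoconfigure an address from this prefix
            ra["prefixes"].append({"prefix": net, "autonomous": bool(pflags & 0x40)})
        off += opt_len
    return ra

def audit_ra(src: str, icmp6: bytes, expected=EXPECTED_PREFIXES) -> list:
    """Return findings for an RA that does not match the known routers or prefixes."""
    ra = parse_ra(icmp6)
    findings = []
    if ipaddress.ip_address(src) not in KNOWN_ROUTERS:
        findings.append("RA from unknown router " + src)
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"] not in expected:
            findings.append("unexpected SLAAC prefix " + str(p["prefix"]))
    return findings

def sample_ra(prefix: str, flags: int = 0x00) -> bytes:
    """Constructed RA for the demo (checksum left at 0; it is not verified here)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    for finding in audit_ra("fe80::bad", sample_ra("2001:db8:bad::")):
        print(finding)
```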

Windows Servers since 2003 include support for 6to4 tunneling. The system accepts an IPv6 packet, adds IPv4 headers and sends it over the IPv4 Internet to a gateway system. The gateway system removes the IPv4 headers and forwards the packet based on the IPv6 address. Packets sent in this way are difficult to detect and difficult to trace. Tunneling uses protocol 41, so firewalls must be configured to block this protocol unless 6to4 tunnels are desired. If tunneling is desired, it should be confined to well-controlled systems, with firewalls configured to block tunnel packets from any other system.

The Teredo protocol provides another way to forward IPv6 packets through the IPv4 Internet. As in 6to4 tunnels, Teredo adds an IPv4 header to the IPv6 packet, but it first inserts the IPv6 packet into a UDP packet. Most NAT implementations will not recognize protocol 41 and will not forward 6to4 tunnel packets, but most will forward any UDP packet, so Teredo packets can pass through NAT. Windows systems, including Windows XP, include Teredo support, so managers must scan for Teredo packets to ensure that no system has been compromised and is generating them.
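An added example, not part of the original article: a Python classifier for the two tunnel types described above, labelling protocol 41 packets by whether an approved tunnel host is involved and flagging Teredo inside UDP. The Teredo port 3544 and prefix 2001::/32 come from RFC 4380 rather than from this article; the approved host list and the packet-building helpers are constructed assumptions.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                                 # Teredo server port, RFC 4380
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo address prefix, RFC 4380
# Assumption (constructed): the only hosts allowed to terminate 6to4 tunnels.
APPROVED_TUNNEL_HOSTS = {ipaddress.ip_address("192.0.2.10")}

def inner_is_ipv6(data: bytes) -> bool:
    """True if data starts with a full IPv6 header (version nibble 6)."""
    return len(data) >= 40 and data[0] >> 4 == 6

def classify(pkt: bytes):
    """Return (src, dst, label) when an IPv4 packet carries IPv6, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    proto, body = pkt[9], pkt[ihl:]
    if proto == 41 and inner_is_ipv6(body):
        ok = src in APPROVED_TUNNEL_HOSTS or dst in APPROVED_TUNNEL_HOSTS
        return (str(src), str(dst), "proto41-approved" if ok else "proto41-unapproved")
    if proto == 17 and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        # Inner IPv6 source (bytes 8-23) or destination (24-39) in the Teredo prefix
        teredo_addr = inner_is_ipv6(data) and any(
            ipaddress.ip_address(data[i:i + 16]) in TEREDO_PREFIX for i in (8, 24))
        if TEREDO_PORT in (sport, dport) or teredo_addr:
            return (str(src), str(dst), "teredo")
    return None

def ipv4(src: str, dst: str, proto: int, body: bytes) -> bytes:
    """Build a constructed sample packet (checksum 0; it is not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + body

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def ipv6_header(src: str, dst: str) -> bytes:
    return (bytes([0x60, 0, 0, 0, 0, 0, 59, 64])
            + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
```

Teredo packets that carry extra headers in front of the IPv6 packet are caught only by the port check, so the prefix test is a supplement for traffic that does not use port 3544.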

IPv6 Network Security Issues
Managers of IPv6 networks must also be aware of IPv6's own vulnerabilities. IPSec is specified as part of the IPv6 protocol set. It can authenticate the identity of network endpoints and protect the contents of messages as they traverse the Internet, but it does not protect against all potential attackers. The keys required by IPSec can be configured manually or distributed through IKE, a key distribution protocol. Manual configuration is labor-intensive, and IKE requires a configured IP stack, so it cannot be used to protect the autoconfiguration process. It is therefore impossible to use IPSec to verify that router advertisements or redirects are coming from a legitimate router.

Although IKE standards have recently been modified to deal with problems revealed by early users, revised implementations are not widely available. Without a usable key distribution protocol, IPSec is difficult to manage. Its use is rare at the current time.

Much work is now underway in the Internet community to address security issues. Updated versions of protocols are becoming available. Network managers must become aware of these activities and of the dangers posed by IPv6 in order to protect IPv4 as well as IPv6 networks.


David B. Jacobs has more than twenty years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.


All Rights Reserved, Copyright 2000 - 2008, TechTarget