Planning a secure migration to IPv6

January 22, 2009, 1:00 AM — Scott Hogg, author of IPv6 Security shares his 5 must-dos for IPv6 security, a favorite script, and a personal philosophy that favors hard work.

This is part of a regular series that highlights new books and their authors. Also in this series: Joel Scambray on Exposing the hacker's advantage and Brandon Carroll on getting back to basics with wireless networking.

You should begin planning your secure migration to IPv6 sooner rather than later, says Scott Hogg, author of IPv6 Security. Remember the tortoise and the hare story. You will regret not spending more time planning when you end up scrambling to implement it in a hurry. And besides, learning about IPv6 is exciting because it's new.

Advice for newbies: You can quickly check to see if your computer is running IPv6.

Microsoft: netsh interface ipv6 show address

Linux/BSD/Sun: ifconfig –a

If you see addresses like: fe80:1234::1234:abfe:5678 or 2002:1256:abcd::1256:abcd then you have IPv6 enabled on your computer and you didn’t even realize it.

5 must-dos

• Know what computers are running IPv6 in your environment.
• Understand the risks associated with running IPv6 without any security protections.
• Understand how to restrict IPv6 communications to only the minimum systems that require it.
• Understand the capabilities in your network and security equipment for handling IPv6 packets and extension headers.
• Consider IPv6 prior to implementation or you will have security vulnerabilities.

5 don'ts

• Don’t underestimate an attacker’s understanding of how to leverage IPv6.
• Don’t allow perimeter devices, network devices, or computers to process or forward IPv6 packets with Routing Header Zero (RH0).
• Don’t forget to consider the security implications of running IPv6 on a LAN.
• Don’t buy network or security products that don’t have IPv6 capabilities and methods to secure IPv6.
• Don’t just secure your perimeter against IPv6 threats but also secure the interior of your network environment.

Do you have any favorite scripts you want to share?
Sample Scapy6 script for crafting an IPv6 RH0 packet
[root@fez scapy6]# ./scapy6.py

Welcome to Scapy (1.2.0)
IPv6 enabled
>>> ATTACKER = '2001:db8:11:0:20c:29ff:feb8:7e50'
>>> TARGET = '2001:db8:22:0:20c:29ff:fefd:f35e'
>>> MIDWAY = '2001:db8:12:0:202:e3ff:fe11:4585'
>>> rh0pkt = IPv6(src=ATTACKER, dst=TARGET)/IPv6ExtHdrRouting(addresses=[MIDWAY])/ICMPv6EchoRequest()
>>> rh0pkt.show2()
>>> ans,unans=sr(rh0pkt, timeout=2)

Who should read this book? This book is intended to be read by people in the IT industry who are responsible for securing computer networks. You should already know the basics of the IPv6 protocol and networking technology. This book is not an introduction to IPv6. There are many good books and online resources that can teach you about IPv6, and there are many great books on computer network security.

What can readers expect to learn? This book is arranged so that it covers the threats first and then describes ways to combat these threats. By outlining all the risks and showing that a solution exists for each threat, you can feel more comfortable with continuing the transition to IPv6. You learn about techniques hackers might use to breach your networks and what Cisco products to use to protect the networks.

However, showing attacks without solutions is socially irresponsible, so the focus is on the current techniques that are available to make the IPv6 network more secure and on the best current practices. By reading this book, you can gain an understanding of the full range of IPv6 security topics.