September 21, 2009, 9:36 PM

With only 10% of reserved IPv4 blocks remaining, the time to migrate to IPv6 will soon be upon us, yet the majority of stakeholders have yet to grasp the true security implications of this next-generation protocol. Many have simply deemed it an IP security savior without due consideration of its shortcomings. While IPv6 provides enhancements like encryption, it was never designed to natively replace security at the IP layer. The old notion that anything encrypted is secure doesn't stand much ground on today's Internet, considering the pace and sophistication with which encryption is broken. For example, at the last Black Hat conference hacker Moxie Marlinspike revealed vulnerabilities that break SSL encryption and allow one to intercept traffic with a null-termination certificate.
Unfortunately, IPsec, the IPv6 encryption standard, is viewed as the answer for all things encryption. But it should be noted that:
- IPsec "support" is mandatory in IPv6; its use is optional (see RFC 4301).
- There is a tremendous lack of IPsec traffic in the current IPv4 space due to scalability, interoperability, and transport issues. This will carry over into the IPv6 space, and adoption of IPsec will be minimal.
- IPsec's support for multiple encryption algorithms greatly increases the complexity of deploying it, a fact that is often overlooked.
Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this).
IPv4-based security appliances and network monitoring tools can neither inspect nor block IPv6-based traffic. The ability to tunnel IPv6 traffic over an IPv4 network through brokers, without natively migrating to IPv6, is a great feature. However, this same feature allows hackers to set up rogue IPv6 tunnels on non-IPv6-aware networks and carry out attacks at will. This raises the question: why are so many users routing data across unknown and untrusted IPv6 tunnel brokers?
IPv6 tunneling should never be used for any sensitive traffic. Whether it's patient data that traverses a healthcare WAN or government connectivity to an IPv6 Internet, tunneling should be avoided at all costs. By enabling the tunneling feature on the client (e.g. 6to4 on Mac, Teredo on Windows), you are exposing your network to open, unauthenticated, unencrypted, unregistered and remote worldwide IPv6 gateways. The rate at which users are experimenting with this feature and consequently exposing their networks to malicious gateways is alarming.
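As an added example (not from the original post), here is how a defender can spot the 6to4 and Teredo tunnels described above in flow records from an IPv4-only network, and recover the IPv4 endpoints embedded in the tunnel addresses. The flow-record format and the sample flows are constructed for this example; the protocol numbers, port and prefixes are the ones RFC 3056 and RFC 4380 define.

```python
import ipaddress

# Tunnel fingerprints: 6to4 carries IPv6 inside IPv4 protocol 41 and uses
# 2002::/16 (RFC 3056); Teredo carries IPv6 inside UDP/3544 and uses
# 2001:0::/32 (RFC 4380). An IPv4-only network should see neither.
IPV6_IN_IPV4 = 41
TEREDO_PORT = 3544
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")


def decode_6to4(addr):
    """Return the IPv4 address embedded in bits 16-47 of a 6to4 address."""
    raw = int(ipaddress.IPv6Address(addr))
    return str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF))


def decode_teredo(addr):
    """Return (server_ipv4, client_ipv4, client_port) from a Teredo address.
    Server IPv4 sits in bits 32-63; the client port and IPv4 are stored as
    the bitwise complement of the last 48 bits (RFC 4380 section 4)."""
    raw = int(ipaddress.IPv6Address(addr))
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return str(server), str(client), port


def flag_flow(flow):
    """Return findings for one flow record (constructed dict format)."""
    findings = []
    if flow["ip_proto"] == IPV6_IN_IPV4:
        findings.append(f"IPv6-in-IPv4 encapsulation (proto 41) to {flow['dst']}")
    if flow["ip_proto"] == 17 and flow["dport"] == TEREDO_PORT:
        findings.append(f"Teredo tunnel (UDP/3544) to {flow['dst']}")
    inner = flow.get("inner_src")  # source of the encapsulated IPv6 packet
    if inner:
        v6 = ipaddress.IPv6Address(inner)
        if v6 in SIX_TO_FOUR:
            findings.append(f"6to4 address embeds IPv4 {decode_6to4(inner)}")
        elif v6 in TEREDO:
            srv, cli, port = decode_teredo(inner)
            findings.append(f"Teredo address: server {srv}, client {cli}:{port}")
    return findings


def audit(flows):
    """Return {flow_index: findings} for every flow that looks like a tunnel."""
    return {i: flag_flow(fl) for i, fl in enumerate(flows) if flag_flow(fl)}


# Constructed sample flows (not a real capture); addresses are from documentation ranges.
SAMPLE_FLOWS = [
    {"ip_proto": 6, "src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443},
    {"ip_proto": 41, "src": "10.0.0.7", "dst": "192.88.99.1", "dport": None,
     "inner_src": "2002:c000:204::1"},
    {"ip_proto": 17, "src": "10.0.0.9", "dst": "192.0.2.20", "dport": 3544,
     "inner_src": "2001:0:4136:e378:8000:63bf:3fff:fdd2"},
]
```

Running `audit(SAMPLE_FLOWS)` flags flows 1 and 2 and reports the 6to4 host 192.0.2.4 and the Teredo client 192.0.2.45:40000 behind server 65.54.227.120.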
Is your security-conscious head spinning yet?