IPv6: Not a Security Panacea
With only 10% of reserved IPv4 blocks remaining, the time to migrate to IPv6 will soon be upon us, yet the majority of stakeholders have yet to grasp the true security implications of this next generation protocol. Many have simply deemed it an IP security savior without due consideration for its shortcomings. While IPv6 provides enhancements like encryption, it was never designed to natively replace security at the IP layer. The old notion that anything encrypted is secure doesn’t hold much ground in today’s Internet, considering the pace and sophistication with which encryption is cracked. For example, at the last Black Hat conference, hacker Moxie Marlinspike revealed vulnerabilities that break SSL encryption and allow one to intercept traffic with a null-termination certificate.
Unfortunately, IPsec, the IPv6 encryption standard, is viewed as the answer for all things encryption. But it should be noted that:
- IPsec “support” is mandatory in IPv6; usage is optional (reference RFC4301).
- There is a tremendous lack of IPsec traffic in the current IPv4 space due to scalability, interoperability, and transport issues. This will carry into the IPv6 space, and the adoption of IPsec will be minimal.
- IPsec’s ability to support multiple encryption algorithms greatly increases the complexity of deploying it, a fact that is often overlooked.
Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this).
IPv4 based security appliances and network monitoring tools can neither inspect nor block IPv6 based traffic. The ability to tunnel IPv6 traffic over an IPv4 network using brokers without natively migrating to IPv6 is a great feature. However, this same feature allows hackers to set up rogue IPv6 tunnels on non-IPv6 aware networks and carry out malicious attacks at will. This raises the question: why are so many users routing data across unknown and non-trusted IPv6 tunnel brokers?
IPv6 tunneling should never be used for any sensitive traffic. Whether it’s patient data that traverses a healthcare WAN or Government connectivity to an IPv6 Internet, tunneling should be avoided at all costs. By enabling the tunneling feature on the client (e.g. 6to4 on Mac, Teredo on Windows), you are exposing your network to open, non-authenticated, unencrypted, non-registered and remote worldwide IPv6 gateways. The rate at which users are experimenting with this feature and consequently exposing their networks to malicious gateways is alarming.
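As an added example (not code from the article), the following Python classifier shows what an IPv6-aware monitoring tool has to look for on a supposedly IPv4-only segment: native IPv6 frames (EtherType 0x86DD), IPv6 carried directly inside IPv4 as used by 6to4 and 6in4 (IP protocol 41, with 6to4 recognisable by its 2002::/16 source addresses), and Teredo (IPv6 inside UDP on port 3544). The sample frames, MAC and IP addresses are constructed for the demonstration.

```python
# Added example (not code from the article): classify Ethernet frames to spot
# IPv6 on a supposedly IPv4-only segment. Sample frames below are constructed.
import struct
import ipaddress

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD   # native IPv6 is EtherType 0x86DD
PROTO_UDP, PROTO_IPV6, TEREDO_PORT = 17, 41, 3544  # 6in4/6to4: proto 41; Teredo: UDP 3544
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # 6to4 address space

def classify_frame(frame: bytes) -> str:
    """Label how (if at all) one Ethernet frame carries IPv6."""
    if len(frame) < 14:
        return "malformed"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV6:
        return "native-ipv6"
    if ethertype != ETHERTYPE_IPV4:
        return "non-ip"
    ip = frame[14:]
    if len(ip) < 20:
        return "malformed"
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    payload = ip[ihl:]
    if proto == PROTO_IPV6:  # an IPv6 packet wrapped directly in IPv4
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "malformed"
        inner_src = ipaddress.IPv6Address(payload[8:24])
        return "6to4-tunnel" if inner_src in SIX_TO_FOUR else "6in4-tunnel"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo-tunnel"
    return "plain-ipv4"

def ipv4_frame(proto: int, payload: bytes) -> bytes:  # zeroed MACs, checksum left at zero
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + hdr + payload

def ipv6_packet(src: str) -> bytes:  # bare 40-byte header, next header 59 (none)
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("2001:db8::1").packed
    return struct.pack("!IHBB", 0x60000000, 0, 59, 64) + addrs

SAMPLES = {
    "native": b"\x00" * 12 + b"\x86\xdd" + ipv6_packet("2001:db8::2"),
    "6to4": ipv4_frame(PROTO_IPV6, ipv6_packet("2002:c000:20a::1")),
    "teredo": ipv4_frame(PROTO_UDP, struct.pack("!HHHH", 40000, TEREDO_PORT, 8, 0)),
    "dns": ipv4_frame(PROTO_UDP, struct.pack("!HHHH", 53, 53, 8, 0)),
}
```

Any label other than "plain-ipv4" or "non-ip" on a segment that has never been migrated is the rogue IPv6 presence the article warns about, and is worth an alert.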
Is your security conscious head spinning yet?
The advanced network discovery feature of IPv6 allows network administrators to select the paths they can use to route packets. In theory, this is a great enhancement; from a security perspective, however, it becomes a problem. In the event that a local IPv6 network is compromised, this feature will allow the attacker to trace and reach remote networks with little to no effort.
So where are the vendors that are supposed to protect us against these types of security flaws? The answer is, not very far along. Like most of the industry, the vendors are still playing catch-up. Since there are no urgent mandates to migrate to IPv6, most are developing interoperability and compliance at the industry’s pace.
So the question becomes: will the delay in IPv6 adoption give the hacker community a major advantage over industry? Absolutely! As we gradually migrate to IPv6, the lack of interoperability and support at the application and appliance levels will expose loopholes. This will create a chaotic and reactive circle of patching, on-the-go updates and application revamp to combat attacks.
Regardless of your expertise in IPv4, treat your migration to IPv6 with the utmost sensitivity. There is more to IPv6 than just larger IP blocks. The learning curve for IPv6 is extensive. People can’t be patched as easily as Windows applications, thus staff training should start very early. Many of the fundamental network principles like routing, DNS, QoS, multicast and IP addressing will have to be revisited. Reliance on established IPv4 security features like spam control and DoS (denial of service) protection will be minimal in the IPv6 space as the Internet ‘learns’ and ‘adjusts’ to the newly allocated IP structure.
It’s essential that your network security posture is of the utmost priority in the migration to IPv6. Stakeholders should take into account the many security challenges associated with IPv6 before deeming it a cure-all security solution.
Jaghori is the Chief Network & Security Architect at L-3 Communications EITS. He is a Cisco Internetwork Expert, Adjunct Professor and industry SME in IPv6, Ethical Hacking, Cloud Security and Linux. Jaghori is presently authoring an IPv6 textbook and actively involved with next generation initiatives at the IEEE, IETF, and NIST. Contact him at firstname.lastname@example.org.