IPv6 Security Threats
Here’s a list of the most common IPv6 threats that network vendors are hearing about from their enterprise customers:
1. Rogue IPv6 traffic
Organizations that aren’t running IPv6 and don’t plan to run it anytime soon should use their firewalls to block IPv6 traffic from entering or leaving their networks. Most experts say this should be a temporary measure because an increasing amount of Internet traffic is IPv6-based, and organizations don’t want to limit access to customers or business partners around the world that will be using IPv6. “What customers need to do within their intrusion-prevention systems or within their firewalls is to explicitly look for IPv6 traffic and drop it,” says Tim LeMaster, director of systems engineering for Juniper’s Federal group.
2. IPv6 tunnels
Three types of IPv6 tunnels (Teredo, 6to4 and Intra-Site Automatic Tunnel Addressing Protocol, or ISATAP) allow IPv6 packets to be encapsulated inside IPv4 packets that can be sent through IPv4-enabled firewalls or network address translation devices. To a network manager, tunneled IPv6 packets look like normal IPv4 traffic. That’s why network managers need deep packet inspection systems that can peer into tunnels to examine what’s inside them. Brown says you need to have firewalls and intrusion-prevention systems that “support IPv6 but they also need to support full inspection for the tunneling mode.” Brown says he’s seen “traditional IPv4 attacks” that take advantage of IPv6 tunneling to enter networks where tunneling traffic wasn’t being inspected.
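As an added example (not from the article or any vendor quoted in it), the sketch below shows how an inspection point can tell the three tunnel types apart in raw IPv4 packets. It assumes the standard encapsulation markers, which the article does not list: IPv4 protocol 41 for 6to4 and ISATAP, the 2002::/16 prefix, the 5efe ISATAP interface identifier, and UDP port 3544 for Teredo servers. All function names are hypothetical.

```python
import struct

PROTO_UDP, PROTO_IPV6_IN_IPV4, TEREDO_PORT = 17, 41, 3544

def _v6_kind(v6: bytes) -> str:
    """Name the tunnel type from the inner IPv6 source address."""
    if len(v6) < 40 or v6[0] >> 4 != 6:
        return "proto41"                      # protocol 41 but no valid IPv6 header
    src = v6[8:24]
    if src[:2] == b"\x20\x02":                # 2002::/16
        return "6to4"
    if src[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap"                       # ISATAP interface identifier
    return "proto41"

def _teredo_inner(data: bytes) -> bytes:
    """Skip the optional Teredo authentication and origin-indication headers."""
    if len(data) >= 4 and data[:2] == b"\x00\x01":
        data = data[13 + data[2] + data[3]:]
    if data[:2] == b"\x00\x00":
        data = data[8:]
    return data

def classify(pkt: bytes) -> str:
    """Classify one raw IPv4 packet: teredo, 6to4, isatap, proto41 or none."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "none"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "none"
    body = pkt[ihl:]
    if pkt[9] == PROTO_IPV6_IN_IPV4:
        return _v6_kind(body)
    if pkt[9] == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        inner = _teredo_inner(body[8:])
        if TEREDO_PORT in (sport, dport) and inner[:1] and inner[0] >> 4 == 6:
            return "teredo"
    return "none"

# Constructed sample packets (checksums left at zero; they are not verified here).
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload
def ipv6(src: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, 0, 59, 64) + src + bytes(16)

SIX_TO_FOUR = ipv4(41, ipv6(b"\x20\x02\xc0\x00\x02\x01" + bytes(10)))
ISATAP = ipv4(41, ipv6(b"\xfe\x80" + bytes(6) + b"\x00\x00\x5e\xfe\xc0\x00\x02\x01"))
TEREDO = ipv4(17, struct.pack("!HHHH", 50000, 3544, 48, 0) + ipv6(b"\x20\x01\x00\x00" + bytes(12)))
```

Matching on port 3544 only catches Teredo traffic to or from a Teredo server; a result of `proto41` means protocol 41 was seen but the inner source address fits neither 6to4 nor ISATAP.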
3. Rogue IPv6 devices
The auto-configuration capabilities that are built into IPv6 allow an attacker to define a rogue device that assigns IP addresses to all the other devices on the network. “Someone could set up a rogue device like a router to assign IPv6 addresses on your network, and you wouldn’t even know it,” LeMaster says.
Eric Vyncke, a Cisco Distinguished Engineer, says a hacker can set up a rogue network device that is pretending to be an IPv6 router. “All the traffic can be diverted to the rogue router, which can do sniffing of traffic or modify traffic or drop traffic,” Vyncke says.
4. Type 0 routing header
This well-known IPv6 vulnerability creates the opportunity for denial-of-service attacks because it gives a hacker the ability to manipulate how traffic flows over the Internet. This feature of IPv6 allows you to specify in the header what route is used to forward traffic. A hacker could use this feature to saturate a particular part of the network, Brown says. “We haven’t seen this yet,” Brown said, adding that “this would be a targeted attack.”
5. Built-in ICMP and multicast
Unlike IPv4, IPv6 features built-in Internet Control Message Protocol (ICMP) and multicast. These two types of network traffic are integral to how IPv6 works. With IPv4, network managers can block ICMP and multicast traffic to prevent attacks coming over these channels. But for IPv6, network managers will need to fine-tune the filters on their firewalls or routers to allow some ICMP and multicast traffic through. “You have to explicitly configure ICMP6 and multicast with IPv6,” Schiller says.