IPv6 Security

IPv6 Security Impact

Many security issues in IPv6 remain the same as in IPv4, but IPv6 also has new features that affect system and network security, and that may affect policies and procedures. IPv6 and IPv4 usually operate completely independently over the same Layer 2 infrastructure, so additional and separate IPv6 security mechanisms must be implemented. Many areas will need overhauling, such as firewalls, monitoring and accounting. It is important to keep in mind that IPv6 is young operationally and may have issues not yet encountered, or even imagined.

  • IPv4-Only Systems

    Many enterprises solely using IPv4 assume IPv6 intrusion cannot happen on their systems. This is quite incorrect – see IPv6 Security Myth No. 1. All sites should now firewall and monitor both IPv4 and IPv6. If IPv6 traffic is not monitored then it is impossible to know how much IPv6 traffic is on networks, and it is almost a certainty that some IPv6 traffic is being carried. At the user level, IPv6 can be accidentally or deliberately employed to bypass usage and security policies. See here for a list of IPv6 monitoring and testing software.

  • Moving To an IPv6 Frame of Mind

    For decades, system and network admins have learnt to conserve and apportion scant IPv4 allocations. To deal with the astonishing abundance of IPv6 addresses takes a complete change of mindset. The standard IPv6 allocation for a single subnet or small enterprise is a /64 prefix, which contains four billion times the total of possible addresses in today's IPv4 Internet. An entirely new approach to addressing must be adopted to use IPv6 optimally, focused on well-designed layouts that reflect service location or function, network growth or potential mergers, or other relevant parameters.

    An example of IPv4 thinking that must radically change in an IPv6 setting concerns ICMP (the protocol behind ping). In IPv6, routers do not fragment too-large packets, which greatly improves throughput. If a packet is too large to forward, the router discards the packet and sends the host an ICMPv6 Packet Too Big message, which includes the MTU of the next hop. The host then uses the lower MTU and successfully retransmits the packet. Many IPv4-experienced admins firmly believe blocking ICMP is a good security practice, but in IPv6 this will cause severe, difficult-to-diagnose problems.

Security Implications

  • ICMP and Multicast
    The common IPv4 practice of blocking ICMP packets as a supposed security measure (see above) should not occur, as IPv6 functioning depends on ICMPv6 for error messages, path MTU discovery, multicast group management and Neighbour Discovery. IPv6 also relies upon multicast availability, which will impact on firewalls, intrusion detection and access control rules.
  • Dual Stacking
    Dual stacking means devices have both IPv4 and IPv6 protocol capabilities. It is usually seen as an essential transition method for staged deployment of IPv6, but it means two protocols are in play: security must be maintained for both. This is expensive in terms of time and effort, so some large organisations, e.g. Facebook, are now adopting IPv6 entirely on their internal networks, and using conversion techniques at the network borders.
  • Automatic Tunnels
    Tunnelling means packets of one protocol are encapsulated by packets of a second protocol, for transport across a network of the second type. Tunnels are an essential IPv6 transition technique. However, some operating systems out of the box will automatically establish an IPv6 network when a client is connected to a server, e.g. various Windows releases. Potentially unwanted new paths to hosts can be set up, and firewalls may be unprepared.
  • Autoconfiguration
    Autoconfiguration in IPv6 is an efficient and economic process, but has potential vulnerabilities. SLAAC (Stateless Address Autoconfiguration) is the process by which a host configures its own address based on its hardware (MAC) address. However, the exposure of MAC addresses may permit host identification via interface ID, NIC vendor, or host vendor. Addresses generated by random, temporary, or cryptographic means can tackle this problem. DHCPv6 (Dynamic Host Configuration Protocol for IPv6) allows a server to supply addresses to hosts. DHCP in IPv4 needed external support, but in IPv6 it requires nothing but a working router for the connected host to be immediately reachable.
  • Hosts with Multiple Addresses
    In IPv4, multiple addresses are always possible, but rare. In IPv6 they are very common, arising from SLAAC, temporary DHCPv6, link-local addresses, multiple prefixes, overlapping lifetimes, as well as IPv4 addresses. Admins must be aware of all possible interface addresses and the capacity of network devices to create their own addresses, e.g. in conjunction with radvd, the Router Advertisement Daemon.
  • Scans and IPv6
    With 18 billion billion addresses in a /64 subnet, sequential scanning is pointless. It would take 500,000 years to scan a single /64 at a million probes per second. However, hinted scanning (using other sources to gain information on address ranges) may still be possible. This can leverage facilities such as Neighbor Discovery, routing tables, whois, or reverse DNS to locate vulnerable hosts.
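
The point made under "Moving To an IPv6 Frame of Mind" and again under "ICMP and Multicast" can be checked against a firewall ruleset. The following is an added example, not part of the original page: it reads rules in `ip6tables-save` style and reports which of the ICMPv6 functions named above a ruleset would break. The rulesets are constructed, and only protocol and ICMPv6-type matches are modelled (rules with interface, state or address matches are treated as not applying).

```python
import re

# ICMPv6 types for the functions the page lists (RFC 4443, 4861, 2710, 3810).
ESSENTIAL = {
    "error messages": {1, 3, 4},                  # unreachable, time exceeded, parameter problem
    "path MTU discovery": {2},                    # Packet Too Big
    "multicast group management": {130, 131, 132, 143},
    "Neighbour Discovery": {133, 134, 135, 136},  # RS, RA, NS, NA
}
RULE = re.compile(r"^-A (?P<chain>\S+) (?P<body>.*)-j (?P<target>ACCEPT|DROP|REJECT)\b")
PROTO = re.compile(r"-p (\S+)")
TYPE = re.compile(r"--icmpv6-type (\d+)")
MODELLED = re.compile(r"-p \S+|-m icmp6|--icmpv6-type \d+")

def verdict(rules, chain, policy, icmp_type):
    """First-match verdict for one ICMPv6 type; falls back to the chain policy."""
    for line in rules:
        m = RULE.match(line.strip())
        if not m or m["chain"] != chain:
            continue
        body = m["body"]
        proto, typ = PROTO.search(body), TYPE.search(body)
        if proto and proto[1] not in ("ipv6-icmp", "icmpv6", "58"):
            continue                     # rule is for another protocol
        if typ and int(typ[1]) != icmp_type:
            continue                     # rule is for another ICMPv6 type
        if MODELLED.sub("", body).strip():
            continue                     # interface/state/address match: not modelled
        return m["target"]
    return policy

def audit(rules, chain="INPUT", policy="DROP"):
    """Map each essential function to the ICMPv6 types the ruleset blocks."""
    blocked = {name: sorted(t for t in types
                            if verdict(rules, chain, policy, t) != "ACCEPT")
               for name, types in ESSENTIAL.items()}
    return {name: types for name, types in blocked.items() if types}

# Constructed rulesets: the IPv4 habit of dropping all ICMP, and a corrected one.
IPV4_HABIT = ["-A INPUT -i lo -j ACCEPT",
              "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
              "-A INPUT -p ipv6-icmp -j DROP"]
CORRECTED = IPV4_HABIT[:2] + [
    f"-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type {t} -j ACCEPT"
    for t in sorted(set().union(*ESSENTIAL.values()))]

if __name__ == "__main__":
    print("IPv4 habit:", audit(IPV4_HABIT))
    print("corrected :", audit(CORRECTED))
```

RFC 4890 gives fuller filtering recommendations, including restrictions this sketch does not model, such as accepting Neighbour Discovery only on the local link.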
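
The MAC exposure described under "Autoconfiguration" can be audited on your own hosts. The following is an added example, not part of the original page: it builds the modified EUI-64 interface ID (RFC 4291, Appendix A) that SLAAC derives from a MAC, then reverses the process to list which of a host's addresses reveal the hardware address and vendor OUI. The MAC, prefix and address list are constructed from documentation ranges, and the function names are illustrative.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe between OUI and NIC part.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix, mac):
    """Address a host forms from an advertised /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface IDs are 64 bits; the prefix must be a /64")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def exposed_mac(address):
    """MAC recoverable from an address, or None if the IID is not EUI-64 shaped.

    A random interface ID contains ff:fe at this position by chance about
    once in 65,536 addresses, so treat a hit as a lead to confirm.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)

def audit_host(addresses):
    """Map each address that exposes a MAC to (mac, vendor OUI)."""
    findings = {}
    for addr in addresses:
        mac = exposed_mac(addr)
        if mac:
            findings[addr] = (mac, mac[:8])
    return findings

# Constructed sample: one interface holding several addresses at once.
MAC = "00:00:5e:00:53:2a"                       # RFC 7042 documentation MAC
HOST = [
    "fe80::200:5eff:fe00:532a",                 # link-local, EUI-64
    slaac_address("2001:db8:abcd:1::/64", MAC), # global SLAAC, EUI-64
    "2001:db8:abcd:1:d4c3:91a2:7be0:5f16",      # randomised temporary address
]

if __name__ == "__main__":
    for addr, (mac, oui) in audit_host(HOST).items():
        print(f"{addr} exposes MAC {mac} (OUI {oui})")
```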