IPv6 Security

IPv6 is already available on all modern operating systems and network devices. It can be used today by those seeking to bypass firewalls, steal data, consume resources or simply eavesdrop. Significant amounts of IPv6 traffic now circulate on global networks, and running IPv4 alone is no protection. IPv6 and IPv4 usually operate independently over the same infrastructure, so additional and separate IPv6 security mechanisms must be implemented. Here are some resources for system and network administrators.

Security References

Introductions to IPv6 Security

Configuring Servers Against IPv6-Based Attacks

Books

IPv6 Security: Protection Measures for the Next Internet Protocol, Scott Hogg, Eric Vyncke.
Reviews potential security issues introduced by IPv6, and today's best solutions.

IPv6 Security Standards

Security Testing and Monitoring

The tools below are useful for system administrators to audit, test and monitor the security of their IPv6 networks. They can be used for IPv6 troubleshooting, intrusion detection and security audits – or for exploiting IPv6 vulnerabilities. They have been freely available on the Internet for a long time to anyone who wants them, including crackers, spammers, black hats, white hats, and national security services. Please be certain you have the appropriate rights and permissions to access any networks on which you use this software. IPv6Now provides these links as an educational resource and accepts no liability for their use in any way.

Intrusion Detection and Network Monitoring

Security Onion is a Linux distribution for intrusion detection and network security monitoring. It is based on Ubuntu and contains numerous security tools. The Setup wizard builds an army of distributed sensors for an enterprise in minutes. Security Onion provides visibility into network traffic and context around alerts and anomalous events. It seamlessly weaves together three core functions: full packet capture, network-based and host-based intrusion detection systems, and powerful analysis tools.

Network Inventory and Security Auditing

Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks. Nmap runs on all major computer operating systems.

Firewall Testing
Firewall Tester for IPv6 (FT6) is a tool for examining how firewalls handles IPv6.
  • ICMPv6 Filtering: verifies firewall can filter and forward certain ICMPv6 Messages.
  • Type 0 Routing Header: Checks for Type 0 Routing Header (RH0).
  • Header Chain Inspection: Sends a selection of valid and invalid packets.
  • Overlapping Fragments: firewall should be able to drop overlapping fragments.
  • Tiny Fragments: no TCP or UDP header in the first fragment, firewall must wait.
  • Tiny Fragments Timeout: too many tiny fragments can lead to DoS.
  • Excessive Hop-By-Hop Options: should occur only in any IPv6 packet. Tests with duplicates.
  • PadN Covert Channel: Padding bytes could be used to send messages covertly.
  • Address Scopes: tests multicast and link-local address scopes.
Troubleshooting Toolset

The IPv6 Toolkit is a set of IPv6 security/trouble-shooting tools that can send arbitrary IPv6-based packets. Supported on FreeBSD, NetBSD, OpenBSD, Linux and Mac OS.
Guide to using the IPv6 Toolkit.

  • addr6: an IPv6 address analysis and manipulation tool.
  • flow6: performs a security assessment of the IPv6 Flow Label.
  • frag6: performs and assesses IPv6 fragmentation-based attacks.
  • icmp6: performs attacks based on ICMPv6 error messages.
  • jumbo6: assesses potential flaws in the handling of IPv6 Jumbograms.
  • na6: sends and assesses Neighbor Advertisement messages.
  • ni6: sends and assesses ICMPv6 Node Information messages.
  • ns6: sends and assesses Neighbor Solicitation messages.
  • ra6: sends and assesses Router Advertisement messages.
  • rd6: sends and assesses ICMPv6 Redirect messages.
  • rs6: sends and assesses Router Solicitation messages.
  • tcp6: sends TCP segments and performs TCP-based attacks.
  • scan6: An IPv6 address scanning tool.
Penetration Toolset

THC-IPv6 is a complete toolset to attack the inherent protocol weaknesses of IPv6 and ICMP6. Partial list of tools:

  • alive6: detects all systems listening to an address.
  • detect-new-ip6: detect new ip6 devices which join the network.
  • exploit6: known ipv6 vulnerabilities to test against a target.
  • denial6: a collection of denial-of-service tests againsts a target.
  • firewall6: firewall tester, sends many different types of SYN packets.
  • implementation6: performs various implementation checks on ipv6.
  • parasite6: icmp neighbor solicitation/advertisement spoofer.
  • redir6: redirect traffic with a clever icmp6 redirect spoofer.
  • dos-new-ip6: detect new ip6 devices, cause denial-of-service.
  • trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN.
  • flood_router6: flood a target with random router advertisements.
  • flood_advertise6: flood a target with random neighbor advertisements.
  • fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication.
  • smurf6: local smurfer, icmp flood attack.
  • 6to4test - check an ipv4 address for dynamic 6to4 tunnel setup.
  • etc. etc.
Penetration Testing

BackTrack is a Linux-based penetration testing arsenal intended for all audiences, from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest database of security tools to-date. Our community of users range from skilled penetration testers in the information security field, government entities, information technology, security enthusiasts, and individuals new to the security community. Feedback from all industries and skill levels allows us to truly develop a solution that is tailored towards everyone and far exceeds anything ever developed both commercially and freely available.

Packet Scanning and Probing

Scapy is a powerful interactive packet manipulation program for scanning and probing. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, etc).

Website Security Scanner

Qualsys Website Scan checks websites for vulnerabilities, hidden malware and SSL security errors (requires registration, 10 free checks).