World IPv6 launch day set: Security pitfalls to look out for

Patrick Lambert warns that when the IPv6 launch date officially arrives this June 6, it will be prudent to watch out for some security gaps in the initial days. Here are some issues to think about.

Many may remember that last year the Internet Society, along with some major ISPs and content companies, set out to run a breakthrough 24-hour test during what was then called World IPv6 Day. It was fairly short, and aimed to test whether or not the world was ready to move beyond version 4 and onto version 6 of the Internet Protocol. Overall, it was a success, and there were very few issues. All the major providers like Google and Facebook reported users could access their sites fine with an IPv6 address, and the major providers who participated were also running smoothly. Now, this year is the real deal. On June 6, the IPv6 switch gets turned on again, but this time it will stay on. But what does this mean for organizations and companies? Is everyone ready, and if not, will things break? Worse, are there security concerns that may arise from such a major event?

The basic reason to move to IPv6 is well known: we're running out of addresses. As soon as IPv4 addresses are all allocated, then that's it, no one else can get online. That's obviously a major problem, and while there are solutions, like using NAT filtering, the better way to go is to add a lot of new addresses, which is what IPv6 brings to the table. Also, the new protocol includes some added benefits, like the ability to do IPsec much more easily. In a world of only IPv6, we would see a much better infrastructure, and things would run much more smoothly, with no need for NAT routers, everyone using high security, and addresses aplenty. Of course, that's not what will happen. IPv4 will remain for years, probably decades, to support older systems, so what we really will end up with is a hybrid, with many complex translation processes.

And that's where the first problem may appear. There are currently a lot of different technologies in use to implement IPv6 and do the translation: 4to6, 6to4, ISATAP, Teredo, IPv6 brokers, and so on. It can be fairly complex to set up an entire network to run over IPv6 when these diverging technologies are used, and that in turn may bring mistakes and security problems. While there's no evidence that anything more than "things not working" has occurred so far from misconfigured systems, it would be foolish to ignore the possibility. Right now, most ISPs are looking at allocating IPv6 addresses to new customers in the coming years, while keeping the majority of their network on IPv4. While I have all confidence that Comcast and AT&T will get their transition systems working, when some small provider finds out that they can't get another batch of IPv4 addresses from their upstream link, and instead get IPv6 addresses, and they need to rush to adapt, that may be a different story.

Another potential problem with IPv6 is the perceived security of having an endless list of addresses. One common attitude that's been shown is that because you end up with so many addresses, and NAT isn't needed anymore, administrators should assign public IPs to all systems. But NAT is useful for more than just a lack of IPs; it's also a big help with security to have private addresses on internal systems. In an IPv6 world, link-local addresses are provided in its place, but how many organizations will simply use their billion public addresses instead? If everyone has a public address, that means it's much easier for people on the Internet to access them, and exploit any vulnerability. The common retort to this is that it would be impossible to find which address has an active system, since you would have to scan billions of possible addresses, until you realize that many administrators end up simply assigning computers to addresses like 2001:470:1f10:deb::1, 2001:470:1f10:deb::2, 2001:470:1f10:deb::3, and so on, which is the equivalent of doing 10.0.0.1, 10.0.0.2, 10.0.0.3, etc. That's really easy to find out and exploit as long as you know at least one address, such as the corporate web server.
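To check an address plan for the counting pattern described above, the following added example (not part of the original article) audits a host inventory and flags interface identifiers that are guessable. The inventory is constructed and uses the 2001:db8::/32 documentation prefix; the function names and categories are this example's own, and it goes slightly beyond the article by also flagging MAC-derived and IPv4-embedded identifiers.

```python
import ipaddress
from collections import defaultdict

def classify_iid(addr):
    """Classify the low 64 bits (interface identifier) of an IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    raw = iid.to_bytes(8, "big")
    if iid <= 0xFFFF:
        return "low-byte"        # ::1, ::2, ::3 ... found by simply counting
    if iid <= 0xFFFFFFFF:
        return "embedded-ipv4"   # e.g. ::c000:20a is 192.0.2.10 in hex
    if raw[3:5] == b"\xff\xfe":
        return "eui64"           # built from the NIC's MAC address
    return "opaque"              # no obvious structure (random or privacy address)

def mac_from_eui64(addr):
    """Recover the MAC address that an EUI-64 identifier was derived from."""
    raw = ipaddress.IPv6Address(addr).packed[8:]
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Group hosts by /64 and list the ones whose identifier is guessable."""
    report = defaultdict(list)
    for a in addresses:
        kind = classify_iid(a)
        if kind != "opaque":
            net = ipaddress.IPv6Network((a, 64), strict=False)
            report[str(net)].append((a, kind))
    return dict(report)

# Constructed inventory using the 2001:db8::/32 documentation prefix.
INVENTORY = [
    "2001:db8:1f10:deb::1",
    "2001:db8:1f10:deb::2",
    "2001:db8:1f10:deb::3",
    "2001:db8:1f10:deb::c000:20a",
    "2001:db8:1f10:deb:21a:2bff:fe3c:4d5e",
    "2001:db8:1f10:deb:8d4f:6a01:93be:27c5",
]

if __name__ == "__main__":
    for net, hosts in audit(INVENTORY).items():
        print(net, f"{len(hosts)}/{len(INVENTORY)} guessable")
        for host, kind in hosts:
            print("  ", host, kind)
```

Hosts reported as guessable are the ones that most need a default-deny inbound firewall rule, since their addresses offer no protection through obscurity.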

Then there are all the local exploits that can be done on a stack that's new and not mature, and as such may have holes and security exploits that are not yet known. It has already been shown that it's fairly trivial to impersonate an IPv6 router, and because the recommended way to assign IPv6 addresses is with auto-configuration, which means the router gives out the information rather than hosts having static IPs, an impersonated router ends up compromising the whole network. Right now, the IPv6 targets are ridiculously small, and not worth bothering with for hackers and script kiddies, but I fully expect we'll have a lot of growing pains down the road once version 6 becomes the dominant platform.
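One way to watch for an impersonated router on a segment is to inspect every Router Advertisement against what the network is supposed to announce. This is an added example, not code from the article: the router allowlist, the expected prefix, and the sample packets are all constructed (documentation prefix, checksum left at zero), and the function names are this example's own.

```python
import ipaddress
import struct

KNOWN_ROUTERS = {"fe80::1"}                      # assumed allowlist of real routers
EXPECTED_PREFIXES = {"2001:db8:1f10:deb::/64"}   # assumed site prefix (documentation range)

def build_ra(src, prefix, plen=64, hop_limit=255):
    """Build constructed sample bytes: IPv6 header + RA + one Prefix Information option."""
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + pio  # checksum left 0
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, hop_limit)
    dst = ipaddress.IPv6Address("ff02::1").packed        # all-nodes multicast
    return hdr + ipaddress.IPv6Address(src).packed + dst + icmp

def inspect_ra(pkt):
    """Return findings for one captured IPv6 packet; an empty list means nothing to flag."""
    if len(pkt) < 56 or pkt[6] != 58 or pkt[40] != 134:
        return []                                        # not a Router Advertisement
    src = ipaddress.IPv6Address(pkt[8:24])
    findings = []
    if pkt[7] != 255:
        findings.append("hop limit is not 255")          # RFC 4861: RA must arrive with 255
    if not src.is_link_local:
        findings.append("source is not link-local")
    if str(src) not in KNOWN_ROUTERS:
        findings.append(f"unknown router {src}")
    off = 56                                             # options follow the 16-byte RA header
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8         # option length is in 8-byte units
        if olen == 0 or off + olen > len(pkt):
            findings.append("malformed option")
            break
        if otype == 3 and olen == 32 and pkt[off + 2] <= 128:   # Prefix Information option
            addr = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            net = ipaddress.IPv6Network((addr, pkt[off + 2]), strict=False)
            if str(net) not in EXPECTED_PREFIXES:
                findings.append(f"unexpected prefix {net}")
        off += olen
    return findings

if __name__ == "__main__":
    samples = {
        "legit": build_ra("fe80::1", "2001:db8:1f10:deb::"),
        "rogue": build_ra("fe80::bad:1", "2001:db8:bad::"),
        "off-link": build_ra("fe80::1", "2001:db8:1f10:deb::", hop_limit=64),
    }
    for name, pkt in samples.items():
        print(name, inspect_ra(pkt) or "ok")
```

A monitor like this only alerts after the fact; filtering advertisements at the access switch port is what actually stops hosts from accepting them.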

Overall, none of these issues should dissuade anyone from moving on with their IPv6 implementations, but it's good to remember that as World IPv6 Day approaches, and the big players like Comcast, AT&T, Facebook, Google, and so on are all on board, it's always the small players that are going to be playing catch-up, and may get things wrong. And that's where particular attention should be paid to implementation security, and making sure things are done right.

Have you thought of any other possible snags as we transition into IPv6?

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

15 comments
stigall

NAT is not security itself but home and other routers that use it also have a default deny built in so that just having a router blocks malicious traffic. Even if you only have one computer, you should have a router with NAT between you and the Internet. Unpatched computers should be behind a router until they are secure. I have had machines compromised during installation when I did not have it behind a router.

owens-bill

I'm sorry to have to be so critical, but this is really a terrible article. Other comments have already addressed the mistaken assertion that NAT provides security; that's the tip of the iceberg. The author goes on to mention stateless address autoconfiguration (without apparently knowing enough to call it that) while asserting that IPv6 addresses will be manually assigned in numeric order - and uses a valid IPv6 prefix as his example, for extra credit. He trots out the ancient idea that IPv6 magically makes it easier to do IPsec and invents '4to6' as a transition mechanism. Going back to NAT he equates IPv6 link-local addresses with RFC1918. He asserts that the 'stack' is 'new and not mature' and uses router impersonation as an example, failing to note that the problem has been known about for years and that switch vendors have implemented fixes for years (Cisco since at least 2009, as an example). Sadly, throughout it all he does not mention any of the real issues that need to be considered - IPv6 support in management and security tools, mapping security rules from the v4 world to v6 without breaking critical v6 capabilities, dealing with privacy addresses and their impact on logging and event reporting, etc. The second-to-last paragraph is a fine summary; perhaps it would have been better if the article were simply left at that. And in response to the final question: yes, people have been thinking of those snags for many years now. Don't assume that because you're late to the game, everyone else is too. Bill.

Doug Vitale

Pat, nice job linking to the Internet Society's "Deploy 360" website. There really is a wealth of information there concerning IPv6 and DNSSEC. http://www.internetsociety.org/deploy360/ipv6/ As you mentioned, I think it's safe to say that we're going to see IPv4 and IPv6 coexist side-by-side for quite some time. Once IPv6 "goes live" I am sure that several security concerns will arise (and be remedied), but unlike IPv4, security was taken into consideration from the ground up in IPv6's development. One consideration with IPv6 that should be taken into account is that it will increase the importance of DNS (which is already critical). If DNS isn't working properly, it's no big deal to type '192.168.10.20' but can you imagine typing '2001:470:1f10:deb::2'? Even with the IPv6 address abbreviation it would still be a pain. With IPv6 coming up, 64-bit computing replacing 32-bit, and storage space getting cheaper and cheaper, the days are bright for information technology, and I for one am excited about the future.

Michael Kassner

I see that was mentioned in the article. I felt the same way before I wrote several articles about IPv6. Along the way an expert on IPv6, Joe Klein, (https://sites.google.com/site/ipv6security/) set me straight. NAT is not nor should be considered a security measure.

delphi9_1971

NAT is not security; it is merely obfuscation of your address space. The real security is provided by a stateful firewall with well-engineered ACLs. In fact NAT tends to do more harm than good by creating the need for massively complex translation configurations that in themselves can be exploited.

Slayer_

How to work out the addresses specifically. I'm kind of dumb.

Bogdan Peste

About 90% of all incoming SPAM messages are rejected because of SPAM lists, and only about 10% really go through the SPAM checker. There are no lists for IPv6 spammers, so we have to start from square 1; I agree that blacklisting is not the best method against fighting SPAM, but it works, and with minimum impact on system resources.

Michael Kassner

I have read a few of your blogs when I was researching my articles about IPv6. I have a favor to ask. TR member Slayer in an earlier comment was looking for some help with IPv6 information.

Slayer_

Tough part is, I don't know enough to know the questions to ask...

Slayer_

The part about how it is generated confuses me. Is it no longer like IPv4, which was based on a subnet mask? Is there no longer subnet masking?

Slayer_

Might have to wait till Friday though :(. I tend to do my best learning on Fridays. Those links should almost be in the original blog, they look like they will be very helpful.

owens-bill

I haven't been actively involved in IPv6 training for a while now, but the folks at the Deploy360 program are collecting lots of good resources: http://www.internetsociety.org/deploy360/ipv6/ Hurricane Electric, one of the pioneers in v6 commercial networking has also taken on the task of educating users; they even have an informal certification program: http://ipv6.he.net/presentations.php and http://ipv6.he.net/certification/ You can use one of their tunnels to get a connection to the IPv6 Internet, if your current ISP doesn't yet support IPv6 (and sadly, most don't). That should be plenty to get you up to speed on IPv6. . .

Slayer_

Site IDs? Is it just that it works the same as before, and you only get 4 changeable blocks from your ISP unless you NAT them? I suspect many orgs are going to maintain IPv4 in their internal networks, just for ease of maintenance. The typical 2 or 3 digit subnet is easier to remember.
