Unknown and unmanaged IPv6-enabled devices on IPv4 networks are always going to cause trouble eventually.
In 2009, TechRepublic, in this article, advised that most if not all computing devices are IPv6-enabled. And not paying attention to that fact could lead to lots of trouble.
Today, five years later, Frank Herberg in this Switch Security paper raised the warning once again. Herberg mentioned IPv6 being enabled turned on autoconfiguration functionalities. More to the point, Herberg wrote, "Network operators and security people who have neither basic IPv6 experience nor measures in place to detect IPv6-related attacks run a real risk."
Herberg then brought up a point I've heard from other IPv6 experts. Bad actors are early adopters, and using IPv6 is no exception. So they have the knowledge and the experience to manipulate IPv6 to their advantage.
Examples of IPv6 attacks
Herberg offered three examples of how an attacker can exploit a company network populated with IPv6-enabled -- rogue or otherwise -- devices, but not under the watchful eye of those in charge.
Scenario one: Attackers already have access to the network, but are unable to make any progress getting to the targeted data. Since IPv6 Stateless Address Autoconfiguration is enabled by default, the attackers place IPv6 router advertisements on the network. As programmed, IPv6-enabled computers and servers will configure their network adapters' IPv6 settings and accept the default IPv6 route. The configured computers now have IPv6 connectivity, and the first hop will be the attacker's computer giving the attacker access to traffic crossing the network.
Scenario two: The attackers in the first scenario noticed the computers were protected by Access Control Lists (ACL). The attackers understand IPv4 ACLs do not recognize IPv6 traffic; opening a door, possibly wide enough, to give the attackers access to the targeted computers.
Scenario three: It is possible firewalls do not recognize IPv6 traffic traversing in an IPv4 tunnel. This allows attackers to access to the network assumed to be protected by a firewall.
What are the options?
Herberg finished by asking some thought-provoking questions. I enlisted the help of Joe Klein, a security expert who well understands the intricacies of IPv6 to address the concerns brought up by Herberg.
Do you see IPv6 traffic on your network?
Klein said there are several methods to determine if IPv6 traffic is flowing on the network. He suggested the following options:
Double check that the computers support IPv6. The slide below shows the (Windows version) properties of a network adapter. IPv6 is enabled.
The next step is to see if the network adapter received an IPv6 address. That is accomplished by opening a command prompt and typing the command ipconfig. The computer used to provide the following screen shot has an IPv6 address.
Now, the complicated step. To be sure, a packet sniffer like Wireshark needs to be connected to a management port on the main network switch and allowed to capture traffic. If any IPv6 traffic is crossing the network, it will be visible in the packet-capture log.
Does the company firewall filter (tunneled) IPv6 traffic?
Five years ago, Klein was concerned that most security implements, including firewalls, were not able to scan IPv6 traffic. Even more troubling: that concern remains valid today. Klein offered the following advice:
● It may sound obvious, but check with the manufacturer and see what they say.
● Visit the website IP6.nl, and type in the domain name of the device manufacturer -- for example Cisco.com -- and see if the site is IPv6 enabled. Klein said, "If the company is not using IPv6 on their network, it's a good indicator their products aren't either."
● The one sure way would be to place the security implement in question in a test environment, send it IPv6 tunneled traffic, and see whether the device recognizes it or not.
Does the IT department have enough knowledge about IPv6 and its exploits to detect an attack?
Klein mentioned companies with IPv6 enabled would still be hard-pressed to understand every attack. Klein added, "It is the same old problem, attackers need just one weakness to work, where companies must plan against every conceivable threat."
Do you rely on IP-based ACLs?
According to Klein, more often than not, IT managers do not realize IPv4 ACLs are ineffective against IPv6 queries.
Turning off IPv6 may break applications
Klein offered a cautionary note. It seems some companies have decided to disable IPv6 on their equipment. Depending on the size of the company that in itself can be a challenge. More to the point, many newer applications do not function with IPv6 disabled. For example, Microsoft Exchange Servers, 2008 and newer, do not communicate with IPv6 turned off. Moreover, once realized, the hapless Exchange admin will learn getting Exchange running again will require a complete reload of the application.
IPv6 unaffected by recent BGP problems
An interesting side note: internet-dependent businesses, according to Klein, may want to consider moving to IPv6. The strange BGP problems that shut down portions of the internet did not affect companies using IPv6 -- something to consider if BGP problems continue.