Do you know whether your computers are actively using IPv6 or not? Better check, as the bad guys probably already know. Michael Kassner explains how that might be exploited.
Microsoft began enabling IPv6 protocol by default with the release of Vista. That policy continued with Windows Server 2008 and will with Windows 7. Apple, Linux, and Solaris are also shipping their latest distributions with IPv6 enabled.
Before continuing, I need to explain something. We all understand that IPv6 is important. I even mustered enough courage with Joe Klein's (director of IPv6 security at Command Information) gracious help to write several articles about it. So that's no longer on my radar.What's on my radar
I'm not sure why, but computers are now shipping with IPv6 enabled. My guess would be that most OS developers figured IPv6 networks would be more predominate by now. Or that there's no down side to enabling IPv6, so why wait.
I do know of one Microsoft service that requires IPv6. It's called Windows Meeting Space. It uses the peer-to-peer framework and IPv6 to setup ad hoc networks automatically.What numbers are we talking about
The number of computers running IPv6 is staggering. Carolyn Duffy Marsan in a NetworkWorld article quoted Joe Klein as saying:
"We're probably talking about 300 million systems that have IPv6 enabled by default. We see this as a big risk."
What I'm wondering, is how many of the people using the 300 million computers realize IPv6 is enabled or know what it means?What's being exploited
In a concurrent article, Marsan asked experts what they considered the most serious issues of running a dual stack comprised of IPv6 and IPv4. Here's what they said:
- Rogue IPv6 traffic: Attackers realize that most network administrators aren't monitoring IPv6 traffic or they can't. Because existing firewalls, IDS, or network management tools aren't IPv6-aware. Therefore, an attacker can send malicious traffic to any computer running IPv6 and it will get through.
- IPv6 tunneling: Protocols such as Teredo and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) encapsulate IPv6 packets inside IPv4 packets. The morphed packets can easily pass through IPv4 firewalls and network address translation (NAT) equipment, defeating perimeter defenses purposed to sense and drop IPv6 packets.
- Rogue IPv6 equipment: Because IPv6 uses auto-configuration, an attacker can gain considerable control over computers running IPv6, simply by placing a rogue device capable of issuing IPv6 IP addresses on the network under attack. To make matters worse the device could have router attributes. Forcing all traffic to transit through it, allowing attackers to snoop, modify, or drop traffic at their whim.
- Built-in ICMP and multicast: Unlike IPv4, IPv6 requires ICMP and multicast traffic. That fact will significantly change how administrators approach network security. Right now, blocking ICMP and multicast traffic on IPv4 networks is the accepted practice. That will no longer work and complicated filtering of ICMP and multicast packets will be required to maintain some semblance of security.
Whether to leave IPv6 "enabled or not" is about as clear as mud. There's the yes camp and there's the no camp with the whole gray area in between littered with other opinions. I thought I'd let the experts introduced in Marsan's article present their views:Tim LeMaster: Director of systems engineering for Juniper's federal group mentions:
"If you're not prepared for IPv6, then the prudent thing to do is not to allow it into your network," LeMaster says. "But you shouldn't be blocking all IPv6 traffic for the next five years. You should only block it until you have a policy and understand the threats."Lisa Donnan: Vice president of advanced technology solutions at Command Information has a different viewpoint:
"We don't recommend that you block IPv6 traffic. We are recommending that you do an audit and find out how many IPv6 devices and applications are on your network. If you have IPv6 traffic on your network, then you've got to plan, train, and implement IPv6."Sheila Frankel: Computer scientist in the Computer Security Division of the National Institutes of Standards and Technology (NIST) expresses a middle-ground viewpoint:
"Companies need to acquire a minimal level of expertise in IPv6, which will help protect them against threats. The other thing they should do is to take their outward-facing servers, those that are external to the corporation's firewalls, and enable IPv6 on them. That way, customers from Asia with IPv6 addresses will be able to reach these servers and their own people will acquire expertise in IPv6. This will be a first step in the process."
"IPv6 is coming. The best way is to face it head on and to decide you're going to do it in the most secure manner possible."
As soon as I started receiving computers with IPv6 enabled, I turned the protocol off. My rational was why take a chance when it's not necessary. Apparently, my choice is paying off, as my client's computers aren't vulnerable to these new exploit vectors.
That works for me for the time being at least. I don't pretend to think my choice will work for everyone. From the above opinions, the only thing I do know for sure is that getting up-to-speed on IPv6 is important. As that knowledge will help you determine what's in your network and computer systems best interest.How to disable IPv6
Thankfully, disabling IPv6 is quite easy. I've provided links to Web sites that explain the process for several of the operating systems, if you're so inclined:
This is definitely a thorny subject and full of surprises. Just like every new and untested technological change. I can accept that. What's hard to accept is that security once again appears not to be a main consideration. I hope it's just a temporary oversight.
Worried about security issues? Who isn't? Delivered each Tuesday, TechRepublic's IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!