
Network World

Eric Vyncke

Why should I care about IPv6 security in my IPv4-only network?

If you have a large network, IPv6 is probably already being used.

By Eric Vyncke on Mon, 06/15/09 - 6:20am.

When I speak about IPv6 security, I often mention the little-known fact that IPv6 is probably already in every large network.

How can it be? Simply because all modern OSes (Vista, Windows 7, Mac OS X, *ix) have IPv6 enabled by default, and IPv6 implementations do not require a completely deployed IPv6 network to start communicating. The mechanisms range from the link-local address (FE80::...), which allows local communication, to several transition mechanisms based on automatic tunnels like ISATAP, 6to4 or Teredo.

How can I check? Simple again: use a sniffer or, better, use NetFlow to check for any traffic using IPv4 protocol 41 (to detect ISATAP and 6to4) or UDP traffic to port 3544 (the default Teredo port). Using a sniffer: look for Ethernet type 0x86DD.

What is the security impact? If you are sure that all your end-systems are protected against IPv6 attacks (i.e. your personal firewall is up and configured for IPv6), this is not an issue at all. Otherwise, you can be attacked over IPv6 even if you think that you run an IPv4-only network...

In short, it is really time now to learn more about IPv6 security (may I recommend the 'IPv6 Security' book by Scott Hogg and myself?).

Don't forget about Red Hat and your firewalls


Red Hat began enabling IPv6 by default with Enterprise Server 4. There is no indication this is happening in the installer. I caught it when I was building a Snort sensor which is not supposed to have an IP address on the sniffing interface. "ifconfig" showed it had an IPv6 address assigned but no IPv4 address.

Some vendors' firewalls, notably Microsoft's ISA product, must not have IPv6 enabled on the server. The ISA firewall will let IPv6 pass right through if someone enabled it manually.

See http://blogs.technet.com/isablog/archive/2006/04/27/426532.aspx for the details.

Miredo makes it worse..


What's worse is when someone installs a Teredo server using the open source tool, Miredo, using a UDP port other than 3544... Let's say port 53... Then my Windows XP client can manually set up this tunnel using port 53... What then?

About IPv6 Security
Eric Vyncke works as a Distinguished Consulting Engineer for Cisco. Eric wrote the security section of Networks: Internet, Telephony, Multimedia: Convergences and Complementarities (Springer Verlag, 2003), and has a Master's Degree in Computer Science Engineering from the University of Liège. Eric has also co-authored several books on LAN security including his latest, IPv6 Security. IPv6 Security has been selected as the Cisco Subnet June book giveaway. Entry forms for the monthly book giveaway can be found on the Cisco Subnet home page. Read a chapter excerpt of IPv6 Security hosted exclusively by Cisco Subnet.