
Network World

Eric Vyncke

Why should I care about IPv6 security in my IPv4-only network?

If you have a large network, IPv6 is probably already being used.

By Eric Vyncke on Mon, 06/15/09 - 6:20am.

When I speak about IPv6 security, I often mention the little-known fact that IPv6 is probably already present in every large network.

How can that be? Simply because all modern operating systems (Vista, Windows 7, Mac OS X, *ix) have IPv6 enabled by default, and IPv6 implementations do not require a fully deployed IPv6 network to start communicating. They can use anything from the link-local address (FE80::...), which allows local communication, to several transition mechanisms based on automatic tunnels such as ISATAP, 6to4 or Teredo.

How can I check? Simple again: use a sniffer or, better, use NetFlow to check for any traffic using IPv4 protocol 41 (to detect ISATAP and 6to4) or UDP traffic to port 3544 (the default Teredo port). With a sniffer, look for Ethernet type 0x86DD.
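The three checks above (Ethernet type 0x86DD, IPv4 protocol 41, UDP to port 3544) applied to raw Ethernet frames, as an added example that is not part of the original post. The frame builders and sample frames are constructed for illustration, and the handling of VLAN tags, IPv4 options and fragments goes beyond what the post lists.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_UDP, PROTO_41, TEREDO_PORT = 17, 41, 3544  # 3544: default Teredo port

def classify_frame(frame: bytes) -> str:
    """Label one Ethernet frame: native-ipv6, proto41-tunnel, teredo or none."""
    if len(frame) < 14:
        return "none"
    ethertype, offset = struct.unpack_from("!H", frame, 12)[0], 14
    while ethertype == ETH_VLAN and len(frame) >= offset + 4:  # skip 802.1Q tags
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return "none"
    ihl = (frame[offset] & 0x0F) * 4  # IPv4 header length, options included
    frag_offset = struct.unpack_from("!H", frame, offset + 6)[0] & 0x1FFF  # >0: no UDP header
    proto = frame[offset + 9]
    if proto == PROTO_41:
        return "proto41-tunnel"  # ISATAP or 6to4
    l4 = offset + ihl
    if proto == PROTO_UDP and frag_offset == 0 and ihl >= 20 and len(frame) >= l4 + 4:
        if struct.unpack_from("!H", frame, l4 + 2)[0] == TEREDO_PORT:
            return "teredo"
    return "none"

def eth(ethertype, payload, vlan=None):  # constructed frame with zeroed MACs
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return bytes(12) + tag + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload, options=b"", frag_offset=0):  # documentation addresses
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                       20 + len(options) + len(payload), 0, frag_offset, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + options + payload

def udp(dport):
    return struct.pack("!HHHH", 40000, dport, 8, 0)

SAMPLES = [  # constructed frames, not captured traffic
    eth(ETH_IPV6, bytes(40)),                                     # native IPv6
    eth(ETH_IPV4, ipv4(PROTO_41, bytes(40)), vlan=10),            # tunnel, VLAN-tagged
    eth(ETH_IPV4, ipv4(PROTO_UDP, udp(3544), options=bytes(4))),  # Teredo, IP options
    eth(ETH_IPV4, ipv4(PROTO_UDP, udp(53))),                      # unrelated UDP
]

if __name__ == "__main__":
    print([classify_frame(f) for f in SAMPLES])
```
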

What is the security impact? If you are sure that all your end-systems are protected against IPv6 attacks (i.e. your personal firewall is up and configured for IPv6), this is not an issue at all. Otherwise, you can be attacked over IPv6 even if you think that you run an IPv4-only network...

In short, it really is time now to learn more about IPv6 security (may I recommend the book 'IPv6 Security' by Scott Hogg and myself?).

About IPv6 Security
Eric Vyncke works as a Distinguished Consulting Engineer for Cisco. Eric wrote the security section of Networks: Internet, Telephony, Multimedia: Convergences and Complementarities (Springer Verlag, 2003), and has a Master's degree in Computer Science Engineering from the University of Liège. Eric has also co-authored several books on LAN security including his latest, IPv6 Security. IPv6 Security has been selected as the Cisco Subnet June book giveaway. Entry forms for the monthly book giveaway can be found on the Cisco Subnet home page. Read a chapter excerpt of IPv6 Security hosted exclusively by Cisco Subnet.
 
