Attacking IPv6


Transition to IPv6 is inevitable, since it will sooner or later become the only game in town for new address space. The transition will be prolonged in part by the ability to use NAT to run large numbers of Internet nodes behind a single address, and by the reassignment or resale of IPv4 addresses currently lying fallow—huge numbers of addresses, at least by IPv4 standards, are stranded within Class B and C spaces assigned early on. Many a college and university got in early, got a B, and currently uses very little of it. Nemertes finds that 78% of companies have no transition plans yet; the 22% with plans are aiming for a coexistence strategy of some sort—dual stack, enterprise-grade NAT—and expect coexistence to be the status quo for quite a while.

Unfortunately, the long transition is going to present malefactors huge opportunities for attacking IPv6 nodes in predominantly IPv4 networks. It’s easy to go to a place like and download a basic attack toolkit for exploring, identifying, and exploiting known vulnerabilities in v6 implementations. The tools help in establishing v6 man-in-the-middle attacks and provide for several flavors of denial of service, ranging from using fake address collisions to prevent a node from picking up an address at boot, to router flooding, to our old friend smurf. There are even tools that circumvent first-gen defenses against router-announcement exploits.

Clearly, part of the planning for an extended period of transition has to be planning to secure the sanctioned use of IPv6 in the network with security tools that bring at least the same level of security to the new protocol space that tools already in place provide under v4. Plans should also include actively seeking out and disabling non-sanctioned uses of v6, to prevent vulnerabilities like these from being exploited while IT still has significant blind spots.
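As an added illustration of seeking out non-sanctioned v6 (this is not code from the original article), the Python sketch below audits passively observed source addresses against a policy and flags router advertisements from unapproved routers. The sanctioned prefix, router allow-list, port names and sample observations are all constructed assumptions; the Teredo, 6to4 and ISATAP address patterns are the well-known ones from their RFCs, which the article itself does not name.

```python
import ipaddress

# Assumed policy (constructed): the one IPv6 prefix IT has sanctioned, and the
# link-local addresses of routers allowed to send router advertisements.
SANCTIONED_PREFIXES = [ipaddress.ip_network("2001:db8:10::/48")]
SANCTIONED_ROUTERS = {ipaddress.ip_address("fe80::1")}
TEREDO = ipaddress.ip_network("2001::/32")       # RFC 4380
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # RFC 3056
LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def classify(addr):
    """Label a source address by how it relates to the sanctioned v6 deployment."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return "ipv4"
    if any(a in net for net in SANCTIONED_PREFIXES):
        return "sanctioned"
    if a in TEREDO:
        return "teredo-tunnel"
    if a in SIX_TO_FOUR:
        return "6to4-tunnel"
    # ISATAP (RFC 5214) interface IDs start 0000:5efe or 0200:5efe, then the IPv4 address.
    if ((int(a) >> 32) & 0xFFFFFFFF) in (0x00005EFE, 0x02005EFE):
        return "isatap-tunnel"
    return "link-local-only" if a in LINK_LOCAL else "unsanctioned-global"

def audit(observed):
    """Return (port, source, reason) for every observation outside policy."""
    findings = []
    for port, src, kind in observed:
        label = classify(src)
        if kind == "router-advert" and ipaddress.ip_address(src) not in SANCTIONED_ROUTERS:
            findings.append((port, src, "rogue-router-advert"))
        elif label not in ("ipv4", "sanctioned", "link-local-only"):
            findings.append((port, src, label))
    return findings

# Constructed sample of what a passive sensor might log: (switch port, source, packet kind).
OBSERVED = [
    ("gi0/1", "2001:db8:10:1::25", "data"),
    ("gi0/2", "fe80::1", "router-advert"),
    ("gi0/7", "fe80::dead:beef", "router-advert"),
    ("gi0/9", "2001:0:4136:e378:8000:63bf:3fff:fdd2", "data"),
    ("gi0/11", "2002:c000:204::1", "data"),
    ("gi0/12", "fe80::5efe:c0a8:105", "data"),
    ("gi0/13", "192.0.2.44", "data"),
]
if __name__ == "__main__":
    print(audit(OBSERVED))
```

Each finding names the switch port to investigate; tunnel labels point to hosts carrying v6 over the v4 network where v4-only security tools may not inspect it.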


Copyright © 2011 IDG Communications, Inc.