Why should I care about IPv6 security in my IPv4-only network?

If you have a large network, IPv6 is probably already being used.

While speaking about IPv6 security, I often mention the little-known fact that IPv6 is probably already present in every large network. How can that be? Simply because all modern operating systems (Vista, Windows 7, Mac OS/X, *ix) have IPv6 enabled by default, and an IPv6 implementation does not need a fully deployed IPv6 network to start communicating: from the link-local address (FE80::...), which allows communication on the local link, to the several transition mechanisms based on automatic tunnels such as ISATAP, 6to4 or Teredo.

How can I check? Simple again: use a sniffer or, better, NetFlow to look for any traffic using IPv4 protocol 41 (to detect ISATAP and 6to4) or UDP traffic to port 3544 (the default Teredo port). With a sniffer, look for Ethernet type 0x86DD.

What is the security impact? If you are sure that all your end systems are protected against IPv6 attacks (i.e. the personal firewall is up and configured for IPv6), this is not an issue at all. Otherwise, you can be attacked over IPv6 even if you think you run an IPv4-only network...

In short, now is really the time to learn more about IPv6 security (may I recommend the 'IPv6 Security' book by Scott Hogg and myself?).
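To make the check concrete, here is an added Python example (not from the original post) that applies the three indicators named above, EtherType 0x86DD, IPv4 protocol 41 and UDP port 3544, to raw Ethernet frames and to NetFlow-style (protocol, source port, destination port) tuples. All frames and flow records in it are constructed for the demonstration; the MAC and 192.0.2.x addresses are placeholders, and the IPv4 checksum is left at zero because nothing here validates it.

```python
"""Spot IPv6 on an 'IPv4-only' LAN: native IPv6 frames (EtherType 0x86DD),
IPv6-in-IPv4 tunnels (IP protocol 41: 6to4, ISATAP) and Teredo (UDP 3544).
All sample frames and flow records below are constructed, not captured."""
import struct
from collections import Counter
from typing import Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_UDP = 17
IPPROTO_IPV6_IN_IPV4 = 41   # 6to4 and ISATAP carry IPv6 inside IPv4 protocol 41
TEREDO_UDP_PORT = 3544      # default Teredo port

LABEL_NATIVE = "native ipv6 (ethertype 0x86dd)"
LABEL_PROTO41 = "ipv6-in-ipv4 (proto 41: 6to4/ISATAP)"
LABEL_TEREDO = "teredo (udp 3544)"


def classify_flow(proto: int, src_port: int, dst_port: int) -> Optional[str]:
    """Rule set shared by NetFlow records and parsed frames (None = not IPv6-related)."""
    if proto == IPPROTO_IPV6_IN_IPV4:
        return LABEL_PROTO41
    if proto == IPPROTO_UDP and TEREDO_UDP_PORT in (src_port, dst_port):
        return LABEL_TEREDO
    return None


def classify_frame(frame: bytes) -> Optional[str]:
    """Classify one raw Ethernet frame; returns a label or None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV6:
        return LABEL_NATIVE
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4      # header length in bytes (options included)
    proto = ip[9]
    src_port = dst_port = 0
    if proto == IPPROTO_UDP and len(ip) >= ihl + 8:
        src_port, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return classify_flow(proto, src_port, dst_port)


def summarize(labels) -> dict:
    """Count how many items matched each indicator, dropping non-matches."""
    return dict(Counter(label for label in labels if label is not None))


# --- constructed sample traffic (placeholder MACs and 192.0.2.x addresses) ---
def _eth(ethertype: int, payload: bytes) -> bytes:
    return (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
            + struct.pack("!H", ethertype) + payload)


def _ipv4(proto: int, payload: bytes) -> bytes:
    # Minimal 20-byte IPv4 header: ver/ihl, tos, total length, id, flags/frag,
    # ttl, protocol, checksum (0, not validated here), src, dst.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return header + payload


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


IPV6_HEADER_STUB = b"\x60" + b"\x00" * 39   # version 6, rest zeroed

SAMPLE_FRAMES = [
    _eth(ETHERTYPE_IPV6, IPV6_HEADER_STUB),                                 # native IPv6
    _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_IPV6_IN_IPV4, IPV6_HEADER_STUB)),    # 6to4 / ISATAP
    _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, _udp(54321, TEREDO_UDP_PORT, b"teredo"))),
    _eth(ETHERTYPE_IPV4, _ipv4(IPPROTO_UDP, _udp(12345, 53, b"dns"))),      # plain IPv4
    _eth(0x0806, b"\x00" * 28),                                             # ARP
]

# NetFlow-style (proto, src_port, dst_port) tuples, also constructed.
SAMPLE_FLOWS = [(6, 40000, 443), (41, 0, 0), (17, 3544, 60000), (17, 60001, 123)]

if __name__ == "__main__":
    print("frames:", summarize(map(classify_frame, SAMPLE_FRAMES)))
    print("flows: ", summarize(classify_flow(*f) for f in SAMPLE_FLOWS))
```

Any non-empty summary from a network that is supposed to be IPv4-only is worth following up: protocol 41 or Teredo traffic means hosts are tunnelling IPv6 out past controls that only inspect IPv4, and native 0x86DD frames mean IPv6 is live on the link itself.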


Copyright © 2009 IDG Communications, Inc.