96

I was reading this article about hardening security on Linux servers, and in point #23, the article says:

#23: Turn Off IPv6

Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. If you are NOT using IPv6 disable it:

The article then gives links to different websites which tell how to disable IPv6. Neither the article nor any of the links, however, seem to tell why IPv6 should be disabled if not used.

Since the article was on hardening security on Linux servers, how would disabling IPv6 make a server any more secure?

vakus
  • 3,743
  • 3
  • 20
  • 32
  • 90
    *"If you are NOT using IPv6 disable it"* - In general: the more software you have installed and the more features you have enabled the larger is the attack surface of your system. Thus, don't install software you don't really need and don't enable features you don't need. – Steffen Ullrich Mar 20 '18 at 20:08
  • 1
    @SteffenUllrich I understand overall that less software / features is better, however I fail to see how disabling IPv6 would make the system more secure, this however doesn't mean that I do not agree that disabling IPv6 is making system more secure – vakus Mar 20 '18 at 20:24
  • 30
    I am going to guess that many of the web sites referenced by the OP are dated as well. For a long time, the IPv6 security features in many products was "lacking" in comparison to IPv4. That is generally speaking no longer true. IPv6 is required today if you want to communicate with some Internet hosts without resorting to some sort of intermediate 6to4 tunnel/gateway. Additionally, IPv4 is now often run through CGN/LSN by many carriers, while IPv6 is not. Disabling IPv6 today is probably a bad idea unless you really have a need to do so. – YLearn Mar 20 '18 at 20:31
  • 7
    If you can communicate sufficiently well over IPv6 to be attacked remotely, then by definition you are "using IPv6." – Karl Bielefeldt Mar 21 '18 at 11:11
  • 3
    @vakus The code that implements IPv6 is not the same as that which implements IPv4. Therefore it's possible there's a vulnerability in the former that does not exist in the latter. Disabling something with the potential to introduce an extra vulnerability makes the system more secure. Alternatively, flip it around. Once it's disabled, does it enhance/degrade security to enable it? Bruce Schneier once explained why his security security appliances excluded the `bash` shell under the simple rule: If we don't _need_ something, we don't _want_ it available to be used by an attacker. – Monty Harder Mar 21 '18 at 15:37
  • It saves you time - e.g. you don't have to write any `ip6tables` rules if you know you're not accidentally providing any IPv6 services. – Toby Speight Mar 21 '18 at 18:10
  • 1
    Eventually we all need to know ipv6 :(, ipv4 was so much easier but i understand the need for ipv6 – FreeSoftwareServers Mar 22 '18 at 09:15
  • 1
    If you have two doors, but never use one of them, lock that door. – Martijn Mar 22 '18 at 10:06
  • If you are using NAT: https://security.stackexchange.com/questions/7821/is-ipv6-with-nat-less-secure-than-ipv4/7831#7831 – DougC Mar 22 '18 at 18:23
  • 2
    My first thought when I saw the question was, "Why are you still using IPv4?" Every ISP I've connected to in the last couple of years has IPv6 addressing. The more pressing question, I think, is "Does the vast majority of users even need IPv4 anymore?" – Tracy Cramer Mar 22 '18 at 21:02
  • @FreeSoftwareServers What's easier about it? Is it just shorter addresses? – user253751 Mar 22 '18 at 23:01
  • @immibis because its shorter and not alpha numerical, just numerical. Its clearly easier to remember which is nice. – FreeSoftwareServers Mar 22 '18 at 23:16
  • 1
    It is 2018. Why are security articles not saying, "Disable IPv4"? – Greenstone Walker Mar 23 '18 at 02:38
  • 2
    @GreenstoneWalker because IPv6 is still optional and IPv4 is still not. – user253751 Mar 23 '18 at 03:22
  • Vakus, to address your comment asking why disabling it is more secure with respect to @SteffenUllrich 's comment regarding reducing the attack surface: Reducing attack surface isn't strictly about reducing *known* risk. It's as much, or more, about reducing *unknown* risks. In other words, even if you don't *know* something has a specific risk, disabling it (if not in use) is assumed to reduce your risk profile since you're removing the *chance* that it has a risk you're not aware of. Total risk is the sum of known risk plus an assumed estimation of unknown risk – dwizum Mar 23 '18 at 20:14
  • To further the analogy made by @Martijn - suppose your enemy does not know how to open doors. There is no known risk! However, you should still lock the unused door, to protect against the risk that tomorrow, your enemy learns how to open doors. – dwizum Mar 23 '18 at 20:16
  • 1
    @immibis Wrong. [RFC 6540](https://tools.ietf.org/html/rfc6540) makes IPv6 mandatory. Many consider vintage IP optional, though. – Martin Schröder Mar 24 '18 at 21:13
  • Relevant for all IPv6 haters: https://ipv6bingo.com/ – Martin Schröder Mar 24 '18 at 21:19
  • Because turning off IPv6 makes IPv4 the only stack left and IPv6 is notorious for being used as a covert channel and stack-defenses bypass. – atdre Mar 25 '18 at 17:43
  • @MartinSchröder And here we see the difference between standards and the real world. – user253751 Mar 25 '18 at 23:14
  • @TracyCramer I've never had an IPv6 address except through EC2. My residential ISP does not offer IPv6 (perhaps on demand, I should ask). My office does not have IPv6. My cellphone does not get an IPv6 address. It seems like the entire country of New Zealand is collectively sticking our head in the sand, though I assume the core infrastructure was upgraded to support it. Only new startup ISPs, that can't get IPv4 addresses to start with, are using IPv6. And NZ is not the world's most technologically backwards country (though it probably ranks in the middle). – user253751 Mar 26 '18 at 00:33

10 Answers10

134

From a firewall perspective it is important to realize that both IPv4 and IPv6 (if enabled) are configured on a system and this is not always the case.

In my experience, I have been able to bypass (internal) firewalls. In one scenario, on a Linux machine, iptables was configured however, ip6tables was not, which exposed (vulnerable) services that were not available over IPv4.

Since most services bind to 0.0.0.0 and [::]:[port] (every interface), these services are also available over IPv6.

So, yes it is important to consider disabling IPv6 if you do not use it. If you do use it, you or administrators in general should be made aware that (at least on Linux servers) extra firewall configuration is required.

And before you start that administrators should be aware of this, you are totally correct. However, from experience there is lacking a lot of IPv6 knowledge among system administrators.

CaffeineAddiction
  • 7,517
  • 2
  • 20
  • 40
Jeroen
  • 5,783
  • 2
  • 18
  • 26
  • 15
    Do note that binding to 0.0.0.0 is not all it takes to listen on IPv6. The application must explicitly set it up to use IPv6 sockets. – multithr3at3d Mar 20 '18 at 23:27
  • 6
    @multithr3at3d: That's certainly platform dependent, and even then, only true from a kernel perspective. Many networking libraries will do the work of enabling IPv6 without requiring explicit action by the application programmer. – Ben Voigt Mar 21 '18 at 04:18
  • @multithr3at3d: You are correct, updated my post. – Jeroen Mar 21 '18 at 05:33
  • 14
    `ip6tables`, not `iptables6` – user541686 Mar 21 '18 at 05:55
  • 3
    @BenVoigt: I believe it's usually the opposite: IPv6 (AF_INET6) sockets bound to `[::]` can accept IPv4 connections, but **not** the other way around. _(If an IPv4 socket accepted an IPv6 connection, how would the OS store the peer's IPv6 address in a 4-byte field?)_ – user1686 Mar 21 '18 at 07:35
  • 2
    @grawity: What I'm saying is that the library probably provided a field big enough for AF_ANY addresses, even without the application having to ask for IPv6 support. – Ben Voigt Mar 22 '18 at 01:31
  • Would it be more secure to disable IPv4 and properly configure IPv6 than to properly configure IPv4 and disable IPv6? – Tracy Cramer Mar 22 '18 at 20:55
  • @Tracy that can't be said for sure, but it could certainly reduce exposure from internet scanners and attacks – multithr3at3d Mar 24 '18 at 05:10
  • There is definitely no way a socket bound as ipv4 can accept ipv6 connections without some ugly kind of DNAT, since the API simply has no way to represent an ipv6 source address. I don't think it's plausible to claim that binding a `AF_INET` socket to 0.0.0.0 exposes you to potentially unwanted ipv6 connections. You'd have to really go out of your way with advanced iptables/routing stuff to make that possible. – R.. GitHub STOP HELPING ICE Mar 25 '18 at 01:32
42

There is not specific advantage in disabling IPv6. In particular, IPv6 is not more vulnerable than IPv4, rather I'd say that it is more secure (e.g.: IPv6 suggests to support IPSec).

The point is that while hardening your operating system the general philosophy recommends removing all unused services/tools. This allows a better control on your O.S., improve performance (in a generic way), and reduce the probability that attackers can exploit possible software bugs or misconfigurations and gain (partial) control/access of/to the system. Thus, removing an unused IPv6 is just a generically recommended action to finalize the hardening.

flex
  • 549
  • 3
  • 5
  • 27
    As in the other answer, the specific advantage of disabling IPv6 is it's one less thing to forget when configuring your system. It isn't more vulnerable than IPv4, but it is another entry point that must be properly configured. If you aren't using it, then you're probably not configuring it correctly either, so disabling it is a good idea in that case... – Shadow Mar 21 '18 at 00:07
  • 1
    +1 for reiterating that ipv6 is actually MORE secure, which makes sense but i doubt many people have need for ipv6 beyond ISP's – FreeSoftwareServers Mar 22 '18 at 09:07
  • In addition to the obvious possibilities of lacking firewall rules and exploits being present in independent code, there is also the fact that IPv6 has roughly 40 fewer years of beta- and penetration testing out in the wild than IPv4. Unknown issues with IPv4 are pretty much guaranteed to not exist given its long lifetime. Unknown issues with IPv6 are not just possible but probable. – Damon Mar 24 '18 at 12:18
25

The advice is well-meaning but dated.

IPv6 is specifically designed to be very easy to set up and administer, much easier than IPv4. It has many features meant to cause hosts and entire networks to be autoconfigured or easily centrally configured. In many cases it's possible for entire networks to suddenly gain IPv6 connectivity to the Internet as soon as it's brought to the network edge, which may surprise some people.

This advice was historically meant to protect administrators both from themselves - as they may not be familiar with IPv6 features - and from malicious actors - as when they finally do gain IPv6 connectivity to the Internet, devices will attempt to autoconfigure and sometimes succeed. Further, certain versions of Windows attempt to establish IPv6 tunnels to the Internet out of the box, again surprising some users and administrators. (As an aside, disabling these tunnels is almost always a good idea unless they're specifically desired.)

And as others have mentioned, some ancient firewalls from 5-10 years ago or more did not properly configure themselves to firewall IPv6 in addition to IPv4. This is not as big of an issue today, as such ancient devices become more rare with each passing day.

These days, most people actually are using IPv6 even if they don't have global IPv6 connectivity. Windows 8 and later use IPv6 extensively on home networks, and some Windows features absolutely require IPv6.

From the standpoint of balancing functionality with security, it would be better to advise people to ensure that IPv6 is firewalled correspondingly to IPv4, even if they do not have global IPv6 connectivity. This would preserve IPv6 functionality that already exists while protecting the users when they finally do gain global IPv6 connectivity.

Michael Hampton
  • 3,877
  • 1
  • 22
  • 32
  • 6
    This is Security.SE; sure IPv6 has more automatic features than IPv4, but from a security standpoint, this would be a nightmare. I know plenty of part-time ops guys who configure some networking here and there which would never have any contact with the IPv6 world at all; and I'd rather that the one thing they do with IPv6 would be to disable it, instead of leaving it open with any default settings it may have - on some devices, that may just be barn-door-open with default settings... Obviously configuring/firewalling it correctly would be preferable, but not leaving it at default settings. – AnoE Mar 21 '18 at 10:07
  • 2
    @AnoE This is a good point. If you aren't familiar with a technology, then from a security standpoint you shouldn't enable it until you are familiar enough with it. Of course, not enabling IP makes it hard to use the Internet, and in future, not enabling IPv6 may make it hard to do much of anything. We could go all the way back to the secure computer buried in concrete... – Michael Hampton Mar 21 '18 at 14:41
  • Not at all. I am not talking about disabling an "inactive" component, but about disabling a component which may be (in very conceivable cases) a wide open default configuration. This is, IMO, on the same level to default passwords "admin" in popular routers. I never said to disable IP. If IPv6 becomes required, the administrator will *obviously* notice that and then put his mind to configuring IPv6 correctly. – AnoE Mar 21 '18 at 15:41
  • 2
    `If IPv6 becomes required, the administrator will obviously notice that and then put his mind to configuring IPv6 correctly.` That's a rather generous assumption. I suppose it changes little in regards to this question/answer, but the far more likely scenario is that the administrator (who is also the Wordpress "developer" and IT director) just turns it on, gets hacked, and tells all this PHB colleagues about how IPv6 is so insecure. – HopelessN00b Mar 22 '18 at 14:41
  • @HopelessN00b I think you are giving the administrator too much credit. When IPv6 becomes required I think most administrators will not notice and carry on with business as usual. – kasperd Dec 17 '18 at 10:55
17

Short answer: Yes, but for the best effect you should disable IPv4 as well.

Serious answer: If you do not use a protocol actively but accept packets, you increase the risk. The most obvious thing is the networking stack, as it must process the packets even if there is nothing using IPv6.

But the actual risk is, that you're indeed using IPv6, just not actively. You may not use IPv6, but some of your programs open listening sockets on IPv6 (and IPv4 as well) and will process packets coming in. Again you have additional complexity (do they handle v6 packets as careful as v4 ones?) and you may have a good IPv4 firewall but forgotten the appropriate rules for v6 as you thought you're not using it anyway.

And another "Are you sure you're not using it": You may not actively use it, but programs like your browser will use it if it is available. When you now for example blocked some tracking websites on the IP level, they may be loaded from their IPv6 address and your firewall does not protect you against this until you add the corresponding v6 rules.

Having this said, you should not disable IPv6. More and more of the internet is using it and disabling it will first make your network slower and sooner or later make it impossible for you to reach certain services. Just make sure to adjust your firewall for IPv6 as well when you add rules for IPv4.

allo
  • 3,173
  • 11
  • 24
  • 2
    Short comment: Disabling IPv6 will, especially going forwards, making your system more secure in the same way that disconnecting it from the internet will: Technically, but probably not at a reasonable cost for most purposes. – Williham Totland Mar 21 '18 at 22:28
  • 1
    Good point on not knowing you use IPv6, some programs use it without your knowledge and require it, xbox live for windows comes to mind – FreeSoftwareServers Mar 22 '18 at 09:11
6

Many applications depend on IPv6 support even if they don't use it. They use IPv6 sockets for example. Turning IPv6 off completely by removing the ipv6 kernel module will break stuff.

It's much better to make sure that IPv6 is properly firewalled, taking into account that IPv6 is always present on the local link even when no other IPv6 addresses are configured. Most recent Linux distributions have a decent firewall (usually ufw or firewalld) enabled by default that will filter both IPv4 and IPv6.

In short: it's better to acknowledge the presence of IPv6 and manage/filter it than to try to ignore it or get rid of it and cause other problems.

Sander Steffann
  • 381
  • 1
  • 7
  • I'm not sure that "breaking" the services necessarily makes them more secure. Can you justify that claim? (Or are you actually answering a different question to the one that was asked?) – Toby Speight Mar 21 '18 at 18:06
  • I am saying that yes: disabling an unused protocol might increase security, but at the cost of breaking other things. Therefore disabling might not be a good idea... – Sander Steffann Mar 22 '18 at 02:17
  • 1
    I've just realised that the question in the title is different to the one in the last line of the question - you answered a different one than I read. I really wish askers wouldn't do that... – Toby Speight Mar 22 '18 at 08:05
  • I dont know about saying "many" applications, there are a growing amount but its not that many ATM. Also when I setup servers they are usually for a specific purpose, so my 2 cents would be disable it and test servers functions and reenable if you have troubles. – FreeSoftwareServers Mar 22 '18 at 09:15
4

If you have no legitimate need for it, IPv6 will only serve as another channel for exploits to enter your network and for your data to exfiltrate undetected. The general rule for security is to disable anything you don't require.

Even if you block it at the perimeter firewall, an attacker could compromise one host (perhaps DMZ?) over IPv4 and spread via IPv6 from within.

Most firewall and IDS products have decent IPv6 support now, so the original concerns about poor IPv6 monitoring are mostly outdated.

Regardless, it is better to deny an adversary the opportunity by disabling it. If it cannot be disabled, restrict IPv6 on the local firewall so it only allows local/loopback communication for applications that require IPv6 sockets.

DoubleD
  • 3,862
  • 1
  • 6
  • 14
2

This is basically the same as what's been said, but let's put it this way:

Option 1: use IPv6, and put the same effort into configuring and securing it as you do IPv4.

Option 2: don't use it, and disable it.

Both of these are completely reasonable, and are a much better position to take than Option 3: don't use IPv6, but ignore it in your firewall rules and service configuration, and leave it completely wide open.

In other words, the advice is good, and it is not really recommending against using IPv6 if you specifically want to use it, but it is rather warning people who don't use it against the pitfall of ignoring it, and not giving it the same scrutiny as you do your IPv4 config. Those people would be better off disabling it.

The general principle of disabling anything that you do not want to use stands, but if your service is such that "IPv6 support" is one of your specified/advertised features, that would justify using it but putting in the effort to secure it.

thomasrutter
  • 1,465
  • 11
  • 16
1

It is a general security principal to disable any functionality that is not being used. Also, consider that IPv6 has IPSec built in and may be a better option than IPv4 by default.

firstlastsabbatical
  • 11
  • 1
0

From a security perspective, less is better when it comes to software and applications. IPV6 should be disabled unless you are currently deploying an IPv6 network. Keep in mind, to my understanding all of the IPv4 addresses have been handed out and IPv6 in coming on the scene and others are advising that you leave the IPv6 protocol enabled. I disagree! When you need the protocol enable it. Same is true with applications and ports.

SecurityDoctor
  • 23
  • 6
  • 5
    The world is moving toward IPv6, albeit slowly. I think a far better strategy is to correctly deploy IPv6 than to shut it off. Disabling IPv6 is tantamount to turning off the LTE on your phone so that malware loads more slowly :) – Jim MacKenzie Mar 22 '18 at 17:18
  • Thank you for your comment but I have to both agree and disagree with you at the same time. It is true that world's technology infrastructure with eventually need to migration and deploy iPv6 protocols. However, your example is flawed. I see the situation more in terms of doors. IPv4 is the front and IPv6 is less used back door. Locking them both makes the most sense. – SecurityDoctor May 09 '18 at 17:32
  • 1
    Precisely. Correctly deploy IPv6, don't disable it. It'll soon be needed. – Jim MacKenzie May 09 '18 at 17:35
  • I still say activate the protocols you NEED NOW and nothing else. When I deploy a new server installation only the applications that I am currently in need of are active, IPv6 in not here yet. Many ISP's are not even offering support for the protocol. Why give an attacker an edge by leaving a protocol active that is not needed. – SecurityDoctor May 09 '18 at 17:43
  • 2
    If you can do testing and be 100% certain that things will fail gracefully when IPv6 connectivity becomes needed but isn't present, then there is an argument to be made. But... certainty is required. – Jim MacKenzie May 09 '18 at 17:50
  • Thank you the for the spirited discussion! Entire career tracks are developing due to IPv6 migration. It is true, we are unsure of the attack sectors and patches required to fix the vulnerabilities in this protocol. I just live by the mantra that less is better. – SecurityDoctor May 09 '18 at 17:57
  • I feel you've been unfairly downvoted for this, and you're not actually saying anything different than the upvoted answers except that all IPv4 addresses have been handed out, which is true only in some regions but nonetheless they are scarce. But the advice makes sense. The LTE analogy in the first comment makes no sense to me. – thomasrutter Jan 15 '21 at 01:32
-1

There a different sides to this.

First of all, from a purely statistical point of view, the more access points/doors you open the more vulnerable your system becomes. This is true for most services though.

More specifically, however, IPv6 has not been implemented on a large enough scale yet to be able to fully understand its vulnerabilities and patch them, yet. Even the best IP experts have virtually no concrete field experience when it comes to IPv6.

On top of that, IPv6 handles certain operations in a radically different way than IPv4 does and this has created new opportunities for attackers... A very well known vulnerability, for example, comes from the different way a router sends out IPv6 advertisements, which makes a LAN a very easy IPv6 DOS target, see IPv6 Router Advertisement DOS.

Entire suites of tools, meant for exploiting the vulnerabilities of IPv6, are easily available all over the internet.

I always make sure IPv6 is disabled on all my devices. Why take unnecessary risk, for something which basically nobody uses/supports yet?

fuzzKitty
  • 101
  • 1