27

We are considering enabling ipv6 on our webservers, so that we are reachable with both ipv4 and ipv6. Are there any security issues we should consider when enabling ipv6?

Jeff
Peter Smit

3 Answers

18

IPv6 only:

  • Unlimited size of header chain can make filtering difficult.
  • IPsec is not a panacea:
    • IPv6 mandates the implementation of IPsec
    • IPv6 does not require the use of IPsec
    • Some organizations believe that IPsec should be used to secure all flows:
      • Interesting scalability issue
      • Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
      • Network telemetry is blinded
      • Network services hindered
  • I recommend not using IPsec end to end in an administrative domain but for residential, hostile environment, or high profile targets.

IPv6 Attacks With Strong IPv4 Similarities:

  • Sniffing
    • Without IPSec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
  • Application layer attacks
    • Even with IPSec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent
  • Rogue devices
    • Rogue devices will be as easy to insert into an IPv6 network as in IPv4
  • Man-in-the-Middle Attacks (MITM)
    • Without IPSec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
  • Flooding
    • Flooding attacks are identical between IPv4 and IPv6

IPv4 and IPv6 dual stack (as you mentioned):

  • Applications can be subject to attack on both IPv6 and IPv4 (weakest link)
  • Security controls should block and inspect traffic from both IP versions
Jeff
MITM attacks are harder even without IPSec now with the SeND extension of NDP introducing router authorization, and cryptographically generated addresses. – Shou Sep 24 '15 at 01:22
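
The answer above notes that an unlimited header chain makes filtering difficult. As an added example (not part of the answer or its comment), this sketch shows what a filter must do to find the TCP/UDP header in a raw IPv6 packet, and where it has to give up. The cap `MAX_EXT_HEADERS`, the verdict names and the `build` helper for constructed sample packets are assumptions of this example.

```python
import struct

# Headers with the generic RFC 8200 layout: a next-header byte, then a
# length byte counting 8-octet units beyond the first 8 octets.
GENERIC_EXT = {0, 43, 60, 135, 139, 140}
FRAGMENT, ESP, AH = 44, 50, 51
MAX_EXT_HEADERS = 8  # local policy cap (assumption), not a protocol limit

def upper_layer(packet, max_ext=MAX_EXT_HEADERS):
    """("upper", proto, off) when the transport header is found, ("opaque",
    reason, off) when it is not visible, ("drop", reason, off) otherwise."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ("drop", "not-ipv6", 0)
    nxt, off, seen = packet[6], 40, 0
    while nxt in GENERIC_EXT or nxt in (FRAGMENT, AH):
        seen += 1
        if seen > max_ext:
            return ("drop", "chain-too-long", off)
        if off + 8 > len(packet):
            return ("drop", "truncated", off)
        if nxt == FRAGMENT:
            # Upper 13 bits of bytes 2-3 hold the fragment offset.
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return ("opaque", "non-first-fragment", off)
            hdr_len = 8
        elif nxt == AH:
            hdr_len = (packet[off + 1] + 2) * 4  # AH counts 4-octet units
        else:
            hdr_len = (packet[off + 1] + 1) * 8
        nxt, off = packet[off], off + hdr_len
    if off > len(packet):
        return ("drop", "truncated", off)
    if nxt == ESP:
        return ("opaque", "esp", off)  # encrypted: ports cannot be inspected
    return ("upper", nxt, off)

def build(types, frag_offset=0):
    """Constructed sample packet: minimal 8-byte headers of the given types
    (last entry is the upper-layer protocol), 2001:db8::1 -> 2001:db8::2."""
    body = b""
    for here, nxt in zip(types, types[1:]):
        if here == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, frag_offset << 3, 1)
        else:
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])  # PadN fills the header
    body += b"\x00" * 20  # placeholder transport header
    addr = bytes.fromhex("20010db8" + "00" * 11)
    hdr = struct.pack("!IHBB", 6 << 28, len(body), types[0], 64)
    return hdr + addr + b"\x01" + addr + b"\x02" + body
```

The "opaque" verdicts are the cases where a port-based rule has nothing to match on, so the policy for them has to be decided explicitly rather than left to a default.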
11

Many sites use private addressing inside their network, and the router runs NAT so that outgoing connections are feasible. The NAT thing implies, by construction, the same effect as a firewall which would prevent any incoming connection from the outer world to one of the machines in the inner network.

When you enable IPv6, inner machines become externally visible. So you'd better set up baseline filtering rules on the firewall before enabling IPv6. Think about an unpatched old Windows system, full of remotely exploitable holes, which was harmless as long as it simply sat in the inner network without doing any network activity with the Internet at large (e.g. a workstation used only to connect to some intranet).

This is not really IPv6's fault. It is that IPv6 was designed so that there is no address shortage, making NAT unnecessary. I believe that most security issues which will occur with IPv6 deployment will follow that pattern: IPv6 nullifies the "inherent firewall" effect of NAT, uncovering many vulnerable hosts. To some extent, this is the same story as the advent of WiFi, which nullifies the inherent physical security of plain wires.

Thomas Pornin
3

I ran across a recent paper on the subject: CPNI VIEWPOINT - SECURITY IMPLICATIONS OF IPv6 - MARCH 2011. The main points it makes are risks shared by many new technologies:

  • less mature than IPv4, so probably more bugs
  • less support in security products
  • more complex => bigger attack surface, especially for dual-stack environments
  • less familiarity by support staff

So before deploying IPv6, you should take the time to become familiar with the technology, work with savvy suppliers, and have a plan to address these issues.

The report goes into a bit more discussion of e.g. the NAT-free option.

Sounds like a good market developing out there for IPv6-savvy security folks. (As if there weren't other opportunities out there....)

nealmcb