
IPv6 Can No Longer Be Ignored


While IPv6 has been a defined standard since 1998, the end-user adoption of this standard is minimal. Less than 1% of Internet peers utilize IPv6 in the course of normal operation. However, IPv6 support within operating systems and network routers is becoming commonplace. While IT personnel continue to be focused on IPv4, IPv6 capabilities may already be active by default on many Internet connected systems within an IT professional's environment. These IPv6 interfaces generate traffic which can bypass traditional controls based on IPv4 technology. Although IPv6 is likely to eclipse IPv4 as the dominant Internet protocol, the path to this state is disorganized and unclear. This state indicates that as IPv6 gains inertia as a legitimate Internet protocol, IT administrators need to be aware of and manage IPv6 traffic on their network with as much vigilance as they would apply to the more commonplace IPv4.

Kevin D. Wilkins, CISSP, Senior Network Engineer, iSecure LLC

After coursework at the Rochester Institute of Technology, Kevin’s professional experience includes ISP and VOIP operations. Kevin has 10 years of industry experience in system and network engineering and platform management. In the last few years, a focus on information security has brought his experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.

Peter Rounds, Senior Network Engineer, Syracuse University

Peter has been a Sr. Network Engineer at Syracuse University for 11 years. He is responsible for maintaining core network infrastructure consisting of Internet edge traffic identification/management, Internet BGP routing and security profile management, campus OSPF and security profile management, and data center network and security profile management. He is responsible for numerous security technologies for the University.

  • 1. IPv6 Can No Longer Be Ignored
    Copyright 2010 - ISecure LLC
    Prepared for Attendees
    of the
    2010 ISSA Rochester Security Summit
  • 2. Presenters
    Kevin Wilkins, CISSP – Sr. Network Engineer, iSecure LLC
    My professional experience includes 12 years of ISP and VOIP operations. In the last few years, a focus on information security at iSecure has brought my experiences together into a consolidated viewpoint of enterprise-wide security policy and implementation.
  • 3. Presenters
    Peter Rounds – Sr. Network Engineer, Syracuse University
    Senior network engineer at Syracuse University for 11 years. Responsible for maintaining core network infrastructure, including Internet traffic management implementation and security profiles.
  • 4. Synopsis
    Hidden risks to enterprise network resources may exist through unmonitored use of IPv6 and IPv4-to-IPv6 transition mechanisms such as the encapsulated IPv6 protocols 6to4, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP, carried as IP Protocol 41), and Teredo. This discussion includes an introduction to IPv6, the identification of encapsulated IPv6 protocols, their potential threats to enterprise resources, and mitigation strategies designed to protect enterprise resources from these potential threats.
  • 5. What is IPv6?
    IPv6 is a revised IP protocol intended to supplement and replace IPv4.
    IPv6 was ratified in 1998 as RFC 2460.
    IPv6 addresses use a 128 bit value, vs. IPv4's 32 bits. This provides an address space on the order of 3.4x10^38 addresses. (Nearly a "duodecillion"!!)
  • 6. What is IPv6 for?
    IPv6 has this large address space as a necessary enhancement to IPv4's much more limited 4.29x10^9 (4.29 billion) possible addresses.
    The Internet Engineering Task Force (IETF) has foreseen an eventual depletion of available IPv4 addresses, thus IPv6 was designed.
  • 7. Projected IPv4 Exhaustion
    Projected IANA Unallocated Address Pool Exhaustion:
    INTEC Systems Institute "IPv4 Exhaustion Counter"
  • 8. IPv4 Example…
    IPv4 address range: -> = 4,294,967,296 possible addresses
    An IPv4 address: ""
  • 9. IPv6 Example…
    IPv6 address range: 0000:0000:0000:0000:0000:0000:0000:0000 -> ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses!
    An IPv6 address:
  • 10. Where is IPv6?
    As a commonly accepted protocol, IPv6 has seen difficulty gaining momentum. Almost the entire IT industry is perfectly happy with IPv4, and converting an established network to use IPv6 addresses is a monumental task.
    Most use of IPv6 today is found in research, dedicated networks, and by an inquisitive few.
  • 11. Where is IPv6... Really?
    Since 2008, the US Government has mandated that new purchases of computer and network equipment must support certain minimum standards for IPv6. See NIST Special Publication 500-267.
    IPv6 is becoming generally supported in network devices, operating systems, remote management protocols, and other networked applications.
    Microsoft Windows XP/Server 2003 offered optional support for IPv6. Microsoft Windows Vista/Server 2008 and beyond have nearly complete IPv6 support, and the protocol is enabled by default. Linux and Cisco also support IPv6.
    Recent versions of Microsoft Windows also include utilities which will encapsulate IPv6 traffic within an IPv4 tunnel.
  • 12. So I might be running IPv6 now?
    Yes! And this new IPv6 capability in contemporary systems represents an unknown security risk.
    The IT industry's propensity to ignore IPv6 in favor of IPv4 means that local administrators might be unaware of the IPv6 traffic potentially traversing their network and interacting with their information systems.
    Furthermore, support for IPv6 on contemporary network security devices seems to be lagging behind IPv6 support in operating systems and routers. Network based Content Inspection, Intrusion Prevention, and Antivirus may be ineffective at scanning native or encapsulated IPv6 traffic.
  • 13. IPv6 Interfaces in Windows Vista
  • 14. IPv6 Routes in Windows Vista
  • 15. Windows Vista is Listening on IPv6
  • 16. DNS: “A” record and “AAAA” Record
  • 17. Wait, what was this about encapsulated IPv6?
    Encapsulation technologies such as Teredo, 6to4 and IP Protocol 41 (ISATAP) were developed to aid in the transition to IPv6.
    These transition aids are necessary, as both IPv4 and IPv6 will coexist for quite some time.
    RFC 5211 “An Internet Transition Plan” describes the use of these IPv6 encapsulation mechanisms as the IPv4 address space becomes depleted and organizations are forced to migrate to IPv6.
    Network security devices might not be able to "peel the onion" to discover what applications and threats might be utilizing IPv6 resources within the IPv4 encapsulation.
  • 18. Teredo and Windows
    Windows Vista and Windows 7 have an IPv6 encapsulation service called Teredo, which is enabled by default.
    Teredo will automatically seek out a Teredo gateway (teredo.ipv6.microsoft.com), assign an IPv6 address to the Teredo interface, and attempt to route IPv6 traffic.
    Teredo is intended for tunneling IPv6 traffic via an IPv4 NAT router.
  • 19. Pinging Via Teredo
  • 20. Example: IPv6/Teredo in Wireshark
  • 21. 6to4 and Windows
    6to4 is intended for tunneling IPv6 traffic via non-NAT IPv4 transport.
    A host or router intending to use 6to4 must have inherent IPv6 support and a routable (non-NAT) IPv4 address.
    IPv6 traffic is encapsulated and tunneled via an IPv4 network from one IPv6 network to another IPv6 network on the remote end.
  • 22. ISATAP and Windows
    ISATAP is another transition mechanism in which IPv6 traffic is tunneled via IPv4.
    ISATAP packets use IPv4 with the IP Protocol field set to 41.
    ISATAP is typically seen on an intranet for host-to-host communication, but host-to-router communication is also possible.
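    The three tunnel mechanisms on slides 18 to 22 each embed IPv4 details inside the IPv6 address they produce, which is what lets a defender tell a tunnelled host from a native one in a capture or a log. The decoder below is an added example, not part of the original presentation; it applies the address layouts from RFC 4380 (Teredo: 2001:0::/32, server IPv4, flags, XOR-obscured external port and IPv4), RFC 3056 (6to4: 2002:V4ADDR::/48) and ISATAP (interface identifier ::0:5efe:a.b.c.d or ::200:5efe:a.b.c.d). All sample addresses are constructed from documentation ranges.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")      # RFC 4380
SIX_TO_FOUR_PREFIX = ipaddress.IPv6Network("2002::/16")  # RFC 3056


def classify_ipv6(addr_str):
    """Return (mechanism, details) for a tunnel-derived IPv6 address.

    mechanism is "teredo", "6to4", "isatap" or None for a native address;
    details holds the embedded IPv4 information a defender would want.
    """
    addr = ipaddress.IPv6Address(addr_str)
    raw = addr.packed  # 16 bytes, network order

    if addr in TEREDO_PREFIX:
        # Bytes 4-7: Teredo server, 8-9: flags (bit 15 = cone NAT),
        # 10-11: external port XOR 0xFFFF, 12-15: external IPv4 XOR 0xFFFFFFFF.
        server = ipaddress.IPv4Address(raw[4:8])
        flags = int.from_bytes(raw[8:10], "big")
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
        return "teredo", {
            "server": str(server),
            "cone_nat": bool(flags & 0x8000),
            "external_ip": str(client),
            "external_port": port,
        }

    if addr in SIX_TO_FOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 carries the host's public IPv4 in bytes 2-5.
        return "6to4", {"ipv4": str(ipaddress.IPv4Address(raw[2:6]))}

    # ISATAP interface ID: 00:00:5e:fe (or 02:00:5e:fe) followed by the IPv4.
    if raw[8] in (0x00, 0x02) and raw[9:12] == b"\x00\x5e\xfe":
        return "isatap", {"ipv4": str(ipaddress.IPv4Address(raw[12:16]))}

    return None, {}


if __name__ == "__main__":
    # Constructed sample: Teredo client behind a cone NAT at 198.51.100.7:40000
    # using a server at 192.0.2.45 (documentation addresses, not real hosts).
    for sample in ("2001:0:c000:22d:8000:63bf:39cc:9bf8",
                   "2002:c633:6407::1", "fe80::5efe:c0a8:101", "2001:db8::1"):
        print(sample, "->", classify_ipv6(sample))
```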
  • 23. How do I control this IPv6 traffic?
    First - awareness is the key. Check your networked systems to see which components offer IPv6 support, and if IPv6 support is enabled. Run packet captures and analyze your systems to see if native or encapsulated IPv6 traffic traverses your network.
    In a server farm or corporate environment where there is no need for IPv6 at this time, consider establishing a policy to disable the IPv6 interfaces on computer systems and block or null-route IPv6 traffic in the network.
  • 24. How do I control this IPv6 traffic?
    In ISP, government, higher education, or research environments, the use of IPv6 might be legitimate. In this case, monitoring and granular control is warranted.
    Check your network security equipment to see how it handles IPv6. The integrated Proxies and Application Layer Gateways might not yet handle IPv6 traffic.
    Network security devices might not be able to "peel the onion" to discover what applications and threats might be utilizing IPv6 resources within the IPv4 encapsulation.
  • 25. This Removes the Native IPv6 Interface
  • 26. Also shut off the tunnel interfaces…
  • 27. Control IPv6 at Internet Edge
    IPv6-related IP protocol numbers and descriptions:
    41 - ISATAP
    43 - IPv6-Route (Routing Header for IPv6)
    44 - IPv6-Frag (Fragment Header for IPv6)
    58 - IPv6-ICMP (ICMP for IPv6)
    59 - IPv6-NoNxt (No Next Header for IPv6)
    60 - IPv6-Opts (Destination Options for IPv6)
    Inbound ACL:
    deny 41 any any
    deny 43 any any
    deny 44 any any
    deny 58 any any
    deny 59 any any
    deny 60 any any
    Outbound ACL:
    deny udp any any eq 3544 - port 3544 is used by Teredo to reach Internet locations
    deny ip any host - the 6to4 relay anycast address
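    The same match set as the slide's edge ACL, expressed as detection logic over raw IPv4 headers so it can be run against a capture before (or instead of) changing router configuration. This is an added example, not part of the presentation: it flags the six IPv6-related protocol numbers above, UDP to port 3544 (Teredo), and traffic to 192.88.99.1, the 6to4 relay anycast address defined in RFC 3068 (the slide's own address value was lost in extraction). The packets are constructed inline with documentation addresses and a zero checksum.

```python
import struct
import ipaddress

# Protocol numbers and names as listed on the slide.
IPV6_RELATED_PROTOCOLS = {41: "ISATAP", 43: "IPv6-Route", 44: "IPv6-Frag",
                          58: "IPv6-ICMP", 59: "IPv6-NoNxt", 60: "IPv6-Opts"}
TEREDO_PORT = 3544
SIX_TO_FOUR_RELAY = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 anycast


def build_ipv4(proto, src, dst, payload=b""):
    """Construct a minimal 20-byte IPv4 header (no options, checksum 0) plus payload.

    Test data only; a real capture would supply these bytes.
    """
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def tunnel_indicators(packet):
    """Return the reasons an IPv4 packet would match the slide's ACLs ([] if none)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not IPv4"]
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    dst = ipaddress.IPv4Address(packet[16:20])
    reasons = []
    if proto in IPV6_RELATED_PROTOCOLS:   # inbound ACL: deny 41/43/44/58/59/60
        reasons.append(f"IP protocol {proto} ({IPV6_RELATED_PROTOCOLS[proto]})")
    if proto == 17 and len(packet) >= ihl + 4:   # outbound ACL: deny udp eq 3544
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport == TEREDO_PORT:
            reasons.append("UDP to port 3544 (Teredo)")
    if dst == SIX_TO_FOUR_RELAY:          # outbound ACL: deny ip any host <relay>
        reasons.append("destination 192.88.99.1 (6to4 relay anycast)")
    return reasons


if __name__ == "__main__":
    teredo = build_ipv4(17, "10.0.0.5", "203.0.113.9",
                        struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0))
    print(tunnel_indicators(teredo))
    print(tunnel_indicators(build_ipv4(41, "198.51.100.7", "192.88.99.1")))
```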
  • 28. Story Time with Peter Rounds
    In the spring, an SU Sys-admin came to Peter Rounds with a concern – he was able to bypass the datacenter firewall and open an RDP connection to datacenter servers via IPv6.
    Teredo was tunneling through their datacenter firewall and presenting itself to the public Internet via IPv6.
    In the interim, SU has implemented firewall policies to block ISATAP, IPv6, and Teredo negotiation protocols in their router ACLs.
  • 29. Story Time with Peter Rounds
    Disabling IPv6 and tunneling mechanisms is a stopgap measure that breaks the transition technologies designed to aid in the general deployment of IPv6.
    Transition is coming very soon! Verizon Business Solutions has said that the “last drop of oil” will be tapped in a matter of months. Verizon will be unable to provide IPv4 blocks and will instead be assigning IPv6 address space.
  • 30. Conclusions
    • IPv6 isn't "bad", and may represent the future for a lot of networks. Some say that IPv4 will never go away, but in the meantime, IPv6 is here.
    • IT administrators need to be aware of IPv6 as a protocol which is gaining legitimacy and is actually supported on a wide number of systems.
    • IPv4-to-IPv6 encapsulation mechanisms exist as a tool to aid in the migration from a predominantly IPv4 environment to an IPv6 environment.
    • With this awareness comes the requirement to control IPv6 with the same attention to detail that administrators would apply to controlling the more commonplace IPv4 traffic.
  • References – Transitional Security Issues
    Security Concerns With IP Tunneling
    Support for IPv6 in Windows Server 2008 R2 and Windows 7
    IPv6 Security Considerations and Recommendations
  • 34. References – Threat Mitigation
    • How to prevent ipv6 tunneling across firewalls and routers
    • Disable all IPv6 in Windows
    • Wiki - IPv6 Firewalls
    • IPv6 firewalling knows no middle ground
  • 35. References – Guidelines for IPv6 Adoption
    An Internet Transition Plan
    Hurricane Electric IPv6 Certification Project
    NIST Special Publication 800-119 - Guidelines for the Secure Deployment of IPv6 (Draft)
    Microsoft Windows Server 2008 Whitepaper - IPv6 Transition Technologies
  • 36. References – Guidelines for IPv6 Adoption
    Tier 1 for IPv4 != Tier 1 for IPv6
    BT Diamond IP IPv6 Address Management Guide
    Google, Microsoft, Netflix in talks to create shared list of IPv6 users