1. IPV6: A Tale of Two Protocols
Remember when you installed Windows 7 or 8? Or maybe it was Mac OSX? Well, when you
installed one of those, you received an IPV6 stack for free! Indeed, the IPv6 protocol was installed
and automatically enabled to prepare you for the next generation of IP protocols.
Currently your IPv6 traffic is “tunneled” across an existing IPv4 network because we live in an
IPv4-dominated world. This tunneling creates an entry point for many vulnerabilities yet to be
discovered, although quite a few have already been discovered. The majority of our network traffic
monitoring tools are also based on IPv4 computer networking. Focusing on IPv4 protocols without
an equal emphasis on IPv6 traffic puts us at risk in this mixed-IPv6 world. We may only be seeing
part of the picture.
The truly disquieting aspect of IPv6 is that it is constantly looking for configuration information
from network routers. This information is easily falsified and may be used to auto-configure IPv6
stacks. There are also many opportunities to “fuzz” the IPv6 protocol to find weaknesses specific to
stack implementation. While IPv6 is not currently accessible outside of the local network, this means
that the local network may be vulnerable to attack from within, while IPv4 monitoring tools sit idly
by.
Further, stack-level compromises do not require services to be enabled on a target machine,
exposing a vulnerability at a level below web, ftp, and other network services. Therefore, a machine
with no network services whatsoever may become a victim of an IPv6-based attack. So for those
networks that don’t need IPv6 – disable it! For those that do, consider securing your IPv6
implementation:
• Make sure that IPv6 routing information is authoritative for your IPv6 domain
• Make sure that IPv6 naming services are authoritative for your IPv6 domain
• Ensure that IPv6 parameters applicable to your stack are configured and not open to auto-
configuration
• Ensure that firewalls that support IPv6 are configured properly
• Keep in mind that IPv6 traffic is often tunneled over IPv4
Many broadband networks (cable providers in particular) today support IPv6. These gateway devices
may have filtering rules in their firmware permitting the user to limit and filter IPv6 traffic. Make
sure that you have enabled as much of this as possible to protect your internal network.
While most security companies tend to focus only on the IPv4 network, essentially missing some
vulnerabilities that experienced attackers may use to compromise your network, VIMRO actively
examines IPv6 as a component in our network assessments. Contact VIMRO now for the complete
protocol picture for your networked systems. services@vimro.com (800) 272-0019