Wilders Security Forums  

  #1  
Old April 27th, 2012, 04:39 PM
ronjor
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,210
Default Beware of IPv6 security goblins, IETF warns

Quote:
By Dan Goodin

With World IPv6 Day just six weeks away, security consultants are once again warning that networks transitioning to the Internet's next-generation addressing scheme face serious risks unless they modify their defenses to accommodate the changes.

In a draft proposal filed Tuesday with the Internet Engineering Task Force, a security consultant warned that IPv6 traffic is often able to bypass firewalls, intrusion detection systems, and other security protections. With the majority of end-user devices now speaking the new language by default, their use may have serious unintended consequences.
http://arstechnica.com/business/news...ietf-warns.ars
  #2  
Old April 27th, 2012, 05:41 PM
Escalader
Massive Poster
 
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Default Re: Beware of IPv6 security goblins, IETF warns

Quote:
Originally Posted by ronjor


So Ron, where do we look for action steps on this one?

Do I need some work in the Firewall? Router?
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #3  
Old April 27th, 2012, 05:49 PM
ronjor
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,210
Default Re: Beware of IPv6 security goblins, IETF warns

There is some info from the link in the article. https://tools.ietf.org/html/draft-go...n-ipv4-nets-00
  #4  
Old April 28th, 2012, 11:43 AM
BrandiCandi
 
Posts: n/a
Default Re: Beware of IPv6 security goblins, IETF warns

With some firewalls, when you write a rule for IPv4 they will automatically write the identical rule for IPv6. So you may be covered without knowing it. I would imagine that the documentation for your particular firewall would say.

I haven't started playing with NIDS yet so I don't know, but I wonder if some do the same.
  #5  
Old April 28th, 2012, 02:10 PM
TheWindBringeth
Frequent Poster
 
Join Date: Feb 2012
Posts: 814
Default Re: Beware of IPv6 security goblins, IETF warns

This has reminded me there is a pertinent seven-short-parts series on IPv6 multicast/discovery/P2P on my to-read list (Windows focus, also touches upon Apple Bonjour). Thought I'd share:

http://www.windowsnetworking.com/art...fic-Part1.html
  #6  
Old April 29th, 2012, 12:26 PM
chronomatic
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Beware of IPv6 security goblins, IETF warns

Quote:
Originally Posted by BrandiCandi
With some firewalls, when you write a rule for IPv4 they will automatically write the identical rule for IPv6. So you may be covered without knowing it. I would imagine that the documentation for your particular firewall would say.

I haven't started playing with NIDS yet so I don't know, but I wonder if some do the same.

That's fine if your firewall actually recognizes IPv6. Many do not. For instance, I am using Tomato, which is based on Linux kernel 2.4. Since the 2.4 kernel is now ancient, it does not recognize IPv6 at all. This is not really a security issue since if your router doesn't even recognize IPv6 it won't route it in the first place. However, if you need IPv6 support, you should upgrade Tomato to one of the experimental versions with kernel 2.6 or later.

I think DD-WRT has been using kernel 2.6+ for a while now, so it should recognize IPv6 by default.
  #7  
Old April 30th, 2012, 08:35 AM
EncryptedBytes
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Beware of IPv6 security goblins, IETF warns

Quote:
which will offer a virtually unlimited supply of IP addresses as well as improved efficiency and security in the way data is delivered from one endpoint to another.

We said the same thing about IPv4.

There won't be an IPocalypse, so to speak. Though the article is right in some regards: companies/ISPs typically have a tight grip on the IPv4 side of the network, but less so on IPv6 interfaces, which can introduce dangerous misconfigurations, such as a firewall that has filters set up for IPv4 traffic but accepts all IPv6 traffic. That being said, I feel there is a greater awareness of the protocol now in terms of business process owners.

When IPv6 does become widely publicly available at the ISP level, in my opinion most of the risk will be in dual-stack environments, where you are hacking the network, so to speak, allowing IPv6 and IPv4 to run over the same architecture. That and malicious users grabbing blocks of addresses in order to circumvent block lists for spamming or malware exploitation.
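
The misconfiguration discussed in this thread (filters set up for IPv4 while all IPv6 traffic is accepted) can be checked on a Linux-based firewall by comparing the output of `iptables-save` and `ip6tables-save`. The following is an added example, not part of any post above; both rulesets are constructed samples and the function names are hypothetical.

```python
# Added example: flag chains that are default-deny for IPv4 but default-allow for IPv6.
# Both samples are constructed; on a real host, feed in the text printed by
# `iptables-save` and `ip6tables-save`.
SAMPLE_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
SAMPLE_V6 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_save(text):
    """Return {chain: {"policy": str, "rules": [str]}} for the filter table."""
    chains, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):              # table header, e.g. *filter
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            name, policy = line[1:].split()[:2]   # ":INPUT DROP [0:0]"
            chains[name] = {"policy": policy, "rules": []}
        elif table == "filter" and line.startswith("-A "):
            name = line.split()[1]
            chains.setdefault(name, {"policy": "-", "rules": []})["rules"].append(line)
    return chains

def default_deny(chain):
    """True if the policy is DROP or the chain has an unconditional DROP/REJECT rule."""
    def catch_all(rule):
        p = rule.split()                      # "-A CHAIN -j DROP" has no match options
        return len(p) >= 4 and p[2] == "-j" and p[3] in ("DROP", "REJECT")
    return chain["policy"] == "DROP" or any(catch_all(r) for r in chain["rules"])

def ipv6_gaps(v4_text, v6_text):
    """List the chains filtered for IPv4 but left open for IPv6."""
    v4, v6 = parse_save(v4_text), parse_save(v6_text)
    open_chain = {"policy": "ACCEPT", "rules": []}   # effective state when nothing is loaded
    return [c for c in ("INPUT", "FORWARD")
            if default_deny(v4.get(c, open_chain)) and not default_deny(v6.get(c, open_chain))]
```

An empty result only means the default stance matches between the two families; individual allow rules still need to be reviewed per protocol.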
 

All times are GMT -4.

