By Ivan Pepelnjak, chief technology advisor, NIL Data Communications SearchTelecom.com
Common IPv6 security issues that can surface during implementations All of the discussion above leads us to the fact that the differences in IPv4 and IPv6 security are mostly implementation-dependent, and we can expect IPv6 to be less secure than IPv4 initially.
Here are some of the main IPv6 security issues that require awareness as IPv6 is deployed:
•IPv6 protocol stacks in end-hosts and network devices haven’t been as thoroughly tested (and exposed to hackers) as their IPv4 counterparts. Expect flaws to be uncovered (probably including a few zero-day attacks that exploit vulnerabilities unknown to developers) as IPv6 gains wider acceptance.
•Network and security engineers lack IPv6 exposure and operational experience, so expect deployment hiccups and occasional security lapses, though that happens with every new technology.
•IPv6-related intrusions and other security incidents will happen due to the unintentional connectivity to protected parts of enterprise networks because of various IPv6-over-IPv4 tunneling mechanisms. There are numerous ways to get yourself connected to the IPv6 world through an IPv4 infrastructure, and public (sometimes even free) tunnel brokers allow you to get IPv6 connectivity in a matter of minutes. Unless your firewalls implement very strict security policies, some of your more audacious users might be able to establish IPv6-over-IPv4 tunnels and unknowingly expose their workstations, or even whole subnets, to the outside world.
•Last but definitely not least, IPv6 implementations from networking vendors still lack some security features needed to make IPv6 networks as secure as today’s IPv4 networks. Similar to the IPv4 world, numerous well-known first-hop attacks are available to hackers trying to break into IPv6 networks:
•Spoofing router advertisements (RA) and attracting end-user traffic for inspection and modification (similar to ARP spoofing in IPv4).
•Spoofing neighbor discovery (ND) to attract end-user traffic.
•Spoofing DHCPv6 messages to propagate bogus DNS server address to end stations.
Cisco has implemented the RA Guard feature to protect router advertisements on switched networks, and some vendors allow you to implement Secure Neighbor Discovery (SEND), which adds cryptographic measures simpler than full-blown IPsec to protect the ND mechanism. None of these tools approaches the simplicity we had with ARP inspection and DHCP snooping in the IPv4 world, however.