Nikogor To include a comma in your tag, surround the tag with double quotes. Defence Science and Technology Group. Scott HoggEric Vyncke. IPv6 Protocol Security Vulnerabilities. Security titles from Cisco Press help networking professionals secure critical data securrity resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Author:Kill Ferr
Language:English (Spanish)
Published (Last):11 March 2007
PDF File Size:19.15 Mb
ePub File Size:8.25 Mb
Price:Free* [*Free Regsitration Required]

But the move to the new protocol opens many questions about security. Eric Vyncke works as a distinguished consulting engineer for Cisco Systems as a technical consultant for security covering the whole Europe.

His area of expertise for 20 years is mainly security from Layer 2 to applications. How is IPv6 already a threat? Scott Hogg: It has to do with the fact that many operating system manufacturers have helped aid the migration to IPv6 by including it in their OSes by default.

These dual-stack operating systems perform DNS lookups, and if they get back both an IPv4 and an IPv6 address in their query they will actually prefer to communicate using IPv6 if they have the option.

Therefore, an attacker can enable IPv6 on those OSes, and if the computer is not protected by a firewall against attacks over IPv6 and if the computer is vulnerable, then the attack will succeed. However, by learning about IPv6 security concepts you can learn about the ways you should secure IPv4.

Because many of the techniques are similar e. LL: Are people lulled into a false sense of security thinking that upgrading their networks to IPv6 would be the answer to their security ills? IPv6 is different than IPv4 in the way that address autoconfiguration occurs.

IPSec is required for every IPv6 node to support but it is not mandated that is be used. IPv4 has IPSec capabilities, but they are not used for all connections. EV: Agreed. LL: What kinds of IPv6 attacks are out there? There are also attacks against the transition mechanisms themselves. There is code available that anyone can download and compile to create tools that automate these attacks.

That is an indication that attackers are learning about IPv6 and starting to use it as IPv6 becomes more prevalent. As IPv6 grows in usage it, will become a larger target. The security of these protocols is difficult because these protocols are essential for normal operation of the network. It is hard to defend against someone who already has access to your internal network.

EV: The IPv6 attacks that I have seen are mainly misconfigured computers sending wrong Router Advertisements a message normally sent by routers only and those messages confused the network. The other attack over IPv6 that I have seen is an application-level attack such as SSH dictionary attack or SQL injection attack or email spam where the attacker was probably not even aware that he used IPv6 to transport the application attack.

LL: What are the security limitations of IPv6 and how should organizations protect against these vulnerabilities? Are they going to have to throw out their existing security tools for IPv6-supported gear?

Therefore organizations must use a diverse set of techniques to secure IPv6. Tools like SEND, Firewalls and IPSes can be used to secure the perimeter. Many of the utilities that organizations already use support both IPv4 and IPv6. It may be as simple as upgrading the software version and configuring the IPv6 protection measures. Organizations should not need to forklift-upgrade their security devices to gain IPv6 support. The same device can even protect both IPv4 and IPv6 at the same time.

If the policies are different in IPv4 and IPv6, then the attackers will discover this difference and will obviously use the less strict security policy to attack your resources. LL: During the transition process, is there any danger of security holes being exposed when organizations move from IPv4 to IPv6? While dual-stack running both protocols simultaneously will be the preferred approach, there will be situations that require tunneling IPv6 in IPv4 packets to help IPv6 bridge across a portion of the network that is IPv4-only.

Those transition mechanisms will be the focus of attackers, and organizations will need to secure those tunnel endpoints. EV:: Agreed; I have nothing to add. LL: What should network professionals know about IPv6 security before embarking on a transition project? Are there security measures that organizations can take now even before they transition to IPv6? Much of what they already know is applicable, but IPv6 has some nuances they should be aware of.

Once they have done this they are ready to secure IPv6 ahead of when they might be deploying it. For example, an organization can disable all outbound IPv6 packets encapsulated in IPv4 packets and the dynamic tunneling techniques until such a point as they have determined if they are needed.

LL: The level of deployment for IPv6 is not the same across the world. Because the public and private IPv4 address space is densely populated, you can guess and IP address and it is probably being used. Therefore, it would be possible for a worm to spread over IPv4 and then leverage IPv6 as a control channel.

EV: Also, several worms propagate over e-mail or instant messaging; and as e-mail can be sent over IPv4 or IPv6, this also means that existing worms will propagate over the IPv4 and IPv6 Internet without noticing any difference. LL: Much of security today has to do with end-user education — teaching users not to open suspicious email attachments or fall for phishing pranks. What are the measures that end users should take to protect themselves in an IPv6 world?

Therefore, if a dual-protocol application has a vulnerability in its software, that vulnerability can be exploited over IPv4 or IPv6. During the period or transition, using dual-stack organizations will bear the burden of having to protect both protocols. Unfortunately, spam, e-mail attachments, and malware-infected web sites will continue to exist in an IPv6 world. The issue is that many of the content filtering protection measures we have today only look for this malware in IPv4 packets.

These products need to be looking for all these infected messages in both IPv4 and IPv6 packets. EV: Exactly. Spam and phishing emails are already being sent over IPv6: this is completely transparent for the users and for the worm. The education is also a key component of every security policy. As Scott said, IPv6 is transparent for the end-user, so no need to educate them, but the network and security staff of enterprises and service providers must absolutely be trained about IPv6 NOW to understand the latent threats that we have just discussed.

What are the security issues and how far have they been resolved in the latest standard? SH: Mobile IPv6 represents one of the protocols that leverage the unique characteristics in IPv6 to make the system operate much better than it did using IPv4.

Mobile IPv6 is being looked at to streamline mobile communications, but it must be secure before it is widely deployed. The standards specifications require that IPSec be used between the mobile node and the home agent. The standard has defined how Mobile IPv6 can be secured using IPSec and the return routability procedure; it is now up to implementers to use those techniques to secure Mobile IPv6 communications. EV: Indeed, mobile IPv4 was not really the most secure and efficient protocol.

Mobile IPv6 was specified to avoid all shortcomings of mobile IPv4, including security. This means that mobile IPv6 is both efficient and secure even if not widely deployed. Have customers been using this facility, and if so, how?

If you read the release notes for Cisco has really put a lot of effort into their IPv6 implementations and it shows. Some customers are using those IPv6 features to proceed with dual-stack deployments in parts of their networks. Cisco is currently in the process of changing the licensing scheme for IPv6 to make it completely free; this means that if a customer buys an advanced services image for IOS, he will get exactly the same features if applicable of course in IPv4 or IPv6.

This allows for a zero-cost deployment of IPv6 assuming that hardware does not need to be replaced or upgraded. How easy is it to transition to IPv6 with Cisco gear? What are the steps that customers should take? It is simple to establish dual-protocol capabilities on a Cisco router or switch. You just need to assign an IPv6 address to an interface and the protocol is immediately activated. That interface will then have both an IPv4 and an IPv6 address.

At that point you are ready to enable dual-protocol applications and go on your way with the migration. I bet you would be surprised how easy it is if you tried it. The most difficult part is to move applications to IPv6, especially applications that directly manipulate or store IP addresses. LL: Final question, what will you be doing at Cisco Live? There are so many deeply technical sessions on a huge variety of technologies that my problem is deciding which sessions to attend.

I will be meeting old friends and meeting new people. Eric on the other hand will be presenting on IPv6 Security like he has for several of the past years. His session seems to draw more and more people each year. Comcast has offered us IPv6 connectivity over a 1Gbps optical fiber. Linda Leung is an independent writer and editor in California. Reach her at leungllh gmail.





Why IT Pros Need to Learn About IPv6 Security Now: An Interview with Scott Hogg and Eric Vyncke



IPv6 Security


Related Articles