IPv6 Security Guide: Do you Have a Blindspot?

IPv6, the most recent iteration of the ubiquitous Internet Protocol, promises to solve a forthcoming shortfall of available IP addresses. But the latest generation of IP will also have profound impacts on network security. IPv4 and IPv6 will co-exist for years to come, but the sooner we start thinking about IPv6 security the better.

That’s what this piece covers, in the following sections:

• IPv6: A History Lesson
• IPv4 vs IPv6 Security Concerns
• IPv6 Security Misconceptions
• IPv6 Security Best Practices

IPv4 and IPv6: A Brief History

While it’s been the foundation of the Internet for decades, we’ve known since the late 1980s that IPv4 simply couldn’t scale to meet the demands of a globally connected world. With only 4.3 billion possible addresses, IPv4 can provide just under 2 unique addresses per person. That’s a problem when the average consumer owns dozens of devices, each of which needs an address for connectivity. Technologies like Network Address Translation (NAT) have considerably extended the life of IPv4, but a new protocol suite is ultimately the only solution.

While the Intertrunet Engineering Task Force (IETF), the standards body in charge of developing the Internet Protocol, could have solved the problem by simply creating a larger address space in IPv6, they chose to go a step farther. The new set of protocols would not only support a virtually limitless number of addresses, it would also change some of the fundamental mechanics of how the protocol suite worked. For example, instead of a single address per interface as in v4, a single interface in IPv6 often has multiple addresses with different purposes.

These changes have vast implications for IPv6 security. We’ll look at some of the most important considerations in this blog post.

IPv4 vs IPv6 Security Concerns

First, the good news: IPv6 as a protocol suite isn’t inherently more or less secure than its predecessor. Just as with IPv4, the vast majority of security incidents arise from design and implementation issues rather than weaknesses in the underlying technology. In other words, it largely boils down to human error.

The human factor is key when it comes to IPv6 security. We have decades of knowledge and experience working with IPv4, and many of us are used to thinking about our networks from an IPv4-only perspective. That’s a dangerous mindset when all modern operating systems and devices have both IPv4 and IPv6 enabled by default. Our lack of awareness can lead to dangerous blind spots, such as hardening a server’s IPv4 attack surface while leaving IPv6 ports wide open.

That lack of awareness extends beyond network engineers and sysadmins. Security tools, as well as security operations teams, also tend to give less scrutiny to IPv6 traffic. Hackers can take advantage of this in many ways, such as using an IPv6 proxy server to move laterally throughout an organization’s network or exfiltrate data with a lower chance of detection.

Common IPv6 Security Misconceptions

1. IPv6 Security is distinct from IPv4 Security

As already stated, every modern device and operating system has IPv6 enabled by default, so unless you’ve explicitly disabled IPv6 on every node in your network, you’ve likely got a dual-stack environment. This means thinking about IPv4 vs IPv6 security is a moot point; you’re probably already running IPv4 and IPv6, so you’ve got to think about the security risks of both. Whatever defenses and mitigations you’re applying to your IPv4 hosts and routers should equally be applied to the IPv6 portion of the network.

Note that this doesn’t mean implementing IPv6 security won’t require additional configuration, however. In many cases, you will need to explicitly configure IPv6 settings on your firewalls, ACLS, etc.

It’s also vital to remember that many attacks happen completely above the network layer. A phishing email laced with ransomware, for instance, poses the same threat whether it’s delivered over an IPv4 or IPv6 link.

2. IPSec Solves Everything

One of the fundamental changes the IETF made with IPv6 was to include support for IPSec, providing encryption and authentication right in the protocol suite itself, rather than being bolted-on after the fact as with IPv4. There was initial speculation that this protocol-level support would enhance IPv6 security. But in practice, there’s not much difference for several reasons. First, IPSec is already widely employed in IPv4 networks. Second, while the initial versions of the IPv6 standard mandated support for IPSec, it didn’t mandate the use of IPSec. It’s still up to users to turn the feature on. The IETF also watered down the requirement in 2011, saying that IPv6 implementations SHOULD support IPSec, but could still conform with the standard if they did not.

3. Network Reconnaissance is Impossible on IPv6 Subnets

IPv4 subnets in an Enterprise network contain at most a few hundred to a few thousand possible addresses. Attackers can quickly scan this entire address space and discover which addresses belong to live hosts. The standard size of an IPv6 subnet is 264 hosts. In other words, each IPv6 subnet contains roughly 4 billion times as many addresses as the entire address space of IPv4. Scanning all those addresses would take hundreds of years, so the traditional reconnaissance attacks typical in IPv4 networks aren’t feasible in an IPv6 world.

Attackers, though, have no need for nostalgia and were quick to abandon their long-used ping sweeps in favor of new techniques that would work in the 128-bit world of IPv6. New tools like scan6 take a targeted approach, seizing on research that shows IPv6 addresses are often assigned based on predictable patterns. For servers, reverse DNS lookups are a frequently used technique. Security researchers and malicious actors alike are actively developing new, more effective techniques to fingerprint IPv6 networks.

4. Spoofing is Impossible

The current IPv6 stack does include several features designed to address Layer 2 and Layer 3 spoofing attacks, but they’re not widely used or supported. The Secure Neighbor Discovery (SEND), for instance, was introduced in 2005 to provide a secure mechanism for neighbor discovery in IPv6 networks. Host operating systems, however, have been slow to add support for SEND, leaving the older, insecure Neighbor Discovery Protocol (NDP) as the dominant player. NDP is susceptible to a variety of attacks similar to ARP spoofing or poisoning in IPv4 networks.

IPSec Authentication Headers can be used to prove the authenticity of an IPv6 address, but IPSec support must be explicitly enabled for this to happen. In its absence, spoofing an IPv6 address is as trivial as spoofing an IPv4 address.

Fortunately, many of the techniques we’ve long used to defend our IPv4 networks are equally effective in enhancing our IPv6 security. All major router manufacturers support filtering functionality similar to DHCP Snooping and Dynamic ARP Inspection for Neighbor Discovery Attacks. Bogon filters and Unicast Reverse Path Forwarding Checks work equally as well for IPv4 and IPv6 traffic.

5. NAT makes IPv4 more Secure

It’s true that Network Address Translation (NAT) can hide the internal structure of a network, but this was never its intended purpose. In fact, NAT breaks one of the original goals of the Internet Protocol: end-to-end host reachability. IPv6’s globally unique addresses (GUAs) restore this functionality, but it doesn’t have to come at the cost of security or privacy. The multiple types of addresses available in IPv6 provide enhanced flexibility for network design: Link-local addresses, for example, are valid only within a broadcast domain and aren’t routable. Where a routable address is desired, IPv6-enabled firewalls can provide the same benefits of NAT.

IPv6 Security Best Practices

1. Learn IPv6

The most important thing you can do to boost your organization’s IPv6 security is to learn the protocol. IPv4 and IPv6 are in many ways very different beasts, and successfully defending your network requires at least a foundational level of knowledge on how both operate, as well as the differences between the two. IPv6 changes everything from address syntax to how addresses are assigned.

It’s important to become familiar with not only how the protocol works, but how it’s implemented on different systems. On Linux systems, for instance, the widely used iptables firewall won’t automatically filter IPv6 traffic. It’s up to users to explicitly configure the companion ip6tables in order to lock down their machines. Lack of this type of knowledge can easily lead to backdoors that hackers can exploit.

2. Know Your Attack Surface

With multiple address types, IPv6 can have a wider attack surface than IPv4. Unlike IPv4, IPv6 has wide support for address autoconfiguration, meaning your endpoints may be accepting IPv6 traffic without you even realizing it. Link-local addresses are also typically configured on any endpoint that has IPv6 enabled. It’s quite likely you’ve got IPv6 in your network, even if you don’t know it.

Finding and securing your IPv6 endpoints is as critical as finding and securing IPv4 hosts. You can use many of the same tools leveraged by attackers, such as scan6, to discover hosts you may not be aware of.

3. Pay Close Attention To Tunnels

IPv4 and IPv6 aren’t natively compatible, so a variety of mechanisms have been created to handle mixed networks. Tunnels are one such mechanism, allowing IPv6 traffic to be carried over an IPv4 native network. Tunnels have security drawbacks, however, as they can reduce visibility into traffic traversing them and bypass firewalls. It’s also possible for an attacker to abuse auto-tunneling mechanisms to manipulate the flow of traffic.

For these reasons, it’s recommended that tunnels be treated with caution. Static tunnels are generally preferred to dynamic, and they should only be enabled where explicitly desired. Filtering at the firewall level can also provide granular control over which hosts can act as tunnel endpoints.

4. Don’t Use A Predictable Addressing Scheme

As already stated, reconnaissance attacks against IPv6 subnets have proven successful in large part because hosts tend to have predictable addresses. This can aid network administration but greatly hinders IPv6 security. Using random addresses wherever possible, especially for static assignments, can mitigate many of these attacks.

Where autoconfiguration is used, it was once common for operating systems to derive a Layer 3 IPv6 address in part from the Layer 2 MAC address. This can simplify the process of host discovery for attackers. Most operating systems now have the capability of generating random or pseudo-random addresses, and it’s worth checking to see if this feature is enabled on your endpoints if autoconfiguration is being used.

5. Don’t Ditch What Works

Many of the existing best practices from IPv4 have equivalents in IPv6 security. Enabling authentication for your routing protocols, turning on bogon filters, and configuring host-based firewalls to prevent lateral movement inside your network perimeter are all recommended in both IPv4 and IPv6 environments.  IPv6 routers also typically support a variety of First Hop security features that are similar to, but distinct from, those used in IPv4 environments. These include RA Guard, ND Inspection, and Source Guard.

As always, it’s important to think of IPv6 security as part of a comprehensive information security program. As any experienced Pen Tester will tell you, there are flaws and weaknesses in every network. Use of good “cyber hygiene”, as well as judicious use of firewalls, anti-virus software, and a solution such as the Varonis Data Protection Platform, can help keep your organization mitigate and respond to risks.