IPv6 Security Issues

There’s a lot of talk about IPv6 having a number of security flaws. I thought I’d summarize some of them and address them accordingly. What follows is an enthusiasts’ view of the issues at stake gained by reading up on the issue through various sources.

Security Concerns

1) The argument that federal and state law enforcement will be hard pressed to be able to track criminals over the internet is also a benefit for those preaching anonymity online. Since IPv6 addressing is considerably more complex than their IPv4 counterparts, spanning multiple subnets, some security experts warn users against it entirely.

IPv6, currently being favored for use over on the popular uTorrret Bit Torrent client serves as a proponent to IPv6, saying Teredo tunneling enables a more effective means of sharing data between older operating systems (Teredo = backward compatibility between 6 and 4).

Could the prospect of anonymity have been a driving force in the adoption of IPv6 for torrent use? Possibly but not likely considering there are net tools available for IPv6 (such as SubnetOnline and many others, makes you wonder why the FBI is so concerned if tools are available, even if not so widespread yet).

Source: IPv6 good for criminals, says FBI and DEA | Digital Trends
Source: Teredo tunneling – Wikipedia, the free encyclopedia
Source: IPv6 – Wikipedia, the free encyclopedia

2) IPv6 may or may not be more susceptible to mass DDoS attacks and MITM attacks or at least ones which are not presently protected against by common routers and/or firewalls, the debate is still up in the air. If interested, there is a white paper that I’ve found that discusses the effects of DDoS with IPv6’s new IPSec protection configured and without it (covers TCP, UDP, ICMP flooding and Smurf attacks; check it here).

One exploit toolkit known as THC-IPV6 (THC-IPV6 – attacking the IPV6 protocol suite) has been particularly problematic as it contains ICMP flood tools, network listeners, ARP poisoning tool which actually fakes the network into believing you are a router, MITM traffic redistribution tools, DOS detection, IDS, ICMP6/TCP-SYN traceroute, network fuzzers, smurfers and countless other tools. The only safety users have against this is a really strong modern firewall and/or network policy. (Source of Note: thc-ipv6 Toolkit – Attacking the IPV6 Protocol | Darknet – The Darkside)

To summarize but counter the concerns, ZDNet said the following on their blog:

True, IPv6 incorporates Internet Protocol Security (IPsec), but by itself that doesn’t buy you any more security. IPv6’s header design also lends itself to better security since it can be used to provide to a cleaner division between encryption meta-data and the encrypted payload. In addition IPv6’s huge address space can be deployed to scanning attacks harder by allocating random addresses within subnets. But, those are all matters on how you deploy IPv6. In and of itself, IPv6 won’t make you any more secure than your childhood blue blanket.

First IPv6 Distibuted Denial of Service Attacks Seen, ZDNet

So although attacks can be larger spread if the implementation of IPv6 is handled improperly (across entire subnets), this is a deployment problem not a problem inherent in the protocol itself. Furthermore, on an individual level, as more firewalls support IPv6 so too will we see a decline in the attacks available to those using IPv6 on their network.

3) Route Header Security Concerns – a packet’s route header can be used to specify where and how to strike a particular target. This concern is mentioned in the following presentation: http://meetings.ripe.net/ripe-54/presentations/IPv6_Routing_Header.pdf Possible solutions is better packet routing by ISPs as they become more equipped to handle IPv6 as well as more advanced firewalls and security schemes.

Conclusion

So essentially what we see is a growing technology, still very much in its infancy, becoming more predominant by the day. Hopefully as IPv6 is adopted so to will public awareness of the security risks increase. It’s also my belief that software vendors and internet service providers alike should work together to better address such issues.

IPv6 may have started slow but it may be here to stay.

Comments are closed.