IPv6 Security Impact
Many security issues in IPv6 remain the same as in IPv4, but v6 also has new
features that affect system and network security, as well as potentially
impacting on policies and procedures. IPv6 and IPv4 usually operate completely
independently over the same Layer 2 infrastructure, so additional and separate
IPv6 security mechanisms must be implemented. Many areas will need overhauling,
such as firewalls, monitoring and accounting. It is important to keep in mind
that IPv6 is young operationally and may have issues not yet encountered, or
Many enterprises solely using IPv4 assume IPv6 intrusion cannot happen on their
systems. This is quite incorrect – see IPv6 Security Myth No. 1. All sites should now firewall and
monitor both IPv4 and IPv6.
If IPv6 traffic is not monitored then it is impossible to know how much IPv6
traffic is on networks, and it is almost a certainty that some IPv6 traffic is
being carried. At the user level, IPv6 can be accidentally or deliberately
employed to bypass usage and security policies. See here for a list of IPv6 monitoring and testing software.
Moving To an IPv6 Frame of Mind
For decades, system and network admins have learnt to conserve and apportion
scant IPv4 allocations. To deal with the astonishing abundance of IPv6
addresses takes a complete change of mindset. The standard IPv6 allocation for
a single subnet or small enterprise is a /64 prefix, which contains four
billion times the total of possible addresses in today's IPv4 Internet. An
entirely new approach to addressing must be adopted to use IPv6 optimally,
focused on well-designed layouts that reflect service location or function,
network growth or potential mergers, or other relevant parameters.
An example of IPv4 thinking that must radically change in an IPv6 setting
concerns ICMP (the ping protocol). In IPv6, routers do not fragment too-large
packets, which greatly improves throughput. If a packet is too large to
forward, the router discards the packet and sends the host an ICMPv6 Packet Too
Big message, which includes the MTU of the next hop. The host now uses the
lower MTU and successfully retransmits the packet. Many IPv4-experienced admins
firmly believe blocking ICMP is a good security practice, but in IPv6 this will
cause severe, difficult-to-diagnose problems.
ICMP and Multicast
The common IPv4 practice of blocking ICMP packets as a supposed security
measure (see above) should not occur, as IPv6 functioning depends on ICMPv6 for
error messages, path MTU discovery, multicast group management and Neighbour
Discovery. IPv6 also relies upon multicast availability, which will impact on
firewalls, intrusion detection and access control rules.
Dual stacking means devices have both IPv4 and IPv6 protocol capabilities. It
is usually seen as an essential transition method for staged deployment of
IPv6, but it means two protocols are in play: security must be maintained for
both. This is expensive in terms of time and effort, so some large
organisations, e.g. Facebook, are now adopting IPv6 entirely on their internal
networks, and using conversion techniques at the network borders.
Tunnelling means packets of one protocol are encapsulated by packets of a
second protocol, for transport across a network of the second type. Tunnels are
an essential IPv6 transition technique. However, some operating systems out of
the box will automatically establish an IPv6 network when a client is connected
to a server, e.g. various Windows releases. Potentially unwanted new paths to
hosts can be set up, and firewalls may be unprepared.
Autoconfiguration in IPv6 is an efficient and economic process, but has
potential vulnerabilities. SLAAC (Stateless Address Autoconfiguration) is the
process by which a host configures its own address based on its hardware (MAC)
address. But the exposure of MAC addresses may permit host identification via
interface ID, NIC vendor, or host vendor. Addresses generated by random,
temporary, or cryptographic means can tackle this problem. DHCPv6 (Dynamic
Host Configuration Protocol) allows a server to supply addresses to hosts. DHCP
in IPv4 needed external support, but in IPv6 it requires nothing but a working
router for the connected host to be immediately reachable.
Hosts with Multiple Addresses
In IPv4, multiple addresses are always possible, but rare. But in IPv6 they are
very common, arising from SLAAC, temporary DHCPv6, link-local addresses,
multiple prefixes, overlapping lifetimes, as well as IPv4 addresses. Admins
must be aware of all possible interface addresses and the capacity of network
devices to create their own addresses, e.g. in conjunction with radvd, the
Router Advertisement Daemon.
Scans and IPv6
With 18 billion billion addresses in a /64 subnet, sequential scanning is
pointless. It would take 500,000 years to scan a single /64 at a million probes
per second. However, hinted scanning (using other sources to gain information
on address ranges) may still be possible. This can leverage facilities such as
Neighbor Discovery, routing table, whois, or reverse DNS to locate vulnerable