IPv6 Security

IPv6 is already available on all modern operating systems and network devices. It can be used today by those seeking to bypass firewalls, steal data, consume resources or simply eavesdrop. Significant amounts of IPv6 traffic now circulate on global networks, and running IPv4 alone is no protection. IPv6 and IPv4 usually operate independently over the same infrastructure, so additional and separate IPv6 security mechanisms must be implemented. Here are some resources for system and network administrators.

Security References

Introductions to IPv6 Security

• IPv6 Security Issues
  
• IPv6 Packet Security
  
• IPv6 Routing Security
  
• Internet Society: IPv6 Security
  

Configuring Servers Against IPv6-Based Attacks

• Insinuator Security blog: updates and in-depth articles on securing IPv6
• IPv6 Hardening For Windows Servers (source: https://www.ernw.de)
  
• IPv6 Hardening For Linux Servers (source: https://www.ernw.de)
  
• IPv6 Hardening for OS-X (source: https://www.ernw.de)
  
• Evaluation of (Security-related) IPv6 Capabilities of Commercial IPAM Solutions (source: https://www.ernw.de)

Books

IPv6 Security: Protection Measures for the Next Internet Protocol, Scott Hogg, Eric Vyncke.
Reviews potential security issues introduced by IPv6, and today's best solutions.

IPv6 Security Standards

• RFC 7123 - Security Implications of IPv6 on IPv4 Networks, F. Gont, W. Liu.
  
• RFC 5157 - IPv6 Implications for Network Scanning, T. Chown.
  
• RFC 4942 - IPv6 Transition/Co-existence Security Considerations, E. Davies, S. Krishnan, P. Savola.
  
• For other RFCs on IPv6 security, search for the word Security on our IPv6 RFC page.

Security Testing and Monitoring

The tools below are useful for system administrators to audit, test and monitor the security of their IPv6 networks. They can be used for IPv6 troubleshooting, intrusion detection and security audits – or for exploiting IPv6 vulnerabilities. They have been freely available on the Internet for a long time to anyone who wants them, including crackers, spammers, black hats, white hats, and national security services. Please be certain you have the appropriate rights and permissions to access any networks on which you use this software. IPv6Now provides these links as an educational resource and accepts no liability for their use in any way.

Intrusion Detection and Network Monitoring

Security Onion is a Linux distribution for intrusion detection and network security monitoring. It is based on Ubuntu and contains numerous security tools. The Setup wizard builds an army of distributed sensors for an enterprise in minutes. Security Onion provides visibility into network traffic and context around alerts and anomalous events. It seamlessly weaves together three core functions: full packet capture, network-based and host-based intrusion detection systems, and powerful analysis tools.

Network Inventory and Security Auditing

Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing. It uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks. Nmap runs on all major computer operating systems.

Firewall Testing

Firewall Tester for IPv6 (FT6) is a tool for examining how firewalls handles IPv6.

• ICMPv6 Filtering: verifies firewall can filter and forward certain ICMPv6 Messages.
• Type 0 Routing Header: Checks for Type 0 Routing Header (RH0).
• Header Chain Inspection: Sends a selection of valid and invalid packets.
• Overlapping Fragments: firewall should be able to drop overlapping fragments.
• Tiny Fragments: no TCP or UDP header in the first fragment, firewall must wait.
• Tiny Fragments Timeout: too many tiny fragments can lead to DoS.
• Excessive Hop-By-Hop Options: should occur only in any IPv6 packet. Tests with duplicates.
• PadN Covert Channel: Padding bytes could be used to send messages covertly.
• Address Scopes: tests multicast and link-local address scopes.

Troubleshooting Toolset

The IPv6 Toolkit is a set of IPv6 security/trouble-shooting tools that can send arbitrary IPv6-based packets. Supported on FreeBSD, NetBSD, OpenBSD, Linux and Mac OS.
Guide to using the IPv6 Toolkit.

• addr6: an IPv6 address analysis and manipulation tool.
• flow6: performs a security assessment of the IPv6 Flow Label.
• frag6: performs and assesses IPv6 fragmentation-based attacks.
• icmp6: performs attacks based on ICMPv6 error messages.
• jumbo6: assesses potential flaws in the handling of IPv6 Jumbograms.
• na6: sends and assesses Neighbor Advertisement messages.
• ni6: sends and assesses ICMPv6 Node Information messages.
• ns6: sends and assesses Neighbor Solicitation messages.
• ra6: sends and assesses Router Advertisement messages.
• rd6: sends and assesses ICMPv6 Redirect messages.
• rs6: sends and assesses Router Solicitation messages.
• tcp6: sends TCP segments and performs TCP-based attacks.
• scan6: An IPv6 address scanning tool.

Penetration Toolset

THC-IPv6 is a complete toolset to attack the inherent protocol weaknesses of IPv6 and ICMP6. Partial list of tools:

• alive6: detects all systems listening to an address.
• detect-new-ip6: detect new ip6 devices which join the network.
• exploit6: known ipv6 vulnerabilities to test against a target.
• denial6: a collection of denial-of-service tests againsts a target.
• firewall6: firewall tester, sends many different types of SYN packets.
• implementation6: performs various implementation checks on ipv6.
• parasite6: icmp neighbor solicitation/advertisement spoofer.
• redir6: redirect traffic with a clever icmp6 redirect spoofer.
• dos-new-ip6: detect new ip6 devices, cause denial-of-service.
• trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN.
• flood_router6: flood a target with random router advertisements.
• flood_advertise6: flood a target with random neighbor advertisements.
• fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication.
• smurf6: local smurfer, icmp flood attack.
• 6to4test - check an ipv4 address for dynamic 6to4 tunnel setup.
• etc. etc.

Penetration Testing

Kali Linux, previously BackTrack, is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.

Packet Scanning and Probing

Scapy is a powerful interactive packet manipulation program for scanning and probing. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery. It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, etc).

Website Security Scanner

Qualsys Website Scan checks websites for vulnerabilities, hidden malware and SSL security errors (requires registration, 10 free checks).

VPN and Security Tool Comparisons

Comparitech VPN, privacy and security tool comparisons help consumers make more savvy decisions when they subscribe to tech services such as VPNs, antivirus and security products, cloud backup, password managers and more.