Software vendors’ proactive approach to IPv6 has created a glaring security hole for companies that think they haven’t activated the next-generation Internet addressing protocol yet, Cisco Systems consulting security engineer Stefan Avgoustakis has warned.
Speaking to attendees at the AusCERT 2013 security conference, Avgoustakis said many companies believed that, because they hadn’t explicitly enabled IPv6 across their network infrastructure, they were free from security risks associated with the protocol.
However, with all modern desktop and mobile operating systems already running dual IPv4 and IPv6 stacks capable of tunneling IPv6 packets across IPv4 networks, companies could inadvertently fall victim to hacks targeting IPv6 and not even realise it.
“In conversations with customers a lot of them are focusing on the readiness of their infrastructure to run both IPv6 and IPv4,” he told CSO Australia. “But a lot of these organisations are already running IPv6 without knowing it. And if the infrastructure and security controls you have in place are not able to detect that – and enforce policy on that – it is creating potential security risks.”
Even in organisations that have spelled out their IPv6 migration strategies – such as federal government agencies, most of which laid down IPv6 plans last year under an Australian Government Information Management Office (AGIMO) mandate – many “are missing out on the obvious things, and the things that are not really known to them. We try to get them focused on those, too.”
While IPv6-enabled devices may send out feelers to see whether the infrastructure has IPv6-enabled DNS and other services running, they will generally fall back to IPv4 when there is no response. If a malicious hacker were able to infiltrate the network by other means and insert an IPv6-capable listener or gateway, it could pose as a legitimate on-site IPv6 deployment and create an unmonitored subchannel from which to probe other IPv6- and IPv4-enabled devices on the network.
“You can have all sorts of security risks,” Avgoustakis said, “such as having a fake gateway or redirecting traffic to a fake DNS server – and all of the security implications that follow out of that.” Another common myth about IPv6 was that spoofing would be impossible because IPSec (IP Security) encryption and authentication was mandated as part of the protocol. However, Avgoustakis said, while IPv6-capable devices are required to have the ability to support IPSec where requested, they are not required to use it at all times.
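A defender-side check for the rogue-gateway scenario described above, added here as an example and not code from the article or from Cisco: it scans constructed sensor records in an assumed `key=value` line format and flags any device handing out IPv6 router or resolver settings on a segment where no IPv6 router is authorised.

```python
# Added example (not from the article or Cisco): flag IPv6 router/DNS
# offers seen on a segment where IPv6 has not been deployed.
# Records are constructed here in an assumed "key=value" summary format
# such as a capture or sensor tool might emit; field names are assumptions.

from dataclasses import dataclass

# Constructed sample: an "IPv4-only" segment where two hosts still send
# IPv6 solicitations (RS/NS) and one unexpected device answers them.
SAMPLE_LOG = """\
ts=1 src=fe80::1a2b:3c4d:5e6f:7a8b type=RS
ts=2 src=fe80::dead:beef:cafe:1 type=RA prefix=2001:db8:bad::/64 dns=2001:db8:bad::53
ts=3 src=fe80::9c0f:11ff:fe22:3344 type=RS
ts=4 src=fe80::dead:beef:cafe:1 type=DHCPv6-ADVERTISE dns=2001:db8:bad::53
ts=5 src=fe80::1a2b:3c4d:5e6f:7a8b type=NS
"""

# Link-local addresses of routers authorised to offer IPv6 on this segment.
# On a segment that is supposed to be IPv4-only this set is empty.
ALLOWED_ADVERTISERS = frozenset()

# Message types that hand gateway or resolver settings to dual-stack hosts.
OFFER_TYPES = {"RA", "DHCPv6-ADVERTISE", "DHCPv6-REPLY"}


@dataclass(frozen=True)
class Finding:
    ts: int
    src: str
    kind: str
    detail: str  # advertised prefix, or DNS server if no prefix


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; tolerates blank or malformed lines."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def find_unexpected_offers(log: str, allowed=ALLOWED_ADVERTISERS) -> list:
    """Return one Finding per IPv6 offer from a source not in the allowlist."""
    findings = []
    for line in log.splitlines():
        rec = parse_line(line)
        kind = rec.get("type")
        if kind in OFFER_TYPES and rec.get("src") not in allowed:
            detail = rec.get("prefix") or rec.get("dns", "")
            findings.append(Finding(int(rec["ts"]), rec["src"], kind, detail))
    return findings


def unexpected_sources(log: str) -> set:
    """Distinct devices offering IPv6 where none should be."""
    return {f.src for f in find_unexpected_offers(log)}
```

Each finding names the offering device and what it advertised, which is the evidence needed to locate the rogue listener; hosts merely soliciting (RS/NS) are expected on a dual-stack fleet and are not reported.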
“If you are not enabling IPSec, IPv6 will just run over an HTTP or UDP route,” he explained. “We are seeing hackers becoming much more intelligent when it comes to reconnaissance. They target, for example, multicast – because therein lies information that they need as to which devices are on the network.”
The revelation that IPv6 is quietly waiting to be exploited comes as a shock to many customers – but existing solutions are able to remediate the risk. For example, Windows 7’s built-in firewall can inspect and block IPv6 traffic. “It’s just a matter of knowing that, and enabling that security mechanism,” Avgoustakis said.
“Some of these myths live out there, and we try to debunk them by showing customers they still have to do what they were doing in IPv4, but in a different way. They want to know how they can not only secure it, but how they can then transition to IPv6 at the point where they need to do this. This all creates awareness and helps to fuel the conversation. But we can only do so much.”