Results 1 to 11 of 11

Thread: IPv6 enabled on many systems but not secure

  1. #1
    I am Xtreme
    Join Date
    Sep 2007
    Location
    New Jersey, U.S.
    Posts
    2,332

    IPv6 enabled on many systems but not secure

    Does anyone know how much of a problem this is?

    IPv6 insecurity is a clear and present danger

    Many have IPv6 enabled but don't know it

    By Egan Orion: Monday, 21 July 2008, 12:30 PM

    INTERNET PROTOCOL version 6 (IPv6) is placing many systems at risk of attack because networking software has IPv6 enabled but users don't know it, warns a security researcher.

    Organisations and individuals which aren't yet aware that their networks and computers have IPv6 traffic already enabled won't have configured network protection systems to monitor it, explained Joe Klein of IPv6 integration consultancy Command Information.

    "Essentially, we have systems that are wide open to a network," said Klein last Friday evening at the Hackers on Planet Earth (HOPE) conference held in New York City. "It's like having wireless on your network without knowing it."

    IPv4 is the Internet's current addressing scheme, which provides for four bytes or 32 bits to uniquely identify every computer system.

    IPv4 thus provides 232 or nearly 4.295 billion unique internet addresses. However, it was recognized a few years ago that the Internet will eventually run out of all of the available addresses, and relatively soon. Command Information presents a count-down widget on its web site's home page that shows the number of IPv4 addresses remaining and how many days until they're all assigned. That presently shows that there are only about 600 million addresses remaining and that they will be exhausted in about 900 days, about two and a half years.

    IPv6 has been developed to furnish the Internet with a larger numerical addressing space. It provides 16 bytes or 128 bits for each Internet address.

    IPv6 thus enables 2128 or about 3.4 X 1038 unique addresses. It's an understatement to say that's a very, very large number. It's a big enough number that it's rather safe to conclude that the Internet won't confront any addressing space shortage again for billions of years.

    Networking hardware and software vendors have been preparing their products for the transition to IPv6 for years, and many systems are already shipped with IPv6 enabled by default, even though it's not being widely used yet. Therefore, many systems have IPv6 traffic enabled without network administrators and individual users being aware of that. Most network safeguards like firewalls and intrusion detection systems are not properly set up yet to handle IPv6 traffic.

    For networks and systems where this is the case, it can present potential vulnerabilities to malicious Internet traffic that uses IPv6 instead of IPv4. Not only might a remote attacker punch inbound IPv6 packets through IPv4 firewalls and past intrusion detection systems undetected, but an attacker who manages to defeat IPv4 security measures, or an internal user already inside a protected network, might transmit outbound data through firewalls and monitoring systems undetected using IPv6.

    Network attacks that used IPv6 were reportedly detected as long as six years ago in 2002.

    The US Government's networks appear to be particularly at risk. It required all its agencies to have upgraded their backbone networks to handle IPv6 by June 30. It is also requiring all networking hardware and software vendors to deliver IPv6-capable products. But it has not yet adequately addressed the network security implications and requirements of the transition from IPv4 to IPv6, according to a DoD worker who requested not to be named.

    Some mobile phones that have Internet access capabilities have also been discovered to be potentially vulnerable, said Klein. He mentioned that Windows Mobile 5 and 6 users might be especially vulnerable because the software doesn't include a firewall, but he declined to name others until they could be contacted. Klein did say that Blackberries and Iphones are not vulnerable. A Microsoft spokesvole claimed that its Windows Mobile phones are safe.

    Command Information provides a list of operating systems and products that it has found to have IPv6 traffic enabled by default:

    * Apple Airport Extreme
    * Apple MacIntosh OSX
    * BSD -- OpenBSD / NetBSD / FreeBSD
    * HP-UX 11v2
    * IBM AIX 6
    * IBM AS/400
    * IBM z/OS
    * Juniper 5.1
    * Linux 2.6 Kernel
    * Microsoft Vista
    * Microsoft Windows Mobile 5, 6
    * Open VMS
    * Various Cell Phones
    * Sun Solaris 2.8, 2.10

    For Linux users who are running the 2.6 kernel – and possibly users of other UNIX based systems such as AIX, the BSDs and Solaris – adding the following keyword entries to the ifcfg-ethn parameters file, which is somewhere under the /etc directory hierarchy, for the Internet facing network interface ethn will disable IPv6:

    IPV6INIT=no
    IPV6TO4INIT=no

    There's also a web page where users can test their systems to see whether IPv6 traffic is enabled.

    Klein said that users should check with their firewall software vendors to find out whether they're protected from network attacks that employ IPv6.

  2. #2
    Xtreme Enthusiast YMAA's Avatar
    Join Date
    Apr 2008
    Posts
    849
    Well, that's interesting.

    • i7 920 D0 // eVGA X58 SLI // 12GB G.Skill Ripjaws // HD6950 (6970 BIOS)
    • Apogee XT // MCP655 // Thermochill PA120.3 // CM HAF 932
    • OCZ Vertex 3 MI edition // ASUS Xonar DX // Corsair TX850
    • HTC Incredible - Uber Kingdom Revolution ROM


  3. #3
    Xtreme Addict Logos's Avatar
    Join Date
    Apr 2008
    Location
    France
    Posts
    1,210
    yeah you ever got IPV6 related attacks on your machine The topic is often related in Linux forums but no one's ever been able to say whether there was a risk or not...you can always disable it if you don't like it, or you can run a firewall (Comodo 3.0 in Windows, or a small modification in Linux) that protects IPV6 traffic. Not much to worry about really; just as serious as the UPNP debate...

  4. #4
    Xtreme Member enteon's Avatar
    Join Date
    Feb 2008
    Location
    enteon@jabber.ccc.de
    Posts
    292
    as long as my NAT device doesn't know IPv6 AND my isp doesn't offer an IPv6 connection, i don't have to worry about a single package from an IPv6 address

    anyway, i deactivated it ^^

  5. #5
    Xtreme Member
    Join Date
    Jun 2008
    Location
    New Zealand
    Posts
    104
    this should be sorted out very soon as the move to ipv6 is ahead of us ipv4 will be a thing of the past due to it been almost used up and ipv6 will be the last gen for ip adress networking as far as i know

  6. #6
    I am Xtreme
    Join Date
    Sep 2007
    Location
    New Jersey, U.S.
    Posts
    2,332
    Quote Originally Posted by dannyboy321 View Post
    this should be sorted out very soon as the move to ipv6 is ahead of us ipv4 will be a thing of the past due to it been almost used up and ipv6 will be the last gen for ip adress networking as far as i know
    [imitation=Carl Sagan] BILLIONS and BILLIONS of IP addresses!!!![/imitation]

  7. #7
    Xtreme Member
    Join Date
    Jun 2008
    Location
    New Zealand
    Posts
    104

    Arrow

    dont know what yu are trying to imply but by what i know about 70 or so percent of ipv4 is alrady used and is estimated to be gone by 2011

  8. #8
    Xtremely Hot Sauce Bobsama's Avatar
    Join Date
    Sep 2007
    Location
    New York
    Posts
    3,586
    IPv4 was estimated to be gone a decade ago. Every time we start to approach the maximum usable, they find a bunch of old addresses to reassign to new people and keep it going. They've done quite a bit as it is--though yes eventually IPv4 will have to die. It can't keep going as it is, and if the number of computers on the internet keeps increasing we'll have no choice but widespread IPv6. As it is, not enough hardware supports it to start implementing it. As that list of OS kernels that properly support it shows, most people are still on Windows XP and will remain on that OS for some time to come. Also routers and switches need the compatibility as well--most people won't replace their old routers that they paid $___ anywhere from today to a decade ago. If it aien't broke, don't fix it.

    My toys:
    Asus Sabertooth X58 | Core i7-950 (D0) | CM Hyper 212+ | G.Skill Sniper LV 12GB DDR3-1600 CL9 | GeForce GTX 670-2048MB | OCZ Agility 4 512GB, WD Raptor 150GB x 3 (RAID0), WD Black 1TB x 2 (RAID0) | XFX 650W CAH9 | Lian-Li PC-9F | Win 7 Pro x86-64
    Gigabyte EX58-UD3R | Core i7-920 (D0) | Stock HSF | G.Skill Sniper LV 4GB DDR3-1600 CL9 | Radeon HD 2600 Pro 512MB | WD Caviar 80GB IDE, 4TB x 2 (RAID5) | Corsair TX750 | XClio 188AF | Win 7 Pro x86-64
    Dell Dimension 8400 | Pentium 4 530 HT (E0) | Stock HSF | 1.5GB DDR2-400 CL3 | GeForce 8800 GT 256MB | WD Caviar 160GB SATA | Stock PSU | (Broken) Stock Case | Win Vista HP x86
    Little Dot DAC_I | Little Dot MK IV | Beyerdynamic DT-880 Premium (600 Ω) | TEAC AG-H300 MkIII | Polk Audio Monitor 5 Series 2's

  9. #9
    I am Xtreme zanzabar's Avatar
    Join Date
    Jul 2007
    Location
    SF bay area, CA
    Posts
    15,143
    most enterprise routers/switches can be upgrade to do it, and on a home network u would just need a new modem or a firmware upgrade on the modem
    3770k, M5E, kingston 2x4GB cfr
    samsung 2TB F4EG, samsung 840 250GB , CM690II, corsair 750tx

  10. #10
    D.F.I Pimp Daddy Brother Esau's Avatar
    Join Date
    Jan 2007
    Location
    Still Lost At The Dead Show Parking Lot
    Posts
    5,188
    Yes I have Time Warner Cable in NC and I just found out that the IPV6 Protocol is implemented and in Place on the ISP after many , Many Frustrating Hours and hours of troubleshooting and wondering why my other Computers would not get on the Internet via the Gigabit Switch or Wireless Access Point (Rips Hair Out!) ......S now I have to configure My Cisco ASA 5510 all over again ...Now thats a pain in the Ass to say the least
    SuperMicro X8SAX
    Xeon 5620
    12GB - Crucial ECC DDR3 1333
    Intel 520 180GB Cherryville
    Areca 1231ML ~ 2~ 250GB Seagate ES.2 ~ Raid 0 ~ 4~ Hitachi 5K3000 2TB ~ Raid 6 ~

  11. #11
    Xtreme Member
    Join Date
    Jun 2008
    Location
    New Zealand
    Posts
    104
    yep it might be hard but it will have to be done as the ips are being used much faster than ever before but this will not be a problem to move to ipv6 just be expesive thats all, i dont know about componys like google i thought they are using ipv4 if so wont they have major hardware change to get ipv6

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •