IPv6 insecurity is a clear and present danger
Many have IPv6 enabled but don't know it
By Egan Orion: Monday, 21 July 2008, 12:30 PM
INTERNET PROTOCOL version 6 (IPv6) is placing many systems at risk of attack because networking software has IPv6 enabled but users don't know it, warns a security researcher.
Organisations and individuals that aren't yet aware that their networks and computers already have IPv6 traffic enabled won't have configured their network protection systems to monitor it, explained Joe Klein of IPv6 integration consultancy Command Information.
"Essentially, we have systems that are wide open to a network," said Klein last Friday evening at the Hackers on Planet Earth (HOPE) conference held in New York City. "It's like having wireless on your network without knowing it."
IPv4 is the Internet's current addressing scheme, which provides for four bytes or 32 bits to uniquely identify every computer system.
IPv4 thus provides 2^32, or nearly 4.295 billion, unique internet addresses. However, it was recognized a few years ago that the Internet will eventually run out of all of the available addresses, and relatively soon. Command Information presents a count-down widget on its web site's home page that shows the number of IPv4 addresses remaining and how many days until they're all assigned. That presently shows that there are only about 600 million addresses remaining and that they will be exhausted in about 900 days, about two and a half years.
IPv6 has been developed to furnish the Internet with a larger numerical addressing space. It provides 16 bytes or 128 bits for each Internet address.
IPv6 thus enables 2^128, or about 3.4 × 10^38, unique addresses. It's an understatement to say that's a very, very large number. It's a big enough number that it's rather safe to conclude that the Internet won't confront any addressing space shortage again for billions of years.
Networking hardware and software vendors have been preparing their products for the transition to IPv6 for years, and many systems are already shipped with IPv6 enabled by default, even though it's not being widely used yet. Therefore, many systems have IPv6 traffic enabled without network administrators and individual users being aware of that. Most network safeguards like firewalls and intrusion detection systems are not properly set up yet to handle IPv6 traffic.
For networks and systems where this is the case, malicious Internet traffic that uses IPv6 instead of IPv4 can slip past the existing protections. Not only might a remote attacker punch inbound IPv6 packets through IPv4 firewalls and past intrusion detection systems undetected, but an attacker who manages to defeat IPv4 security measures, or an internal user already inside a protected network, might transmit outbound data through firewalls and monitoring systems undetected using IPv6.
Network attacks that used IPv6 were reportedly detected as long ago as 2002, six years ago.
The US Government's networks appear to be particularly at risk. It required all its agencies to have upgraded their backbone networks to handle IPv6 by June 30. It is also requiring all networking hardware and software vendors to deliver IPv6-capable products. But it has not yet adequately addressed the network security implications and requirements of the transition from IPv4 to IPv6, according to a DoD worker who requested not to be named.
Some mobile phones that have Internet access capabilities have also been discovered to be potentially vulnerable, said Klein. He mentioned that Windows Mobile 5 and 6 users might be especially vulnerable because the software doesn't include a firewall, but he declined to name others until they could be contacted. Klein did say that BlackBerry and iPhone devices are not vulnerable. A Microsoft spokesvole claimed that its Windows Mobile phones are safe.
Command Information provides a list of operating systems and products that it has found to have IPv6 traffic enabled by default:
* Apple Airport Extreme
* Apple Macintosh OS X
* BSD -- OpenBSD / NetBSD / FreeBSD
* HP-UX 11v2
* IBM AIX 6
* IBM AS/400
* IBM z/OS
* Juniper 5.1
* Linux 2.6 Kernel
* Microsoft Vista
* Microsoft Windows Mobile 5, 6
* OpenVMS
* Various Cell Phones
* Sun Solaris 2.8, 2.10
For Linux users who are running the 2.6 kernel – and possibly users of other UNIX-based systems such as AIX, the BSDs and Solaris – adding the following keyword entries to the ifcfg-ethN parameters file, which is somewhere under the /etc directory hierarchy, for the Internet-facing network interface ethN will disable IPv6:
There's also a web page where users can test their systems to see whether IPv6 traffic is enabled.
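An offline way to make the same check on a Linux host, added here as an example that is not part of the article: the script parses /proc/net/if_inet6 (one line per configured IPv6 address) and reports every interface that carries a non-loopback IPv6 address, i.e. an IPv6 stack that an IPv4-only firewall policy would leave unfiltered. The sample file contents are constructed.

```python
#!/usr/bin/env python3
"""List interfaces that already have IPv6 addresses by reading
/proc/net/if_inet6.  Added example, not code from the article."""
import ipaddress
import os
from typing import Dict, List, Tuple

# Scope codes found in the fourth column of /proc/net/if_inet6.
SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}

# Constructed sample in the /proc/net/if_inet6 layout: 128-bit address in
# hex, interface index, prefix length, scope and flags (all hex), then name.
SAMPLE = """\
00000000000000000000000000000001 01 80 10 80       lo
fe800000000000000250b6fffe1e3a9c 02 40 20 80     eth0
20010db8000000000000000000000042 02 40 00 80     eth0
"""

def parse_if_inet6(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (ifname, compressed address, prefix length, scope) per entry."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed line
        raw_addr, _ifindex, plen, scope, _flags, name = fields
        addr = ipaddress.IPv6Address(int(raw_addr, 16))
        rows.append((name, addr.compressed, int(plen, 16),
                     SCOPES.get(int(scope, 16), "unknown")))
    return rows

def exposed_interfaces(text: str) -> Dict[str, List[str]]:
    """Interfaces with any IPv6 address other than loopback.  A link-local
    address alone means the stack is active and reachable on the local
    segment; a global address means it is reachable from the Internet."""
    exposed: Dict[str, List[str]] = {}
    for name, addr, plen, scope in parse_if_inet6(text):
        if scope == "host":
            continue
        exposed.setdefault(name, []).append(f"{addr}/{plen} ({scope})")
    return exposed

if __name__ == "__main__":
    path = "/proc/net/if_inet6"
    # Fall back to the constructed sample when not running on Linux.
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for ifname, addrs in exposed_interfaces(text).items():
        print(f"{ifname}: IPv6 enabled -> {', '.join(addrs)}")
```

An empty result means no interface has an IPv6 address beyond loopback; any non-empty result is an interface whose firewall and monitoring rules should be checked for IPv6 coverage.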
Klein said that users should check with their firewall software vendors to find out whether they're protected from network attacks that employ IPv6.