IPv6 enabled on many systems but not secure

[twilyth]

Does anyone know how much of a problem this is?

IPv6 insecurity is a clear and present danger

Many have IPv6 enabled but don't know it

By Egan Orion: Monday, 21 July 2008, 12:30 PM

INTERNET PROTOCOL version 6 (IPv6) is placing many systems at risk of attack because networking software has IPv6 enabled but users don't know it, warns a security researcher.

Organisations and individuals which aren't yet aware that their networks and computers have IPv6 traffic already enabled won't have configured network protection systems to monitor it, explained Joe Klein of IPv6 integration consultancy Command Information.

"Essentially, we have systems that are wide open to a network," said Klein last Friday evening at the Hackers on Planet Earth (HOPE) conference held in New York City. "It's like having wireless on your network without knowing it."

IPv4 is the Internet's current addressing scheme, which provides for four bytes or 32 bits to uniquely identify every computer system.

IPv4 thus provides 232 or nearly 4.295 billion unique internet addresses. However, it was recognized a few years ago that the Internet will eventually run out of all of the available addresses, and relatively soon. Command Information presents a count-down widget on its web site's home page that shows the number of IPv4 addresses remaining and how many days until they're all assigned. That presently shows that there are only about 600 million addresses remaining and that they will be exhausted in about 900 days, about two and a half years.

IPv6 has been developed to furnish the Internet with a larger numerical addressing space. It provides 16 bytes or 128 bits for each Internet address.

IPv6 thus enables 2128 or about 3.4 X 1038 unique addresses. It's an understatement to say that's a very, very large number. It's a big enough number that it's rather safe to conclude that the Internet won't confront any addressing space shortage again for billions of years.

Networking hardware and software vendors have been preparing their products for the transition to IPv6 for years, and many systems are already shipped with IPv6 enabled by default, even though it's not being widely used yet. Therefore, many systems have IPv6 traffic enabled without network administrators and individual users being aware of that. Most network safeguards like firewalls and intrusion detection systems are not properly set up yet to handle IPv6 traffic.

For networks and systems where this is the case, it can present potential vulnerabilities to malicious Internet traffic that uses IPv6 instead of IPv4. Not only might a remote attacker punch inbound IPv6 packets through IPv4 firewalls and past intrusion detection systems undetected, but an attacker who manages to defeat IPv4 security measures, or an internal user already inside a protected network, might transmit outbound data through firewalls and monitoring systems undetected using IPv6.

Network attacks that used IPv6 were reportedly detected as long as six years ago in 2002.

The US Government's networks appear to be particularly at risk. It required all its agencies to have upgraded their backbone networks to handle IPv6 by June 30. It is also requiring all networking hardware and software vendors to deliver IPv6-capable products. But it has not yet adequately addressed the network security implications and requirements of the transition from IPv4 to IPv6, according to a DoD worker who requested not to be named.

Some mobile phones that have Internet access capabilities have also been discovered to be potentially vulnerable, said Klein. He mentioned that Windows Mobile 5 and 6 users might be especially vulnerable because the software doesn't include a firewall, but he declined to name others until they could be contacted. Klein did say that Blackberries and Iphones are not vulnerable. A Microsoft spokesvole claimed that its Windows Mobile phones are safe.

Command Information provides a list of operating systems and products that it has found to have IPv6 traffic enabled by default:

* Apple Airport Extreme
* Apple MacIntosh OSX
* BSD -- OpenBSD / NetBSD / FreeBSD
* HP-UX 11v2
* IBM AIX 6
* IBM AS/400
* IBM z/OS
* Juniper 5.1
* Linux 2.6 Kernel
* Microsoft Vista
* Microsoft Windows Mobile 5, 6
* Open VMS
* Various Cell Phones
* Sun Solaris 2.8, 2.10

For Linux users who are running the 2.6 kernel – and possibly users of other UNIX based systems such as AIX, the BSDs and Solaris – adding the following keyword entries to the ifcfg-ethn parameters file, which is somewhere under the /etc directory hierarchy, for the Internet facing network interface ethn will disable IPv6:

IPV6INIT=no
IPV6TO4INIT=no

There's also a web page where users can test their systems to see whether IPv6 traffic is enabled.

Klein said that users should check with their firewall software vendors to find out whether they're protected from network attacks that employ IPv6.

[YMAA]

Well, that's interesting.

[Logos]

yeah you ever got IPV6 related attacks on your machine The topic is often related in Linux forums but no one's ever been able to say whether there was a risk or not...you can always disable it if you don't like it, or you can run a firewall (Comodo 3.0 in Windows, or a small modification in Linux) that protects IPV6 traffic. Not much to worry about really; just as serious as the UPNP debate...

[enteon]

as long as my NAT device doesn't know IPv6 AND my isp doesn't offer an IPv6 connection, i don't have to worry about a single package from an IPv6 address

anyway, i deactivated it ^^

[dannyboy321]

this should be sorted out very soon as the move to ipv6 is ahead of us ipv4 will be a thing of the past due to it been almost used up and ipv6 will be the last gen for ip adress networking as far as i know

[twilyth]

this should be sorted out very soon as the move to ipv6 is ahead of us ipv4 will be a thing of the past due to it been almost used up and ipv6 will be the last gen for ip adress networking as far as i know

[imitation=Carl Sagan] BILLIONS and BILLIONS of IP addresses!!!![/imitation]

[dannyboy321]

dont know what yu are trying to imply but by what i know about 70 or so percent of ipv4 is alrady used and is estimated to be gone by 2011

[Bobsama]

IPv4 was estimated to be gone a decade ago. Every time we start to approach the maximum usable, they find a bunch of old addresses to reassign to new people and keep it going. They've done quite a bit as it is--though yes eventually IPv4 will have to die. It can't keep going as it is, and if the number of computers on the internet keeps increasing we'll have no choice but widespread IPv6. As it is, not enough hardware supports it to start implementing it. As that list of OS kernels that properly support it shows, most people are still on Windows XP and will remain on that OS for some time to come. Also routers and switches need the compatibility as well--most people won't replace their old routers that they paid $___ anywhere from today to a decade ago. If it aien't broke, don't fix it.

[zanzabar]

most enterprise routers/switches can be upgrade to do it, and on a home network u would just need a new modem or a firmware upgrade on the modem

[Brother Esau]

Yes I have Time Warner Cable in NC and I just found out that the IPV6 Protocol is implemented and in Place on the ISP after many , Many Frustrating Hours and hours of troubleshooting and wondering why my other Computers would not get on the Internet via the Gigabit Switch or Wireless Access Point (Rips Hair Out!) ......S now I have to configure My Cisco ASA 5510 all over again ...Now thats a pain in the Ass to say the least

[dannyboy321]

yep it might be hard but it will have to be done as the ips are being used much faster than ever before but this will not be a problem to move to ipv6 just be expesive thats all, i dont know about componys like google i thought they are using ipv4 if so wont they have major hardware change to get ipv6