How Secure Is IPv6?
William Van Winkle
William Van Winkle has been a full-time tech writer and author since 1998. He specializes in a wide range of coverage areas, including unified communications, virtualization, Cloud Computing, storage solutions and more. William lives in Hillsboro, Oregon with his wife and 2.4 kids, and—when not scrambling to meet article deadlines—he enjoys reading, travel, and writing fiction.
We recently looked at the Internet’s emerging addressing system, IPv6, along with some of the differences and benefits it offers compared to the traditional IPv4 Internet Layer protocol. One area we didn’t touch on, though, was security.
An IT pro has to remember that the roots of IPv6 stretch back into the ‘90s, long before many of today’s security threats evolved or became widespread. As such, IPv6 has its own share of known—and perhaps still unknown—security holes that deploying businesses need to address.
In our overview article, we mentioned how IPv6 uses Stateless Address Autoconfiguration (SLAAC) rather than DHCP to provide endpoints with IP addresses. This is a great system until you realize that many admins use DHCP snooping as a means of knowing which devices are on their networks. LAN switches with DHCP snooping only allow access to approved IP or MAC addresses. Plus, the feature allows admins to track host locations and prevent rogue DHCP servers from being installed on the network.
However, with IPv6, there’s no DHCP server to query for information on the link between a given IP address and its associated MAC address. Instead, IPv6 uses a feature called secure neighbor discovery (SEND), which can protect hosts and routers through the use of several tactics, including cryptographically generated addresses, RSA key-secured network discovery messages, and message timestamping.
The bad news, according to Pat Calhoun, vice president and general manager of Cisco’s security systems unit, is that many of today’s leading operating systems, including those from Microsoft and Apple, do not support SEND.
There are various ways of dealing with this security gap. The generic approach is to implement an access control list (ACL) on switch ports, a feature supported by most vendors in part because the feature was also present under IPv4. Note, though, that the more complex headers in IPv6 can make ACL implementation trickier than in IPv4. Some vendors implement in-house solutions, such as Cisco with its Router Advertisement Guard. However, even the security plugs can have holes, as evidenced by at least one published method for subverting Cisco’s approach.
Another risk zone is tunneling. As discussed before, tunneling between the IPv4 and IPv6 protocols helps with interoperability between the two networks, but it can also be a risk if tunnel paths aren’t monitored as part of an existing IPv4 security policy. Through such a tunnel, a malicious connection could leverage an IPv6 stream working within an improperly configured IPv4 system.
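One way to bring tunnel paths into existing IPv4 monitoring is to flag IPv4 packets that carry IPv6 inside them. The sketch below is an added example, not code from the original article: `classify_tunnel` and the helper names are hypothetical, the sample packets are constructed with documentation addresses, and it checks only IP protocol 41 (6in4, 6to4, ISATAP) and the registered Teredo UDP port 3544.

```python
import struct

PROTO_IPV6_ENCAP = 41   # IANA protocol number for IPv6-in-IPv4 (6in4, 6to4, ISATAP)
PROTO_UDP = 17
TEREDO_PORT = 3544      # IANA-registered Teredo UDP port

def classify_tunnel(pkt: bytes):
    """Return a tunnel label for a raw IPv4 packet, or None if none is seen."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto, payload = pkt[9], pkt[ihl:]
    if frag_offset:                      # later fragments carry no inner header
        return "fragment-proto41" if proto == PROTO_IPV6_ENCAP else None
    if proto == PROTO_IPV6_ENCAP:
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "proto41-malformed"
        # 6to4 addresses live in 2002::/16; the inner source starts at byte 8
        return "6to4" if payload[8:10] == b"\x20\x02" else "6in4"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None

def ipv4(proto: int, payload: bytes, frag: int = 0) -> bytes:
    """Build a constructed IPv4 header (checksum left zero) around payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag,
                       64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7])) + payload

def inner_ipv6(src_prefix: bytes) -> bytes:
    """Constructed 40-byte IPv6 header whose source begins with src_prefix."""
    src = src_prefix + bytes(16 - len(src_prefix))
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + src + bytes(16)

SAMPLES = {  # constructed packets, documentation addresses only
    "6in4": ipv4(41, inner_ipv6(b"\x20\x01\x0d\xb8")),
    "6to4": ipv4(41, inner_ipv6(b"\x20\x02\xc0\x00")),
    "teredo": ipv4(17, struct.pack("!HHHH", 50000, 3544, 8, 0)),
    "plain-udp": ipv4(17, struct.pack("!HHHH", 50000, 53, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", classify_tunnel(pkt))
```

A match is a prompt to check whether that tunnel is sanctioned by policy, not proof of malicious traffic.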
Often, the tools for proper security are already included with IPv6, but it falls to users to learn how to configure and manage the new protocol for maximum benefit.
“IPv6 includes embedded tunneling and IPsec for integrated authentication and data confidentiality services, so you don't need to add an external authentication mechanism,” said Radware security director Ron Meyran to Tom’s IT Pro. “You don't need to rely on external encryptions like SSL.”
“Everything is embedded within the IPv6 protocol. You just need to select the service level that you want to establish with the servers,” Meyran added. “For instance, if it’s general information, then it can be standard sessions, but if it's more sensitive then it will be encrypted and authenticated using IPv6 without the need for the browser to add plug-ins or applets. It’s supposed to make life easier for users and service providers.”
