One of the main selling points of IPv6, according to the early IPv6 evangelists, was that it had better security
than IPv4, supposedly because IPv6 includes mandatory support for end-to-end encryption with IPsec (Internet Protocol Security). But that’s just a myth, because IPv4 supports IPsec as well.
We need to move past the IPv6 security myths and consider the hard practical questions: How secure is IPv6 compared to IPv4?
Ivan Pepelnjak, NIL Data Communications
You can be IPv6-compliant without implementing any of the IPsec encryption algorithms, and the key distribution (or remote endpoint authentication) problems remain as difficult as ever.
To understand IPv6 security issues, we need to move past the IPv6 security myths and consider the hard practical questions: How secure is IPv6 compared to IPv4? (After all, the last IPv4 blocks allocated by the Internet Assigned Numbers Authority (IANA) could be gone in days).
The IPv4 and IPv6 protocols are very similar architecturally. IPv6 is really just IPv4 with longer addresses, revamped and more complex headers, and a few extra protocols (the Address Resolution Protocol, or ARP, has been replaced by ICMP Neighbor Discovery, for example).
The security mechanisms we’ll use in the IPv6 world are almost the same as the ones we’re using in IPv4, which include:
- Endpoint security with firewalls embedded in the operating systems;
- Standalone firewalls performing either layer-4 packet filtering or deep packet inspection;
- Access lists (packet filters) on routers and switches;
- Intra-subnet security mechanisms (DHCP snooping).
- IPv6 doesn’t change anything above the network layer. TCP and UDP haven’t been changed, and the protocols run over IPv6 as well as they did over IPv4. The only major difference is the glue between network and transport layer:
- IPv4 includes Layer 4 protocol identifier in the Layer 3 header (TCP = 6, UDP = 17; for other protocols, check out this IANA protocol numbers document).
IPv6 allows a chain of extension headers, making Layer 4 inspection potentially more complex. Long chains of extension headers can even reduce the forwarding performance of devices that implement packet filters in hardware (Cisco has an excellent white paper describing IPv6 extension headers and related performance issues.)
Common IPv6 security issues that can surface during implementations
All of the discussion above leads us to the fact that the differences in IPv4 and IPv6 security are mostly implementation-dependent, and we can expect IPv6 to be less secure than IPv4 initially.
Here are some of the main IPv6 security issues that require awareness as IPv6 is deployed.
- IPv6 protocol stacks in end-hosts and network devices haven’t been as thoroughly tested (and exposed to hackers) as their IPv4 counterparts. Expect flaws to be uncovered (probably including a few zero-day attacks that exploit vulnerabilities unknown to developers) as IPv6 gains wider acceptance.
- Network and security engineers lack IPv6 exposure and operational experience, so expect deployment hiccups and occasional security lapses, though that happens with every new technology.
- IPv6-related intrusions and other security incidents will happen due to the unintentional connectivity to protected parts of enterprise networks because of various IPv6-over-IPv4 tunneling mechanisms. There are numerous ways to get yourself connected to the IPv6 world through an IPv4 infrastructure, and public (sometimes even free) tunnel brokers allow you to get IPv6 connectivity in a matter of minutes. Unless your firewalls implement very strict security policies, some of your more audacious users might be able to establish IPv6-over-IPv4 tunnels and unknowingly expose their workstations, or even whole subnets, to the outside world.
- Last but definitely not least, IPv6 implementations from networking vendors still lack some first-hop security features needed to make IPv6 networks as secure as today’s IPv4 networks. Similar to the IPv4 world, numerous well-known first-hop attacks are available to hackers trying to break into IPv6 networks:
- Spoofing router advertisements (RA) and attracting end-user traffic for inspection and modification (similar to ARP spoofing in IPv4).
- Spoofing neighbor discovery (ND) to attract end-user traffic.
- Spoofing DHCPv6 messages to propagate bogus DNS server address to end stations.
Cisco has implemented the RA Guard feature to protect router advertisements on switched networks, and some vendors allow you to implement Secure Neighbor Discovery (SEND), which adds cryptographic measures simpler than full-blown IPsec to protect the ND mechanism. None of these tools approaches the simplicity we had with ARP inspection and DHCP snooping in the IPv4 world, however.
Until equipment vendors fill in the gaps and offer true feature parity between IPv4 and IPv6 security features, we can expect the IPv6 networks to be less secure that today’s IPv4 networks -- not because IPv6 is insecure, but because today’s IPv6 implementations still lag behind their IPv4 counterparts.
About the author: Ivan Pepelnjak, CCIE No. 1354, is a 25-year veteran of the networking industry. He has more than 10 years of experience in designing, installing, troubleshooting and operating large service provider and enterprise WAN and LAN networks and is currently chief technology advisor at NIL Data Communications, focusing on advanced IP-based networks and Web technologies. His books include MPLS and VPN Architectures and EIGRP Network Design. Check out his IOS Hints blog, and ask him your IPv6 questions at SearchTelecom.com's Ask the Expert.