IPv4 was released in 1982, and all publicly routable IPv4 network address blocks have been fully allocated since 2011. IPv6 solves the address-space allocation problem, provides cleaner routing, and now makes up over 30% of Internet backbone traffic according to Google's IPv6 adoption statistics (Google IPv6, 2021). However, many organizations ignore IPv6 architectural security issues while adopting it, which can turn into a costly security mistake.
Any operating system released in the past 10 years and residing on a modern corporate network is likely deployed as "dual-stack", meaning the system can communicate using either an IPv4 or an IPv6 address. This creates asset management and security operations challenges, because the network footprint to protect is larger.
Organizations should have a strategy for managing IPv6 risk that compensates for the added complexity IPv6 brings. We've identified key problem areas of IPv6 architecture and provide suggestions so that organizations can plan accordingly as they inevitably transition to explicit use of IPv6:
Problem: IPv6 network vulnerability scanning is challenging and largely different from IPv4
The process for actively scanning IPv6 networks for host discovery is fundamentally different from scanning IPv4 networks. IPv4-style end-to-end ping sweeps are not feasible on IPv6 networks given the sheer size of the subnets: each IPv6 address is 128 bits as opposed to 32 bits in IPv4, and a single IPv6 subnet can hold over 18 quintillion addresses.
The Fix: IPv6 discovery scanning uses multicast addresses to query the local subnet for host discovery. Determine whether your network vulnerability scanners can perform this type of scanning, with or without custom configuration.
Problem: IPv6 has robust network tunneling options that can evade filtering and detection
IPv6 tunneling is when IPv6 traffic is carried across an IPv4 network by encapsulating it inside IPv4 packets (IP protocol 41). There are many forms of IPv6-over-IPv4 tunnels, and they can carry both TCP- and UDP-based traffic. Tunnels make evasion or bypass very easy, particularly for an adversary with internal network access who attempts to exfiltrate data or pivot from a compromised IPv4 machine to a system with an IPv6 address; the tunnel also breaks the network flow data an incident responder would use to timeline the intrusion.
The Fix: Implement a signature in your intrusion detection system to drop traffic when IP protocol 41 is detected in network packets, in order to stop these types of tunnels from being established.
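As an added illustration of the protocol-41 check described above (example code, not from the original article), the following detector parses raw IPv4 packets, flags those whose protocol field is 41, and decodes the inner IPv6 source and destination that IPv4-only flow records never show. All packet bytes are constructed inline as sample data.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41  # IPv6 carried directly inside IPv4 (6in4, 6to4, ISATAP)

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) from a raw IPv4 packet (no link layer)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl, total_len, proto = (f[0] & 0x0F) * 4, f[2], f[6]  # ihl = header bytes incl. options
    return (str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])),
            proto, pkt[ihl:total_len])

def inner_ipv6_addrs(payload: bytes):
    """Return (src, dst) of the IPv6 header carried inside a protocol-41 payload."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv6Address(payload[8:24])),
            str(ipaddress.IPv6Address(payload[24:40])))

def detect_6in4(pkt: bytes):
    """Alert dict if the packet is IPv6-in-IPv4 (protocol 41), else None.
    The inner addresses are exactly what IPv4-only flow records never show."""
    src4, dst4, proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_IPV6:
        return None
    return {"outer": (src4, dst4), "inner": inner_ipv6_addrs(payload)}

def scan(packets):
    """Run the detector over a capture and keep only the alerts."""
    return [a for a in (detect_6in4(p) for p in packets) if a is not None]

# Constructed sample traffic below: never sent, checksums left zero.
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src, dst):
    # version 6, zero-length payload, next header 59 (none), hop limit 64
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.9", 6, b"\x00" * 20),  # ordinary TCP, no alert
    build_ipv4("10.0.0.5", "192.0.2.1", IPPROTO_IPV6,
               build_ipv6("2001:db8::5", "2001:db8:ffff::1")),  # 6in4 tunnel
]
```

This check only covers tunnels that encapsulate IPv6 directly in IPv4; Teredo wraps IPv6 in UDP (port 3544) and needs a separate signature.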
Problem: Router Advertisement attacks internally
Router advertisements (part of IPv6 Neighbor Discovery) are how IPv6 addresses are assigned to systems. A router advertisement attack is when an adversary who has compromised an internal system sends IPv6 router advertisements to the local systems. All local systems will automatically assign themselves IPv6 global unicast addresses, using the prefix announced by the adversary's "rogue" IPv6 router, to route out to the Internet. This creates a man-in-the-middle position in which the adversary has visibility into all IPv6 traffic to and from the Internet for any host that has acted on the advertisement. The attack also exposes the host directly to the IPv6 Internet, since its traffic is routed not through a firewall but through the adversary's compromised host.
The Fix: Implement Router Advertisement Guard (RA Guard) at a layer 3 device to reject or block unwanted or rogue router advertisement messages.
Transitioning to IPv6 is not optional, but with the right approach, one that goes beyond a baseline implementation, organizations can successfully manage the additional risk that accompanies this technology and take advantage of IPv6's business benefits.