Twitter @theAlfred

IPv6

IPv6: The End of Security As We Know It

Many people have seen IPv6 as a simple addressing extension to the existing internet and see few changes to the way we secure systems. These people cannot be further from the truth. IPv6 will change the way we think about security. We need to start planning now or we will be left in the dust. This is another topic I will be addressing in the coming weeks and months; so many security topics, so little time.

IPv6 substantially changes how IP interacts with the link layer, in particular Ethernet. ARP will go away and be replaced by NDP, which is ICMPv6 based, and we also need to look to protocols such as SEND to secure NDP or we will fall prey to the same class of attacks we faced in IPv4 over hub shared networks….

via Infosec Island  IPv6: The End of Security As We Know It.

IPv6 MITM via fake router advertisements

A recent article [1] describes a rather neat variation on how fake router advertisements can be used with IPv6 capable hosts to intercept traffic, including tricking hosts to use IPv6 to connect to systems that normally are not reachable via IPv6.

First, let's start with the “old” part of this attack:
Fake router advertisements. IPv6 relies a lot more on auto configuration than IPv4. While techniques like “zero configuration” can be used in IPv4, we usually find DHCP used to configure IPv4 networks.
In IPv6, routers are typically used to configure a network via “router advertisements”. A router advertises which network it is willing to route, and hosts connected to the router will pick an address within this network.

In short, router advertisements can be considered a “DHCP lite” for IPv6. If I introduce a fake router, I get the same effect as I would get from a fake DHCP server in IPv4. However, as only a few networks implement IPv6, a fake IPv6 router is likely to be the only IPv6 router. Hosts which so far had no connectivity to the IPv6 internet will now use this fake router to connect. Fake router advertisement tools are very common; we actually play with one in my IPv6 class (fake_router6 from the THC kit) ….

 

SANS Internet Storm Center; Cooperative Network Security Community – Internet Security.
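
For defenders, the router advertisement mechanism described in the excerpt above can be monitored directly. The following is an added example, not code from the SANS article or any tool it names: it parses the ICMPv6 Router Advertisement layout from RFC 4861 and flags advertisements whose source is not on an allowlist. The allowlist, addresses, MACs and the `build_ra` sample generator are constructed for illustration.

```python
import ipaddress
import struct

# Assumed allowlist of legitimate routers: link-local source -> MAC (constructed values).
KNOWN_ROUTERS = {"fe80::1": "00:00:5e:00:53:01"}


def build_ra(mac: bytes, prefix: str, plen: int = 64, lifetime: int = 1800) -> bytes:
    """Construct a sample RA for testing the detector (checksum left as zero)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    slla = bytes([1, 1]) + mac  # option 1: source link-layer address, 8 bytes
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 86400, 14400, 0)
    return hdr + slla + pio + ipaddress.IPv6Address(prefix).packed


def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) and its options."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a router advertisement")
    flags, lifetime = icmp6[5], struct.unpack("!H", icmp6[6:8])[0]
    ra = {"lifetime": lifetime, "managed": bool(flags & 0x80), "mac": None, "prefixes": []}
    off = 16  # fixed header ends after reachable time and retrans timer
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")  # zero-length options are invalid
        body = icmp6[off + 2: off + opt_len]
        if opt_type == 1 and len(body) >= 6:   # source link-layer address
            ra["mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == 3 and opt_len == 32:  # prefix information
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        off += opt_len
    return ra


def check_ra(src: str, icmp6: bytes, known=KNOWN_ROUTERS) -> list:
    """Return reasons this RA looks rogue; an empty list means it matches the allowlist."""
    src = str(ipaddress.IPv6Address(src))  # normalise the textual form
    ra = parse_ra(icmp6)
    findings = []
    if not ipaddress.IPv6Address(src).is_link_local:
        findings.append("source is not link-local")
    if src not in known:
        findings.append(f"unknown router {src} advertising {ra['prefixes']}")
    elif ra["mac"] != known[src]:
        findings.append(f"MAC {ra['mac']} does not match allowlisted router")
    return findings
```

On a network that is not supposed to carry IPv6 at all, the allowlist is empty and every advertisement seen is a finding.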

Guidelines for the Secure Deployment of IPv6

The deployment of IPv6 can lead to new challenges and types of threats facing an organization. The goals of this document are:

* To educate the reader about IPv6 features and the security impacts of those features
* To provide a comprehensive survey of mechanisms that can be used for the deployment of IPv6
* To provide a suggested deployment strategy for moving to an IPv6 environment

The migration to IPv6 services is inevitable as the IPv4 address space is almost exhausted. IPv6 is not backwards compatible with IPv4, which means organizations will have to change their network infrastructure and systems to deploy IPv6. Organizations should begin now to understand the risks of deploying IPv6, as well as strategies to mitigate such risks. Detailed planning will enable an organization to navigate the process smoothly and securely.

Link to NIST PDF Document here.
