IPv6 is not a security issue
Every now and then, I read an article claiming that IPv6 poses some sort of grave security threat by its mere existence. I had such an encounter this week, which prompted this entry.
IPv6 is not a serious security concern at the moment.
There are two security arguments commonly made against IPv6. I think both are strawmen:
- There are security bugs in IPv6 implementations, so we should block IPv6 and disable IPv6 code.
- Users can set up IPv6 tunnels and bypass network security devices (firewalls, IDS, etc.), so we should block IPv6 and disable IPv6 code.
Of these, I put some credence in argument 2 and discount argument 1 entirely.
As for argument 1, yes, there have been security bugs in IPv6 stacks. There are security bugs in most software, and we deal with them. We promptly patch affected systems. There are far more bugs in web browsers, mail clients and PHP than in an average IPv6 stack. For example, this year, FreeBSD has issued 11 security advisories, only 2 of which were related to IPv6. If you include the ports collection, the statistics look even better. There are similar results for IOS. I'll put those stats up against most other software packages any day. And most of the IPv6 vulnerabilities are far from serious.
If users were seriously concerned about end system security, they'd be wiser to turn off Flash than IPv6.
I have no doubt that as IPv6 is more widely deployed, more bugs will be discovered. We'll deal with them the same way we deal with every other security issue. Nevertheless, IPv6 bugs sure do make the headlines, even if they are relatively minor compared to some other bugs.
Argument two can be dealt with even more easily: if you don't want users creating IPv6 tunnels, block the tunneling protocols on your firewall. This is pretty straightforward, but the press loves to hype up the supposed danger. (By the way, much of the tunnels-as-security-hole concern surrounds Teredo, which is only really used on Windows and is disabled by default if Active Directory is used.)
And, so, users are frequently told to turn off IPv6. This is extremely frustrating, since the more places it's turned off, the harder (and hence more expensive) it will be to turn it on when we're out of IPv4, which will happen in a few years. Rather than turning off IPv6 (read: sticking our heads in the sand), we should update security software to support IPv6. There are several relevant standards here:
- RFC 4890: Recommendations for Filtering ICMPv6 Messages in Firewalls
- RFC 4942: IPv6 Transition/Coexistence Security Considerations
- Recommended Simple Security Capabilities in Customer Premises Equipment for Providing Residential IPv6 Internet Service (IETF draft).
- NSA Firewall Design Considerations for IPv6
- NSA Router Security Configuration Guide Supplement - Security for IPv6
There has been progress updating security software to handle IPv6. Most OSes come with IPv6-aware firewalls (and some OSes even enable them by default). Snort has very rough IPv6 support, but the next release will significantly improve that. Nessus also supports IPv6.
But along with software, we also need an education campaign to inform sysadmins about IPv6. Many of the security issues are the same as for IPv4, but there are some significant differences. I think this will be the most difficult part; changing software is a lot easier than changing attitudes.
Let me illustrate this with an example:
OS X comes with two firewalls (ip6fw and the app firewall), both of which support IPv6. Last month, I saw an article in Macworld comparing third-party software firewalls for Mac OS X. I posted a comment asking if anyone had checked these products for IPv6 support. One of the vendors posted a response:
DoorStop X supports ipv6 in what we feel is the safest way possible -- by default it fully disables any access from ipv6 machines. Right now, for almost all users, ipv6 is simply a potential security vulnerability with no real advantages....
This is precisely the attitude I'm discussing. This particular vendor has a history of slamming IPv6 on alleged security grounds. Yet, strangely, they've never recommended that users uninstall Flash or quit using QuickTime, both of which have had far more security holes than IPv6.
As best as I can tell, their product just shells out to ipfw(8). Rather than disable IPv6, why not also shell out to ip6fw(8)? This certainly wouldn't be perfect, but it's a reasonable first step for IPv6 support, and should be trivial to implement.
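Here is what the two concrete suggestions above look like when written down, as an added example that is not from the original post or from any vendor it mentions: blocking the tunneling protocols at the IPv4 firewall, and emitting every ipfw(8) rule alongside its ip6fw(8) twin so the IPv6 side is covered rather than switched off. It assumes the FreeBSD / Mac OS X ipfw and ip6fw syntax (the rule numbers and the `icmptypes` list are my choices; the ICMPv6 types are the ones RFC 4890 says a host firewall must not drop), and it only prints the rules; run the printed lines as root to apply them.

```shell
#!/bin/sh
# Added example: print ipfw/ip6fw rules for a dual-stack host policy.
# Nothing here calls ipfw or ip6fw; pipe the output to sh as root to apply.
# Assumed syntax: FreeBSD / Mac OS X ipfw(8) and ip6fw(8).

# IPv4 rules that stop tunnelled IPv6 leaving or entering the network.
# $1 = first rule number (default 1000).
tunnel_block_rules() {
    base=${1:-1000}
    # 6in4, 6to4 and ISATAP all carry IPv6 directly in IP protocol 41.
    echo "ipfw add $base deny log 41 from any to any"
    # Teredo clients qualify against a server on UDP/3544; without that
    # exchange no Teredo tunnel can come up.
    echo "ipfw add $((base + 10)) deny log udp from any to any 3544"
}

# ICMPv6 types a host must keep: errors (1-4), echo (128/129) and
# neighbor discovery (133-137); drop these and IPv6 simply stops working.
RFC4890_MUST_ALLOW="1,2,3,4,128,129,133,134,135,136,137"

# One policy line for both stacks: $1 = rule number, $2 = allow|deny,
# $3 = protocol, $4 = destination port (optional). Prints the ipfw line
# and the matching ip6fw line, so an IPv4-only rule never gets written.
dual_stack_rule() {
    num=$1; action=$2; proto=$3; port=${4:-}
    tail="$proto from any to any${port:+ $port}"
    echo "ipfw add $num $action $tail"
    echo "ip6fw add $num $action $tail"
}

# Baseline IPv6 rules: keep NDP and path MTU discovery working and let
# replies to our own connections back in. $1 = first rule number.
ip6_baseline_rules() {
    base=${1:-100}
    echo "ip6fw add $base allow ipv6-icmp from any to any icmptypes $RFC4890_MUST_ALLOW"
    echo "ip6fw add $((base + 10)) allow tcp from any to any established"
}

# A small complete ruleset, printed when the script is run directly.
print_ruleset() {
    ip6_baseline_rules 100
    tunnel_block_rules 1000
    dual_stack_rule 2000 allow tcp 22      # ssh reachable on both stacks
    dual_stack_rule 2010 deny tcp 23       # telnet blocked on both stacks
    dual_stack_rule 65000 deny ip          # default deny, both stacks
}

print_ruleset
```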
None of this is to say that there aren't attacks taking place over IPv6. There are. But for the moment, IPv6 is a tiny attack surface compared to IPv4. We should take advantage of this situation to get our ducks in a row.