IPv6 is not a security issue

| | Comments (9) | TrackBacks (0)

Every now and then, I read an article claiming that IPv6 poses some sort of grave security threat by its mere existence. I had such an encounter this week, which prompted this entry.

IPv6 is not a serious security concern at the moment.

There are a few security arguments against IPv6. I think both are strawmen:

  1. There are security bugs in IPv6 implementations, so we should block IPv6 and disable IPv6 code.

  2. Users can setup IPv6 tunnels and bypass network security devices (firewalls, IDS, etc), so we should block IPv6 and disable IPv6 code.

Of these, I put some credence in argument 2 and discount argument 1 entirely.

As for argument 1, yes, there have been security bugs in IPv6 stacks. There are security bugs in most software, and we deal with them. We promptly patch affected systems. There are far more bugs in web browsers, mail clients and PHP than in an average IPv6 stack. For example, this year, FreeBSD has issued 11 security advisories, only 2 of which were related to IPv6. If you include the ports collection, the statistics look even better. There are similar results for IOS. I'll put those stats up against most other software packages any day. And most of the IPv6 vulnerabilities are far from serious.

If users were seriously concerned about end system security, they'd be wiser to turn off Flash than IPv6.

I have no doubt that as IPv6 is more widely deployed that more bugs will be discovered. We'll deal with them the same way we deal with every other security issue. Nevertheless, IPv6 bugs sure do make the headlines, even if they are relatively minor compared to some other bugs.

Argument two can be dealt with even easier: If you don't want users creating IPv6 tunnels, block the tunneling protocols on your firewall. This is pretty straightforward, but the press loves to hype up the supposed danger. (By the way, much of the tunnels-as-security-hole concern surrounds Teredo, which is only really used on Windows and is disabled by default if Active Directory is used.)

And, so, users are frequently told to turn off IPv6. This is extremely frustrating, since the more places it's turned off, the harder (and hence more expensive) it will be to turn it on when we're out of IPv4, which will happen in a few years. Rather than turning off IPv6 (read: sticking our heads in the sand), we should update security software to support IPv6. There are several relevant standards here:

There has been progress updating security software to handle IPv6. Most OSes come with IPv6-aware firewalls (and some OSes even enable them by default). Snort has very rough IPv6 support, but the next release will significantly improve that. Nessus also supports IPv6.

Of course, the attack toolkits are adding v6 support as well.

But along with software, we also need an education campaign to inform sysadmins about IPv6. Many of the security issues are the same as for IPv4, but there are some significant differences. I think this will be the most difficult part; changing software is a lot easier than changing attitudes.

Let me illustrate this with an example:

OS X comes with two firewalls (ip6fw and the app firewall), both of which support IPv6. Last month, I saw an article in Macworld comparing third-party software firewalls for Mac OS X. I posted a comment asking if anyone had checked these products for IPv6 support. One of the vendors posted a response:

DoorStop X supports ipv6 in what we feel is the safest way possible -- by default it fully disables any access from ipv6 machines. Right now, for almost all users, ipv6 is simply a potential security vulnerability with no real advantages....

This is precisely the attitude I'm discussing. This particular vendor has a history of slamming IPv6 on alleged security grounds. Yet, strangely, they've never recommended that users uninstall Flash or quit using QuickTime, both of which have had far more security holes than IPv6.

As best as I can tell, their product just shells out to ipfw(8). Rather than disable IPv6, why not also shell out to ip6fw(8)? This certainly wouldn't be perfect, but it's a reasonable first step for IPv6 support, and should be trivial to implement.

None of this is to say that there aren't attacks taking place over IPv6. There are. But for the moment, IPv6 is a tiny attack surface compared to IPv4. We should take advantage of this situation to get our ducks in a row.


0 TrackBacks

Listed below are links to blogs that reference this entry: IPv6 is not a security issue.

TrackBack URL for this entry: https://blogs.psu.edu/mt4/mt-tb.cgi/21626

9 Comments

Anybody who is sufficiently savvy to set up an IPv6 tunnel would be able to tunnel IPv4 over some other higher layer protocol (HTTP for example). Stopping a user that's on the "inside" of a firewall from doing something you don't want them to do is probably close to impossible if they're sufficiently technical because they can always disguise traffic as something that's permitted (assuming you permit *any* direct IP connectivity). The only way to stop this completely would be to have a proxy system through which all calls were made and vetted for the proxy's definition of validity (and even that would be difficult).

Derek Morr Author Profile Page said:

Agreed. That's one of the reasons that I think the IPv6-tunnel-as-security-hole issue is overhyped. You can tunnel IPv4 in IPv4, or encrypt the data, or encapsulate the data in many other protocols that a firewall can't analyze.

Alan S said:

My problem with IPv6 is that it is twice as noisy as IPv4 and made a brand new laptop like on dialup, even though it was connected via broadband (please note, this was due to a Third Party program installed after OOBE).

I would have been happier with IPv8 - keep the octets, just include more of them.

Derek Morr Author Profile Page said:

What do you mean by "noisy" ?

How did IPv6 slow down your laptop's connection? Do you have a packet capture?

No one is working on IPv8, and no one wants to. It's taking enough time to get IPv6 deployed.

David jones said:

It's right though, isnt it, that what you have said in the previous comments to this, and in the article affirms fears that it is less secure to run ipv6. Your answers is, if users require security then turn ipv6 off. Which is what people, who said IPv6 is insecure, knew already. You merely confirm what they have said. It might have been better to offer positive examples of where it is more secure. Also to make an analogy between IPv6 and flash is disingenuous since they are not alike. Users main concern with security on IPv6 is that it is harder to control the flow of data into and out of the firewall/router. It makes the task of securing a network very much more difficult. This is not just using IPv6 alongside ipv4 networking but in the nature of IPv6 itself.
Any issues with Flash are of a totally different nature and dealt with differently so are irrelevent

Derek Morr Author Profile Page said:

I never said to turn off IPv6. I said to treat it the say way that we treat IPv4. You can firewall v6, you can filter v6, you can portscap with v6, etc. IPv6 is not any more or less secure than IPv4.

How is it "harder to control the flow of data into and out of the firewall/router" ?

David Jones said:

Well I think this paragraph from the O'Reilly book understanding IPv6 says exactly how people percieve the notion of security related to IPv6
compared to IPv4. It may, or may not, be true but this is the way people percieve things who first hear of IPv6

(quoted from IPv6 Essentials)
End-to-end transparency and security has been lost in many IPv4 networks due to the need to introduce NAT because of the shortage of IPv4 addresses. IPv6 can restore the transparency. However, some people have become used to seeing NAT and private addressing schemes to provide security in enterprise networks by hiding the network topology from the outside. These people may perceive the IPv6 transparency as a threat to their network and may even plan to deploy IPv6 networks with private local addressing schemes and translators only for this reason

Derek Morr Author Profile Page said:

I undertand that there is a perception that end-to-end conenctivity is somehow a security threat. But I find that these claims break down pretty quickly with even minimal scrutiny.

What attacks does topology hiding prevent? What attacks does NAT prevent that woudldn't be blocked by a good firewall? And despite the claims that NAT is a security mechanism, there are many types of attacks that NAT doesn't prevent.

So I thik it's a user education issue, more than anything.

Patrick Gray said:

Hey there -- I see you linked to an old podcast I recorded that featured a discussion around IPv6 bugs.

If you'd like to hear a more recent discussion (that podcast you linked to is OLD) around IPv6, check this one out:

http://itradio.com.au/security/?p=101

At the link above you'll find a podcast interview with Metasploit's H D Moore discussing some nifty things you can do over IPv6... it's not the protocol's fault, but plenty of people don't realise their systems will auto-configure an IPv6 address. That can be fun...

Leave a comment