Non-compliant security equipment

Most vendors today claim to have IPv6-ready security products. Are they? Many offer a special version that supports IPv6 or require a license to operate it. But even if IPv6 support is enabled, one needs to carefully learn how they operate. For example:

• Firewalls may simply forward IPv6 traffic uninspected (instead of dropping it as the non-IPv6 version used to);

• IPv6 traffic may bypass deep packet engines, which are hardware components that may not support IPv6 traffic, resulting in the evasion of attacks;

• IPv6 headers are four times bigger than IPv4, which may slow down the processing of traffic significantly.

IPv6 is complex to administer

Have you ever seen an IPv6 address? Do you have the experience to configure firewall rules to allow or block IPv6 traffic? How do you treat IPv6 traffic tunneled over IPv4? Do you know that the Internet Control Message Protocol (ICMP) is now embedded into the IPv6 protocol? These are only few questions which may determine a company’s ability to effectively protect their network servers.

IPv6 vulnerabilities

Managers of IPv6 networks must be aware of the protocol's vulnerabilities. The designers of IPv6 understood the need for network security and included mandatory IPSec in the basic protocol definition. However, recent experiences with network attacks have shown that IPSec does not address all vulnerabilities of an IPv6 network. Bugs, design flows and protocol weaknesses are inherent to IPv6, which is by far more complex than IPv4. It will take time for application vendors to fix and patch IPv6 vulnerabilities; therefore one needs an IPS vendor which not only supports IPv6 traffic forwarding but also includes stateful signatures set to patch IPv6-based systems.

IPv6 tunnels

IPv6 traffic can be tunneled over IPv4 using several type of tunnels (Teredo, 6to4, ISATAP). Attackers can exploit IPv6 tunnels to infiltrate cloak attacks, knowing that tunneled IPv6 packets look like normal IPv4 traffic. One needs to explicitly verify with firewall and IPS vendors that they can perform Deep Packet Inspection (DPI) into IPv6 tunneled traffic to examine the contents. There is a large gap between IPS and firewalls – those that “support IPv6” and those which really perform DPI of IPv6.

The stateless auto-configuration capabilities that are built into IPv6 allow an attacker to define a rogue device that assigns IP addresses to all other devices on a network. Smart attackers can set up a rogue network device that acts as an IPv6 router to sniff, modify or drop traffic – without the system administrator even knowing about it.

IPv6 encryption

Similar to SSL encryption, IPv6 includes a built-in encryption mechanism. While the encryption was designed to provide authentication and confidentiality to the communications between clients and servers, it also enables attackers to use encrypted tunnels to deliver attacks directly to the server – bypassing inspection by firewalls and IPSs – which cannot inspect encrypted content.

Distributed Denial-of-Service (DDoS) attacks

Network DDoS attacks are designed to overwhelm network equipment and servers with traffic volumes that they cannot handle. IPv6 header is four times larger than IPv4. Filtering traffic based on IPv6 headers and addresses increases CPU utilization of security equipment; forwarding traffic according to IPv6 headers increases CPU utilization of networking equipment. This results in lower traffic volume that can saturate networks.

Amir Peles is Chief Technology Officer at Radware (News - Alert). To read more of his articles, please visit his columnist page.