IPv6 Security Brief
Last Updated: October 2011
Introduction
This brief paper summarizes the known threats and mitigation techniques for IPv6. Little explanation is given as it is assumed that the reader is familiar with IPv6 and with network security. A couple of "security myths" are debunked: reconnaissance is impossible and IPv6 is more secure thanks to IP Security (IPSec). IPv6 is shown as being roughly as secure as IPv4 (some aspects being more secure, some less secure) with a short-term temporary issue: the lack of IPv6 knowledge by network architects and security officers and lack of experience of running multiple protocols (IPv6 and IPv4) in parallel in the same network.
This document has three parts:
●
Why IPv6 security is similar to IPv4 security
●
What the security differences are between IPv6 and IPv4
●
How to operate an IPv6 network in a secure way
IPv6 Is Similar to IPv4
IPSec Is Not the Savior
IPSec is considered an integral part of IPv6. Therefore, a common myth of IPv6 is that IPv6 is secure because
IPsec is mandated. However, this is not really true:
●
Although the IETF mandates that all IPv6 nodes have IPsec available, the actual use of IPsec is optional.
●
If all communications between two IPv6 nodes are encrypted then the network (which is usually trusted because it is centrally managed) becomes blind and cannot inspect the traffic or enforce a security policy.
In short, IPsec on IPv6 should be reserved for the same cases as in IPv4: remote access virtual private networks
(VPNs) or site-to-site VPNs.
Layer 2 Issues
Neighbor Discovery (ND), including stateless address autoconfiguration, suffers from the same lack of authentication as Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) on IPv4 networks. On IPv6 networks, ND spoofing attacks are real. The latter is often seen in IPv6 networks due to a misconfigured IPv6 host.
The mitigation techniques include:
●
Using the network switches to block invalid ND packets (as done in IPv4 with DHCP snooping and dynamic
ARP inspection). The solution from Cisco is called First Hop Security and is delivered in several phases, the first phase (RA-guard to protect against rogue Router Advertisement messages) is available since
Summer 2010 and the other phases (including NDP inspection) is expected end of 2011 early 2012
(depending on the platform).
© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 1 of 5
●
Using a cryptographically improved ND protocol (secure neighbor discovery = SEND), which is
®
implemented in Cisco IOS routers but is not implemented in any popular host operating systems.
Therefore, SEND is only useful to secure interrouter traffic. Cisco is working on a solution for switches using SEND even for non-SEND hosts.
Layer 3 Issues
Spoofing
Spoofing IPv6 addresses is as easy as spoofing IPv4 addresses (assuming that IPsec Authentication Header [AH] is not used in either of the protocol families). The mitigation technique is also identical: bogon filters (dropping obviously wrong source/destination addresses) and unicast reverse path forwarding checks. As the address space of IPv6 is larger, a purely random source address has a small probability of having a recognized prefix and hence a high probability of being dropped by the first router.
Source Routing
Since December 2007, source routing with routing header type 0 (RH0) is disabled by default in IPv6, it is therefore identical to IPv4. Source routing cannot be used by an attacker to bypass some security policies or to mount an amplification attack.
Routing header type 2 (RH2) is used by mobile IPv6 and cannot be used by attackers for any malevolent purpose.
Layer 4 and Above
Routing Protocols
Routing protocols used by IPv6 are either identical to the IPv4 ones or an improvement of those. This includes also the authentication mechanism that should be configured to prevent route hijacking.