The long-promised IPv6 security post. This was a tough one to write, because when I started five months ago I realized that I don’t really know that much about end system security. I don’t know how Borepatch does it every day.
I’ve written before about IPv6 and about how US service providers are starting to dip their toes into the pool. European and Japanese providers have been dealing with this stuff for a while. A lot of the information in this post comes from a breakout session I attended at Cisco Live in June led by Eric Vyncke, a Cisco Distinguished Engineer and all-around security guru who helped roll out IPv6 in France and other places. He also literally wrote the book on IPv6 security. Some of it is also from NANOG47.
You might be thinking, “Wait a minute, IPv6 isn’t widely deployed, and I’m not even using it. Why should I care?” That may not be a correct assumption. If you run Windows Vista or later, MacOS 10.2 or later, or a recent distribution of Linux, then your computer knows how to speak IPv6 and it’s just waiting for network traffic to start talking.
One example Vyncke used at Cisco Live was that the wireless network at the conference was running over IPv6. Most of us had no idea, but run a quick check revealed that all of our laptops had global (as in public) IPv6 addresses and, moreover, could reach IPv6 enabled websites natively. There were over 800 laptops connected to the wireless network at the conference with IPv6 during peak hours. How many people noticed? No one that I asked after I left that session had noticed. The transition from v4 to v6 was completely seamless, as it should be.
Still, this seamless transition is a bit alarming because, as Vyncke pointed out, lots of folks harden their gear against IPv4 threats, but few have considered IPv6 as an attack vector. However, even if you don’t run IPv6 in your network, if your computer speaks IPv6 then there are a few attacks that you should be aware of.
The first one occurs when an attacker sends false Router Advertisement packets to your computer. They have to be on the same broadcast domain as your computer for it to work. In other words, they have to be on your home wired network or a wireless network that you are connected to. The way it works is the attacker tells your computer, “You can get to the internet through me,” by sending a Router Advertisement message. Since Router Advertisements are not authenticated in most implementations of IPv6, your computer will automatically trust the attacker and send all of its IPv6 traffic through their gateway, setting up a man-in-the-middle attack.
Most of the other end-system vulnerabilities come from tunnels. In this case, a tunnel is a way for a host connected to an IPv4-only system to speak IPv6 with another host across the internet. This makes your system vulnerable to IPv6 attacks from whoever is on the other side of that tunnel. One of the most popular types of tunnel is a Teredo tunnel, which carries a couple of risks. Specifically, in Windows Vista Teredo tunnels bypass the Windows firewall. As far as I can tell, this issue is fixed in Windows 7. Also, some applications (most notably utorrent) will setup Teredo tunnels automatically if you let them. This behavior will open potentially unmonitored connections, so if you see this option in your apps don’t turn it on unless you have IPv6-aware security software on your PC.
That’s the bad news, but Don’t Panic. The good news is that most major security vendors, including Kaspersky, McAfee, and Symantec, have had IPv6 support in their software firewalls for years. Commercial hardware firewall vendors also generally have good support for IPv6, but most home routers (such as Linksys, D-Link, and Netgear) have no support for v6. If you’ve purchased or upgraded your security software since 2007, you’re probably protected.
Even so, to prevent any possible attacks, I would recommend disabling IPv6 on your PC if you do not currently use it in your home network. Truthfully, there’s no compelling reason to use IPv6 at home right now, and you can turn it back on when you do make the move. Here are instructions for disabling it:
In Windows Vista/7 – Only do the first four steps unless you are familiar with the Windows Registry. In fact, I wouldn’t do the last steps even so, because they make it a pain to turn the protocol back on when you do need it (and in a couple of years, you will).
In Mac OS X – Predictably, it’s super easy to do on a Mac.