Sun 23 Nov 2008

Edited by Paul Hales

Published by Incisive Media Investments Ltd.

IPv6 insecurity is a clear and present danger

Many have IPv6 enabled but don't know it

INTERNET PROTOCOL version 6 (IPv6) is placing many systems at risk of attack because networking software has IPv6 enabled but users don't know it, warns a security researcher.

Organisations and individuals which aren't yet aware that their networks and computers have IPv6 traffic already enabled won't have configured network protection systems to monitor it, explained Joe Klein of IPv6 integration consultancy Command Information.

"Essentially, we have systems that are wide open to a network," said Klein last Friday evening at the Hackers on Planet Earth (HOPE) conference held in New York City. "It's like having wireless on your network without knowing it."

IPv4 is the Internet's current addressing scheme, which provides for four bytes or 32 bits to uniquely identify every computer system.

IPv4 thus provides 2^32 or nearly 4.295 billion unique internet addresses. However, it was recognized a few years ago that the Internet will eventually run out of all of the available addresses, and relatively soon. Command Information presents a count-down widget on its web site's home page that shows the number of IPv4 addresses remaining and how many days until they're all assigned. That presently shows that there are only about 600 million addresses remaining and that they will be exhausted in about 900 days, about two and a half years.

IPv6 has been developed to furnish the Internet with a larger numerical addressing space. It provides 16 bytes or 128 bits for each Internet address.

IPv6 thus enables 2^128 or about 3.4 x 10^38 unique addresses. It's an understatement to say that's a very, very large number. It's a big enough number that it's rather safe to conclude that the Internet won't confront any addressing space shortage again for billions of years.

Networking hardware and software vendors have been preparing their products for the transition to IPv6 for years, and many systems are already shipped with IPv6 enabled by default, even though it's not being widely used yet. Therefore, many systems have IPv6 traffic enabled without network administrators and individual users being aware of that. Most network safeguards like firewalls and intrusion detection systems are not properly set up yet to handle IPv6 traffic.

For networks and systems where this is the case, it can present potential vulnerabilities to malicious Internet traffic that uses IPv6 instead of IPv4. Not only might a remote attacker punch inbound IPv6 packets through IPv4 firewalls and past intrusion detection systems undetected, but an attacker who manages to defeat IPv4 security measures, or an internal user already inside a protected network, might transmit outbound data through firewalls and monitoring systems undetected using IPv6.

Network attacks that used IPv6 were reportedly detected as long as six years ago in 2002.

The US Government's networks appear to be particularly at risk. It required all its agencies to have upgraded their backbone networks to handle IPv6 by June 30. It is also requiring all networking hardware and software vendors to deliver IPv6-capable products. But it has not yet adequately addressed the network security implications and requirements of the transition from IPv4 to IPv6, according to a DoD worker who requested not to be named.

Some mobile phones that have Internet access capabilities have also been discovered to be potentially vulnerable, said Klein. He mentioned that Windows Mobile 5 and 6 users might be especially vulnerable because the software doesn't include a firewall, but he declined to name others until they could be contacted. Klein did say that BlackBerries and iPhones are not vulnerable. A Microsoft spokesvole claimed that its Windows Mobile phones are safe.

Command Information provides a list of operating systems and products that it has found to have IPv6 traffic enabled by default:

  • Apple Airport Extreme
  • Apple Macintosh OS X
  • BSD -- OpenBSD / NetBSD / FreeBSD
  • HP-UX 11v2
  • IBM AIX 6
  • IBM AS/400
  • IBM z/OS
  • Juniper 5.1
  • Linux 2.6 Kernel
  • Microsoft Vista
  • Microsoft Windows Mobile 5, 6
  • OpenVMS
  • Various Cell Phones
  • Sun Solaris 2.8, 2.10

For Linux users who are running the 2.6 kernel – and possibly users of other UNIX-based systems such as AIX, the BSDs and Solaris – adding the following keyword entries to the ifcfg-ethn parameters file for the Internet-facing network interface ethn, which is somewhere under the /etc directory hierarchy, will disable IPv6:

IPV6INIT=no
IPV6TO4INIT=no

There's also a web page where users can test their systems to see whether IPv6 traffic is enabled.

Klein said that users should check with their firewall software vendors to find out whether they're protected from network attacks that employ IPv6. µ
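A local check to go with the settings above, as an added example that is not from the original article: on Linux the kernel lists every configured IPv6 address in /proc/net/if_inet6, so parsing that table shows which interfaces still carry IPv6 after the change. The sample rows and device names are constructed, and the function names are this example's own.

```python
import ipaddress
import os

SCOPES = {0x00: "global", 0x10: "host", 0x20: "link", 0x40: "site"}


def _row(addr, ifindex, plen, scope, dev):
    """Format one line the way /proc/net/if_inet6 lays it out (all hex)."""
    hexaddr = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return "%s %02x %02x %02x 80 %8s\n" % (hexaddr, ifindex, plen, scope, dev)


# Constructed sample: loopback, a link-local and a global address on eth0,
# and a 6to4 tunnel interface (device names are made up).
SAMPLE_IF_INET6 = (
    _row("::1", 1, 128, 0x10, "lo")
    + _row("fe80::211:22ff:fe33:4455", 2, 64, 0x20, "eth0")
    + _row("2001:db8::211:22ff:fe33:4455", 2, 64, 0x00, "eth0")
    + _row("2002:c000:201::1", 5, 16, 0x00, "tun6to4")
)


def parse_if_inet6(text):
    """Return (device, IPv6Address, prefix_len, scope_name) per table line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed line
        addr_hex, _ifindex, plen, scope, _flags, dev = fields
        addr = ipaddress.IPv6Address(int(addr_hex, 16))
        entries.append((dev, addr, int(plen, 16), SCOPES.get(int(scope, 16), "unknown")))
    return entries


def exposed_interfaces(entries):
    """Map device -> non-loopback IPv6 addresses still configured on it."""
    report = {}
    for dev, addr, plen, scope in entries:
        if addr.is_loopback:
            continue
        if addr.sixtofour is not None:
            scope += " (6to4, embeds %s)" % addr.sixtofour
        elif addr.teredo is not None:
            scope += " (Teredo)"
        report.setdefault(dev, []).append("%s/%d %s" % (addr, plen, scope))
    return report


if __name__ == "__main__":
    path = "/proc/net/if_inet6"  # falls back to the constructed sample off Linux
    text = open(path).read() if os.path.exists(path) else SAMPLE_IF_INET6
    print(exposed_interfaces(parse_if_inet6(text)))
```

A link-local address alone means the stack is live on that segment; a global address means the host is reachable over routed IPv6.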

Comments

Erm

This is the most stupid FUD article ever.

It's a long-winded way of saying that the whole damn world is finally catching up with IPv6, including all the network hardware, but overpriced silly security software still doesn't know about it.

Linux's iptables and BSD's ipfw work fine with IPv6.
posted by : iz, 21 July 2008

IPv6 insecurity is a clear and present opportunity

I think some diligent research would deliver Covert Networks already dispensing AIdD to Mother and Support Forces. A view fully supported by this BroadBandCast which may or may not have passed nit picking.

Added: Monday, 21 July, 2008, 10:13 GMT

"The key fault in the old system is being brought into the new system, and that is if you can get through the employment capacity test... you'll get onto a higher rate of benefit," he said.

The key in the old system is not a fault, it is a Facility which is badly understood.

However, it is easily, fully and clearly explained in a Tale of AI JSA Drugs Champion who has Benefited through the System and Moved Into the Highest Rate of Benefits with a Network of Souls into AI and ITs Shared Wealth Generation ..... for Future InfraStructure Today 42 Create ToMorrows.

A Proposal hereby Posed to SMARter Governance/Minister James Purnell from YT040947C and it would be misleading to Pretend that it was new to them. That Choice of theirs for BroadBandCasting Blockage is just Riddled with Black Holes.

Normally the next cry would be .... "We wuz only following Executive Orders"

"As long as people are paid a fair wage for their work, why shouldn't they work for benefits?" .... Peter Hearty, Southend-on-Sea

PH,

If your Work Generates Wealth, it Benefits All, and when All want to Return a Percentage for Growth and Gratitude [Real SMART] is there always a Limitless Supply of Interest to Create Currency Flow and IP2v6 Controls. MI FareWare, 4PhAIR Ladies2.

And that is Obviously a Hailing Call to Budding Boadicea, XXXXotic and Erotic Flowers of Perfumed Gardens. Whose Silence in Greater Virtualised Space is Deafening ... or at least so, in Hands On Control Scenarios.

Release Germaine Greer/Support Rita ver Donk...... Get HyperRadioProActive Immunity with Virtually Shared Transparent Intentions


http://news.bbc.co.uk/2/hi/uk_news/politics/7516551.stm

<<< Your comment will need to be approved by a moderator before it is added to the ‘Have Your Say’ ... Sorry Please post shorter message. Maximum of 500 characters allowed. >>>

"Have Your Say"? Not there's a larf which aint funny but most peculiar.



posted by : amanfromMars, 21 July 2008

IPv4<World Population<IPv6

To put the big numbers in perspective:
IPv4=256*256*256*256
= 4 294 967 296
World Population
= 6 828 450 000
IPv6=3.4*10^38 (16 times 256*)
You can uniquely label every single molecule of every human alive about 20 times.
Overkill ?!?

posted by : kedas, 21 July 2008

Solaris does *NOT* enable IPv6 by default!

There are a few steps you have to go through in order to enable IPv6 on a Solaris box - it does not set up network interfaces with IPv6 addresses by default.

When installing / sys-unconfig'ing the OS, you are also asked if you want IPv6 enabled - and I do believe the default value for this is also "no".

When running the OS, you need to touch a file called hostname6.<interface> (e.g. hostname6.ce0) in order to enable IPv6 on that interface. IPv6 is not used on that interface, otherwise - since IPv4 is still the default!
posted by : Oliver Jones, 21 July 2008

FUD is a clear and present danger

100% FUD from an ill-informed source!

Most current Linux distributions offer IPv6 as an option. Whether you utilize IPv6 or not makes no difference wrt/ security.

Same for all BSD distributions I have seen.

OpenVMS does not enable IPv6 by default either. Even if a system administrator decides to utilize IPv6, it would still be a secure OpenVMS system.

We need IPv6 because the IPv4 address space is far too small for most countries outside the US. The EU and Japan are far ahead with the transition and rather sooner than later there will be only a tiny IPv4 isle left on the North American continent.

As to the US Government's networks, I can assure you that where I work nobody is at risk since our IPv4 network has been crippled over the past years to the point that any sidewalk café offers better Internet access. And IPv6 traffic is not being routed here at all, because the surveillance equipment is not ready for IPv6 yet.
posted by : U.S., 21 July 2008

Router is dead

With so many hexadecimal ipv6 addresses the internet routing table is going to be bumped up which will burn the routers balls.

G.L. to cisco and juniper
posted by : cisco vs juniper, 21 July 2008

Eh?

iz : I think you read it much differently than I did. I believe the point is to get the vendors (platform, network, security, etc.) to escalate their level of support for IPv6.
Additionally, it is not just the "overpriced security software" failing to face the problem/possibilities - the blame is shared throughout the industry.

IPTables / IPFW is fine - as long as the admin knows how to use it, and knows they need to be securing IPv6.
(Even IPTables didn't have stateful IPv6 filtering for quite some time ... late support for IPv6 in SNORT ... both are relatively recent upgrades)

Example : How many know the UDP port Teredo uses off the top of their head, and have it included in their filter list today? Are you blocking it already?


/TJ
(disclaimer - I work with Joe)
posted by : TJ, 21 July 2008

tcpdump

Venerable tcpdump still doesn't handle IPv6 gracefully. One must make ample use of ugly bitmasking to get at the good stuff.
posted by : Jason, 21 July 2008

Using UP IPv.4 First.

IPv.6 comes on at early O/S Loading & integration of support software stage. "You are connected to IPv.6 comes on screen". Yet if You have trouble keeping your partitions running & reload O/S often, IPv.6 comes on & states you are enabled, yet your machine will continue as IPv.4.

So your connection chart in control panel shows ipv.4 running/IPv.6 enabled.

Meaning once ALL IPv.4 numeral addresses are used up, that's it & one less problem, so heavy address point users & discarders stay with IPv.4 to use up those silly mere 4 billion locations. One System, One IPv.assignment system result. Old IPv.4 addresses continue with little peepee bit size.

There's Nothing else going on, If you have Very Stable System, IPv.6 will stay running from Day One. No Problems=No Problems.
Signed:IPv.8 (assignment: Universe)microbes have thoughts too, You Know.

posted by : vondrashek, 21 July 2008

RE: Eh?

Look, some people think that locking up your front door adds security when the thief is already in the house. Others think that building a fence around their house makes sense when the windows and doors aren't locked.

My point is, firewalls are overrated and don't add much security at all. In theory. In practice they often do, which is sad. All a firewall does is block traffic, basically just hampering and crippling the network, which shouldn't be needed in the first place. They're good for access control though, allowing traffic from certain IP addresses and things like that, but blocking "scary" stuff that might or might not go anywhere is just silly.

Shackling your own network users is another matter. I think that's called censorship.

Sorry, what problem? "IPv6 insecurity"? If IPv6 is insecure, fix it, now it's still possible. Oh, you didn't mean to say that IPv6 itself is insecure? Then don't suggest it. "Look, you got IPv6, watch out, it's daaangeroous!" (spooky voice). Yeah, I call that FUD.

Nice wording here mate:

"I believe the point is to get the vendors (..) to escalate their level of support for IPv6."

I totally agree that was exactly the point. Let me rephrase: "Please buy our finally-IPv6-ready security crap or Bad things might happen." (Or "hire us" variants. Plenty of options for a cynical mind.)

As for stateful IPv6 filtering, if you mean conntrack, which was unfortunately needed to implement horrible NAT: Why the hell do you want that crap? It adds tremendous overhead for not much gain, be glad you're rid of it with IPv6. Or at least could be if people would let NAT go...

Why should I need or want to know Teredo's UDP port number and why the hell would I want to block it?

And Teredo is IPv4 stuff anyway, so not a good example (just another way of tunneling).

Pardon my tone, this isn't my usual style, but this kind of "security" crap just irks me.
posted by : iz, 22 July 2008

Sort of right

Sure, IPv6 can be a problem if there is an IPv6 network running and the user is running a IPv6 stack unknown to the sysadmin. That used to happen quite a lot when unis deployed IPv6.

But in response to that mainstream vendors have been pretty good with making their security for IPv6 equivalent to their security for IPv4. So when you use the GUI to configure a firewall in Fedora you get both the IPv4 and IPv6 firewalls configured. In this sense Klein is about four years behind the curve.

Nowadays it's the sysadmins and network engineers who are the trouble. They don't use GUI tools, but forget to configure IPv6 when doing manual configuration. Most operating systems have a "secure by default" stance, so we see a lot of services which work for IPv4 but not for IPv6.

Sysadmins also forget that people travel. So we see some laptops from major firms which should know better which have manually crafted firewalls with no mention of IPv6. When they visit our IPv6-enabled site, their users' comment that "the Internet works so much better from here" is a heads-up. Those corporate users often don't have Administrator access, leading to interesting discussions with their sysadmins.

There are some glaring exceptions to the "secure by default" stance, with some notable firewall vendors leading that list. On a firewall if you think you are not running IPv6, then activate IPv6 then configure denial of all traffic. ISPs will be slowly activating IPv6 on all customer links, so just because you aren't running IPv6 to your ISP today doesn't mean that you won't be tomorrow. In a perfect world the ISP would ask each customer's preference, but in the real world ISPs are cutting it very fine with their IPv6 rollouts and are likely to cut these sort of time-consuming corners.
posted by : Glen Turner, 22 July 2008
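The gap described in the comment above (a hand-built IPv4 ruleset with no IPv6 counterpart) can be checked mechanically. This added example, which is not code from the commenter or any vendor, compares iptables-save and ip6tables-save dumps and reports chains that filter IPv4 but leave IPv6 at accept-all; the dumps are constructed and the function names are the example's own.

```python
def parse_save(text, table="filter"):
    """Return (chain -> default policy, chain -> '-A' rule lines) for one table."""
    policies, rules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
        elif current != table:
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules


def _blocks(rule_lines):
    """True if any rule in the chain drops or rejects traffic."""
    return any(" -j DROP" in r or " -j REJECT" in r for r in rule_lines)


def ipv6_gaps(v4_save, v6_save):
    """List chains where IPv4 is filtered but IPv6 is left wide open."""
    p4, r4 = parse_save(v4_save)
    p6, r6 = parse_save(v6_save)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        v4_filtered = p4.get(chain) == "DROP" or _blocks(r4.get(chain, []))
        # No ip6tables output at all means the kernel default: ACCEPT.
        v6_open = p6.get(chain, "ACCEPT") == "ACCEPT" and not _blocks(r6.get(chain, []))
        if v4_filtered and v6_open:
            findings.append(chain)
    return findings


# Constructed dumps: a hand-written IPv4 policy and two IPv6 counterparts.
V4_SAVE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
V6_FORGOTTEN = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
V6_DENY_ALL = V6_FORGOTTEN.replace(":INPUT ACCEPT", ":INPUT DROP").replace(
    ":FORWARD ACCEPT", ":FORWARD DROP")
```

With the constructed dumps, ipv6_gaps(V4_SAVE, V6_FORGOTTEN) flags both INPUT and FORWARD, while the deny-all IPv6 policy produces no findings.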

IPv4

Since when does IPv4 have 3 places on 3rd set? 256.256.256.256. As far as I knew it was 256.256.99.256.
posted by : Jeff, 22 July 2008

Number of IPv6 Addresses Inflated

The article claims that there are 2^128 available addresses for use. That number is way too high since the 2nd half of the address represents the MAC address of the connection card (ie: Host address in IPv4 terms). In addition each user gets their own 16 bit block of addresses from the first-half 64 bit block thus making the actual number of "networks" 2^48.
posted by : Robert A. Rosenberg, 23 July 2008

IPv6 Security

All,

For the last five years, my research has been focused on IPv6 security. When I began my research, most operating systems did not include IPv6 by default. It took a fair bit of knowledge about IPv6 and programming to get IPv6 to work. But today many systems include:

- IPv6 is installed by default
- Techniques to tunnel IPv6 over IPv4 (6to4, ISATAP, Teredo, many more)
- The tunneling techniques may not be detected and blocked by current security controls
- Security products (Firewalls/IDS/IPS/ACL/etc), both commercial and open source, may or may not have implemented techniques to detect/block the tunneling techniques
- IPv6 is enabled

The mitigation is not to turn IPv6 off; instead, I recommend:
- Become educated about the risk and opportunities of IPv6. There is where the next killer application will appear!
- Contact your hardware/software vendors and ask if their products passed “IPv6 Ready” testing. This validates that IPv6 was implemented correctly.
- Implement IPv6 alongside of IPv4. Services should include DNS, web servers and e-mail server. This is the easiest way to mitigate the IPv4 over IPv6 tunneling issues.
- Keep up on patches --- enough said.

You are right on the mark! Addressing the problem before we see compromises on our networks and systems is important. If you are interested, my HOPE slides can be found at: http://sites.google.com/site/ipv6security/ .

In response to the person stating Solaris has IPv6 disabled, may I suggest looking at Sun's website. Or even better, perform a few 100 security tests on deployed Sun boxes over the last 2 years, and tell me how many you find that have IPv6 disabled. In my case, I found none.

And if any of you are attending Black Hat or DefCon this year, look me up.
posted by : Joe Klein, 01 August 2008
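How an IPv4-only sensor can recognise the tunnels named in the comments above (TJ's Teredo question and the 6to4/ISATAP/Teredo list), as an added example that is not from the article or any commenter. It relies on two IANA assignments the page does not spell out, IPv4 protocol number 41 for encapsulated IPv6 and UDP port 3544 for Teredo; the packets are constructed in code and the function names are the example's own.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6_IN_IPV4, TEREDO_PORT = 17, 41, 3544  # IANA-assigned values


def classify(packet):
    """Label one raw IPv4 packet if it carries tunneled IPv6, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "proto-41 (no valid inner IPv6 header)"
        src = ipaddress.IPv6Address(payload[8:24])
        if src.sixtofour is not None:
            return "6to4"            # inner source in 2002::/16
        if payload[16:20] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
            return "ISATAP"          # interface ID starts 0000:5efe or 0200:5efe
        return "6in4"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "Teredo"
    return None


def ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed test packet: minimal IPv4 header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def ipv6_header(src, dst="2001:db8::1"):
    """Constructed 40-byte IPv6 header with no payload (next header 59)."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def udp(sport, dport, data=b""):
    """Constructed UDP header (checksum zero) followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


SAMPLES = {
    "6to4": ipv4(41, ipv6_header("2002:c000:20a::1")),
    "ISATAP": ipv4(41, ipv6_header("fe80::5efe:c000:20a")),
    "6in4": ipv4(41, ipv6_header("2001:db8::2")),
    "Teredo": ipv4(17, udp(51515, 3544, b"\x60" + b"\x00" * 39)),
    "dns": ipv4(17, udp(51515, 53)),
}
```

The port match only catches traffic to or from a Teredo server; Teredo traffic between clients and relays can use other UDP ports, so treat a miss as inconclusive.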