Yesterday was World IPv6 Day. Many of the major internet companies like Google, Facebook and Microsoft enabled IPv6 versions of their websites. Nearly all major operating systems – that power everything from computing clusters to smart phones and embedded devices – can speak the IPv6 protocol. IPv6 is enabled by default on far more systems than people generally realize. (Just check the networking config on your local system and it is basically assured that you have an active link local IPv6 address assigned to an interface.) Fundamentally, as IPv6 adoption grows and organizations increasingly implement integration layers such as IPv4 to IPv6 gateways, the attack surface that is available to blackhats is rapidly expanding. In terms of network (in) security, IPv6 represents a major emerging exploitation vector.
How pervasive might the attack surface be? Joe Klein, a security researcher who concentrates on IPv6, has done a good job quantifying the security implications of IPv6 in presentations at security conferences such as HOPE and DojoCon. Some of his talks are available here. In addition, a cursory check of the National Vulnerability Database shows an increasing trend in published vulnerabilities that depend on IPv6. For example, CVE-2011-2395 is a vulnerability in Cisco infrastructure that allows an attacker to bypass Cisco’s ICMPv6 router advertisement guard capability.
Beyond quantifying the threat, security professionals are not yet accustomed to checking whether measures have been put in place to harden systems against exploits that are delivered over IPv6. For example, for those who run Linux and deploy a firewall policy via iptables, when was the last time you ran “ip6tables” to check the filtering stance for IPv6 traffic? If your network routes IPv6, the iPhone in your pocket will speak IPv6 too! For commercial security infrastructure, if a system is compromised via IPv6, will this infrastructure help to detect/diagnose/defend/remediate this event?
Enterasys IPS (aka Dragon) anticipated the security importance of IPv6. It has been IPv6-ready for months and today inspects IPv6 traffic for signs of malicious activity. The Enterasys IPS network sensor fully supports the detection (and optional blocking response in inline IPS mode) of application layer threats that are sent over IPv6 traffic. The reporting interface displays IPv6 addresses that have been logged via Enterasys IPS events, and we have internal testing tools that can simulate thousands of attacks over IPv6 in order to validate our detection abilities.