IPv6 Security Myths

I’ve been reading an article on Linux.com about various IPv6 security myths. IPv6 was originally specified with several built-in security features.

Over time this grew into the expectation that IPv6 would be the most secure protocol ever. The reality is different.

The article covers some of the security fallacies that have built up around IPv6 and why you will still need to beef up security with firewalls. Some of the myths and their debunking come from the earlier IPv6 Security Myth series by the Internet Society’s Deploy360 group.

IPSec

The article reminds you that the built-in IPSec covers only end-point to end-point communication at the network layer. It does nothing about the management headache of provisioning and managing the encryption keys (and the IKE or certificate infrastructure behind them), which is what stops most people deploying it.

The original node-requirements RFC (RFC 4294) mandated IPSec support. In 2011 a revised RFC (RFC 6434) made it optional, and an optional implementation is not the same as a guaranteed one: you cannot assume the peer supports IPSec, let alone that it has been configured. IPSec in IPv6 is also the same IPSec that is available for IPv4; there are no new features or additions in the IPv6 version.

The application layer still needs its own protection. TLS (formerly SSL) at the transport layer protects application traffic regardless of the IP version underneath, and applications running over either IPv4 or IPv6 should already be using it.

NAT

NAT is not a security mechanism. It is a way of sharing one public IPv4 address among many private ones, hiding the latter behind the former. The fact that most NAT deployments only admit inbound traffic belonging to a connection opened from the inside does not make NAT itself secure: that property comes from the stateful connection tracking (a firewall function) that sits alongside the address rewriting, and the same filtering can be applied to IPv6 without any NAT. Hiding behind a NAT boundary only protects you from threats outside the boundary, not from threats already inside it, so NAT alone cannot provide complete security.

The NAT boundary is also a single point of weakness. Compromising the device at the boundary gives access to the whole of the inside network, and a denial of service attack aimed at the single outside address takes every device hiding behind it offline.

There are also the (badly designed) protocols, FTP and SIP being the usual examples, that carry addresses or ports inside their payloads and therefore need application-layer gateways to rewrite them across the NAT boundary.

IPv6 Size

Security by obscurity is not security at all. A fox looking for rabbits in one acre has an easier job than a fox looking for the same number of rabbits in 10,000 acres, but the rabbits are still there, and some are found and eaten.

The IPv6 address space is vastly larger than the IPv4 space: 128-bit addresses against 32-bit, so 2^96 times as many addresses, roughly 29 decimal orders of magnitude more. The number of IPv6 devices is going to grow, creating more rabbits for the fox to find. And humans have a habit of clustering things together: if the fox finds one rabbit, it is probably close to a warren and will find many more.

Hardware today is more powerful, but raw scanning speed is not the point: brute-forcing the 2^64 interface identifiers of a single /64 subnet remains impractical. Instead, scanners exploit the clustering described above and try the addresses people actually assign (RFC 7707 catalogues the techniques): low-numbered hosts such as ::1 and ::2, addresses that embed a service port or an IPv4 address, memorable hex words, and the predictable EUI-64 identifiers that SLAAC derives from a NIC's MAC address, supplemented by leaks from DNS, logs and routing tables. The computerised foxes are efficient because they know where warrens get dug, and they find those hypothetical rabbits.
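The following is an added example, not code from the Linux.com or Deploy360 articles, showing how a /64 gets "scanned" in practice: rather than sweeping 2^64 interface identifiers, it builds the small candidate list that the address patterns above produce. The documentation prefix, the vendor OUI, the IPv4 addresses and the word list are constructed for illustration, and the SLAAC sweep is deliberately tiny.

```python
"""
Added example: IPv6 reconnaissance by address pattern rather than brute force.

Brute-forcing the 2**64 interface identifiers of one /64 is infeasible, so
attackers enumerate what administrators and SLAAC leave behind (RFC 7707).
Prefix, OUI, IPv4 addresses and word list below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Set

# Constructed documentation prefix (RFC 3849 range), not a real network.
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")


def make_addr(prefix: ipaddress.IPv6Network, iid: int) -> str:
    """Combine a /64 prefix with a 64-bit interface identifier (IID)."""
    if prefix.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    if not 0 <= iid < 2 ** 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return str(ipaddress.IPv6Address(int(prefix.network_address) | iid))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 IID that SLAAC derives from a 48-bit MAC (RFC 4291,
    appendix A): flip the universal/local bit of the first octet and insert
    0xfffe between the vendor OUI and the NIC-specific half."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def low_byte_candidates(prefix: ipaddress.IPv6Network, upto: int = 256) -> Set[str]:
    """prefix::0 .. prefix::ff - manually numbered servers and gateways."""
    return {make_addr(prefix, iid) for iid in range(upto)}


def service_port_candidates(prefix: ipaddress.IPv6Network, ports: Iterable[int]) -> Set[str]:
    """Hosts named after the service they run: the port as a number
    (::50 for 80) and the port's decimal digits read as hex (::80)."""
    out: Set[str] = set()
    for port in ports:
        out.add(make_addr(prefix, port))
        out.add(make_addr(prefix, int(str(port), 16)))
    return out


def embedded_ipv4_candidates(prefix: ipaddress.IPv6Network, ipv4s: Iterable[str]) -> Set[str]:
    """Dual-stack hosts that mirror their IPv4 address: the 32 bits packed
    into the low hextets (::c000:20a) or each octet as its own hextet
    (::192:0:2:10, i.e. the decimal digits read as hex)."""
    out: Set[str] = set()
    for text in ipv4s:
        v4 = ipaddress.IPv4Address(text)
        out.add(make_addr(prefix, int(v4)))
        digits_as_hex = "".join(f"{octet:04d}" for octet in v4.packed)
        out.add(make_addr(prefix, int(digits_as_hex, 16)))
    return out


def hex_word_candidates(prefix: ipaddress.IPv6Network, words: Iterable[str]) -> Set[str]:
    """Memorable hex 'words' such as ::dead:beef or ::cafe."""
    return {make_addr(prefix, int(w.replace(":", ""), 16)) for w in words}


def slaac_candidates(prefix: ipaddress.IPv6Network, oui: str, nic_values: Iterable[int]) -> Set[str]:
    """SLAAC addresses for NICs from one vendor. The OUI is public, so only
    the vendor-assigned low 24 bits need sweeping: 2**24 MACs at most, which
    is still negligible next to 2**64 IIDs. The sweep here is deliberately tiny."""
    out: Set[str] = set()
    for nic in nic_values:
        mac = (f"{oui}:{(nic >> 16) & 0xff:02x}:"
               f"{(nic >> 8) & 0xff:02x}:{nic & 0xff:02x}")
        out.add(make_addr(prefix, eui64_interface_id(mac)))
    return out


def build_candidate_list(prefix: ipaddress.IPv6Network = PREFIX) -> List[str]:
    """The reconnaissance list for one /64, built from the patterns above."""
    cands: Set[str] = set()
    cands |= low_byte_candidates(prefix)
    cands |= service_port_candidates(prefix, [22, 25, 53, 80, 443, 8080])
    cands |= embedded_ipv4_candidates(prefix, ["192.0.2.10", "192.0.2.20"])
    cands |= hex_word_candidates(prefix, ["dead:beef", "cafe", "babe", "beef", "f00d"])
    cands |= slaac_candidates(prefix, "00:11:22", range(256))  # constructed OUI
    return sorted(cands)


def coverage_ratio(candidates: List[str]) -> float:
    """Fraction of the /64 that the candidate list actually probes."""
    return len(candidates) / 2 ** 64


if __name__ == "__main__":
    cands = build_candidate_list()
    print(f"{len(cands)} candidates probe {coverage_ratio(cands):.1e} of the /64 "
          "yet include the usual suspects:")
    for sample in (make_addr(PREFIX, 1), make_addr(PREFIX, 0x80),
                   make_addr(PREFIX, eui64_interface_id("00:11:22:00:00:2a"))):
        print(" ", sample, "in list:", sample in cands)
```

The point of the numbers it prints is the ratio: a few hundred addresses cover a vanishing fraction of the subnet, yet on a network numbered by hand or by SLAAC on known hardware they are exactly where the hosts sit. Randomised, stable IIDs (RFC 7217) and privacy addresses defeat the SLAAC and low-byte patterns, but not the DNS and log leaks, which is why the address space is no substitute for a firewall.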

Other vectors

The techniques miscreants apply today adapt to IPv6 just as well as to IPv4. Social engineering, application and operating system vulnerabilities, and tracking and data collection apply to both versions of IP, and they go after the same targets regardless of which one carries the packets.

Use the extra protection that IPv6 provides, but keep using all the other tools in your arsenal: firewalls, TLS and the rest.