Monday, February 19, 2007

How IPv6 is already creating security problems

Computer Associates CEO John Swainson, the keynote speaker at last week's CA Expo '07 conference in Sydney, Australia, spoke about how the deployment of IPv6 will bring unavoidable and unknown security threats. He was quoted in SC Magazine:
“I don’t know what they will be but I can predict with a high degree of probability that it will happen,” he said.

“This is not something you can test in the lab, it’s something that emerges through practice.”

Swainson’s comments on IPv6 were part of a broader theme addressing the emerging complexities in IT infrastructure and their more complex insecurities.

“We’re talking about new complexities on top of existing complexities. As networks expand to include remote device types and additional applications [they] produce a wide variety of security threats,” he said.

The new Apple AirPort Extreme for 802.11n wireless networks demonstrates Swainson's point quite vividly. The device supports IPv6, and by default it sets up an IPv6 tunnel over the IPv4 Internet and provides IPv6 addresses to hosts on the local network that have IPv6 enabled. For those using the device as their local firewall (which I'd argue is not a great idea--it's not really adequate to the task), while it will reject most incoming IPv4 connections, it will allow all IPv6 connections through. For those not using it as a firewall, if their actual firewall allows the IPv6 tunnel (and most firewalls allow all outbound connections, which would allow the tunnel to be established), the tunnel then becomes a path through the firewall.

That is, if you put this device on your network in its default configuration, you've just completely opened up your internal systems to connections from any IPv6 host--your firewall may as well not be there, from an IPv6 perspective.

There is no "disable IPv6" option, but if you set the device to "Link Local" mode instead of "Tunnel" mode, it will only talk IPv6 to your internal network, not to the outside world.

My own home network runs IPv4 and IPv6, including wirelessly, but I have my wireless network as a separate network off my firewall, and have IPv6 firewall rules in place. It's my firewall that provides the tunnel to the IPv6 Internet. This means that any machines connected to my wireless network that want to communicate with machines on my wired network (like servers) need to pass traffic through the firewall to get to them. Also, as my firewall is an OpenBSD machine, it will not route (for security reasons) the 6to4 packets the Apple AirPort is using to create automatic IPv6 tunneling (though this makes IPv4-to-v6 migration even more difficult).
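A defender-side check for the tunnel described above, added here as an example that is not part of the original post: it inspects a raw IPv4 packet captured at the perimeter, flags IPv6-in-IPv4 encapsulation (IPv4 protocol 41, which 6to4 uses), and decodes the inner IPv6 addresses to show which IPv4 gateway a 2002::/16 address maps to. The function names and the documentation-range addresses in the sample packet are assumptions made for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number for IPv6 encapsulated in IPv4
SIXTOFOUR_RELAY = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 6to4 anycast relay


def find_tunneled_ipv6(packet: bytes):
    """Return details of an IPv6-in-IPv4 packet, or None if it is not one."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # outer IPv4 header length in bytes
    if ihl < 20 or packet[9] != PROTO_IPV6_IN_IPV4:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None  # truncated, or payload is not an IPv6 header
    outer_src = ipaddress.IPv4Address(packet[12:16])
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    return {
        "outer_src": outer_src,
        "outer_dst": outer_dst,
        "inner_src": inner_src,
        "inner_dst": inner_dst,
        "inner_next_header": inner[6],
        # .sixtofour is the IPv4 address embedded in a 2002::/16 address, else None
        "src_6to4_gateway": inner_src.sixtofour,
        "dst_6to4_gateway": inner_dst.sixtofour,
        "via_anycast_relay": SIXTOFOUR_RELAY in (outer_src, outer_dst),
    }


def build_sample(outer_src, outer_dst, proto, inner_src, inner_dst):
    """Constructed sample: minimal IPv4 header plus IPv6 header, no payload."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, 6, 64)  # version 6, next header TCP
    v6 += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, proto, 0)
    v4 += ipaddress.IPv4Address(outer_src).packed + ipaddress.IPv4Address(outer_dst).packed
    return v4 + v6


if __name__ == "__main__":
    pkt = build_sample("198.51.100.7", "203.0.113.10", 41, "2001:db8::1", "2002:cb00:710a:1::5")
    print(find_tunneled_ipv6(pkt))
```

A hit on inbound traffic means an outside IPv6 host is reaching an internal address through the tunnel, which an IPv4-only rule set never evaluates.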

Note that in the comments on the Apple AirPort article at Ars Technica, one commenter says "The primary reason why the situation is so bad with IPv4, is that almost the entire address space is populated. Worms and viruses can easily guess neighboring addresses, and since most of those are Windows machines, they make great targets." This lends IPv6 a false sense of safety, as security researchers have already pointed out numerous ways in which worms can locate other IPv6 hosts despite the sparsely populated IP space (PDF).
