Internet Protocol version 6 (IPv6) has been around for many years and was first supported in Red Hat Enterprise Linux 6 in 2010. Designed to provide, among other things, additional address space on the ever-growing Internet, IPv6 has only recently become a priority for ISPs and businesses.
On February 3, 2011, ICANN announced that the available pool of unallocated IPv4 addresses had been completely emptied and urged network operators and server owners to implement IPv6 if they had not already done so. Unfortunately, many networks still do not support IPv6 and many system and network administrators don’t understand the security risks associated with not having some sort of IPv6 control within their networks setup even if IPv6 is not supported. The common thought of not having to worry about IPv6 since it’s not supported on a network is a false one.
On many operating systems, Red Hat Enterprise Linux and Fedora included, IPv6 is preferred over IPv4. A DNS lookup will search first for an IPv6 address and then an IPv4 address. A system requesting a DHCP allocation will, by default, attempt to obtain both addresses as well. When a network does not support IPv6 it leaves open the possibility of rouge IPv6 DHCP and DNS servers coming online to redirect traffic either around current network restrictions or through a specific choke point where traffic can be inspected or both. Basically, if you aren’t offering up IPv6 within your network someone else could.
Just like on an IPv4 network, monitoring IPv6 on the internal network is crucial for security, especially if you don’t have IPv6 rolled out. Without proper monitoring, an attacker, or poorly configured server, could start providing a path way out of your network, bypassing all established safety mechanisms to keep your data under control.
There are several methods for protecting systems and networks from attacks revolving around IPv6. The simplest, and most preferred method, is to simply start using IPv6. It becomes much more difficult for rouge DNS and DHCP servers to be implemented on a functioning IPv6 network. Implementing IPv6 isn’t particularly difficult either.
Unfortunately IPv6 isn’t all the simple to implement either. As UNC‘s Dr. Joni Julian spoke about in her SouthEast LinuxFest presentation on IPv6 Security, many of the tools administrators use to manage network connections have been rewritten, and thus renamed, to support IPv6. This adds to the confusion when other tools, such as iptables, require different rules to be written to support IPv6. Carnegie Mellon University’s CERT addresses many different facets of implementing IPv6 including ip6tables rules. There are many resources available to help system and network administrators setup IPv6 on their systems and networks and by doing so networks will automatically be available to IPv6-only networks of the
Blocking and Disabling IPv6
If setting up IPv6 isn’t possible the next best thing is disabling, blocking, and monitoring for IPv6 on the network. This means disabling IPv6 in the network stack and blocking IPv6 in ip6tables.
# Set DROP as default policy to INPUT, OUTPUT, and FORWARD chains. ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP ip6tables -P FORWARD DROP# Set DROP as a rule to INPUT and OUTPUT chains.
ip6tables -I INPUT -p all -j DROP ip6tables -I OUTPUT -p all -j DROP
Because it can never known that every system on a network will be properly locked down, monitoring for IPv6 packets on the network is important. Many IDSs can be configured to alert on such activity but configuration is key.
A few final words
IPv6 doesn’t have to be scary but if you want to maintain a secure network a certain amount of respect is required. With proper monitoring IPv6 can be an easily manageable “threat”. Of course the best way to mitigate the risks is to embrace IPv6. Rolling it out and using it prevents many of the risks already discussed and it could already be an availability issue if serving up information over the Internet is important.