IPv6 – A Stealthy Threat within the World’s Most Secure Networks?
The adoption of IPv6 among federal agencies is happening at a faster clip than among commercial sectors. This adoption is fueled by federal mandates that agencies use IPv6 for all public-facing Internet websites and applications. Despite these mandates, overall adoption of IPv6 is tepid and has not kept pace with the IPv6 capabilities vendors build into new products. Herein lies a problem. It’s precisely this mismatch between the IPv6 capabilities found in new gear and IT’s lagging embrace of IPv6 that can result in unmanaged IPv6 “shadow networks.” This post examines the risks of an IPv6 shadow network and provides recommendations for how to detect and manage IPv6-enabled devices in use.
Lurking in the Shadows
You may be operating a shadow IPv6 network unawares because many of the new devices you’ve added to your network are IPv6-capable and have IPv6 enabled by default. Not a huge concern, you might think, given that you have not “configured” IPv6 services with an IP address and a route. However, IPv6 is more intelligent than IPv4, and it can “auto-configure.” As a result, there could be a covert route operating in and out of your network. Let’s take a closer look at some of the potential security risks inherent to unmanaged IPv6 usage.
IPv6 does not use IPv4-style “broadcast” addresses. Rather, it expands the use of multicast to request and acknowledge service solicitation and address resolution. This means that a well-known multicast address could be exploited to reveal unpublished network resources. Once identified, these resources can become targets. To prevent this, you must enable IPv6 multicast configurations and their associated protocols and services as needed, and keep them managed.
IPv6 Stateless Address Auto-configuration (SLAAC)
IPv6-enabled devices have a new and automated method for obtaining an IP address without any manual configuration or interaction with DHCP. Using SLAAC, an IPv6 host can generate its own address using a combination of information available locally and advertised by routers. This means it’s possible for a device to operate stealthily on a network. One way to manage this risk is to disable SLAAC and use DHCPv6.
IPv6 Security Controls
Another concern, not directly tied to IPv6 architecture, is whether your current security controls (e.g., firewalls, filters, NIDS, etc.) are effective with IPv6. Ineffective security controls can open a revolving door for IPv6 traffic to travel in and out of your network undetected and unmonitored. There is an abundance of incidents in which malicious tools are used to detect IPv6-capable hosts, take control of IPv6 auto-configuration, and begin stealthily tunneling IPv6 traffic in and out of an IPv4 network. To combat this scenario, verify that your security controls are equipped with IPv6 controls to filter or block IPv6 traffic at the firewall as needed.
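To make the SLAAC and tunneling risks above concrete, the following added example (not part of the original post) classifies IPv6 addresses observed on a segment that is supposed to be IPv4-only, flagging SLAAC addresses built from a MAC (modified EUI-64) and 6to4 or Teredo tunnel addresses. The sample addresses and the function names are constructed for illustration; the input would normally come from a neighbor-table or flow-log export.

```python
import ipaddress

# Constructed sample: addresses as they might appear in a neighbor-table or
# flow-log export from a segment that is meant to be IPv4-only.
OBSERVED = [
    "fe80::0211:22ff:fe33:4455",             # link-local, EUI-64 interface ID
    "2001:db8:10:1:a8bb:ccff:fedd:eeff",     # routed prefix, EUI-64 interface ID
    "2002:c000:0204::1",                     # 6to4 (embeds an IPv4 address)
    "2001:0:c633:6401:8000:63bf:3fff:fdd2",  # Teredo (IPv6 carried over UDP/IPv4)
    "2001:db8:10:1::25",                     # static or DHCPv6-style address
]

def eui64_mac(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, else None.

    Hosts using privacy or stable-opaque interface IDs carry no MAC, so an
    empty result here does not mean the host is not using SLAAC.
    """
    iid = addr.packed[8:]              # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":        # EUI-64 inserts ff:fe mid-MAC
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in mac)

def classify(text):
    """Label one address with the auto-configuration or tunnel type it reveals."""
    addr = ipaddress.IPv6Address(text)
    finding = {"address": str(addr), "kind": "other", "detail": None}
    if addr.teredo:
        server, client = addr.teredo
        finding.update(kind="teredo-tunnel", detail=f"server={server} client={client}")
    elif addr.sixtofour:
        finding.update(kind="6to4-tunnel", detail=f"ipv4={addr.sixtofour}")
    elif eui64_mac(addr):
        scope = "link-local" if addr.is_link_local else "routable"
        finding.update(kind=f"slaac-eui64-{scope}", detail=f"mac={eui64_mac(addr)}")
    return finding

def report(addresses):
    """Classify every observed address, preserving input order."""
    return [classify(a) for a in addresses]

if __name__ == "__main__":
    for f in report(OBSERVED):
        print(f"{f['address']:<40} {f['kind']:<26} {f['detail'] or ''}")
```

A recovered MAC can be matched against the switch or DHCP inventory to name the device, and any tunnel-type hit on an IPv4-only segment is a candidate for the firewall filtering described above.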
Many vendors have supported IPv6 for years. However, the process of solidifying these implementations is ongoing. As a result, new vulnerabilities will inevitably surface, and when exploited will lead to lost system confidentiality, integrity, and availability. It’s important that you identify at-risk hosts and actively manage security updates—especially as they relate to IPv6.
To actively manage these risks (and others not covered in this post) organizations must adopt a comprehensive IP management strategy. One helpful resource is this NIST publication, which provides specific recommendations for addressing interim IPv6 security and the transition from IPv4 to IPv6.
Another valuable resource is a DDI solution. An integrated DHCP, DNS, and IP address management (DDI) tool simplifies IP address management for both IPv4 and IPv6 by helping network administrators identify IPv6-enabled hosts and subsequently manage them with regard to:
- Creating subnets and executing IPv4 transition tasks
- Identifying IPv6 hosts and tracking IPv6 addresses
- Provisioning IPv6 addresses and DHCP and DNS settings
- Monitoring IP conflicts, DHCP scopes, and DNS errors
- Maintaining event logs and operational histories
IPv6 is here to stay. While the transition to IPv6 will occur over time, you cannot put off IPv6 management. Chances are you have IPv6 gear operating on your network right now. So the question is not when you should begin managing IPv6, but what you should be doing right now!