Misconceptions are dangerous, but when it comes to network security, they can be downright catastrophic. One commonly misunderstood topic is IPv6 security.
For example, many people assume IPv6 is more secure than IPv4. It isn't. It's also not less secure than IPv4. From a security standpoint, IPv6 and IPv4 are very similar, but there are aspects in which their security properties differ, sometimes subtly and sometimes drastically. And that is just one of the ways IPv6 is commonly misunderstood.
This Nira article will focus on IPv6 network security and cover common IPv6 security risks to help you understand and combat lingering threats to your network’s security.
What Is IPv6?
IPv6 (Internet Protocol version 6) is the newer version of the Internet Protocol (IP), designed to supplement and eventually replace IPv4, the version many internet services still use today.
Let’s take a step back and understand the history of IPv4 and why IPv6 was created.
Experts have long known that IPv4 could not scale to meet the demands of today's globalized world. With only about 4.3 billion possible addresses, IPv4 offers fewer than one unique address per person on the planet, which is a serious problem when the average consumer owns many devices, each needing its own address for connectivity.
It was clear a new protocol suite was the only solution.
The Internet Engineering Task Force (IETF), the standards body responsible for developing the Internet Protocol, established a new version of the protocol that not only provides a vastly larger address space but also changes several fundamental mechanics of how the protocol suite works.
For example, a single interface in IPv6 routinely has multiple addresses for different purposes (a link-local address plus one or more global addresses), as opposed to the single address per interface typical of IPv4.
How IPv6 Works
IPv6 uses 128-bit addresses, meaning it can support 2^128 addresses, roughly 3.4 × 10^38. For context, that is about 10^28 times (2^96) the number of IPv4 addresses, giving IPv6 more than enough room for the internet to keep growing for a long, long time.
The other key benefits of IPv6 include:
- No more private address collisions when networks are merged or interconnected
- A flow label in the header to support quality of service (QoS)
- IPsec authentication and encryption support built into the protocol specification
- Simpler header format
- Better multicast routing
- Simplified, more efficient routing
- Flexible options and extensions (extension headers)
- Easier administration: stateless address autoconfiguration (SLAAC) means DHCP is no longer required
- No need for NAT (Network Address Translation)
Your computers, switches, routers, and other devices can run both protocols with a dual IP stack, and dual-stack hosts generally prefer IPv6 when both are available.
IPv6 vs. IPv4 Security Concerns
As mentioned, the IPv6 protocol suite isn't inherently any more or less secure than IPv4. In the case of IPv4, the majority of security incidents stem from configuration and implementation problems rather than weaknesses in the protocol itself; in other words, the security concerns are largely the result of human error.
The human factor plays an equally critical role in IPv6 security. We have extensive knowledge and experience with IPv4, and many of us still view our networks from an IPv4-only perspective. That is a risky perspective, because all modern operating systems and devices are enabled for both IPv6 and IPv4.
This leaves us in uncharted territory with dangerous blind spots. A common example is a company hardening a server's IPv4 attack surface while leaving the same services reachable and unfiltered over IPv6.
What's more, IPv6 traffic receives less scrutiny from security tools and security operations teams. Attackers can take advantage of this in a variety of ways to steal information and gain unauthorized access, such as exfiltrating data over IPv6 with a lower chance of detection or using an IPv6 proxy server to move laterally across a network.
Understanding the Biggest IPv6 Security Risks
To elaborate further on IPv6 security risks, here are a few ways an IPv6 deployment can make your organization less secure.
1. Inadequate IPv6 Security Training and Education
The biggest IPv6 risk is a lack of IPv6 security knowledge.
Organizations today prioritize deployment over investing time and money in upfront IPv6 security training. What they fail to appreciate is that security is far more effective when built in at the planning stage than when bolted on after deployment. Ultimately, this leads either to compromise or to companies spending more time and money later to fill the knowledge gaps.
Therefore, leaders should focus on making security practitioners more aware of IPv6 and give them training so they understand how to secure IPv6-compatible systems.
2. Ineffective Rate Limiting
Rate limiting is a popular tactic for protecting networks and services from automated attack tools. It works well on IPv4 networks, where it forces attackers either to slow down their tools or to spread the attack across many hosts, making automated attacks harder to launch and less likely to succeed.
Unfortunately, per-address rate limiting doesn't work well on IPv6 networks. Why? IPv6 address space is so vast that rate limiting at the full 128-bit address level is impractical. A single attacker is typically allotted an entire /64 (about 1.8 × 10^19 addresses) or even a /48, and can rotate through millions or billions of source addresses without ever tripping a per-address limit. To rate limit effectively, you need to key your limits on the 48-bit or 64-bit prefix instead.
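The following is an added example, not code from the article, showing what "rate limit at the prefix level" looks like in practice: a fixed-window limiter that keys IPv4 clients on their /32 and IPv6 clients on their /64 (with a looser per-/48 tier), and unmaps IPv4-mapped IPv6 addresses so a dual-stack socket does not give one client two budgets. The limits, the prefix choices and the attacker that rotates through 1000 addresses in one /64 are assumptions constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Added example, not code from the article: a fixed-window rate limiter that keys
# IPv6 clients on the prefix they control (/64, with a looser /48 tier) instead of
# on the full 128-bit address. The limits and the constructed attack in demo()
# are assumptions for illustration.

IPV6_HOST_PREFIX = 64   # one LAN / one subscriber in most allocations
IPV6_SITE_PREFIX = 48   # one site


def rate_key(addr: str, prefixlen: int = IPV6_HOST_PREFIX) -> str:
    """Bucket key for a client address.

    IPv4 is keyed on the full /32. IPv6 is collapsed to `prefixlen`. IPv4-mapped
    IPv6 addresses (::ffff:a.b.c.d, what a dual-stack socket reports for IPv4
    clients) are unmapped so one client does not get two separate budgets.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return f"{ip}/32"
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


class PrefixRateLimiter:
    """Fixed-window counters. IPv6 requests must pass both the /64 and /48 tiers."""

    def __init__(self, host_limit: int, site_limit, window: float,
                 host_prefix: int = IPV6_HOST_PREFIX):
        self.host_limit = host_limit
        self.site_limit = site_limit          # None disables the /48 tier
        self.window = window
        self.host_prefix = host_prefix        # 128 reproduces a naive per-address limiter
        self._counts = defaultdict(int)       # key -> hits in the current window
        self._window_start = defaultdict(float)

    def _roll_window(self, key: str, now: float) -> None:
        if now - self._window_start[key] >= self.window:
            self._window_start[key] = now
            self._counts[key] = 0

    def allow(self, addr: str, now: float) -> bool:
        ip = ipaddress.ip_address(addr)
        tiers = [(rate_key(addr, self.host_prefix), self.host_limit)]
        if ip.version == 6 and ip.ipv4_mapped is None and self.site_limit is not None:
            tiers.append((rate_key(addr, IPV6_SITE_PREFIX), self.site_limit))
        for key, _ in tiers:
            self._roll_window(key, now)
        if any(self._counts[key] >= limit for key, limit in tiers):
            return False          # over budget in at least one tier: drop it
        for key, _ in tiers:
            self._counts[key] += 1
        return True


def demo() -> dict:
    """Constructed attack: 1000 requests, each from a fresh address in one /64."""
    attacker = [f"2001:db8:1:1::{i:x}" for i in range(1, 1001)]
    per_address = PrefixRateLimiter(host_limit=10, site_limit=None, window=60, host_prefix=128)
    per_prefix = PrefixRateLimiter(host_limit=10, site_limit=50, window=60)
    return {
        "per_address": sum(per_address.allow(a, 100.0) for a in attacker),
        "per_prefix": sum(per_prefix.allow(a, 100.0) for a in attacker),
    }


if __name__ == "__main__":
    print(demo())
```

With a per-address key the attacker's 1000 requests all pass, because every one arrives from a "new" client; keyed on the /64 only the first 10 get through. The /48 tier catches the next step up, an attacker spreading the same load across several /64s of one site, at the cost of occasionally throttling unrelated neighbours inside that /48, which is the trade-off to tune.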
3. Lack of IPv6 Support at ISPs and Vendors
Until IPv6 security functionality and stability are at the same level as IPv4, companies will need to prioritize thorough testing.
Every network is unique, which is why each one requires its own test plan. Experts recommend building a test network and a test plan covering all protocols involved to exercise equipment, especially when working with new security technology from vendors.
Not having a native IPv6 connection from your provider complicates things further. Running IPv6 through a tunnel over IPv4 adds security complexity and creates openings for man-in-the-middle and denial-of-service attacks.
4. Logging Systems and SIEM Systems May Not Work Properly
We've already mentioned that IPv6 uses 128-bit addresses; written out in full, an IPv6 address is a 39-character string (eight groups of four hex digits separated by colons). IPv4 addresses, by contrast, are written in the form 192.168.211.255 and fit in a 15-character field.
If your logging systems expect a 15-character IP address, they may fail when they encounter a 39-character IPv6 address. At best they reject or truncate the value; at worst, code that copies it into a fixed-size buffer can produce buffer overflow-related security problems. It is also possible that the systems will silently store only the first 15 characters, rendering the logged information useless.
SIEM systems not handling IPv6 properly is another problem. Each host, inside or outside the network perimeter, can have multiple IPv6 addresses simultaneously (and may also show up under its IPv4 address), which is unusual in an IPv4 world and can break correlation. Not every SIEM fully supports IPv6: it may ingest it at the network level while the correlation engine still treats every address spelling as a separate host.
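The following is an added example, not code from the article, covering both problems above: it pulls the source address out of constructed log lines, canonicalizes each one (RFC 5952 compression, lowercase, IPv4-mapped IPv6 unmapped to plain IPv4), shows exactly what a legacy 15-character column keeps of it, and then correlates events to hosts through an asset inventory that lists each host's several addresses. The log format, the sample lines and the inventory are all constructed for the demonstration.

```python
import ipaddress
import re

# Added example, not code from the article: normalize source addresses from log
# lines so that a fixed-width legacy field and an IPv6-aware correlation step can
# be compared. The "src=<addr>" / "src=[<addr>]:<port>" format, the sample lines
# and the asset inventory are constructed for illustration.

LEGACY_FIELD_WIDTH = 15   # fits "255.255.255.255" and nothing longer

# Bracketed form carries a port; bare form is IPv4, IPv6 or IPv4-mapped IPv6.
SRC_RE = re.compile(r"src=(?:\[(?P<bracketed>[^\]]+)\]|(?P<bare>[0-9a-fA-F:.]+))")

SAMPLE_LOG = [  # constructed: the first four lines are one host under four spellings
    "2024-05-01T10:00:00Z sshd accepted src=203.0.113.9",
    "2024-05-01T10:00:01Z sshd accepted src=::ffff:203.0.113.9",
    "2024-05-01T10:00:02Z sshd accepted src=2001:0DB8:0000:0000:0000:0000:0010:0009",
    "2024-05-01T10:00:03Z sshd accepted src=[2001:db8:10:0:5c2a:1b3f:8e4d:77a1]:54321",
    "2024-05-01T10:00:04Z sshd accepted src=2001:db8:10::9",
]

ASSET_INVENTORY = {  # constructed: several addresses per host, in mixed notation
    "web01": ["203.0.113.9", "2001:db8:0:0:0:0:10:9", "2001:DB8:10:0:5C2A:1B3F:8E4D:77A1"],
    "db01": ["2001:db8:10::9"],   # resembles web01's 2001:db8::10:9 but is a different host
}


def canonical_address(raw: str) -> str:
    """One spelling per address: RFC 5952 compression, lowercase, IPv4-mapped unmapped."""
    ip = ipaddress.ip_address(raw)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped        # ::ffff:203.0.113.9 is the same client as 203.0.113.9
    return str(ip)


def parse_src(line: str):
    m = SRC_RE.search(line)
    if not m:
        return None
    return m.group("bracketed") or m.group("bare")


def normalize_log(lines):
    """One record per line: raw, canonical, what a 15-char column keeps, and whether that is lossy."""
    records = []
    for line in lines:
        raw = parse_src(line)
        if raw is None:
            continue
        canon = canonical_address(raw)
        legacy = canon[:LEGACY_FIELD_WIDTH]        # silent truncation, as in a fixed-width schema
        records.append({"raw": raw, "canonical": canon, "legacy": legacy,
                        "lossy": legacy != canon})
    return records


def legacy_value_is_usable(value: str) -> bool:
    """Does the truncated column even parse as an address any more?"""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def events_by_host(records, inventory):
    """Correlate events to hosts through a canonical-address -> host map."""
    lookup = {canonical_address(a): host
              for host, addrs in inventory.items() for a in addrs}
    counts = {}
    for r in records:
        host = lookup.get(r["canonical"], "unknown")
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    recs = normalize_log(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(events_by_host(recs, ASSET_INVENTORY))
```

Two things to take from the run: canonicalization shrinks many IPv6 addresses enough to fit a 15-character column (2001:db8::10:9 is 14 characters), but a typical SLAAC or privacy address does not fit, and its 15-character prefix is not even a parseable address, so the truncated record is silently worthless. Correlation only works once both the log side and the inventory side are canonicalized; without that, the four spellings of web01 look like four different sources.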
5. Bugs in New Code
New code almost always comes with bugs, and in the case of IPv6 they can be found in TCP/UDP stacks, NIC drivers, and networking software libraries that don't yet fully support IPv6. To make matters worse, technologies that sit on top of the network, such as virtualization, SIP, and VoIP, can inherit those bugs.
Bugs are usually not treated as a major security risk, but at their worst they can introduce new vulnerabilities into your network. Luckily, you can contain the damage through testing. The test network and test plan mentioned above also come in handy here to expose and isolate defects, enabling you to find workarounds or halt deployment altogether until they're fixed, rather than compromising your network's security.
6. IPv6 May Run By Default
Many organization leaders believe they're running an IPv4-only data center with IPv4-only IDS and monitoring. But IPv6 can be active by default while owners remain in the dark about it.
This happens because modern operating systems enable IPv6 automatically: devices on your network assign themselves link-local addresses and can talk to each other over IPv6 without any configuration, and anyone on the same segment (for example, an attacker sending rogue router advertisements) can hand them global addresses and a default route. That is why security experts recommend companies deploy IPv6 deliberately, monitor it, and ensure their IT teams are well-trained in the protocol.
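The following is an added example, not code from the article: a small audit for a host that is assumed to be IPv4-only. It parses the output of `ip -6 addr show`, classifies each address by scope, notes which ones were learned dynamically (that is, from a Router Advertisement), and flags interfaces whose accept_ra setting would let a rogue RA install a default route. The interface dump and the accept_ra values are constructed; on a real Linux host they come from `ip -6 addr show` and from /proc/sys/net/ipv6/conf/<iface>/accept_ra.

```python
import re

# Added example, not code from the article: audit a host that is believed to be
# IPv4-only. Parses `ip -6 addr show` output, classifies each address by scope,
# and flags interfaces that would accept a rogue Router Advertisement. The dump
# and the accept_ra values below are constructed stand-ins for real host data.

IFACE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)")
ADDR_RE = re.compile(
    r"^\s+inet6\s+(?P<addr>[0-9a-fA-F:.]+)/\d+\s+scope\s+(?P<scope>\w+)(?P<flags>.*)$")

SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:cafe:1:3a4d:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::3a4d:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::3a4d:ff:fe12:3457/64 scope link
       valid_lft forever preferred_lft forever
"""

SAMPLE_ACCEPT_RA = {"eth0": 1, "eth1": 0}   # 1 is the Linux default when not forwarding


def parse_ip6_addr(text: str) -> dict:
    """{iface: [(address, scope, learned_dynamically), ...]} from `ip -6 addr show` output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            result.setdefault(current, [])
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            flags = m.group("flags").split()
            result[current].append((m.group("addr"), m.group("scope"), "dynamic" in flags))
    return result


def audit(ip6_text: str, accept_ra: dict) -> list:
    """(iface, finding, detail) tuples for everything an IPv4-only assumption would miss."""
    findings = []
    for iface, addrs in parse_ip6_addr(ip6_text).items():
        if iface == "lo":
            continue
        ra = accept_ra.get(iface, 1)
        routable = [a for a, scope, _ in addrs if scope not in ("link", "host")]
        dynamic = [a for a, _, dyn in addrs if dyn]
        if dynamic:
            findings.append((iface, "slaac-active",
                             f"{dynamic[0]} was configured from a Router Advertisement; "
                             "something on this segment is advertising IPv6"))
        elif routable:
            findings.append((iface, "ipv6-configured",
                             f"static IPv6 address {routable[0]} present"))
        if ra != 0:
            findings.append((iface, "accept-ra",
                             f"accept_ra={ra}: a rogue RA could install a default "
                             "route and a global address"))
        if not routable and any(scope == "link" for _, scope, _ in addrs):
            findings.append((iface, "link-local-only",
                             "only fe80::/10 present, but neighbours can still reach "
                             "this host over IPv6"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IP6_ADDR, SAMPLE_ACCEPT_RA):
        print(finding)
```

On the constructed host, eth0 already holds a global address it learned from an RA and still accepts further RAs, and eth1, despite accept_ra=0, is reachable by every neighbour over its link-local address. The usual fixes are to set accept_ra to 0 on hosts that are not meant to speak IPv6 and to filter RAs at the switch port (RA Guard, RFC 6105), and to monitor and firewall IPv6 wherever it is left enabled.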
7. Absence of Network Address Translation (NAT)
Let's be clear: the absence of NAT in IPv6 doesn't necessarily make it a top security risk. Of course, having NAT in v6 environments feels comforting to many. But NAT doesn't really offer any additional security: it's the statefulness of the firewall that provides the protection, not the translation of network addresses.
IPv6 security is also not a straightforward clone of IPv4 security that can be dropped in as a replacement. Staff still need training, new technology still needs to be introduced, and policies still need to be extended to ward off new cyberthreats.
It's this transition from a homogeneous v4 network, and a v4-only internet, to a heterogeneous v4/v6 network that brings with it new traffic sources and equipment that leaders will have to take into account to avoid exposing their networks. What's more, IPv6 security products are still not as robust as they should be, but this is to be expected since v6 is relatively new and its market is just getting started.
As the v6 environment matures, there’s no doubt that operators will eventually gain the same level of experience as they currently have with IPv4. But we still have a long way to go. Company leaders need to play a more proactive role by taking the necessary measures to protect their networks and devices.