Internet Protocol version 6 (IPv6) and its Security

René Pfeiffer/ February 3, 2015/ Internet, Security

Internet Protocol version 6 (IPv6) is not new. Its history goes back to 1992 when several proposals for expanding the address scheme of the Internet were discussed (then know by the name of IP Next Generation or IPng). A lot has happened since RFC 1883 has been published in 1996. Due to the deployment of IPv6 we see now implications for information security. Several vulnerabilities in the protocol suite have already been discussed. DeepSec 2014 features a whole training session and three presentations about the future protocol of the Internet.

First Johanna Ullrich talked about a publication called IPv6 Security: Attacks and Countermeasures in a Nutshell. The paper gives you a very good view on the state of affairs regarding security and privacy weaknesses. It is strongly recommended for anyone dealing with the deployment of IPv6-enabled applications and systems.

When it comes to attacks, you probably want to do intrusion detection as well. Once you use new protocols in production environments, you have to make sure that your security infrastructure can cope with them. Martin Schütte introduced his IPv6 plugin for the Snort intrusion detection engine. The plugin contains a preprocessor for neighbour discovery messages and several rule options to evaluate IPv6 specific protocol fields. The code has its own project web site where you can find more information and links to the code itself.

Lastly a team from ERNW consisting of Enno Rey, Antonios Atlasis & Jayson Salazar presented weaknesses in the Multicast Listener Discovery (MLD) and its successor MLDv2. It is used to discover locally connected multicast listeners, similar to IGMP for IPv4. Their work features an overview of the subprotocol, OS fingerprinting on the local-link by sniffing the wire passively, amplification of DoS attacks, potential security issues related with the design of MLD and how they can be exploited by attackers. Since all operating system come with a variety of IPv6 components enabled, make sure what you already have to deal with.

We recommend these talks to anyone connected to the Internet.

Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.

6 Comments

Comments are closed.