Category: IPv6 security

ERNW Compares Penetration Testing Tools IPv6 Support

Which network security penetration testing tools support IPv6?  What caveats should you know about the ones that do support IPv6?

Recently the team at security firm ERNW published their December 2014 newsletter with the headline “Penetration Testing Tools that (do not) Support IPv6” where they took a lengthy tour through a wide range of security tools to assess their IPv6 readiness.  As they say in their introduction, their goals were to:

  • Find out which of our favorite penetration testing tools can be used natively using IPv6 as an underlying layer-3 protocol.
  • Find alternative solutions for the rest

They specifically only tested open source or free versions of commercial tools and did not test IPv6-specific tools.  They were seeking to understand which of the commonly available current (IPv4) test tools also worked well with IPv6.

The bulk of the document (pages 9-51) consists of walk-throughs of each of the tools, grouped into categories.  They examine the tool, provide screenshots in many cases and then state a conclusion about how well or not the tool supports IPv6.

What I personally found most useful was section 15, the Appendix, starting on page 56 that provided a table view with a list of all the tools tested and a quick summary of how well (or not) the tool supported IPv6.

If you are interested in security testing and specifically for IPv6 networks, this document is definitely worth a read!

And if you are new to IPv6 and want to learn more, please visit our Start Here page to find resources targeted at your role or type of organization.

 

Video: IPv6 Security Myths and Reality by Chris Grundemann (RIPE 68)

What is the reality behind IPv6 security?  What is different (or not) about IPv6 vs IPv4 in terms of security?  What are some of the common myths about IPv6 security?  At the recent RIPE 68 conference in Warsaw, Poland, our Chris Grundemann spoke about common beliefs about IPv6 security and what people should really be thinking about.  His talk, “Security in an IPv6 World: Myth & Reality” is now available for viewing from the RIPE 68 site.  His slides are also available for download.

When you are done watching, you may want to check out our page on IPv6 security resources to learn more about how you can secure your installation of IPv6.  And if you don’t have IPv6 in your network yet, what are you waiting for?

Watch LIVE NOW – IPv6 Security Session Out of LACNIC 21

Interested to learn more about IPv6 security? Our Chris Grundemann will be speaking about “Security In An IPv6 World” at LACNIC 21 in Cancun in just a few minutes.  He is the second speaker in a session that is scheduled to start at 9:30am local time (which is 10:30 US EDT and 14:30 UTC)… which is pretty much right now!  You can view the session live at:

http://on.mediastre.am/lacnic

You can view the live stream in Spanish, Portuguese or English… although Chris will be speaking in English! :-)

Chris will also be speaking about the Deploy360 Programme tomorrow, May 7, 2014, at 9:05am local time (14:05 UTC).  (You can read more about what Chris is doing at LACNIC 21 this week.)

Our colleague Mat Ford will be speaking on Friday at 9:15-9:30am local time (14:15-14:30 UTC) about our routing resilience survey.

You can see the full agenda for LACNIC 21 at their website.

RFC 7123 – Security Implications of IPv6 on IPv4 Networks

What are the security issues around IPv6 support and IPv6 transition mechanisms on an IPv4-only network?  Could the unplanned and perhaps even unknown support of IPv6 by operating systems introduce additional security concerns into an enterprise network?

In Informational RFC 7123, published in February 2014, Fernando Gont and Will Liu explore the security implications of native IPv6 support and also of IPv6 tunneling mechanisms.  They walk through the different transition mechanisms, explain potential security issues and outline ways to potentially mitigate the security concerns.  The document is available at:

http://tools.ietf.org/html/rfc7123

The introduction of the document gives a taste of what the rest of the document covers:

Most general-purpose operating systems implement and enable native IPv6 [RFC2460] support and a number of transition/coexistence technologies by default. Support of IPv6 by all nodes is intended to become best current practice [RFC6540]. Some enterprise networks might, however, choose to delay active use of IPv6.

This document describes operational practices to prevent security exposure in enterprise networks resulting from unplanned use of IPv6 on such networks. This document is only applicable to enterprise networks: networks where the network operator is not providing a general-purpose internet, but rather a business-specific network. The solutions proposed here are not practical for home networks, nor are they appropriate for provider networks such as ISPs, mobile providers, WiFi hotspot providers, or any other public internet service.

In scenarios in which IPv6-enabled devices are deployed on enterprise networks that are intended to be IPv4-only, native IPv6 support and/or IPv6 transition/coexistence technologies could be leveraged by local or remote attackers for a number of (illegitimate) purposes. For example,

  • A Network Intrusion Detection System (NIDS) might be prepared to detect attack patterns for IPv4 traffic, but might be unable to detect the same attack patterns when a transition/coexistence technology is leveraged for that purpose.
  • An IPv4 firewall might enforce a specific security policy in IPv4, but might be unable to enforce the same policy in IPv6.
  • A NIDS or firewall might support both IPv4 and IPv6, but might not be configured to enforce on IPv6 traffic the same controls/policies it enforces on IPv4 traffic.
  • Some transition/coexistence mechanisms could cause an internal host with otherwise limited IPv4 connectivity to become globally reachable over IPv6, therefore resulting in increased (and possibly unexpected) host exposure.
  • IPv6 support could, either inadvertently or as a result of a deliberate attack, result in Virtual Private Network (VPN) traffic leaks if IPv6-unaware VPN software is employed by dual-stacked hosts.

In general, most of the aforementioned security implications can be mitigated by enforcing security controls on native IPv6 traffic and on IPv4-tunneled IPv6 traffic. Among such controls, is the enforcement of filtering policies to block undesirable traffic. While IPv6 widespread/global IPv6 deployment has been slower than expected, it is nevertheless happening; and thus, filtering IPv6 traffic (whether native or transition/coexistence) to mitigate IPv6 security implications on IPv4 networks should (generally) only be considered as a temporary measure until IPv6 is deployed.

Slides: Security In An IPv6 World – Myth & Reality

What are the myths about IPv6 security?  What is the reality? How secure is IPv6 really?  What new security advantages does it offer? What should IT system administrators be thinking about with regard to security as they move into an IPv6 world?

In a talk to the South Asian Network Operators Group (SANOG) today, our Chris Grundemann discussed these questions and many more in a talk titled “Security In An IPv6 World – Myth & Reality”.  His slides are now online for viewing:

If a recording of the presentation becomes available we’ll update this post with more information.

UPDATE: Chris’s slides are now available as a PDF download.

IPv6hackers Group To Meet In Berlin on July 28, 2013

Interested in IPv6 security? Want to see presentations by people working in the field? If so, the members of the “ipv6hackers” mailing list are planning to hold their first face-to-face meeting in Berlin on July 28, 2013, the Sunday prior to IETF 87 in Berlin, Germany.  From the announcement email:

We’re planning to have our first in-person meeting on July 28th, 2013, in Berlin (most likely in the afternoon, between lunch and the IETF welcome reception). The venue would be either the IETF venue (InterContinental Berlin), or some nearby hotel/room (to be confirmed soon).

We’re planning to have some presentations (which MUST be accompanied with code :-) ), and might also have an IPv6 mini-hackathon (i.e., work on code, test implementations, try stuff).

Fernando Gont has asked people who are interested in attending to complete a short survey so that he can know how many people are planning to attend.

If you are interested in IPv6 security, I have found the IPv6 hackers mailing list to be a useful list to monitor as a good number of IPv6 security researchers do participate in the list.  You can see from the archives some of the topics that are discussed. It is open for anyone to subscribe.  There is also a LinkedIn group but as Fernando notes he created the group to help people connect on LinkedIn not as a discussion forum – discussion happens on the email list.

ISC’s “IPv6 Security Focus Month” Begins


As we mentioned previously, the handlers at the SANS Institute’s “Internet Storm Center (ISC)” have indicated that March will be their “IPv6 Focus Month”. To that end, they’ve started off the month with a list of IPv6 resources they have previously published at the ISC and their list does include some great content (some of which we’ll probably add links to as “resources” here on the site):

It’s great to see this information coming out of SANS – and we look forward to seeing what other IPv6 security stories and tools they write about during this month.

SANS Seeking IPv6 Security Stories/Tools For “IPv6 Focus Month” In March

Got an IPv6 security problem you’d like to share? A solution to an IPv6 security problem that you want to tell others about? If so, the team behind the Internet Storm Center (ISC) would love to share your stories as part of their IPv6 Focus Month they are planning for March 2013.  Johannes Ullrich of the SANS Technology Institute (the organization behind the ISC) wrote that they are seeking articles about:

  • a security problem you ran into with IPv6
  • a solution to a security problem (even better)
  • a tool that works really well (or not at all) with IPv6
  • a way to solve an IPv4 security problem by switching to IPv6

Articles – or just ideas – can be submitted via the ISC contact form or to handlers@sans.edu.

We applaud this initiative from SANS and we look forward to seeing what IPv6 security stories they highlight in March – and we may do what we can to further help spread the news about tools and services they promote.

If you’ve got an idea, please do send it in to the ISC team – it’s great to get more info about IPv6 security out there!

NIST’s Excellent Guidelines On How To Securely Deploy IPv6

Looking to understand how to securely deploy IPv6? Want a document you can provide to your security team or others concerned about IPv6?

If so, we’ve recently added to our list of resources an excellent “Special Publication” from the U.S. National Institute of Standards and Technology (NIST):

Guidelines for the Secure Deployment of IPv6

Like most of NIST’s special publications, including their excellent guide to DNSSEC, the document begins with a lengthy tutorial and then walks through a number of IPv6 security issues in great depth. It’s a very thorough document and includes detailed sections on the many different IPv4-to-IPv6 transition mechanisms as well as detailed appendices.

While the document naturally includes sections providing guidance for US federal agencies, the majority of the document is very applicable for anyone looking to understand issues of IPv6 security.  Well worth a read… and worth passing along to others who may be asking you questions about IPv6 security.

 

NIST Guidelines for the Secure Deployment of IPv6

The United States National Institute of Standards and Technology (NIST) created an excellent “Special Publication” related to IPv6 security called:

Guidelines for the Secure Deployment of IPv6

Like most of NIST’s special publications, including their excellent guide to DNSSEC, the document begins with a lengthy tutorial about IPv6 and how it compares to IPv4.   The document then walks through a number of IPv6 security issues in great detail.  As the title implies, a large part of the document is focused on how to deploy IPv6 securely, and includes detailed sections on the many different IPv4-to-IPv6 transition mechanisms.

It concludes on the very positive note:

Security risks are inherent during the initial deployment of a new protocol such as IPv6, but mitigation strategies exist and many of the residual risks are no different from those that challenge existing IPv4 networks.

And then goes on to provide lengthy appendices full of definitions, references and links to learn more.

While written for the audience of US federal agencies, this document is an outstanding reference for anyone seeking to understand how to securely deploy IPv6 within their networks.