Tom Olzak

Security note —

In IPSec, Network Security, Uncategorized on September 22, 2009 at 12:06

IPv6 has security issues.  This is no surprise.  What may be a surprise is that you might be vulnerable even if you haven’t rolled it out to your network.

Many organizations believe that not deploying IPv6 shields them from IPv6 security vulnerabilities. This is far from the truth and a major misconception. The likelihood that rogue IPv6 traffic is running on your network (from the desktop to the core) is increasingly high. For starters, most new operating systems are being shipped with IPv6 enabled by default (a simple TCP/IP configuration check should reveal this).

IPv4-based security appliances and network monitoring tools are not able to inspect or block IPv6-based traffic. The ability to tunnel IPv6 traffic over an IPv4 network using brokers without natively migrating to IPv6 is a great feature. However, this same feature allows hackers to set up rogue IPv6 tunnels on non-IPv6-aware networks and carry malicious attacks at will. Which begs the question, why are so many users routing data across unknown and non-trusted IPv6 tunnel brokers?

Source: IPv6: Not a Security Panacea, AJ Jaghori, CSO, 21 Sep 2009.
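To make the tunneling point concrete for defenders, here is an added example (not from the CSO article or this blog) of a check an IPv4-only monitoring point can still perform: flag IPv4 packets that encapsulate IPv6. It assumes raw IPv4 packets as input; the function names and sample packets are constructed for illustration.

```python
import struct

PROTO_IPV6_IN_IPV4 = 41   # IPv6 encapsulated directly in IPv4 (6in4, 6to4, ISATAP)
PROTO_UDP = 17
TEREDO_PORT = 3544        # well-known Teredo server port (RFC 4380)

def classify_tunnel(pkt: bytes):
    """Return a label if a raw IPv4 packet carries tunneled IPv6, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None                       # truncated or not IPv4
    ihl = (pkt[0] & 0x0F) * 4             # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return None
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        return "proto-41"
    # Only the first fragment carries the UDP header, so skip later fragments.
    if proto == PROTO_UDP and frag_offset == 0 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None

def ipv4(proto: int, payload: bytes, src="10.0.0.5", dst="192.0.2.1") -> bytes:
    """Build a minimal IPv4 packet (checksum left zero) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed sample traffic, not captured from a real network.
INNER_V6 = bytes([0x60]) + bytes(39)      # bare 40-byte IPv6 header
SAMPLES = {
    "6in4 to broker": ipv4(41, INNER_V6),
    "teredo client": ipv4(17, udp(51000, 3544, INNER_V6)),
    "dns query": ipv4(17, udp(51001, 53, bytes(12))),
    "tcp web": ipv4(6, bytes(20)),
}

def scan(samples):
    return {name: classify_tunnel(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:16} -> {verdict or 'no tunnel indicator'}")
```

The port test only catches traffic to or from a Teredo server; Teredo relay traffic can use other UDP ports, so treat this as a first-pass indicator rather than complete coverage.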

For more information about IPv6 security issues, see the article referenced above and,

  1. Above is a link to my slides showing proof that the above comments are true. My newest slides, presented at SANS Network Defense, are the most up-to-date. Sadly, I have polished them over the last 5 years but very little has changed by the product vendors.

  2. We actually have implemented a step that not only disables, but removes the IPv6 protocol from our client devices that come with it by default, for this very reason.

  3. I was about to recommend you look into Joe Klein of Command Information to get a better understanding of just how risky IPv6 is. He did an amazing presentation at DojoSec and this is highly recommended viewing:
