Security Implications of IPv6 on IPv4 Networks

Gont, Fernando

doi:10.17487/rfc7123

Cited by 12 publications

(7 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Standards and deployment guides (e.g., [14], [23], [26], [32]) have been urging operators to apply firewall rules and access control lists for IPv6 in parity with IPv4 as part of their deployment of IPv6. Unfortunately, security researchers as well as RFC authors have lamented that in practice: "networks tend to overlook IPv6 security controls: [often] there is no parity in the security controls [between] IPv6 and IPv4" [5], and "in new IPv6 deployments it has been common to see IPv6 traffic enabled but none of the typical access control mechanisms enabled for IPv6" [15].…”

Section: Related Workmentioning

confidence: 99%

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Czyz¹,

Luckie²,

Allman³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

There is growing operational awareness of the challenges in securely operating IPv6 networks. Through a measurement study of 520,000 dual-stack servers and 25,000 dual-stack routers, we examine the extent to which security policy codified in IPv4 has also been deployed in IPv6. We find several high-value target applications with a comparatively open security policy in IPv6 including: (i) SSH, Telnet, SNMP, are more than twice as open on routers in IPv6 as they are in IPv4; (ii) nearly half of routers with BGP open were only open in IPv6; and (iii) in the server dataset, SNMP was twice as open in IPv6 as in IPv4. We conduct a detailed study of where port blocking policy is being applied and find that protocol openness discrepancies are consistent within network boundaries, suggesting a systemic failure in organizations to deploy consistent security policy. We successfully communicate our findings with twelve network operators and all twelve confirm that the relative openness was unintentional. Ten of the twelve immediately moved to deploy a congruent IPv6 security policy, reflecting real operational concern. Finally, we revisit the belief that the security impact of this comparative openness in IPv6 is mitigated by the infeasibility of IPv6 network-wide scanning-we find that, for both of our datasets, host addressing practices make discovering these high-value hosts feasible by scanning alone. To help operators accurately measure their own IPv6 security posture, we make our probing system publicly available. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Related Workmentioning

confidence: 99%

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Czyz¹,

Luckie²,

Allman³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Fazal et al [59] describe an attack that allows a rogue client to penetrate a VPN, exploiting VPN clients with a dual-NIC (i.e., a WiFi and an Ethernet adapter) in a WiFi LAN. Gont et al [60] describe a number of practices to prevent security exposures in IPv4 enterprise networks resulting from the native IPv6-support of general purpose operating systems. Among them, they show how a rogue client can impersonate an IPv6 router through Router Advertisement messages, and they discuss the potential of VPN traffic leakage on IPv6 [19].…”

Section: Related Workmentioning

confidence: 99%

A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients

Perta

Barbera

Tyson

et al. 2015

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Commercial Virtual Private Network (VPN) services have become a popular and convenient technology for users seeking privacy and anonymity. They have been applied to a wide range of use cases, with commercial providers often making bold claims regarding their ability to fulfil each of these needs, e.g., censorship circumvention, anonymity and protection from monitoring and tracking. However, as of yet, the claims made by these providers have not received a sufficiently detailed scrutiny. This paper thus investigates the claims of privacy and anonymity in commercial VPN services. We analyse 14 of the most popular ones, inspecting their internals and their infrastructures. Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage. The work is extended by developing more sophisticated DNS hijacking attacks that allow all traffic to be transparently captured.We conclude discussing a range of best practices and countermeasures that can address these vulnerabilities

show abstract

“…El segundo servicio que busca la implementación hacia IPV6 es el protocolo Secure Shell (SSH), desarrollado por Tatu Ylonen [14] en la Universidad Tecnológica de Helsinki en Finlandia, y OpenSSH [7]- [15] nace del proyecto de un sistema operativo orientado a la seguridad que permite realizar la comunicación y transferencia de información en forma cifrada, proporcionando una fuerte autenticación sobre un medio inseguro. Permite la ejecución de procesos, el inicio de sesiones a servidores, la ejecución de comandos y la copia de archivos remotamente, brindando comunicaciones cifradas entre el cliente y el servidor, evitando así, el robo de información y manteniendo la integridad de los datos que viajan a través de la red [16], como se explica en el RFC de Secure Shell [17]- [18]. Asimismo, proporciona una exhaustiva autenticación y comunicaciones seguras en redes no seguras.…”

Section: Introductionunclassified

Revisión de la seguridad en la implementación de servicios sobre IPv6

et al. 2016

View full text Add to dashboard Cite

Resumen--En la actualidad los sistemas de transmisión e interconexión presentan varias vulnerabilidades, entre ellas, la facilidad de analizar tráfico que permite una tasa alta de ataques propios del protocolo IPv4, por ello se hace necesario que servicios como FTP, DHCP y SSH busquen la migración e implementación de redes IP bajo IPv6, la cual cuenta con características propias de la seguridad informática mediante el protocolo IPsec, sin importar el sistema operativo libre o propietario de los clientes finales. El presente artículo evalúa, mediante pruebas de configuración, la funcionalidad del estándar o protocolo IPv6 y sus características de seguridad en la implementación como opción de configuración en un escenario controlado para mitigar ataques en la autenticación, integridad y confidencialidad de la información, permitiendo determinar que los servicios analizados garantizan un mayor nivel de confiabilidad propio y nativo a través de IPsec por cualquier medio sobre el cual viajen los datos.Palabras claves--DHCP; FTP; SSH; IPv6; IPsec; protocolo; seguridad.Abstract--Actually, transmission and interconnection systems have several vulnerabilities including the facility to analyze traffic that allows a high rate of attacks own IPv4 protocol, therefore it is necessary for services such as FTP, DHCP and SSH seek Migration and Deployment to IPv6 networks. It has characteristics of computer security by IPSEC protocol, regardless of the free operating system or own end customers. This paper analyzes by testing the functionality of the standard settings or IPv6 protocol and its security features in the implementation and setting in a controlled environment to mitigate attacks on authentication, integrity and confidentiality of information, allowing to determine which scenario services analyzed guarantee a higher level of own native IPSEC reliability through regardless of the medium on which data travel.

show abstract

Security Implications of IPv6 on IPv4 Networks

Abstract: This document discusses the security implications of native IPv6 support and IPv6 transition/coexistence technologies on "IPv4-only" networks and describes possible mitigations for the aforementioned issues.

Cited by 12 publications

References 11 publications

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients

Revisión de la seguridad en la implementación de servicios sobre IPv6

Contact Info

Product

Resources

About