igor - Fotolia
The IPv6 protocol is more than 20 years old, and it is celebrating an adoption rate of nearly 30% of United States traffic and almost 11% of global traffic. As available address space in IPv4 is depleted, enterprises and small-midsize businesses and individuals are migrating to IPv6, with its much larger address space, to meet the demands of the ever increasingly connected world and to enable the continued growth of the internet.
But like other networking protocols, vulnerabilities exist in IPv6. These vulnerabilities may originate from flaws in individual implementations of the protocol stack, incorrect configurations of systems using the protocol, or vulnerabilities in the protocol itself. IPv6 vulnerabilities can cause a remote attacker to interrupt, intercept or modify IPv6 assets, resulting in temporary loss of services or a distributed denial-of-service condition.
Some IPv6 vulnerabilities have already been addressed in the Common Vulnerabilities and Exposures database. It's important to note that although IPv6's mandatory support for the IP Security protocol makes it possible to encrypt and authenticate packet streams, IPsec won't stop attackers from discovering and exploiting new IPv6 vulnerabilities anywhere in the network landscape; here's a list of some IPv6-related flaws from the Common Vulnerabilities and Exposures catalog.
Most IPv6 vulnerabilities discovered to date can be fixed through software patches. Yet, remote attackers will continue to find ways to gain visibility into the IPv6 networks and ultimately halt the IPv6 traffic. Here are five IPv6 vulnerabilities that have been reported recently, and how they have been handled to improve IPv6 security.
Older networking gear
Many businesses and enterprises try to save money using the older networking gear, but it is not a good idea in general when it comes to security. They are better off upgrading and replacing the gear with equipment that is not vulnerable to patched security flaws.
Older unpatched networking gear may be vulnerable to a source routing attack using the IPv6 Type 0 Routing Header, which was found to be vulnerable -- in 2007. If devices are left unpatched, this routing header can be exploited "to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic," the IETF wrote in 2007 when it was deprecated in RFC 5095. The Type 0 extension header allowed attackers to determine what path the packet is to follow across the network, enabling them to craft IPv6 packets that loop between two routers. Such an attack can rapidly swamp the network and continuously reduce bandwidth until the link is saturated.
IPv6 packet processing outage
A vulnerability that could result in packet processing outage, CVE-2016-1409, affects any IPv6 processing unit that is unable to drop unwanted packets early in the processing stage or in hardware. This vulnerability was observed being exploited in the wild in May 2016.
The IPv6 Neighbor Discovery protocol implementation in IPv6 packet processing functions has been found not to work properly. This vulnerability could let a remote attacker continuously send crafted ND packets to an affected device until the outage occurs. The end result could be a temporary loss of services for traffic or a DoS condition.
As of this writing, Cisco has not patched all vulnerable software, but recommends that customers deny IPv6 ND packets in internet edge router access control lists, "to protect infrastructure devices behind those routers." Other recommendations include limiting IPv6 ND packets to local links and dropping them at the enterprise edge to protect the infrastructure. "It is a commonly accepted best practice to drop these packets at the Internet edge," Cisco stated in its advisory. "Alternatively, configuring static IPv6 neighbors where possible and denying all IPv6 ND packets at the edge will help mitigate this vulnerability."
CVE-2015-6359 describes a configuration vulnerability that could result in memory depletion. The IPv6 stack in Cisco iOS running on Cisco ASR routing devices mishandles internal tables due to insufficient bounds on these tables. An attacker could exploit this vulnerability by sending a large number of crafted ND messages to flood an adjacent IOS XE device. By depleting available memory, an attacker could cause an affected device to crash.
To prevent this from happening, customers should ensure there will be sufficient memory when the devices are upgraded or replaced. Another option is to confirm that latest software releases will support existing or newer hardware and software configurations.
FreeBSD SCTP error processing flaw
An implementation vulnerability in the FreeBSD kernel, CVE-2016-1879, occurs when an unpatched FreeBSD kernel has been configured for IPv6 support. The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3, 10.1 and 10.2 was found to have a vulnerability that allows a remote user to cause a kernel panic by sending a crafted ICMPv6 packet.
FreeBSD issued fixes for this vulnerability in all affected versions, and it is recommended that system administrators stay current with OS patches to avoid this, and other, vulnerabilities.
Improper IPv6 payload length
Another flaw discovered in Cisco products, CVE-2016-1370 describes a flaw in the IPv6 packet decode function of Cisco's Network Analysis Module (NAM). In unpatched systems, the IPv6 payload length of certain IPv6 packets is improperly calculated. A remote, unauthenticated attacker could take advantage of this vulnerability by sending crafted IPv6 packets on the network where the NAM is collecting and monitoring traffic, resulting in a DDoS condition and the NAM ceasing to function for a short time.
Cisco has released software updates to address this vulnerability. There are no workarounds; the only way to avoid it is by updating the software.
What's next for IPv6 security management
Information security professionals tasked with protecting IPv6 deployments can use IPv6 security toolkits, including the THC-IPv6 attack toolkit and SI6 Networks' IPv6 Toolkit, for network assessment and troubleshooting. The interactive packet manipulation program Scapy supports IPv6, as do other traditional network scanning tools like Nmap and WireShark. Security training classes are regularly scheduled to increase awareness of IPv6 security. Risk mitigation techniques have also been used to apply countermeasures to IPv6 assets. Where countermeasures are not cost-effective, insurance can be applied.
IPv6 may have security advantages that make it a more favorable option than IPv4 for organizations, but that doesn't mean it is without issues. However, as with any new technology or standard with rapidly growing adoption, flaws and exploits will be discovered. As enterprises become part of that adoption curve, they will need to familiarize themselves with IPv6 vulnerabilities and the best ways to address and mitigate them.
Expert John Curran discusses the progress of IPv6 connectivity
Read more on evaluating enterprise networks with a free IPv6 Toolkit
Discover the security risks of IPv6 addressing schemes