Is IPv6 infiltrating your network? Probably. Here’s what you need to know.
By Mark Mullins
The explosive growth of Internet-enabled devices is rapidly diminishing the supply of IPv4 addresses. In addition to computers, servers, routers, etc., addresses are being allocated to the “Internet of things,” including cameras, HVAC controls, alarm systems and a burgeoning constellation of connected sensors. As a result, in 2011 the Asia-Pacific Network Information Center began rationing its final /8 block of IPv4 addresses. Other regional registries will likely soon follow suit.
As if that weren’t enough, the widespread use of IPv4 network address translation (NAT) – which maps multiple private addresses to a single public IPv4 address – could ultimately hinder the use of IP-based communications services like VoIP and even degrade the performance of Internet backbone routers as they struggle to cope with increasingly massive routing tables.
So it’s not surprising that most modern operating systems now support dual-stack IPv4 and IPv6 architectures; Windows 8, Windows Vista and Mac OS X 10.3 and later have IPv6 enabled by default. IPv6 devices will automatically configure a link-local address for each of their interfaces and use router discovery to determine the addresses of IPv6 routers, access configuration parameters and global address prefixes. Even without a stateful configuration protocol such as DHCPv6, an IPv6-capable device can configure an IPv6 address for each of its interfaces.
While you may not be routing IPv6 traffic on your network, you still need to be concerned about IPv6-enabled end devices. Tunneling (which is supported in every OS and automatically enabled with the IPv6 stack) allows IPv6 transport over IPv4 connections and vice versa. IPv6 transport can be encrypted and used with anonymous (privacy) addressing, which does not use the EUI-64 constructed interface identifier that would allow you to trace it back to the MAC address of the host. There are a number of tunneling mechanisms (see NETSCOUT’s IPv6 white paper for a more complete discussion of them). The bottom line is that if you have a local tunnel within your intranet, you needn’t worry. But if you have a local device with a tunnel endpoint outside your network, it could allow access to your internal network that would likely be unprotected by firewalls or intrusion detection devices.
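To make the EUI-64 and tunneling points concrete, the following added example (not from the article or from NETSCOUT) triages observed IPv6 addresses: it recovers the MAC address from an EUI-64 interface identifier and flags addresses whose format embeds an IPv4 tunnel endpoint. The three tunnel formats checked (6to4, Teredo, ISATAP) are well-known mechanisms the article itself does not name, and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)   # upper 32 bits of an ISATAP interface ID

def classify(addr_text):
    """Return (kind, detail) for one observed IPv6 address."""
    addr = ipaddress.IPv6Address(addr_text)
    iid = int(addr) & 0xFFFFFFFFFFFFFFFF     # low 64 bits = interface identifier
    if addr.teredo:                          # Teredo prefix 2001:0000::/32
        server, client = addr.teredo
        return "teredo", f"server={server} client={client}"
    if addr.sixtofour:                       # 6to4 prefix 2002::/16
        return "6to4", f"ipv4={addr.sixtofour}"
    if (iid >> 32) in ISATAP_MARKERS:
        return "isatap", f"ipv4={ipaddress.IPv4Address(iid & 0xFFFFFFFF)}"
    if (iid >> 24) & 0xFFFF == 0xFFFE:       # ff:fe in the middle: modified EUI-64
        b = iid.to_bytes(8, "big")
        mac = bytes([b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]])  # undo the U/L bit flip
        return "eui64", "mac=" + mac.hex(":")
    return "opaque", "no MAC recoverable (privacy, random or manual identifier)"

def triage(addresses):
    """Group addresses by kind so tunnel endpoints stand out for follow-up."""
    report = {}
    for text in addresses:
        kind, detail = classify(text)
        report.setdefault(kind, []).append((text, detail))
    return report

# Constructed sample addresses (documentation ranges), not taken from the article.
SAMPLE = [
    "fe80::211:22ff:fe33:4455",        # EUI-64 link-local
    "2002:c000:204::1",                # 6to4
    "2001:0:c000:201::3fff:fdd2",      # Teredo
    "fe80::5efe:c000:205",             # ISATAP
    "2001:db8::a1b2:c3d4:e5f6:789a",   # privacy-style identifier
]

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE).items():
        for text, detail in rows:
            print(f"{kind:7} {text:42} {detail}")
```

A random privacy identifier can contain ff:fe in the same position by chance, so treat an "eui64" result as a lead to confirm against switch or neighbor tables rather than as proof.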
There are other potential vulnerabilities inherent to IPv6, including:
- Rogue router advertisements: Non-routers may advertise subnet addresses that should not exist on your network. This could simply be the result of IPv6 router or host configuration errors or – more concerning – an indication of malicious activity. By sending fake router advertisements, an attacker could fool other hosts on the subnet into sending it traffic (a “man-in-the-middle” attack). DHCPv6 spoofing works in a similar way. So it’s important to sniff out devices offering IPv6 stateful addresses.
- Open Ports: Since IPv6 is less mature than IPv4, operating systems tend to leave more IPv6 ports open. It’s good practice to perform an IPv6 port scan to find open ports. Bear in mind that IPSec support is standard in any IPv6 stack, enabling devices to more easily encrypt end-to-end traffic while preventing firewalls from detecting the packet content.
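The rogue router advertisement check described above can be expressed as a small detector. This added example (not from the article or from NETSCOUT) parses the ICMPv6 Router Advertisement body, extracts the sender MAC, the managed (stateful DHCPv6) flag and the announced prefixes, and compares them with an allowlist. The allowlist contents, the function names and the sample packets are assumptions constructed for the demonstration.

```python
import ipaddress
import struct

# Assumed allowlist: the one legitimate router and the prefix it may announce.
AUTHORIZED = {"fe80::1": {ipaddress.IPv6Network("2001:db8:10::/64")}}

def parse_ra(icmp6):
    """Parse an ICMPv6 Router Advertisement (type 134) body into a dict."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a router advertisement")
    flags, lifetime = struct.unpack_from("!BH", icmp6, 5)
    ra = {"managed": bool(flags & 0x80), "lifetime": lifetime,
          "prefixes": [], "src_mac": None}
    off = 16
    while off + 2 <= len(icmp6):
        otype, olen = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[off:off + olen]
        if otype == 1 and olen == 8:                    # source link-layer address
            ra["src_mac"] = body[2:8].hex(":")
        elif otype == 3 and olen == 32:                 # prefix information
            ra["prefixes"].append(
                ipaddress.IPv6Network((body[16:32], body[2]), strict=False))
        off += olen
    return ra

def check_ra(src_addr, icmp6):
    """Return a list of findings; an empty list means the RA matches the allowlist."""
    ra = parse_ra(icmp6)
    src = str(ipaddress.IPv6Address(src_addr))          # normalise the textual form
    allowed = AUTHORIZED.get(src)
    if allowed is None:
        return [f"RA from unauthorized source {src} (mac {ra['src_mac']}, "
                f"managed={ra['managed']})"]
    return [f"unexpected prefix {p} from {src}"
            for p in ra["prefixes"] if p not in allowed]

def sample_ra(mac, prefix, managed=False):
    """Build a constructed RA body for exercising the parser (checksum left zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80 if managed else 0, 1800, 0, 0)
    slla = struct.pack("!BB6s", 1, 1, bytes.fromhex(mac.replace(":", "")))
    pio = struct.pack("!BBBBIII16s", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0,
                      net.network_address.packed)
    return hdr + slla + pio
```

In practice the body passed to check_ra would come from a capture of ICMPv6 type 134 traffic on the monitored segment, with src_addr taken from the IPv6 header of the same packet.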
While using malicious traffic to attack a network isn’t something new, IPv6-enabled devices may make it possible for an attacker to break into your network and extract data through IPv6, undetected by traditional methods.
There’s an OptiView XG for that
So, now that you’re sufficiently terrified, what can you do to minimize the risks of IPv6 devices on your network? Fortunately, we’ve got you covered.
NETSCOUT’s OptiView XG portable network analysis tablet has the built-in capability to both passively and actively discover IPv6 devices and services. Other network analysis devices offer only passive discovery, monitoring IPv6 traffic and capturing IP and MAC addresses, and can’t categorize the devices based on the identified protocols. The OptiView XG, by contrast, transmits router solicitation requests in order to identify all IPv6 prefixes for the subnet and transmits neighbor solicitations to provide information on other IPv6 devices. It also provides visibility into router IPv6 Net-to-Media tables (the equivalent of an IPv4 ARP table) to discover link-local addresses off the attached subnet. And it can access Cisco router prefix tables that provide information on other subnets.
Of course, the OptiView XG also provides many other advanced capabilities to detect and diagnose potential security problems, such as downloads of restricted files and documents, the use of prohibited applications and risky P2P traffic. It can also help to identify and locate rogue or unsecured devices.
Ready or not, IPv6 is coming
While it’s hard to say exactly when IPv6 will supplant IPv4, it’s only a matter of time. But right now, you need to be aware of the IPv6-enabled devices on your network and the potential security risks they pose. Addressing those risks today will help you be ready when it’s time for the inevitable migration of your entire network to IPv6.