Stick to limited IPv6 deployments, businesses warned

Summary: There is no business case for deploying IPv6 on internal networks, particularly as the protocol is still full of vulnerabilities, German security researcher Marc Heuse has claimed.

TOPICS: Security

Companies should only deploy IPv6 for services they provide over the internet, as the protocol is still riddled with security flaws, an expert has urged.

The German researcher Marc Heuse, who has been analysing IPv6 security for almost a decade, said on Wednesday that there is no business case for deploying IPv6 on internal systems.

"If some network engineer says 'let's make a global company all IPv6', I would fire that guy, because it costs millions and the benefit is zero," Heuse told ZDNet at Telefonica's Campus Party event in Berlin. "Let's say you're Daimler: in what way does it make your network better?"

Heuse said outstanding vulnerabilities in IPv6 provide vectors for man-in-the-middle attacks, password sniffing and packet tampering. However, the protocol's uptake by users — particularly in Asia — means there is no alternative to rolling it out for many outward-facing services.

"Companies should start with internet connectivity this year, but only the internet connectivity for the service they are offering," he said.

IPv6 is the new version of the internet protocol, and is being keenly pushed by governments and vendors worldwide. Its chief benefit is that IPv6 address strings are about four times as long as those for IPv4, providing trillions of possible addresses, versus IPv4's four billion possible permutations.

This is very useful for devices that are directly connected to the internet, but less so for companies' internal networks. The new protocol officially went live around the world in June, and is by all accounts now seeing tremendous growth.

'It was a political thing'

Heuse believes "the sun is coming up" for IPv6 security, in that vendors have been trying hard to fix the problems with it, particularly in the last year. However, he said fundamental flaws remain — the overall problem being the protocol's sheer complexity.

In a talk he gave earlier at the event, Heuse noted that IPv6 was designed in the mid-'90s, "when the world was still a very safe place".

"That's why they said back then that you don't need to have security locally, because everyone on the local network is trusted, and that if you encrypt everything, nothing can be hacked — yeah sure," he said. "Back then having a firewall filter was considered safe."

Heuse, who said he is finding more flaws with IPv6 each year, highlighted the problem of router advertisement spoofing. He blamed this problem on the keenness of the protocol's designers to move away from DHCP (Dynamic Host Configuration Protocol), which is used to assign IP address information to computers on a network.

"The protocol designers wanted to get the power of the network back to the network teams — it was a political thing," he said. "The routers [keep saying] to the network, 'I am a router'. This is similar to DHCP, but in DHCP the server says 'this is your IPv4 address'."

"In IPv6, the router says: 'this is a network space; choose what [address] you want.' Everybody can pretend they are a router, and every system on the network will think you are a router. This can allow man-in-the-middle attacks, password sniffing, changing data on the fly and so on."
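The defender's counterpart to the "everybody can pretend they are a router" problem is to watch the link for Router Advertisements that do not come from the routers the network team operates. The following is an added example, not code from the article or from Heuse's own tools: it decodes an ICMPv6 Router Advertisement using the RFC 4861 layout and flags any RA whose source or announced prefix is not on an allow-list. The allow-list values, the `sample_ra` helper and the packets it builds are constructed for this example only.

```python
import ipaddress
import struct

# Constructed allow-lists for this example: the link-local address of the
# router the network team runs, and the only prefix it may announce.
AUTHORISED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
AUTHORISED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861 section 4.2)
OPT_PREFIX_INFO = 3  # Prefix Information option (RFC 4861 section 4.6.2)


def parse_ra(payload: bytes):
    """Decode an RA's fixed header and its Prefix Information options.
    Returns None when the bytes are not a well-formed RA."""
    if len(payload) < 16 or payload[0] != RA_TYPE:
        return None
    hop_limit, flags, lifetime = struct.unpack("!BBH", payload[4:8])
    prefixes, off = [], 16           # options start after the 16-byte header
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:             # zero-length option is malformed (RFC 4861)
            return None
        end = off + opt_len * 8      # option length is in units of 8 octets
        if opt_type == OPT_PREFIX_INFO and opt_len == 4 and end <= len(payload):
            plen = payload[off + 2]
            addr = ipaddress.IPv6Address(payload[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network(f"{addr}/{plen}", strict=False))
        off = end
    return {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
            "lifetime": lifetime, "prefixes": prefixes}


def check_ra(src: str, payload: bytes) -> list:
    """Findings for one RA seen on the link from link-local source `src`."""
    ra = parse_ra(payload)
    if ra is None:
        return ["malformed router advertisement"]
    findings = []
    if ipaddress.IPv6Address(src) not in AUTHORISED_ROUTERS:
        findings.append(f"RA from unauthorised router {src}")
    for net in ra["prefixes"]:
        if net not in AUTHORISED_PREFIXES:
            findings.append(f"unexpected prefix {net} from {src}")
    return findings


def sample_ra(prefix: str) -> bytes:
    """Constructed test input (not a real capture): a minimal RA with one
    Prefix Information option; checksum left zero as it is not checked here."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                         2592000, 604800, 0) + net.network_address.packed
    return header + option
```

In practice the payload would come from a raw ICMPv6 socket or a packet capture filtered on type 134, and the findings would be fed to the same alerting path used for rogue DHCP servers on the IPv4 side.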

Heuse criticised Microsoft for not fixing an IPv6-related router advertisement flooding vulnerability in Windows, while still requiring customers to leave IPv6 enabled so that tools such as Exchange work. He said he had disclosed this vulnerability to Microsoft as much as two years ago.

He also pointed out that IPv4 benefited from 20 years of security research, whereas IPv6 was only now being deployed on a scale large enough for flaws to become more readily apparent.

David Meyer

  • Mountains out of Molehills

    Does IPv6 have vulnerabilities? Yes.
    Does IPv4 have vulnerabilities? Yes.

    Are the vulnerabilities in IPv6 different from IPv4? Yes.
    Are we still discovering new IPv6 vulnerabilities? Yes.
    Are we still discovering new IPv4 vulnerabilities? Yes.

    Bottom line, no protocol is ever likely to be 100% secure. However, the attack surface and risks in the IPv6 vulnerabilities are, generally, about equal to the existing known vulnerabilities in IPv4. For example, Marc's vaunted Rogue RA attack is no better and no worse than a rogue DHCP server on an IPv4 network. It offers almost exactly the same effective behaviors. The difference is in how the attack is implemented and in some cases, the detection methods which must be used.

    Interestingly, while there are partial solutions to rogue RA in some vendor code today, rogue DHCP remains largely unaddressed and nobody is doing nearly as much handwaving about that.

    Yes, the vulnerabilities in both protocols need to get addressed. They are getting addressed. However, delaying IPv6 deployment because of them will lead to high-speed panicked deployments later which are far more likely to be vulnerable to a host of problems created by ordinary human error.

    Consider your IPv6 deployment strategy carefully. Don't ignore the security concerns, but do consider the IPv4 risks as well. In most cases, there is really no security benefit to be gained by delaying your IPv6 deployment.
  • Plan now or rush later.

    I have to agree with Owen. Yes, we know about exploits such as spoofing RAs etc but surely the sensible response is to include IPv6 in security policy and PLAN a deployment carefully, including mitigation for known exploits - in exactly the same way as you should for an IPv4 network? Suggesting we try to avoid thinking about IPv6 on internal networks will just lead to more problems later down the line in rushed implementations.

    I guess it's all in the context of what would be entailed in "let's make a global company all IPv6." If it were to mean "let's roll out IPv6 across our entire network without considering why we're doing it", then ok, questions should be asked. However, the time has passed when IPv6 could simply be ignored. It's out there, it's in your own network already and to ignore it is a very bad idea.
    Dominic Roberts
  • Entertaining but misguided

    I vividly remember the risk, challenges and pains of implementing VoIP (just to refer to a relatively recent transition). Take any relevant technology shift and you will find it comes with a whole new set of challenges and considerations along with the opportunities it offers. IPv6 is no different. While the reiteration of known risks (often presented decoupled from practical considerations or IPv6-specific mitigation solutions) is getting old, particularly if you have been working on IPv6 for 10 years, there is definite value in supporting meaningful conversations on the value, the details and idiosyncrasies of the technology. If for no other reason than to increase the level of awareness and education to the point where exhibitionist statements (and tone) as quoted in this article are classified and taken for their face value.

    Out of context, Marc Heuse comes across as a very dramatic figure. In context his statements are entertaining as much as they are blatantly misguiding. Reminds me of Samuel Shenton, the founder of the Flat Earth Society: "Would sailing round the Isle of Wight prove that it were spherical? It is just the same for those satellites."