IPv6 Security Links



This page was from research in 2004 on the security of IPv6 setting
aside IPsec. It was updated in January of 2007 to reflect dead links and add
new sites that have sprung up. I'm not working in IPv6 much anymore but the
majority of hits to my website are still looking for this information so I
thought I would update it. The fact that a Google search for "ipv6 security"
puts this page in the top five results says more about the investigation into
IPv6 security than it does about the accuracy of this information.

Darrin Miller and I have released a paper comparing IPv6 threats with IPv4
threats. Comments are welcome:

  • IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation, March 2004, S. Convery, D. Miller

    Here's a PPT version of most of the above paper that we gave at Networkers:

  • IPv6 Security Threats, June 2004, S. Convery, D. Miller, Networkers 2004

    Darrin and I also participated in a panel at the Fall 2004 Internet 2 conference,
    the brief presentation can be downloaded here.


    General

  • IPv6 Security Considerations and Recommendations, Microsoft, June 2006
    Discussion of IPv6 on Microsoft products focusing on how to protect various
    aspects of MS OSs running IPv6. Interestingly, 802.1X is recommended as the
    way to protect against unauthorized IPv6 network access (wired or wireless).
  • IPv6 Security, 6NET, May 2003
    Walks through a lot of the attack vectors in the IPv6 stack.
  • IPv6 Port Scanning Options, The Linux Documentation Project, IPv6 HOWTO - March, 2003
    Briefly describes using nmap and strobe to scan an IPv6 host.
  • IPv6 Neighbor Discovery trust models and threats, Nikander et al., RFC 3756 - May 2004
    Describes why manual keys can't solve the neighbor discovery (ND) problem
    for IPv6 and goes through in detail how the existing ARP threats translate
    in IPv6 and which new ones are created with address autoconfiguration
    and the like.
  • Security Considerations for 6to4, P. Savola, RFC 3964 - December 2004
    Describes the 6to4 tunneling mechanism and some of the threats
    the mechanism introduces, many of which are quite nasty.
  • New IPv6 netfilter matches, Netfilter Extensions HOWTO, F. Marie
    Outlines IPv6 support in netfilter.
  • Mobile IPv6 Security, Y. Mun - March 2002
    Discusses all the various issues with mobile IPv6 security. Provides good info,
    but this expired threat draft may be a good read before this presentation.
  • Implementing Security for IPv6, Cisco Documentation
    Discusses how to implement ACLs using IPv6 on IOS 12.4
  • Security Implication of Mixed IPv4/IPv6 Network, J Hagino
    Not sure what this doc is all about, it looks like a brainstorming snippet
    from IETF 55.
    Interesting implications here, from the doc: "IPv4 can be NAT'ed, firewalled, whatever",
    "IPv6 should better be end-to-end security", "something better than firewall",
    "Firewall model really needs to be revisited anyways"
    This doc points out some of the thinking going on by the IPv6 advocates:
    I, perhaps incorrectly, interpret this to say let's not do firewalls or
    NAT anymore but rely on the host OS for all security and IPsec for
    transport protection.
  • IETF v6ops WG, IETF Working Group
    From the charter: "Solicit input from network operators and users to identify operational
    or security issues with the IPv4/IPv6 Internet"
  • Mobile security flaw delivers yet another blow to IPv6, C. Marsan, Network World - April 2001
    News article outlining the discovery of flaws in Mobile IPv6.
  • IPv6, L. Spitzner, email thread - December 2002
    Thread about an IPv6 tunneled attack against a honeypot.
  • Multiple Vendor IPv4-IPv6 Transition Address Spoofing Vulnerability bugtraq id 5545
  • Possible abuse against IPv6 transition technologies, J. Hagino, IETF Draft - July 2000
  • Transient Addressing for Related Processes: Improved Firewalling by Using IPV6 and Multiple Addresses per Host, Bellovin et al. - July 2001
  • IPv6 Security, F. Majstor, RSA Conference Paris - October 2002
  • Does IPv6 protocol solve all security problems of IPv4, F. Majstor - October 2003
  • Threat Models introduced by Mobile IPv6 and Requirements for Security, Mankin et al., IETF Draft - November 2001
    Good discussion of potential attack points with Mobile IPv6.
    The draft is expired and I can't find a more current one on the IETF
    website so I've put the document here mostly so I can find it again.

    Crypto

  • KAME Project
    From their website "The KAME project was a joint effort ... to provide a free stack of IPv6, IPsec, and Mobile IPv6 for BSD variants"
  • Security Features in IPv6, P. Hermann-Seton, SAN - September 2002
  • IPv6: Improvements and Security, R. Buckley (doc)
  • IPv6 Security Considerations, M. Heidari, December 2004
    IPsec focused discussion of IPv6 security.

    Privacy

  • Are There Still Privacy Concerns With IPv6? Slashdot discussion - October 2000
  • Where's All The Outrage About The IPv6 Privacy?, Slashdot discussion - October 1999
  • IPv6 Privacy Issues, P. Loshin, IETF Corner - March 2001
  • Privacy Extensions for Stateless Address Autoconfiguration in IPv6, Narten and Draves, RFC 3041 - January 2001
  • Privacy-Enhancing Technologies in the Next Generation Internet: PETng, A. Pascual - December 2001

    Tools

  • Nmap, Fyodor
  • EXPERIMENTAL IPv6 decoder available in Snort, M. Roesch, email thread - December 2002
  • VoodooNet IPv6 Covert Channel Tool, Security Focus - August 2006

    Lab


    We are building out an IPv6 security lab for testing and this section will link to *very* rough documents
    outlining tips or tricks we have identified.
  • Win2K SP4 IPv6 Upgrade Procedure
  • WinXP SP1 IPv6 Upgrade Procedure
  • Debian 3.0 Linux IPv6 Upgrade Procedure
  • Random lab ramblings and ideas

    Dead Links


    Many links since our initial research into IPv6 security are now dead. Here they are.
    Why keep dead links? Because they show at least some of the work that has been done
    as IPv6 has evolved. Also, I didn't try real hard to track these documents down so
    others may have more luck (or time) to hunt for them. If you track one down, drop
    me a line and I'll update the page.
  • Overcoming IPv6 Security Threat, CircleID - September, 2002 - LINK DEAD
  • Firewalling Considerations for IPv6, P. Savola, IETF Draft - March, 2003
    Describes some potential issues with firewalls and the processing of
    unknown extension headers. Also discusses a multicast DoS attack
    unique to IPv6. - LINK DEAD
  • Effects of ICMPv6 on IKE, J. Arkko, IETF Draft - March, 2003
    Describes the pain caused by needing IPsec to secure ICMPv6 messages
    and some potential solutions including using manual keying for multicast
    messages prior to UDP reachability (for IKE). *ouch* - LINK DEAD
  • Access Control Prefix Router Advertisement Option for IPv6, S. Bellovin, IETF Draft - February 2003
    Details a simple mechanism to provision basic access control within
    a network by adding an "allowed prefix" option to router advertisements.
    Not quite sure how this would be different from using ACLs on a router
    but it is good to see non IPsec security options for IPv6. - LINK DEAD
  • Requirements for Plug and Play IPsec for IPv6 applications, Kobayakawa et al., IETF Draft - October 2002
    Discusses challenges with protecting the initial bootstrap portion of
    IP address configuration. Draft is very short on details though. - LINK DEAD
  • Security of IPv6 Routing Header and Home Address Options, P. Savola, IETF DRAFT - December 2002
    Outlines several problems related to the IPv6 Routing Header and Home
    Address options including the ability to redirect traffic, bypass filtering
    rules on a firewall and hide spoofed DoS attacks. - LINK DEAD
  • IPv6 Enterprise Networks Scenarios, J. Bound et al. - IETF Draft
    When finished this document seeks to help enterprise network operators
    with the security requirements of their networks. As it stands now
    the document is still in the formative stages and does not yet have a lot
    of useful data. - LINK DEAD
  • Security information for IPv6, Microsoft TechNet
    This site contains a couple of issues MS has identified with IPv6.
    Examples include that v6 can only be used when v4 is also installed
    and the internet firewall included with Windows cannot filter v6 traffic. - LINK DEAD
  • IPv6: In Search Of Internet Security, J. Baptista, CircleID - October 2002 - LINK DEAD
  • IPv6 Security Mechanisms and Considerations, A. Abdul-Rahman (ppt) - LINK DEAD
  • IPsec and Privacy with IPv6, Jayachandra K, Global IPv6 Summit - May 2002 - LINK DEAD
  • IPv6 Security Improvements, Sun Product Documentation - LINK DEAD
  • Where's All The Outrage About The IPv6 Privacy Threat?, B. Frezza - October 1999 - LINK DEAD
  • Statement on IPv6 Address Privacy, Deering and Hinden - November 1999 - LINK DEAD
  • Privacy in the next generation Internet, A Escudero-Pascual (ppt) - LINK DEAD
  • IPv6 Port scanner - IPv6 DoS, Guilecool - October 2001 - LINK DEAD