By Samuel Greengard
For years, Internet denizens have viewed IPv6 as a way to improve traffic flow and tackle the looming problem of address exhaustion. Although many enterprise IT executives have tracked the technology—and some organizations have already adopted IPv6— many others are not prepared to deal with new security issues emanating from the transition, notes Scott Behrens, director of Neohapsis Labs, the research arm of Neohapsis.
“We see a lot of organizations that want to adopt IPv6,” he said. What’s more, “Every modern Windows host comes with IPv6 enabled.”
Unfortunately, many IT departments haven’t established a strategy and set up systems to adequately deal with this issue. Many still have IPv4 monitoring and defenses in place. This makes it possible for a malicious attacker to establish a fake IPv6 address on top of an existing IPv4 network and trick clients into sending information to the IPv6 network tunnel.
In the past, this attack method, known as a Stateless Address Auto Configuration (SLAAC) Attack, was more theoretical than real. However, with the adoption of Windows 8, “It is now a problem that must be addressed—there is a very real threat,” Behrens warns.
The problem centers on the so-called Man in the Middle attack. “Disgruntled employees could use this flaw to snoop on Web traffic and understand what others inside the organization are doing,” he explains. “In a more lethal scenario, they could alter or spoof sites to launch attacks.” In fact, a perpetrator could succeed with only a shell site in place.
The problem could conceivably take place outside an internal enterprise network. For instance, a user might log into a Website or social media site from a public WiFi hotspot. A person with malicious intent could reroute traffic from the intended site to his or her system.
These could include phishing attacks, client-side attacks and other methods to capture log-in credentials, as well as personal identity information, including credit card numbers. In the end, “An organization could wind up with someone who has access to highly sensitive files and data,” Behrens says.
The most extreme way to mitigate the risk and eliminate any chance of an attack is to switch off IPv6 entirely, he says. Unfortunately, for some organizations, this could hinder adoption of a desired technology.
A more realistic approach for most organizations, Behrens says, is to adopt a number of protections recommended by the Internet Engineering Task Force (IETF). For instance, it’s possible to minimize risk by segmenting and logically separating internal networks.
“This approach could limit the risk across an enterprise,” he explains. “If I’m not on a particular server network segment, I’m not going to be able to conduct the attack against those server networks.”
In addition, some higher-end Cisco switches now feature a technology known as an RA Guard. When the RA Guard is enabled and configured correctly, the attack method fails. The downside is that these are relatively new and expensive switches, Behrens says.
Although there are currently no documented cases of a SLAAC attack occurring in the wild, Behrens and other security researchers say it’s only a matter of time until it happens. Over the long term, organizations should build out and configure their networks for IPv6.
“The attacks aren’t successful in environments where the infrastructure is completely built out,” he concludes. “The problem exists in environments where it’s possible to take advantage of host networks that have IPv6 enabled but not configured.”