The transition from IPv4 to IPv6 can open your organization to security risks and threats. With awareness of these potential issues, you can prepare and protect your business accordingly. Educate yourself about the following vulnerabilities to safeguard your organization.
Routing Header Type 0 Vulnerability
One of the IPv6 security issues involves the Routing Header Type 0 (RH0) extension header. This allows additional information to be placed behind the IP header and extends IPv6’s functionality. However, as ICLOAK explains, “This particular extension header facilitates source routing, meaning that the sender has the power to determine the path that the packet is to follow across the network, instead of allowing the routers to route the packet naturally. This fundamental flaw in IPv6 is a gold mine for potential denial-of-service (DoS) attackers because they can program a packet, or a set of packets, to circle in a loop between two routers in a network, which will potentially exhaust the available bandwidth.” Be aware that older or unpatched networking solutions can still pose a threat as a result of this vulnerability.
IPv6 Neighbor Discovery Vulnerability
In the fall of 2016, a vulnerability was discovered that allows the router to accept rather than discard an IPv6 Neighbor Discovery (ND) packet, which the routing engine would then process. A network-based packet flood can then cause the routing engine CPU to spike or engage the policing solution, which will then begin dropping legitimate IPv6 neighbors. As a result of the routable crafted IPv6 ND packet, an attacker can launch this type of attack from outside the local broadcast domain. Although no current solution exists, following security best practices and filtering all ND traffic from reaching network infrastructure equipment can limit your risk.
IPv6 and VPN Vulnerability
Researchers from the University of London and University of Rome conducted a study of 14 of the most popular VPN services. Their results highlighted an IPv6 VPN leakage vulnerability that greatly concerned the researchers. “The vulnerability is driven by the fact that, whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN's virtual interface.” One solution is to disable IPv6 while using commercial VPN services.
Prepare for IPv6
IPv6 offers features and functionality not available in its predecessors; however, these benefits come at the cost of potential new security holes. Perform your due diligence to ensure any migration to IPv6 includes a thorough investigation into new vulnerabilities and threats introduced by this new version.