[menog] Invisible IPv6 traffic poses serious network threat

Richard Barnes richard.barnes at gmail.com
Wed Jul 15 20:06:23 GMT 2009


Hey Baher,

Indeed, interesting article.  But it seems a little overblown to me --
it's not that IPv6 is being used as a mechanism for an attack, it's
that v4/v6 tunnels are being used to tunnel traffic through the
network in a way that the firewalls don't pick up.  As far as I know,
the same thing works for other types of tunnels, e.g., v4/v4 tunnels,
GRE tunnels, AH-only IPsec tunnels, or even just OpenVPN tunnels over
TLS.  The real message is "If you don't want people tunneling out of
your network, block tunnels."

Blocking the tunnels that the article is talking about seems pretty
straightforward.  E.g., if you're using iptables,
iptables -I INPUT -j DROP -i $INTERFACE -p ipv6   # 6to4
iptables -I INPUT -j DROP -i $INTERFECE -p udp --sport 3544 --dport
3544 # Teredo
(For native IPv6, see ip6tables:
<http://www.tin.org/bin/man.cgi?section=8&topic=ip6tables>)

Worth considering, possibly a reason to accelerate you v6 deployment,
but certainly no reason to be scared of v6.

--Richard

On Tue, Jul 14, 2009 at 3:38 AM, Baher Esmat<baher.esmat at icann.org> wrote:
> Interesting article about IPv6 security threats:
> http://www.networkworld.com/news/2009/071309-rogue-ipv6.html?page=1
>
> Experts admit that blocking IPv6 traffic is a temporary solution because a
> growing number of your customers and business partners will be supporting
> IPv6. "If you're not prepared for IPv6, then the prudent thing to do is not
> to allow it into your network," LeMaster says. "But you shouldn't be
> blocking all IPv6 traffic for the next five years. You should only block it
> until you have a policy and understand the threats." Long term, the better
> solution is to start running IPv6 so you can gain visibility into your IPv6
> traffic and experience with the new protocol, experts say.
>
> Regards,
> Baher


More information about the Menog mailing list