IPv6 - The Security Disaster waiting to happen.

12 Feb 2017

I will catch a lot of flak for this post, because it goes against the conventional wisdom.

If you haven’t heard of IPv6, now is the time to learn about it. Many Internet providers either have already rolled it out, or are about to.

And now is the time to disable it for the time being.

Here is why: IPv6 can be secured as well as IPv4. But that’s not the question we should be asking.

The real question is: will it be secured as well?

Don’t worry about being left behind. IPv4 will still be around for decades to come.

Background

To make it short, the Internet is running out of traditional, or IPv4, addresses - the style you are familiar with: 192.168.1.1. There are only approximately 4 billion of these addresses (in theory - less in reality) and there are already approximately 10 billion people on the Internet. We actually would have run out of these addresses in the 1990s if it hadn’t been for a number of strategies to extend the supply.

IPv6 expands this number so much that each individual Internet connection will receive at least 295 Quintillion IP addresses (known as a /60). Currently, IPv6 is heavily rolled out in Asia and Europe, and beginning to appear in the USA, as well. Overall, this is good news.


So what’s the problem?

To be clear: IPv6 is overall quite well-designed, but it suffers from a few assumptions that don’t hold true in the real world.

The big problem with IPv6 is that all IP addresses are on the public Internet, and there is no automatic mechanism to protect your network - unlike in IPv4, you cannot use private IP addresses and then expect to browse the Web via NAT.

IPv6 zealots will tell you that NAT is not security. They are wrong. I agree that NAT is not the best security mechanism in the world. But it is better than nothing at all.

IPv6 zealots will also tell you that you can secure IPv6 as well as you can secure IPv4. And they are right - it can be secured. In a data center with a budget for a dedicated IT security staff, securing IPv6 is trivial.

But that’s the wrong question to ask. The Mirai botnet didn’t target Google’s or Amazon’s data centers. It targeted cameras installed in homes and small businesses - places where the owner will balk at spending $500 for a Fortigate device when he can buy a D-Link router for $50. Many D-Link routers (such as my own DIR-615) do not even have a setting to firewall IPv6 traffic. They only allow you to enable or disable IPv6. I retired this router from 2010 a long time ago, but how many people will still be using them for years to come?

Newer D-Link routers do have some firewall capabilities, but there are frequent reports that the firewall is not working.

This is not limited to home users, either. Even IT professionals often are not even aware of IPv6.

I am a member of a couple of great networking groups - some very in-depth technical guys, some specialize in more run-of-the-mill small-business setups. At a recent meeting, one member reported that one of his servers was hacked, and he was asking for help identifying the intrusion vector. I asked him what firewall rules he had for IPv6. His answer amounted to “I didn’t do anything about IPv6. And are you saying that I have to configure that, too?” He didn’t even know how to check if IPv6 is enabled.

I virtually hear people arguing that “he shouldn’t be working in IT”. Even if that was right (actually, this gentleman is one of the most competent IT people I know, his focus is just not networking) - we live in the real world where there are tens of thousands of IT professionals like him serving hundreds of thousands of small businesses all over the country. Unless you implement a mandatory licensing scheme, you can’t expect everybody to be an expert at everything!

Here is the problem:

Currently, IPv6 requires work, expense and expertise to secure it - it is not automatic.

To make matters worse, enabling IPv6 is automatic, thanks to SLAAC, router advertisement and all the other wonderful protocols that make IPv6 a joy to work with.
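One way to check whether a Linux host has quietly picked up a globally routable IPv6 address while having no IPv6 filtering of its own; this is an added example, not part of the original post. It assumes the Linux `/proc/net/if_inet6` format and `ip6tables -S` output, and all sample data (including the 2001:db8::/32 documentation prefix) is constructed.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")  # unique local range, not Internet-routable

# Constructed sample of Linux /proc/net/if_inet6 (2001:db8::/32 is the documentation
# prefix, standing in here for an ISP-assigned prefix learned via SLAAC).
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021122fffe334455 02 40 20 80     eth0
fd00abcd000000000000000000000001 02 40 00 80     eth0
20010db800000001021122fffe334455 02 40 00 00     eth0
"""
# Constructed sample of `ip6tables -S` on a host where nobody configured IPv6.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

def global_addresses(if_inet6_text):
    """Return [(device, address)] for globally routable addresses."""
    found = []
    for line in if_inet6_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        raw, _idx, _plen, scope, _flags, dev = fields
        addr = ipaddress.IPv6Address(int(raw, 16))
        # Scope 0x00 is global; 0x20 is link-local and 0x10 is host (loopback).
        if int(scope, 16) == 0x00 and addr not in ULA:
            found.append((dev, str(addr)))
    return found

def unfiltered_chains(rules_text):
    """Return INPUT/FORWARD chains with policy ACCEPT and no rules at all."""
    rows = [l.split() for l in rules_text.splitlines() if l.strip()]
    accept = [r[1] for r in rows if len(r) == 3 and r[0] == "-P" and r[2] == "ACCEPT"]
    with_rules = {r[1] for r in rows if len(r) > 2 and r[0] == "-A"}
    return [c for c in accept if c in ("INPUT", "FORWARD") and c not in with_rules]

def audit(if_inet6_text, rules_text):
    """Flag the host when it has a global address and an empty, accepting chain."""
    addrs, chains = global_addresses(if_inet6_text), unfiltered_chains(rules_text)
    return {"global": addrs, "unfiltered": chains, "host_unfiltered": bool(addrs and chains)}

if __name__ == "__main__":
    print(audit(SAMPLE_IF_INET6, SAMPLE_RULES))
```

On a real host, pass in the contents of `/proc/net/if_inet6` and the output of `ip6tables -S`; a host that uses native nftables rules needs `nft list ruleset` reviewed instead. Filtering done by an upstream router is not visible to this check.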

IPv6 needs a plug-and-play default-secure mode that is enforced across the Internet. Until this is addressed, I cannot in good conscience recommend IPv6 to most of my users. In IPv4, NAT filled exactly this need, even if it was by accident rather than design.

With IPv4, it is impossible to connect to the Internet without at least a minimal firewall in place.

In IPv6, it must be similarly impossible to connect your whole network to the Internet by accident.

This is why my current policy on IPv6 is: