Wednesday 26 November 2014

IPv6



Why is there a need to move to IPv6?  Simply because we are running out of public IPv4 addresses.  IPv4 uses 32 bits to represent an IP address and thus can support 4,294,967,296 addresses, or approximately one public address for every 2 people on earth.  In the connected world we live in now, this is clearly not enough, even with NAT lumping piles of private IP addresses behind single public addresses.
IPv6 uses 128 bits to represent addresses, and thus can support about 42 octillion addresses per person.  Because of this complete overabundance of addresses, there is no NAT in IPv6 at all; all addresses are considered public addresses.  Hosts are able to assign addresses to themselves (autoconfiguration); however, addresses can also be assigned via DHCPv6, much as in IPv4.  There is a wealth of information online about the differences between IPv4 and IPv6, and it is well worth a read, because eventually we will all be making the move to IPv6.

Potential Risks with IPv6


•    Neighbor Discovery Protocol (NDP) – A rogue router could send incorrect information to clients, leading to a potential man-in-the-middle attack.
•    DHCPv6 – Similarly, a rogue router could send incorrect DHCP information to a client.
•    Hop-by-hop extension headers – In IPv6 it is possible to specify in the packet header the intermediary hops to take on the path to the destination, so a rogue router could dictate the path and redirect traffic through a man-in-the-middle attack.
•    Packet amplification attacks – Using multicast addressing it is possible to trick entire networks into responding to requests.
•    ICMPv6
•    Tunnelling – Tunnelling IPv6 through IPv4 may mean that some IPv4 filtering in the network works incorrectly.
•    Autoconfiguration – Rogue routers can cause end devices to autoconfigure themselves incorrectly.
•    Dual stacks – A device can become compromised if it is running IPv4 and IPv6 simultaneously but one stack is used, and therefore watched, far more than the other.

IPv6 Best Practices


•    Filter bogus addresses
•    Filter non-local multicast addresses
•    Filter ICMPv6 traffic that is not required
•    Drop routing header type 0 – stop hop-by-hop extension headers.
•    Use manual tunnels
•    Protect against rogue devices – Secure Neighbor Discovery (SEND) and router advertisement guard (RA guard) can help to stop rogue devices.
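To make the best practices above concrete, and to tie them back to the risks listed earlier (rogue router advertisements, hop-by-hop/routing headers, multicast amplification, unneeded ICMPv6), the following is an added example of the filtering logic expressed as a small Python packet classifier. It is not code from the original post; the trusted-router allowlist, the set of required ICMPv6 types, the bogon prefix list and the test packets are all constructed assumptions for illustration, and a real deployment would express the same checks in the router or firewall configuration (RA guard, ACLs, RH0 drop) rather than in Python.

```python
import ipaddress
import struct

# Policy values below are constructed for this example and are NOT from the post.
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}          # RA guard allowlist (assumed)
REQUIRED_ICMPV6 = {1, 2, 3, 4, 128, 129, 133, 134, 135, 136}  # errors, echo, NDP (assumed)
BOGON_PREFIXES = [ipaddress.IPv6Network(p) for p in (
    "::1/128",        # loopback must never appear on the wire
    "::ffff:0:0/96",  # IPv4-mapped addresses
    "100::/64",       # discard-only prefix
    "2001:db8::/32",  # documentation prefix
)]

# IPv6 next-header values used below
NH_HOPBYHOP, NH_ROUTING, NH_FRAGMENT, NH_ICMPV6, NH_DESTOPTS = 0, 43, 44, 58, 60


def parse_ipv6(packet):
    """Return (src, dst, next_header, payload) from a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _first_word, plen, nh, _hop_limit = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return src, dst, nh, packet[40:40 + plen]


def walk_extension_headers(nh, payload):
    """Yield (header_type, header_bytes) for each extension header, then the upper-layer payload."""
    while True:
        if nh in (NH_HOPBYHOP, NH_DESTOPTS, NH_ROUTING):
            if len(payload) < 8:
                raise ValueError("truncated extension header")
            length = (payload[1] + 1) * 8      # Hdr Ext Len is in 8-octet units, excluding the first
        elif nh == NH_FRAGMENT:
            length = 8                          # fragment header is fixed size
        else:
            yield nh, payload                   # upper-layer protocol (e.g. ICMPv6)
            return
        yield nh, payload[:length]
        nh, payload = payload[0], payload[length:]


def filter_packet(packet):
    """Apply the post's best-practice checks; return 'accept' or a 'drop: <reason>' string."""
    try:
        src, dst, nh, payload = parse_ipv6(packet)
        if any(src in net for net in BOGON_PREFIXES):
            return "drop: bogon source"
        if dst.is_multicast and (dst.packed[1] & 0x0F) > 2:   # scope nibble > link-local
            return "drop: non-local multicast destination"
        for hdr_type, hdr in walk_extension_headers(nh, payload):
            if hdr_type == NH_ROUTING and hdr[2] == 0:        # Routing Type 0 (source routing)
                return "drop: routing header type 0"
            if hdr_type == NH_ICMPV6 and hdr:
                icmp_type = hdr[0]
                if icmp_type not in REQUIRED_ICMPV6:
                    return f"drop: ICMPv6 type {icmp_type} not required"
                if icmp_type == 134 and src not in TRUSTED_ROUTERS:   # RA guard
                    return "drop: router advertisement from untrusted source"
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    return "accept"


def build_packet(src, dst, nh, payload, hop_limit=64):
    """Build a raw IPv6 packet for testing (constructed input; ICMPv6 checksum left zero)."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), nh, hop_limit)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


if __name__ == "__main__":
    echo = bytes([128, 0, 0, 0]) + b"\x00" * 4                     # ICMPv6 echo request
    rh0 = bytes([NH_ICMPV6, 0, 0, 0]) + b"\x00" * 4 + echo           # RH0 then echo
    print(filter_packet(build_packet("fd00::10", "fd00::20", NH_ICMPV6, echo)))
    print(filter_packet(build_packet("fd00::10", "fd00::20", NH_ROUTING, rh0)))
```

The classifier walks the extension-header chain rather than only looking at the first next-header value, because a routing header can sit behind a hop-by-hop or fragment header; a filter that stops at the fixed 40-byte header would miss it.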
