Tuesday, July 22nd 2008

IPv6 Protection by OSes Inadequate, Potential Vulnerabilities Surface

Software-level protection for IPv6 (Internet Protocol Version 6) remains rudimentary. The protocol comes pre-installed with several operating systems (OSes) but is poorly implemented in the real world, which makes it a protocol ignored by security providers and, effectively, a soft target for hackers looking to compromise a system.

Several OSes, including Linux 2.6 upwards, Windows Vista, Solaris, Mac OS X and mobile OSes such as Windows Mobile 5 and 6, come with IPv6 enabled by default, though the user would probably not use the protocol in a year-2008 setting, where networks haven't embraced it to a level that makes it an explicit requirement for all internet-enabled computers the way IPv4 is. Keeping this in mind, software-level protection for IPv6 is close to non-existent. Strong protection with intrusion detection might keep you safe at the IPv4 level that's still standard, but with IPv6 enabled and protection that doesn't cover IPv6, the PC is as vulnerable as one without any firewall at all. With IPv6 'listeners' (programs that open ports and allow incoming connections) in place, the PC becomes vulnerable to intrusions. All it takes is for a hacker to create an IPv6 listener program (malware) and plant it on a PC.

Security researcher Joe Klein of Command Information says that the internet has no dearth of computers with IPv6 enabled without their users' knowledge. Administrators who don't keep tabs on their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don't secure their IPv6 implementations, whether they realize they have one or not. Perhaps the biggest threat is that of hackers tunneling IPv6 traffic through an IPv4 system. Tunneling often circumvents firewalls, even over IPv4.

Command Information predicts that we will run out of IPv4 addresses in about two and a half years' time. The continuity of the internet's expansion depends on how quickly IPv6 is implemented globally. Apparently, security isn't able to keep up with the pace of advancements in network technologies.

Source: DailyTech
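To see which IPv6 listeners a Linux host actually has, the audit sketch below decodes the kernel's `/proc/net/tcp6` table and classifies each listening socket by how far it is reachable. It is an added example, not part of the article or its source; it assumes a little-endian Linux host, and the sample table is constructed for illustration.

```python
import ipaddress

TCP_LISTEN = 0x0A  # state code the kernel prints for a listening TCP socket

# Constructed sample in /proc/net/tcp6 layout (not captured from a real host).
SAMPLE = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 100 0 0 10 0
   2: B80D0120000000000000000001000000:01BB B80D0120000000000000000002000000:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1 0000000000000000 20 4 30 10 -1
   3: 000080FE000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20004 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(hex_addr):
    """Decode 32 hex chars: four 32-bit words, each byte-swapped on little-endian hosts."""
    raw = b"".join(bytes.fromhex(hex_addr[i:i + 8])[::-1] for i in range(0, 32, 8))
    return ipaddress.IPv6Address(raw)

def ipv6_listeners(table_text):
    """Return (address, port, exposure) for every socket in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue                              # skip established and other states
        addr_hex, port_hex = fields[1].split(":")
        addr = decode_addr(addr_hex)
        if addr.is_loopback:
            exposure = "local-only"               # ::1, not reachable from the network
        elif addr.is_link_local:
            exposure = "on-link"                  # fe80::/10, same network segment only
        else:
            exposure = "reachable"                # wildcard (::) or a routable address
        found.append((str(addr), int(port_hex, 16), exposure))
    return found

if __name__ == "__main__":
    for addr, port, exposure in ipv6_listeners(SAMPLE):
        print(f"[{addr}]:{port}  {exposure}")
```

On a real host, pass the contents of `/proc/net/tcp6` instead of `SAMPLE`, then check that every listener marked reachable is covered by an IPv6 firewall rule and not just an IPv4 one.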

9 Comments on IPv6 Protection by OSes Inadequate, Potential Vulnerabilities Surface

Editor & Senior Moderator
PrudentPrincess said:
lol another reason not to upgrade to Vista. :D
Windows XP SP2+ included. It just wasn't mentioned in the source article, so I didn't mention it. WinXP SP2 and above does come with IPv6.
Posted on Reply
I'm the only one
Better uninstall xp sp2 then too eh :p

Is it a problem then bta?
Posted on Reply
Senior Monkey Moderator
Just shut it off if you don't use it. Not too terribly difficult.
Posted on Reply
Reading the heading of the article I thought it was another one of Kaspersky antics.
From what I understand of the article a firewall software hasn't been designed for IPv6 and this researcher is lamenting about it. One can't expect companies to come out with a software which no one uses. Companies need to make money and they will wait till IPv6 is started to be used or a few days before the switch is made.
Posted on Reply
Editor & Senior Moderator
tigger69 said:
Better uninstall xp sp2 then too eh :p

Is it a problem then bta?
Uncheck this box, save settings, reboot:

See if your internet/local network/NAS work properly. If so, keep it that way.
Posted on Reply
not upgrading to IPV6 is just like ignoring global warming... :shadedshu
Posted on Reply
Odd, I just checked several of my work computers. A couple of them even have SP3 installed. Not one has IPv6 installed. I go to install a new protocol and it is available but not one machine has it installed. Did XP Pro not auto install it?
Posted on Reply
The original XP already had ipv6 support if I recall correctly, and certainly XP-SP1 did.

I'd like to point out also that at some point with SP2 I started to notice my computer contacted microsoft a lot, even while I have automatic updates disabled, and I traced it to the IPv6 service that was running, so in privacy respect, and in wasted resources until IPv6 comes to the masses respect, I'd advise to disable the IPv6 service if it's running on your system.
Right now AFAIK IPv6 is only used on backbones and by fervent enthusiasts as an experiment in cooperation with their ISP, which is actually a pretty weird thing because one ISP for instance had that option and if you did they assigned you 32000 IP's!!! instead of the normal one or two.
Once they roll it out it'll be hard to block unwanted people I guess.
Posted on Reply