Four IPv6 misunderstandings that enterprises must know when upgrading their IP addresses

ISP and Web companies have been setting up World IPv6 Launch Day for one year. Akamai reported that IPv6 traffic on the IPv6 content transmission platform has increased by 250%, the number of requests sent every day reaches 10 billion. Although this traffic is still far behind IPv4, it continues to grow. At the same time, the misunderstanding of IPv6 has always affected the deployment of this Protocol and the security of the enterprise network.

After talking with multiple security and Network experts, Network Computing lists four common IPv6 Security misunderstandings.

1. IPv6 defense is not required for networks that only support IPv4.

The first misunderstanding related to IPv6 actually has a better relationship with IPv4. organizations related to IPv4 networks may think they will not be attacked based on IPv6, but experts say this is not the case, "IPv6 has been around for several years, and the latest operating systems and mobile devices are ready to accept IPv6 networks," said Ron Gula, CEO of Tenable Network Security. "This means that if you want to run or review an IPv4 network, there will be many systems that want to talk to you through IPv6. This provides many opportunities for hackers and malware ."

Every modern operating system, including Windows, Mac OS X, Ubuntu Linux, iOS, and Android, uses IPv6 by default, said HD Moore, Chief Researcher of Rapid 7, "Windows Homegroup features dedicated to using TCP for local network management. Each IPv6-enabled system has a 'link-local' address that can be connected by other machines on the local network ". In this way, intruders can access the local network-directly access or through the damaged IPv4 system connection-to access or attack the IPv6 interface.

Johannes Ullrich said that IPv6 was not controlled when it was enabled, and enterprises were exposing themselves to threats. He was the research director of the SANS society. Recently, I have been trying a Special attack, which is a headache for a company system that uses VPN to connect to enterprise resources from a trusted network, "Ullrich said. "For example, an employee on a business trip connects to the Internet from the hotel's wireless network and creates a VPN tunnel to connect to the company's network. This type of VPN only forwards IPv4 data streams. Attackers can create an IPv6 router in the hotel network to specify an IPv6 address for the host and provide a DNS server that supports the IPv6 protocol. In this way, attackers can block data through VPN for deciphering ."

2. IPv6 with forced IPSec is safer than IPv4

It is widely believed that one of the advantages of IPv6 is its support for IPSec, but they are actually different. Although IPv6 supports IPSec for transmission encryption, it is not mandatory and is not the default setting, Moore said: "Even if it is enabled, IPSec also requires the security of a large number of configurations ,"

3. IPv6 can prevent man-in-the-middle attacks

Because IPv6 does not apply to the Address Resolution Protocol, it can prevent man-in-the-middle attacks. In fact, IPv6 uses ICMPv6 to deploy the Neighbor Discovery Protocol, which can replace ARP with local addresses, like ARP, the Neighbor disbor protocol is vulnerable to man-in-the-middle attacks.

Moore said, "a corrupted internal node may expose all local devices to the Global IPv6 network through a simple routing announcement ,".

4. IPv6 does not have IPv4 Security

Some people mistakenly think that IPv6 is very secure, while some people think that IPv6 is less secure than IPv4 due to lack of NAT, "Network Address Translation (RFC 1918) is an IPv4 address that allows organizations to allocate private and non-routable IPv4 addresses to each device, and then provide network connections for these devices through the limited number of public IPv4 addresses, "said Neohapsis's joint security consultant.

"Despite this, private site selection is mistaken for a security feature, and its omission is often seen as a reason not to deploy IPv6," he added. "The IPv6 extended address library solves the NAT problem. The real security of NAT deployment is to use static detection of internal traffic at the same time. As long as access control is well performed, the security protection performance of IPv6 does not actually change much compared to NAT ."