Lead Image © foottoo, 123RF.com

Lead Image © foottoo, 123RF.com

IPv6 security on IPv4-only networks

Slippery Floor

Article from ADMIN 27/2015
By
Even though corporations are looking to move to IPv6, in some situations networks still rely exclusively on IPv4. We discuss ways to minimize delays and unsatisfactory behavior in mixed IPv4/IPv6 IT environments.

Even though IPv6 is not establishing itself as expected, it is still making progress. More and more systems on the Internet, as well as on enterprise networks, can communicate and are accessible via IPv6. Mechanisms such as auto-configuration and automatic tunneling mean that IPv6-capable nodes will attempt to establish connections using IPv6. Filtering of IPv6 traffic or the lack of end-to-end connectivity can cause the connection to fail. In this case, the node either cancels the communication action or it tries after failing – and typically after a timeout – to use IPv4 as a fallback mechanism to reach its target, resulting in pronounced delays and unsatisfactory behavior of the IT infrastructure.

Two IPv6 security experts, Fernando Gont (SI6 Networks) and Will Liu (Huawei Technologies), summarized important principles for securing IPv4-only networks in RFC 7123 (Security Implications of IPv6 on IPv4 Networks) [1]. This request for comment still has an "Informational" status, and is thus intended as a basis for discussion and as a guideline for practical applications. In contrast to standard-track RFCs, it is not mandatory.

IPv6 in IPv4-Only Networks

Ever since Windows Vista, IPv6 has been integrated into the Windows TCP/IP stack and enabled by default. To put this another way: Windows always runs in dual-stack mode first, with IPv4 and IPv6 running in parallel (Figure 1). The Linux kernel has supported IPv6 for many years, and nearly all distributors enable it by default. Because of various IPv6 features, such as automatic configuration, transition, and translation technologies (in particular, automatic tunneling), attackers can exploit IPv6 traffic on dual-stack nodes.

...
Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • © Tramper2, fotolia.com
    IPv6 tunnel technologies
    Now that IPv6 is the official Internet protocol, all that remains is the simple task of migrating all the machines on the Internet. Until that happens, tunnel technologies provide an interim solution.
    more »
  • Neglected IPv6 Features

    IPv6 is establishing itself in everyday IT life, and all modern operating systems from Windows, through Mac OS X, to Linux have it on board; but if you let IPv6 introduce itself into your environment, you could be in for some unpleasant surprises.

    more »
  • Lead Image © gepard1979, 123RF.com
    IPv6 Tables
    We design a basic set of ip6tables rules for an IPv6 firewall.
    more »
  • Lead Image © Jarts, PHOTOCASE.com
    Migrating your network to IPv6
    Abraham Lincoln once said, "Give me six hours to chop down a tree and I will spend the first four sharpening the axe." The transition to IPv6 is a big step for many organizations. Careful planning and a systematic approach are critical to a successful migration.
    more »
  • Photo by Eugene Zhyvchik on Unsplash
    GENEVE network tunneling protocol
    LAN data transmission has evolved from the original IEEE 802.3 standard to virtual extensible LAN (VXLAN) technology and finally to today's Generic Network Virtualization Encapsulation (GENEVE) tunneling protocol, which offers improved flexibility and scalability, although it still faces some issues. We look at the three technologies and their areas of application.
    more »
comments powered by Disqus