Got an IPv6 Firewall?
Just like the call "Winter is Coming" in Game of Thrones, we keep hearing IPv6 is coming to our networks spreading doom and gloom to our most priced assets. But just like the clothing worn by some of the actors of the TV show isn't exactly suited for winter, the network security infrastructure deployed currently wouldn't give you a hint that IPv6 is around the corner.
On the other hand, here are some recent numbers:
- Over 25% of Comcast customers are "actively provisioned with native dual stack broadband" (see comcast6.net)
- 40% of the Verizon Wireless network is using IPv6 as of December 2013 (http://www.worldipv6launch.org/measurements/)
- Between July and December last year, Akamai saw IPv6 traffic go up by about a factor of 5 (http://www.akamai.com/ipv6)
When I made our new "Quickscan" router scanning tool available last week, I left it IPv6 enabled. So it is no surprise, that I am getting e-mails like the following:
The results were "interesting"
...
A few weeks ago I had installed an IPv6 capable modem and updated my router config to enable IPv6. The results were glorious in that IPv6 ran like a charm.
The sober facts arose when I ran the ISC router scan - it used my IPv6 address, which hooked directly to my desktop (behind my firewall) and pulled up my generally unused native Apache service.
I went over my router config with a fine-tooth comb and realized that my router has no support for IPv6 filtering.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
IPv6 Security Training ( https://www.sans.org/sec546 )
Twitter
Comments