Deploy360 15 January 2018

Can IPv4 Networks Be Compromised via IPv6?

By Jan Žorž, Operational Engagement Programme Manager
The Fox-IT International Blog recently published an article on how IPv4 networks can be compromised via IPv6. The attack vector relies on the default IPv6 configuration in the Windows operating system to spoof DNS replies by acting as a malicious DNS server to redirect traffic to an attacker-specified endpoint. The Windows Proxy Auto Discovery (WPAD) feature can also be exploited in order to relay credentials and authenticate to various services within the network, using a tool called mitm6 created by Fox-IT.

Fox-IT is recommending that IPv6 be disabled when it is not being used, as well as disabling Proxy Auto Detection. This of course means that Windows-based hosts are unable to switch preference to IPv6 when it is available (which all versions since Windows Vista will do), and that IPv6 would need to be explicitly re-enabled on hosts.

The article makes some important points, but IPv4 and IPv6 are fundamentally incompatible at the wire level, and it needs to be understood that they can’t communicate with each other except through translation devices. There are a number of known issues (including this one) with the security of automatic configuration mechanisms running on Local Area Networks, both under IPv6 and IPv4, but these require physical access to a wired or wireless LAN. In any network, if an attacker gains unsecured access to Layer 2 protocols that do not have any port security or client separation, then any Layer 3 protocol can be compromised.

As such, turning off IPv6 should not be the recommended solution to this issue. Deploying, configuring and securing IPv6 on your network is preferable, which would also ensure hosts will be able to communicate using IPv6. By deploying a DHCPv6 server together with network security mechanisms such as port security, RA guard, DHCPv6 guard and other “first hop security” mechanisms, we can minimize the risk of our networks being exploited.
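The check that DHCPv6 guard applies at the switch port (server messages are only accepted from known servers) can also be run passively over captured DHCPv6 traffic. The following is an added example, not code from Fox-IT or the Internet Society; the allow-list, the sample addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import struct

# DHCPv6 message types that only a server should send (RFC 8415).
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE"}
OPTION_DNS_SERVERS = 23  # DNS Recursive Name Server option (RFC 3646)

def dns_servers(payload):
    """Return the DNS server addresses carried in a DHCPv6 UDP payload."""
    servers, offset = [], 4  # skip msg-type (1 byte) + transaction-id (3 bytes)
    while offset + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, offset)
        data = payload[offset + 4:offset + 4 + length]
        if len(data) < length:
            break  # truncated option: stop rather than misparse
        if code == OPTION_DNS_SERVERS:
            servers += [str(ipaddress.IPv6Address(data[i:i + 16]))
                        for i in range(0, length - length % 16, 16)]
        offset += 4 + length
    return servers

def check_message(src, payload, allowed_servers):
    """Return a finding for a server message from an unlisted source, else None."""
    if len(payload) < 4 or payload[0] not in SERVER_MSG_TYPES:
        return None  # client or relay traffic is out of scope here
    if ipaddress.IPv6Address(src) in allowed_servers:
        return None
    return {"src": src, "type": SERVER_MSG_TYPES[payload[0]],
            "dns": dns_servers(payload)}

def build_message(msg_type, dns):
    """Constructed sample: DHCPv6 header plus one DNS-servers option."""
    option = struct.pack("!HH", OPTION_DNS_SERVERS, 16) + ipaddress.IPv6Address(dns).packed
    return bytes([msg_type]) + b"\x00\x00\x01" + option

# Constructed addresses; the allow-list is an assumption about the local network.
ALLOWED = {ipaddress.IPv6Address("fe80::1")}
LEGIT = build_message(7, "fe80::1")      # REPLY from the known server
ROGUE = build_message(2, "fe80::bad:1")  # ADVERTISE from an unlisted host

if __name__ == "__main__":
    for src, msg in (("fe80::1", LEGIT), ("fe80::bad:1", ROGUE)):
        print(src, check_message(src, msg, ALLOWED))
```

A finding whose advertised DNS server equals its own source address is the pattern to prioritise, since the unlisted host is then offering itself as the resolver.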

In the absence of basic network security, we can’t simply expect that turning off one of the protocols will solve the problems. Securing the network infrastructure would mitigate much of the threat, so that if an attacker gains physical access to it, they will have a hard time successfully connecting and sending any packets.

Deploy360 aims to help you deploy IPv6 securely, so please take a look at our IPv6 Security references to learn more.
