Deploy360 15 January 2018

Can IPv4 Networks Be Compromised via IPv6?

By Jan Žorž, Former Operational Engagement Programme Manager
The Fox-IT International Blog recently published an article on how IPv4 networks can be compromised via IPv6. The attack vector relies on the default IPv6 configuration in the Windows operating system to spoof DNS replies by acting as a malicious DNS server to redirect traffic to an attacker-specified endpoint. The Windows Proxy Auto Discovery (WPAD) feature can also be exploited in order to relay credentials and authenticate to various services within the network, using a tool called mitm6 created by Fox-IT.

Fox-IT recommends disabling IPv6 when it is not being used, as well as disabling Proxy Auto Detection. This of course means that Windows-based hosts are unable to switch preference to IPv6 when it is available (which all versions since Windows Vista will do), and that IPv6 would need to be explicitly re-enabled on hosts.

The article makes some important points, but IPv4 and IPv6 are fundamentally incompatible on a wire level and it needs to be understood they can’t communicate with each other except through translation devices. There are a number of known issues (including this one) with the security of automatic configuration mechanisms running on Local Area Networks, both under IPv6 and IPv4, but these require physical access to a wired or wireless LAN. In any network, if an attacker gains unsecured access to Layer 2 protocols that do not have any port security or client separation, then any Layer 3 protocol can be compromised.

As such, turning off IPv6 should not be the recommended solution to this issue. Deploying, configuring and securing IPv6 on your network is preferable, which would also ensure hosts will be able to communicate with IPv6. By deploying a DHCPv6 server together with network security mechanisms such as port security, RA Guard, DHCPv6 Guard and other “first hop security” mechanisms, we can minimize the risk of our networks being exploited.
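The check a DHCPv6 guard applies can be sketched in a few lines. This is an added example, not code from Fox-IT, mitm6 or Deploy360: it parses a DHCPv6 UDP payload and flags server-type messages that come from a source outside an allow-list or that hand out a DNS server (option 23, RFC 3646) the site has not approved. The allow-listed addresses, function names and the sample packet builder are constructed assumptions.

```python
import ipaddress
import struct

# DHCPv6 message types that only a server should send (RFC 8415).
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE"}
OPTION_DNS_SERVERS = 23  # DNS Recursive Name Server option (RFC 3646)

# Assumed site policy: constructed values, using the 2001:db8::/32 documentation prefix.
ALLOWED_SERVERS = {ipaddress.IPv6Address("fe80::1")}
ALLOWED_DNS = {ipaddress.IPv6Address("2001:db8::53")}


def parse_options(payload):
    """Yield (code, data) for each option after the 4-byte DHCPv6 header."""
    offset = 4  # 1 byte msg-type + 3 bytes transaction-id
    while offset + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated DHCPv6 option")
        yield code, payload[offset:offset + length]
        offset += length


def inspect(src, payload):
    """Return a list of policy violations for one DHCPv6 UDP payload."""
    if len(payload) < 4 or payload[0] not in SERVER_MSG_TYPES:
        return []  # client-side message: nothing for the guard to check
    name = SERVER_MSG_TYPES[payload[0]]
    findings = []
    if ipaddress.IPv6Address(src) not in ALLOWED_SERVERS:
        findings.append(f"{name} from unauthorised server {src}")
    for code, data in parse_options(payload):
        if code != OPTION_DNS_SERVERS:
            continue
        # Option body is a list of 16-byte IPv6 addresses.
        for i in range(0, len(data) - len(data) % 16, 16):
            dns = ipaddress.IPv6Address(data[i:i + 16])
            if dns not in ALLOWED_DNS:
                findings.append(f"{name} advertises unapproved DNS {dns}")
    return findings


def build_reply(dns):
    """Construct a minimal REPLY carrying one DNS server (sample input only)."""
    data = ipaddress.IPv6Address(dns).packed
    return bytes([7, 0xAA, 0xBB, 0xCC]) + struct.pack("!HH", 23, 16) + data
```

On a switch the same decision is made per port in hardware; a passive sensor running this logic only detects, it does not block.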

In the absence of basic network security we can’t simply expect that turning off one of the protocols will solve the problems. Securing the network infrastructure would mitigate much of the threat, so if an attacker gains physical access to it, they will have a hard time successfully connecting and sending any packets.

Deploy360 aims to help you deploy IPv6 securely, so please take a look at our IPv6 Security references to learn more.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
