Securing IPv6 Networks

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Windows Server 2003 currently supports the use of IPv6 only when IPv4 is also installed. Because TCP/IP internetworks are susceptible to a variety of attacks, ranging from passive attacks, such as eavesdropping, to active attacks, such as denial-of-service attacks, be sure to follow best practices for security when using IPv6 on your network. A few general and IPsec-related IPv6 security suggestions follow.

General Recommendations for Securing IPv6 Networks

Be aware of the following known security risks for IPv6, and consider reconfiguring your system to meet the recommendation that is shown for each:

  • The installation of an unauthorized router can cause reconfiguration of clients and rerouting of IPv6 traffic.

    To communicate with IPv6 nodes on other network segments, IPv6 must use a default router. A default router is automatically assigned based on the receipt of a router advertisement. Malicious users with physical access to the IPv6-enabled network can install an unauthorized IPv6 router on the network segment, enabling a denial-of-service attack on IPv6 hosts. The unauthorized IPv6 router can reconfigure IPv6 clients, set itself as the default router, reroute link traffic, and disrupt other network services.

    Recommendation: Ensure that unauthorized individuals do not have physical or wireless access to your network. For more information, see Best practices for security in Help and Support Center for Windows Server 2003.

  • Internet Connection Firewall (ICF) and Basic Firewall cannot filter or block IPv6 traffic.

    • ICF, which is available in the 32-bit versions of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition, restricts the traffic that can enter your network from the Internet. Because ICF can filter only IPv4 traffic, IPv6 traffic might get through the firewall and enter your network.

    • Basic Firewall, which is a component of Routing and Remote Access, can be enabled for public interfaces. Because Basic Firewall filters only IPv4 traffic, IPv6 traffic might get through the firewall and enter your network.

    Recommendation: If you are running IPv6 on your network, use firewall software or hardware that can filter and block IPv6 traffic.

  • On-link computers (computers on a link, or LAN segment) can take control of another IPv6 address, causing on-link devices to create an incorrect entry in their neighbor cache.

    Nodes on an IPv6 link use address resolution to resolve a neighboring node's IPv6 address to its link-layer address in the same way that nodes on an IPv4 link resolve addresses in IPv4. The resolved link-layer IPv6 address becomes an entry in a node's neighbor cache (equivalent to the ARP cache in IPv4). If an attacker causes an IPv6 node to maliciously use another node's address, it can cause other computers on the link to add a false entry to their neighbor cache. All traffic that is intended for the original computer goes instead to the attacker's computer, and the attacker can appear to send traffic from the original computer.

    Recommendation: Ensure that unauthorized individuals do not have physical or wireless access to your network. For more information, see Best practices for security in Help and Support Center for Windows Server 2003.

  • When native IPv6 connectivity is not present (that is, when an IPv6 router does not exist on the network segment), it is easier to spoof, or appear to use, off-link IPv6 source addresses.

    A common defense against IP source address spoofing involves using packet-filtering routers. However, because traffic between hosts on the same link does not cross a router, this protective filtering is not used and spoofing might go undetected.

    Although spoofing can occur in native IPv4 or IPv6 networks, where on-link hosts can spoof off-link addresses in communication with other hosts on the link, the threat is greater outside the native IPv6 network. Outside the native IPv6 network, encapsulation technologies are used. Because the logical link used for packet encapsulation spans a large portion of an IPv4 network (often the entire IPv4 Internet), an attacker can be anywhere on that IPv4 network and still spoof off-link addresses.

    Recommendation: Ensure that an IPv6 router is present on the network segment.

For more information about IPv6 security, see "Security information for IPv6" in Help and Support Center for Windows Server 2003.

Securing with IPsec on IPv6 Networks

The IPv6 protocol for Windows Server 2003 incorporates Internet Protocol security (IPsec), which protects IPv6 data as it is sent over the network. IPsec is a set of Internet standards that uses cryptographic security services to provide the following:

  • Confidentiality. Captured IPsec traffic cannot be deciphered without the appropriate encryption key.

  • Data origin authentication. IPsec traffic contains a cryptographic checksum that incorporates a shared encryption key so that the receiver can verify that it was actually sent by the apparent sender.

  • Data integrity. The cryptographic checksum is also used by the receiver to verify that the packet was not modified in transit.

IPsec in IPv6 is separate from, and does not interoperate with, IPsec for TCP/IP. IPsec policies that are configured with the IP Security Policies or Group Policy snap-ins have no effect on IPv6 traffic. You need to manually configure IPsec policies, security associations (SAs), and keys for IPv6. For more information about IPsec for TCP/IP, see Internet Protocol security (IPsec) in Help and Support Center for Windows Server 2003. For an example of configuring IPsec for IPv6, see "Using IPsec between two local link hosts" in Help and Support Center for Windows Server 2003.

In addition to the general security recommendations listed in the preceding section, follow these guidelines when you use IPv6 with IPsec:

  • Do not use IPsec for IPv6 in a production environment. The current implementation of IPsec for IPv6 is not recommended for use in a production environment because it relies on static keying, which means that it has no provisions for updating encryption keys when sequence numbers are reused.

  • Use random numbers to configure SPIs. When you manually configure IPsec Security Parameters Indexes (SPIs) for IPv6, always use random numbers so that you do not compromise the security of your IPsec for IPv6 policies.

  • Use only the supported form of Encapsulating Security Payload (ESP): ESP with NULL encryption. The IPv6 protocol for Windows Server 2003 does not support the use of IPsec ESP data encryption. However, the use of ESP with NULL encryption is supported. Although NULL encryption uses the ESP header, only data origin authentication and data integrity services are provided.
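
The last two guidelines can be seen together in a small model of an ESP packet with NULL encryption: the SPI is drawn from a cryptographic random source, the payload travels in cleartext, and only the integrity check value protects it. This is an added example, not code from the original article or from Windows; HMAC-SHA1-96 (RFC 2404) is an assumed authentication algorithm, the function names are hypothetical, and the packet layout follows RFC 4303.

```python
import hashlib
import hmac
import secrets
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404); assumed algorithm for this example

def random_spi() -> int:
    """Pick an unpredictable SPI, skipping 0-255, which RFC 4303 reserves."""
    return 256 + secrets.randbelow(2**32 - 256)

def esp_null_seal(spi: int, seq: int, key: bytes, payload: bytes, next_hdr: int = 6) -> bytes:
    """Build an ESP packet with NULL encryption (RFC 2410): payload stays cleartext."""
    pad_len = -(len(payload) + 2) % 4      # align the trailer to a 4-byte boundary
    pad = bytes(range(1, pad_len + 1))     # RFC 4303 default padding: 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + pad + bytes([pad_len, next_hdr])
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def esp_null_open(packet: bytes, key: bytes, spi: int) -> bytes:
    """Verify the SPI and the integrity check value, then return the payload."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if struct.unpack_from("!I", body)[0] != spi:
        raise ValueError("unknown SPI")
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    pad_len = body[-2]
    return body[8:len(body) - 2 - pad_len]

if __name__ == "__main__":
    key, spi = secrets.token_bytes(20), random_spi()   # constructed SA parameters
    payload = b"GET / HTTP/1.0\r\n"                    # constructed sample payload
    pkt = esp_null_seal(spi, 1, key, payload)
    print("payload readable on the wire:", payload in pkt)
    print("receiver accepts:", esp_null_open(pkt, key, spi) == payload)
```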

For more information about IPv6 security features, see "Security features for IPv6" in Help and Support Center for Windows Server 2003.