Security issues with IPv6

Deployment of a new generation of Internet protocols is on its way. It is a process that may take several years to complete. In the meantime, the deployment raises considerable new issues, being security one of the most compelling. From a security point of view, the new IPv6 protocol stack represents a considerable advance in relation to the old IPv4 stack. However, despite its innumerable virtues, IPv6 still continues to be by far vulnerable.

Dual-stack related security issues with IPv6 :
Presently, the Internet continues to be mostly IPv4 based. However, it is reasonable to expect that this scenario will change soon as more and more networks are migrated to the new protocol stack. Unfortunately, migrating millions of networks is going to take quite some time. In the meantime, some form of 6 to 4 dual-stack will supply the desired functionality. Without a doubt, IPv6-IPv4 dual stacks increase the potential for security vulnerabilities—as a consequence of having two infrastructures with specific security problems. However, most of the issues are not a direct result of specific IPv6 design flaws but mostly a result of inappropriate or careless configuration.

Header manipulation related security issues with IPv6:
The use of Extension header and IPSec can deter some common sources of attack based on header manipulation. However, the fact that EH must be processed by all stacks can be a source of trouble—a long chain of EH or some considerably large-size could be used to overwhelm certain nodes (e.g., firewalls) or masquerade an attack. The same does not apply to 6 to 4 transition networks. Although one approach to 6 to 4 transition is using some form of dual-stack functionality, another approach is using some type of tunneling. Because tunneling requires that a protocol is encapsulated in another, its use could be a source of security problems such as address spoofing—in this case if the spoofed address is used to masquerade an external packet as one that was originated from the inside network. Best practices recommend to filter out traffic with unsupported services.

Flooding related security issues with IPv6:
Scanning for valid host addresses and services is considerably more difficult in IPv6 networks than it is in IPv4 networks. As mentioned above, to effectively scan a whole IPv6 segment may take up to 580 billion years— because the address space uses 64 bits. However, the larger addressing space does not mean that IPv6 is totally invulnerable to this type of attack. Nor the lack of broadcast addresses makes IPv6 more secure. New features such as multicast addresses continue to be source of problems. Smurf-type attacks are still possible on multicast traffic. Again, filtering out unnecessary traffic is the recommended best practice.

Mobility related security issues with IPv6:
Mobility is a totally new feature of IPv6 that was not available in its predecessor. Mobility is a very complex function that raises a considerable amount of concern when considering security. Mobility uses two types of addresses, the real address and the mobile address. The first is a typical IPv6 address contained in an Extension header. The second is a temporary address contained in the IP header. Because of the characteristics of this networks (something more complicated if we consider wireless mobility), the temporary component of a mobile node address could be exposed to spoofing attacks on the home agent. Mobility requires special security measures and network administrators must be fully aware of them.