Archive for the ‘TCP/IP’ Category

IPv6's Biggest Risks

Like any other protocol, IPv6 has its own little problems. These weaknesses can mainly be exploited in the local network. The problem with IPv6 is that it is active on most systems, but the administrators are not aware of it.

  • Hidden IPv6 Traffic

If you are not using IPv6, block inbound and outbound IPv6 traffic on your firewall. Most firewalls still have handicaps with IPv6 compared to IPv4. Intrusion Protection Systems have only limited or no functionality for IPv6.

  • IPv6 Tunnels

Teredo, 6to4 and ISATAP make it possible to tunnel IPv6 through IPv4. To the administrator it looks like ordinary IPv4 traffic. This allows an attacker to bypass Intrusion Protection Systems and firewalls. Teredo can even establish unwanted bidirectional tunnels to the Internet.

  • Router and Duplicate Address Detection Spoofing

Under IPv6 it is relatively simple to execute Router Spoofing and Duplicate Address Detection Spoofing. Similar attacks are possible under IPv4 as well. Because knowledge about IPv6 is lacking, these attacks are very effective.

  • Rogue Router

Today, almost all devices have IPv6 turned on, but it is not actively used. That means all of these devices are just waiting for a Router Advertisement to become active. This advertisement is the trigger for every device to configure an IPv6 address and start actively using IPv6. Placing a rogue router in your network ends in a big mess.

The biggest danger with IPv6 is to ignore it. Even if you have no IPv6 connection to the Internet, it is here. IPv6 is not something that will only arrive in the far future.

If you do not want to use IPv6, then make not using it a deliberate decision.
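To make the "IPv6 Tunnels" item above concrete, here is an added example (not part of the original post) that classifies raw IPv4 packets as likely tunnel carriers. It assumes the well-known encapsulations: IP protocol 41 for 6to4 and ISATAP, and UDP port 3544 for Teredo servers. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

TEREDO_PORT = 3544                      # UDP port of Teredo servers (assumption: RFC 4380 default)
PROTO_UDP, PROTO_IPV6_IN_IPV4 = 17, 41  # protocol 41 carries 6to4 and ISATAP

def classify_tunnel(packet: bytes):
    """Return 'teredo', '6to4', 'isatap', 'proto41' or None for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if not 20 <= ihl <= len(packet):
        return None
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "teredo" if TEREDO_PORT in (sport, dport) else None
    if proto != PROTO_IPV6_IN_IPV4:
        return None
    if len(payload) < 40 or payload[0] >> 4 != 6:  # no full inner IPv6 header
        return "proto41"
    inner = (payload[8:24], payload[24:40])        # inner source and destination
    if any(a[:2] == b"\x20\x02" for a in inner):   # 2002::/16 is the 6to4 prefix
        return "6to4"
    if any(a[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe") for a in inner):
        return "isatap"                            # ISATAP interface identifier
    return "proto41"

def ipv4_packet(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    # Constructed sample; checksum stays 0 because the classifier ignores it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def ipv6_header(src, dst):
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

SAMPLES = {  # constructed packets, documentation address ranges only
    "teredo": ipv4_packet(17, struct.pack("!HHHH", 51000, 3544, 8, 0)),
    "6to4": ipv4_packet(41, ipv6_header("2002:c000:20a::1", "2001:db8::1")),
    "isatap": ipv4_packet(41, ipv6_header("fe80::5efe:c000:20a", "fe80::5efe:c633:6401")),
    "dns": ipv4_packet(17, struct.pack("!HHHH", 51000, 53, 8, 0)),
}

def scan(samples=SAMPLES):
    return {name: classify_tunnel(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    print(scan())
```

The Teredo match is a port heuristic: it catches client-to-server traffic, while relayed Teredo traffic can use other UDP ports, so blocking IPv6 you do not use remains the primary control.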

What is IPv6

For most people it is not obvious what the change from IPv4 to IPv6 really means. It is actually very simple. IP addresses are like phone numbers.

A long time ago, there was only one telephone in one village. The number range was much smaller in those times than it is now. Today every person has at least one mobile, a land line, a fax line. To have enough telephone numbers, the range of numbers has been expanded. Exactly the same happens with IPv6. In theory, you only get a much bigger number range.

Because IP was developed a long time ago, it is an old protocol. Of course there have been some changes over time, but IPv6 also contains some improvements over IPv4.

If you look at how computer communication works, it mainly consists of 5 layers:

  • Link Layer
  • Network Layer
  • Transport Layer
  • Application Layer

The Link Layer is the physical connection. Basically the cable. Or you could compare it with a road.

The Network Layer is responsible for the addressing. Compare it with the Post. If I send a letter to Fantasy Road 22 in Houston, Texas, I hand over the letter to the post office. They know how to handle the letter and where to send it. At some point the letter arrives in Houston. I do not have to know where Houston is. The Post is doing it for me. Or the Network Layer.

While the Network Layer is only in charge of addressing the devices, the Transport Layer addresses the individual services. Services are identified using ports. At Fantasy Road 22 in Houston you have multiple apartments. In every apartment you have multiple persons. The Transport Layer now defines the person who gets the letter, Mr. Miller.

The top layer is the Application Layer. The Application Layer defines the kind of information which is exchanged. Is the letter an invoice or an order? In the network environment it defines the kind of traffic: DNS, SMTP, SSH, HTTP …

Changing IPv4 to IPv6 only changes the Network Layer. The other 3 layers remain the same. Of course there are small changes in the Transport and in the Application Layer, but the real change only affects one layer.

Application Layer: DNS, SSH, SMTP, HTTP, IMAP, …
Transport Layer: TCP, UDP
Network Layer: IP(v4), IP(v6)
Link Layer: Ethernet, PPP, Fiber, DSL

Remaining IPv4 Addresses

The remaining IPv4 address space is getting exhausted in a number of days. It is definitely time to take a closer look at IPv6.

IPv4 Address Exhaustion Projection
APNIC ran out of IPv4 addresses.
RIPE should have no IPv4 addresses left by June 2012.
