Security information for IPv6

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The use of IPv6 is currently supported only when IPv4 is also installed. TCP/IP internetworks are susceptible to a variety of possible attacks, from passive attacks (such as eavesdropping) to active attacks (such as denial-of-service attacks). For more information, see Security issues with IP.

It is important to follow best practices for security when using IPv6 on your network. For more information, see Best practices for security.

Following is known security information for IPv6:

  • The installation of an unauthorized router can cause reconfiguration of clients and rerouting of IPv6 traffic

    Configuration of IPv6 addresses is based on the receipt of Router Advertisement messages from IPv6 routers. In addition, to communicate with IPv6 nodes on other network segments, IPv6 must use a default router. A default router is automatically assigned based on the receipt of a router advertisement.

    Malicious users with physical access to the IPv6-enabled network can cause a denial-of-service attack on IPv6 hosts by installing an unauthorized IPv6 router on the network segment. The unauthorized IPv6 router can reconfigure IPv6 clients, set itself as the default router, reroute link traffic, and disrupt other network services.

    Recommendations:

    • Ensure that unauthorized persons do not have physical or wireless access to your network.

  • Internet Connection Firewall (ICF) and Basic Firewall cannot filter or block IPv6 traffic

    ICF, available on the 32-bit editions of Microsoft® Windows Server® 2003, Standard Edition and Windows Server 2003, Enterprise Edition, is used to restrict the traffic that is allowed to enter your network from the Internet. Because ICF can only filter IPv4 traffic, IPv6 traffic might circumvent the firewall and enter your network.

    Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer that is a member of the Windows Server 2003 family and is running Routing and Remote Access. Because Basic Firewall can only filter IPv4 traffic, IPv6 traffic might circumvent the firewall and enter your network.

    Recommendations:

    • Use firewall software that can filter and block IPv6 traffic if you are running IPv6 on your network.

  • On-link computers can take control of another IPv6 address, causing on-link devices to create an incorrect entry in their neighbor cache

    Nodes on an IPv6 link use address resolution to resolve a neighboring node's IPv6 address to its link-layer address (equivalent to ARP in IPv4). The resolved link-layer address becomes an entry in a node's neighbor cache (equivalent to the ARP cache in IPv4). If an IPv6 node uses another node's address, it can cause other computers on the link to add a false entry to their neighbor cache. All traffic intended for the original computer instead goes to the attacker's computer, and the attacker can appear to send traffic from the original computer.

    Recommendations:

    • Ensure that unauthorized persons do not have physical or wireless access to your network.
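
    A monitor for both link-local threats described above (the unauthorized router and the poisoned neighbor cache), written here as an added example and not code from the Windows Server 2003 IPv6 stack: it parses ICMPv6 Router Advertisement and Neighbor Advertisement messages, flags an RA whose source is not in an assumed AUTHORIZED_ROUTERS set, and flags a Neighbor Advertisement that maps an already-resolved address to a different link-layer address. AUTHORIZED_ROUTERS and the SAMPLE traffic are constructed values, not captured from a real link.

```python
import ipaddress
import struct

# ICMPv6 Neighbor Discovery message and option types (RFC 4861).
ROUTER_ADVERTISEMENT, NEIGHBOR_ADVERTISEMENT, OPT_TARGET_LLADDR = 134, 136, 2
# Assumption: link-local address of the only router deployed on this link.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}

def parse_nd_options(data):
    """Split the TLV options after an ND message body into (type, value) pairs."""
    opts = []
    while len(data) >= 8 and data[1]:  # length is in 8-octet units; 0 is malformed
        otype, olen = data[0], data[1]
        opts.append((otype, data[2:olen * 8]))
        data = data[olen * 8:]
    return opts

def audit_nd(messages):
    """Return alert strings for (ipv6_src, icmpv6_bytes) pairs seen on the link."""
    alerts, neighbor_cache = [], {}  # target address -> first link-layer address seen
    for src, pkt in messages:
        if pkt[0] == ROUTER_ADVERTISEMENT:
            # RA: hop limit, flags, router lifetime (bytes 6-7), timers, then options.
            lifetime = struct.unpack("!H", pkt[6:8])[0]
            if lifetime > 0 and ipaddress.IPv6Address(src) not in AUTHORIZED_ROUTERS:
                alerts.append(f"rogue RA from {src} offering itself as default router")
        elif pkt[0] == NEIGHBOR_ADVERTISEMENT:
            # NA: 4 bytes of flags, the 16-byte target address, then options.
            target = ipaddress.IPv6Address(pkt[8:24])
            for otype, value in parse_nd_options(pkt[24:]):
                if otype == OPT_TARGET_LLADDR:
                    mac = value[:6].hex(":")
                    known = neighbor_cache.setdefault(target, mac)
                    if known != mac:
                        alerts.append(f"{target} claimed by {mac}, cache has {known}")
    return alerts

# Constructed sample traffic (not a capture): a legitimate RA, a rogue RA, and
# an NA in which a second host claims an address the cache already resolved.
def build_ra(lifetime):
    return struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)

def build_na(target, mac_hex):
    head = struct.pack("!BBHI", NEIGHBOR_ADVERTISEMENT, 0, 0, 0x20000000)
    return (head + ipaddress.IPv6Address(target).packed
            + bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac_hex))

SAMPLE = [("fe80::1", build_ra(1800)), ("fe80::dead", build_ra(1800)),
          ("fe80::10", build_na("fe80::10", "001122334455")),
          ("fe80::bad", build_na("fe80::10", "66778899aabb"))]
```

    Running audit_nd(SAMPLE) reports the RA from fe80::dead and the second claim on fe80::10; on a real link the same logic would be fed from a packet capture of ICMPv6 types 134 and 136.
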

  • When native IPv6 connectivity is not present, spoofing off-link IPv6 source addresses is easier

    The common defense against IP source address spoofing is ingress and egress filtering of packet source addresses by routers. Because traffic between hosts on the same link does not cross a router, this protective filtering is not applied to on-link traffic.

    While this threat applies to native connectivity (in both IPv4 and IPv6) where on-link hosts can spoof off-link addresses in communication with other hosts on the link, the threat is greater when native connectivity does not exist. When native IPv6 connectivity is not present, encapsulation technologies such as ISATAP and 6to4 are used.

    Because the virtual link used for packet encapsulation spans a large logical area of the network (for example, in the case of 6to4, the entire IPv4 Internet), an attacker can be anywhere on the IPv4 Internet and still spoof off-link addresses.

    Recommendations:

    • Ensure that native IPv6 connectivity is present.
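
    A decapsulation-side consistency check for the encapsulated case above, added here as an example and not code from the Windows Server 2003 IPv6 stack: a 6to4 address (2002:WWXX:YYZZ::/48) and an ISATAP interface identifier (::0:5EFE:w.x.y.z or ::200:5EFE:w.x.y.z) each embed an IPv4 address, so a tunnel endpoint can drop a protocol-41 packet whose outer IPv4 source does not match the address embedded in the inner IPv6 source, which is the check the 6to4 and ISATAP specifications require of a decapsulating node. All addresses and the SAMPLE list are constructed.

```python
import ipaddress

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ::0:5EFE and ::200:5EFE

def embedded_ipv4(inner_src):
    """Return the IPv4 address a 6to4 or ISATAP IPv6 address embeds, else None."""
    addr = ipaddress.IPv6Address(inner_src)
    raw = addr.packed
    if addr in SIXTO4_PREFIX:
        return ipaddress.IPv4Address(raw[2:6])    # 2002:WWXX:YYZZ::/48
    if raw[8:12] in ISATAP_IIDS:
        return ipaddress.IPv4Address(raw[12:16])  # ...:5EFE:w.x.y.z
    return None

def decap_decision(outer_src, inner_src):
    """Decide whether a protocol-41 packet passes the source consistency check."""
    embedded = embedded_ipv4(inner_src)
    if embedded is None:
        return "no embedded address; apply the site's relay policy instead"
    if embedded != ipaddress.IPv4Address(outer_src):
        return f"drop: inner source embeds {embedded} but outer IPv4 source is {outer_src}"
    return "accept"

# Constructed sample packets (outer IPv4 source, inner IPv6 source), not captures.
SAMPLE = [
    ("198.51.100.7", "2002:c633:6407::1"),  # consistent 6to4 site
    ("203.0.113.9", "2002:c633:6407::1"),   # same inner address, different outer
    ("10.0.0.5", "fe80::5efe:10.0.0.5"),    # consistent ISATAP link-local
    ("10.0.0.9", "fe80::5efe:10.0.0.5"),    # ISATAP address claimed from elsewhere
    ("198.51.100.7", "2001:db8::1"),        # native inner source, no embedded IPv4
]

if __name__ == "__main__":
    for outer, inner in SAMPLE:
        print(f"{outer} -> {inner}: {decap_decision(outer, inner)}")
```

    The check only rejects an inconsistent pair; a sender who forges the outer IPv4 source to match the inner address is stopped only by IPv4 ingress filtering on the path, which is why the recommendation above is native IPv6 connectivity rather than tunnelling.
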

Note

  • When the computer running IPv6 is started, IPv6 logs event ID 3100 in the system event log.

Additional information

  • This implementation of IPSec for IPv6 is not recommended for use in a production environment because it relies on static keying and has no provisions for updating keys upon sequence number reuse.

  • When you manually configure Security Parameters Indexes (SPIs) for IPSec for IPv6, always use random numbers. Do not use sequential numbers for SPIs, or you will compromise the security of your IPSec for IPv6 policies.

  • The IPv6 protocol for the Windows Server 2003 family does not support the use of IPSec Encapsulating Security Payload (ESP) encryption. However, the use of ESP with NULL encryption is supported. Although NULL encryption uses the ESP header, only data origin authentication and data integrity services are provided.

  • Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.

  • Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.

For additional information about IPv6 security, see Security features for IPv6 and Using IPSec between two local link hosts.