There’s plenty of material online on the IPv6 vs. IPv4 topic. Suffice it to say that IPv6 provides a gazillion times more addresses than IPv4, making address space exhaustion a non-issue and obsoleting workarounds such as NAT, which has been used for many years to extend IPv4’s life.
That’s the good news. With IPv6, you can install all the internet-connected devices you want and they will get online with no danger of running out of addresses. The less good news is that IPv6 adoption has been slow and many people aren’t very knowledgeable about it. Some may not even be aware that they’re on it, which could be a weak link in terms of security.
Suppose I told you that every IPv6 internet-connected device in your home or office is visible online, naked, with very little or no protection. You may reply that they’re behind a router, which does the firewalling. That’s where you may be wrong.
As many ISPs have rolled out IPv6, many existing routers and devices in homes or offices that have been relied on for years just acquire what are known as global unicast addresses and put themselves online for everyone to see and access: no protection, no firewalling, no security. The older routers with their older firmware may have settings to configure IPv4 security, but many offer little or no capability for IPv6. They just route IPv6 with no firewalling.
This means that each online device must handle its own security, which is not very practical and can be error-prone. In my case, I knew my home router didn’t have any IPv6 security settings, but I’d believed it was blocking externally initiated connections by default. Not so, as I discovered that my Windows laptop’s Remote Desktop was fully open online for anyone to attempt a connection via IPv6.
To be sure, there are mitigating factors. Some devices on the network may not even be IPv6-capable, while others may have defenses by default. Also, the IPv6 address space is so vast that scanning the network is expensive and lengthy, especially since in most cases those addresses are rotated periodically. Even so, online scanners, including crawlers such as Shodan, are getting faster and more efficient all the time, and there are other ways of discovering live IPv6 hosts, such as a web site, controlled by an attacker, capturing the IPv6 addresses of the clients that reach it.
With that, here are some steps to take to protect against potential IPv6 threats:
- Check if you are even assigned an IPv6 address.
- Check if the router already blocks IPv6 connection attempts by default, or if there are settings for that.
- Update the router’s firmware, which may add IPv6 settings; otherwise, replace the router with another that has IPv6 firewall settings.
- Bolster IPv6 defenses for all the IPv6-capable devices on the network, or disable IPv6 on the devices that don’t need it.
- If IPv6 is not needed, just disable it on the router. That way no device on the network will acquire a public IPv6 address, including the router itself.
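
One way to carry out the first and fourth checks on a Linux host, as an added example that is not from the original post: it parses the kernel’s `/proc/net/if_inet6` and `/proc/net/tcp6` tables to find global unicast addresses and the TCP ports listening on them. The sample tables are constructed, the function names are this example’s own, and a little-endian host is assumed.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # RFC 4291 global unicast range

# Constructed samples in the Linux /proc/net/if_inet6 and /proc/net/tcp6 formats.
# 2001:db8::/32 is the documentation prefix, standing in for an ISP-assigned one.
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80 lo
fe80000000000000021122fffe334455 02 40 20 80 eth0
20010db800010000021122fffe334455 02 40 00 00 eth0
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0D3D 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A
   2: B80D012000000100FF221102554433FE:01BB 00000000000000000000000000000000:0000 0A
   3: B80D012000000100FF221102554433FE:D431 B80D0120000002000000000000000001:01BB 01
"""

def global_addresses(if_inet6_text):
    """Return [(ifname, address)] for addresses inside 2000::/3."""
    rows = (line.split() for line in if_inet6_text.splitlines())
    pairs = [(f[5], ipaddress.IPv6Address(bytes.fromhex(f[0]))) for f in rows if len(f) == 6]
    return [(name, addr) for name, addr in pairs if addr in GLOBAL_UNICAST]

def listeners(tcp6_text):
    """Return [(address, port)] for sockets in LISTEN state (st == 0A)."""
    out = []
    for fields in (line.split() for line in tcp6_text.splitlines()[1:]):
        if len(fields) < 4 or fields[3] != "0A":
            continue  # skip established connections and malformed rows
        hex_addr, hex_port = fields[1].split(":")
        raw = bytes.fromhex(hex_addr)
        # Assumption: little-endian host, so each 32-bit word is byte-swapped.
        addr = ipaddress.IPv6Address(b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4)))
        out.append((addr, int(hex_port, 16)))
    return out

def exposed_ports(if_inet6_text, tcp6_text):
    """Listening ports reachable on a global address unless a firewall filters them."""
    global_set = {addr for _, addr in global_addresses(if_inet6_text)}
    return sorted({port for addr, port in listeners(tcp6_text)
                   if global_set and (addr.is_unspecified or addr in global_set)})

if __name__ == "__main__":
    # On a real host, read /proc/net/if_inet6 and /proc/net/tcp6 instead of the samples.
    print(global_addresses(SAMPLE_IF_INET6))
    print(exposed_ports(SAMPLE_IF_INET6, SAMPLE_TCP6))
```

In the sample, port 3389 (Remote Desktop) is bound to the wildcard address and port 443 to the global address, so both are reported, while the loopback-only listener on port 631 is not.
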
While IPv6 continues to proliferate around the world, it’s still not at a level needed for most people. In almost all cases, IPv4 (with NAT) is still adequate to do everything online.
In my case, I decided to disable IPv6 on the home router and have had no adverse effects so far.