IPV6, as we already said, is intended as a more secure option for internet and network connectivity. When it was designed it was built with a few things like security availability and tracking in mind. One of the features of IPV6 that is touted as a security feature is the difficulty in masking your connection address. This makes the possibility of spoofing an IPV6 address very unlikely (although certainly not impossible).
Of greater concern is privacy when using IPV6 although many operating systems have Privacy extensions in place to prevent a systems MAC address from being exposed inside the IPV6 address. In typical IPV6 addresses the host identifier portion of the address is usually generated from the MAC address of the network card in use; again in most operating systems this is not an issue, but in many hardware devices (routers etc) they do not have the privacy extensions enabled and make their activity easier to track.
The recent comments from the FBI that monitoring and tracking efforts would become more difficult with IPV6 forgot to mention this. They did cover the issue of the number of external addresses assigned to each home. Currently each home gets a very small range of IP addresses (usually only one) as an example if you were to look at the IP address assigned by your ISP you would see something like this;
IP Address 220.127.116.11
Subnet Mask 255.255.252.0
Default Gateway 18.104.22.168
This little bit of numbering shows you quite a bit about the network you are on. By taking your Subnet mask and applying it against your IP address you can easily identify the number of other systems inside your “network” in our example here there are 1022 usable IP addresses in this little group of which you own one. These blocks of IP addresses are assigned by certain geographical locations are well and can be narrowed down to the exact location they are assigned (when talking about home systems) as the assignment of these links your IP address to the MAC in the DHCP server that assigned it.
Now the 128-bit IPV6 address part of the actual address will be a 64-bit subnet identifier and the other 64 will identify the interface. It is the interface identity that is of concern here. As we mentioned before this part of the address is derived from the MAC address of the interface. Unlike IPV4 It is not merely associated with the MAC in the DHCP server, but it is part of the actual address. This means that data packets originating from your system have the Unique MAC address of your network card embedded in them (if you are using IPV6). In Windows, OSX and Linux there are privacy extensions that mask this with an empirical address to prevent direct monitoring as well as the option for Internet Protocol Security (IPSec) to encrypt the packets to prevent snooping and monitoring activity.
However, right now many of the hardware devices that support IPV6 do not support these features and when they redirect the traffic they can leave their own fingerprint allowing someone to track your information almost as easily as they can with IVP4.
It is also worth noting that if your firewall does not support IPV6 it can leak information out to the internet if you do not have certain precautions in place. These are precautions that most residential routers do not support just yet. So if you have IVP6 traffic on your network (and IVP6 is enabled by default in Windows Vista, Windows 7 and Windows 8 your home router could accidentally send traffic out over IVP4 protocol 41 and accept requests for that traffic if someone sends a request using the same protocol.
Oddly enough this does not seem to deter proponents of IPV6 some of which seem to feel that there will be no need for residential routers or firewalls. Tri Nguyen from ZyXEL has said “All devices will be accessible on the public network, making it easier for people to manage things like home automation, file sharing, online gaming, peer-to-peer programs and other applications without complex settings on their router”
However, this is exactly the type of thing that we should not want. Even with the extra security in IPV6 it is not fool proof, there needs to be a barrier between the user and the open internet. It is exactly this type of thinking that has gotten critical infrastructure devices like SCADA placed on open internet connections. It is foolish to think that there will not be a way to spoof packets or to spoof IPV6 Addresses after all for years it was thought that you could not spoof a MAC address and that turned out to be very possible.
So as we head into the next generation of the Internet and we see IPV6 at its forefront remember that the idea of every device being on the open internet and not behind a firewall is not something to push for at least not from a privacy and security standpoint. Although IPV6 does have better security features it is also just as trackable as IPV4 and the IPSec rules in place are nothing to decrypt for agencies like the FBI, NSA and CIA (or for most ISPs for that matter). After all there are bills in place that will require companies to provide the decryption keys to law enforcement before releasing products to the public. If you think that your ISP, Microsoft, Google, Apple or any other corporation will somehow be excluded you are sadly mistaken.
To wrap up this simplistic (and unfortunately rambling) article IPV6 offers the benefit of more IP addresses for devices, but also comes with a few concerns and security risks of its own. It might be more secure than IPV4, but nothing is completely secure and we are confident that we will start to hear about holes and more privacy risks in the IPV6 security very soon…
Discuss this in our Forum