Introduction

Microsoft is a well-known software manufacturer that has released widely used products such as Word, Excel, the Windows operating system (OS), and its newest venture, Copilot (an AI assistant built into Windows). Microsoft continuously tries to innovate and create new routes and solutions that let its customers use its technology effectively and comfortably. One sector in which Microsoft is particularly influential is enterprise networking, which for this article we can define as the use of interlinked computer systems within organizations. Because Microsoft loves to be at the forefront of software, it often runs into security issues that cannot be foreseen. In this article we will explore Microsoft’s implementation of the IPv6 protocol: what IPv6 is, how it is used in enterprise networking, and what potential security risks it brings to an organization. All of these areas will help any organization determine whether IPv6 truly is a friend or foe within its enterprise network.

What is IPv6?

To begin, let’s define what IPv6 is. First, an IP address is a number that identifies a unique device on a public or private network. Second, it is important to understand the different types of IP addresses; for this article, we will focus on IPv4 and IPv6. IPv4 is the most common type of IP address. An IPv4 address uses the following structure: “127.0.0.1”. As you can see, the number is divided by dots into four sections, each of which is referred to as an octet. Octets have 254 usable numbers within them. That means that any combination of numbers from 1.0.0.0 to 254.254.254.254 can theoretically be used to create an IPv4 address. IPv6, however, follows a different format, which can be seen in the following example: “0:0:0:0:0:0:0:1”. This address is the IPv6 counterpart of “127.0.0.1”. Each section of an IPv6 address is written in hexadecimal. I know what you’re thinking: why do we have two different versions of IP addresses? Well, the short answer is that IPv4 will eventually exhaust all the possible combinations of IP addresses that exist; because of this, IPv6 creates a space where far more combinations are available, and thus we are far less likely to run out of IP addresses anytime soon.

What is IPv6 Used For?

Now that we have covered what IPv6 is, let’s explore how it is commonly used in enterprise networking. In the introduction, we discussed how widely Microsoft software solutions are deployed in organizations today; notably, almost all organizations run a considerable number of devices on Windows OS. One thing Windows OS enables by default is IPv6 Dynamic Host Configuration Protocol (DHCP). This protocol dynamically assigns IP addresses to devices once they arrive on the network. Each assigned IPv6 address comes with a lease that sets how long the device may use it; once that lease expires, the device is allocated a new IPv6 address. The main advantage is that it makes setting up a network much easier for a network administrator, who no longer has to assign an IP address to each device. Sounds great, right? The convenience of this technology seems to offer an efficient solution for overworked IT staff and IT administrators alike. But in information security, convenience and security are always playing a game of tug-of-war, and even though this solution seems great, it has some serious information security implications.

IPv6 Attack Vectors

In this section of the article, two main attack vectors will be discussed. The first, which TraceSecurity analysts commonly use in almost all of the internal penetration tests we conduct, is IPv6 DHCP spoofing: leveraging the presence of IPv6 DHCP to impersonate other devices with IPv6 enabled. This attack vector often leads to the capture of password hashes and to authentication relay attacks. Either of these follow-on attacks, in the right circumstances, can be used to create the conditions for an Active Directory takeover. Once a tester has taken over Active Directory, they can access all domain-joined machines, allowing them to extract sensitive information, move between domain-joined devices, and install malware or other code to maintain persistence on the network.

The second attack vector is known as Windows TCP/IP Remote Code Execution (RCE). This vulnerability was discovered earlier this year and has a CVE assigned to it (CVE-2024-38063). According to Microsoft, “an unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution.” (https://msrc.microsoft.com/upd...) In this case, the only thing that needs to be enabled for an attacker to run code remotely on a device in an organization’s enterprise network is IPv6. The general recommendation here is to disable the use of IPv6 within an internal network; however, it is worth noting that IPv6 is required for some functionality and communication between Windows hosts. Microsoft notes: “Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions. We do not recommend that you disable IPv6 or its components. If you do, some Windows components may not function. We recommend using Prefer IPv4 over IPv6 in prefix policies instead of disabling IPv6.” (https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-ipv6-in-windows#summary). With that said, the most effective form of remediation here is to leave IPv6 enabled and ensure that IPv4 is preferred over IPv6.
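As an added example that is not part of the original article or any TraceSecurity tooling, the following PowerShell audits a Windows host for the traces a rogue IPv6 DHCP server would leave behind (dynamically assigned IPv6 addresses, unexpected IPv6 DNS servers and default routes, as discussed in the two previous sections) and then checks or applies the "Prefer IPv4 over IPv6" setting that Microsoft recommends above, using the DisabledComponents registry value documented in the linked Microsoft article. The `-Remediate` switch is this script's own parameter (an assumption), and the script never disables IPv6.

```powershell
# Added example (not from the original article): audit a Windows host's IPv6 posture.
# Run in an elevated PowerShell session. Pass -Remediate to set "Prefer IPv4 over IPv6".
param([switch]$Remediate)

$tcpip6Params  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$PreferIPv4Bit = 0x20   # documented DisabledComponents bit: prefer IPv4 over IPv6 in prefix policies

Write-Host "== IPv6 addresses learned dynamically (DHCPv6 or router advertisement) =="
# If the organization runs no DHCPv6 server, a PrefixOrigin/SuffixOrigin of 'Dhcp'
# means some other host on the segment answered this client's DHCPv6 Solicit.
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' -or $_.SuffixOrigin -eq 'Dhcp' -or
                   $_.PrefixOrigin -eq 'RouterAdvertisement' } |
    Format-Table InterfaceAlias, IPAddress, PrefixOrigin, SuffixOrigin -AutoSize

Write-Host "== IPv6 DNS servers configured per interface =="
# A spoofed DHCPv6 server usually hands out its own address as the DNS server;
# anything outside the corporate resolver list deserves a closer look.
Get-DnsClientServerAddress -AddressFamily IPv6 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

Write-Host "== IPv6 default routes (NextHop is whichever router advertised itself) =="
Get-NetRoute -AddressFamily IPv6 -DestinationPrefix '::/0' -ErrorAction SilentlyContinue |
    Format-Table InterfaceAlias, NextHop, RouteMetric -AutoSize

Write-Host "== Prefix policy table (::ffff:0:0/96 should outrank ::/0 once IPv4 is preferred) =="
netsh interface ipv6 show prefixpolicies

# Read the current DisabledComponents value; a missing value behaves like 0 (all components on).
$current = (Get-ItemProperty -Path $tcpip6Params -Name DisabledComponents `
            -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $current) { $current = 0 }
$prefersIPv4 = ($current -band $PreferIPv4Bit) -ne 0
Write-Host ("DisabledComponents = 0x{0:X}; prefer IPv4 over IPv6: {1}" -f $current, $prefersIPv4)

if ($Remediate -and -not $prefersIPv4) {
    # OR the bit in so any other configured bits are preserved; IPv6 itself stays enabled.
    New-ItemProperty -Path $tcpip6Params -Name DisabledComponents `
        -Value ($current -bor $PreferIPv4Bit) -PropertyType DWord -Force | Out-Null
    Write-Host "Set the prefer-IPv4 bit; a reboot is required for the prefix policy change to apply."
}
```

The audit half is read-only and safe to run on any host; only the `-Remediate` branch writes to the registry, and the change takes effect after the next reboot.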

Conclusion

Now that we have explored IPv6, how it is typically utilized in an enterprise network, and its information security implications, it is time for your organization to ask itself: Will you reach the end of the IPv4 allocation space? Do the convenience benefits outweigh the security risks? And finally, is IPv6 your friend or your foe?

Justin Brose, Information Security Analyst

Justin started at TraceSecurity as a part of the Associate Information Security Analyst Team where he focused on external penetration tests and vulnerability assessments, as well as remote social engineering. Since being promoted to a full-time ISA, he has taken on more intense penetration testing projects for both internal and external networks. Justin graduated from Louisiana State University with a Bachelor of Science in Information Systems and Decision Science and has earned certifications in eJPT, CompTIA Security+, AWS Cloud Practitioner, and SAFe Scrum Master.