Does IPv6 tunneling present any problem for firewall in an IPv4 network? Explain your reasoning for...

Yes, there is a problem for firewall in an IPv4 network which is presented by IPv6 tunneling. There has been a discussion about IPv6 tunneling for years now and even though actual IPv6 deployments have become more common since summer 2008, the vast majority of networks only run IPv4 network. The main reason for running the network in IPv4 is of the following uses i.e; The reason is quite simple: even if a network runs only IPv4, IPv6-enabled hosts can communicate over IPv6 natively with layer-2 adjacent nodes or by using transition mechanisms like 6to4 or ISATAP or Teredo tunnels. As soon as two IPv6 hosts can communicate, this communication channel can be used as an attack channel. And when the attack channel is used here comes a major problem of the firewall will be under the protection zone to protect the network. As a result, all network administrators and security officers should learn more about IPv6 and its security threats and mitigation techniques even before deploying IPv6 in their network.

• The move to IPv6 will not happen overnight or with all routers and nodes moving over IPv6 on a specific point in time. The IETF has standardized several tunnel-based transition techniques to allow a dual-stack node (this is a node with IPv4 and IPv6 protocol stacks) to communicate with another IPv6 node over an IPv4-only network. While some tunnels are statically configured very much like GRE or classic IPsec tunnels, others are dynamic (very much like Cisco Dynamic Multipoint VPN (DMVPN)). The dynamic tunnels include three types of tunnel-based techniques. They are,

1. ISATAP (RFC 5214): To link a single host to an ISATAP tunnel server (such as an IOS router) and through this server to an IPv6 node, it uses IPv4 protocol 41. It is mainly used within an organization because it can be used with RFC 1918 addresses. The default tunnel server is the host named isatap on the default DNS domain.

2. 6to4 (RFC 3056): To connect a single host or multiple networks to IPv6, it relies on IPv4 protocol 41. It requires the use of a globally routable address, or in other words, it does not work with RFC 1918 addresses. The default 6to4 relay acting as a gateway between IPv6 and IPv4 has a well-known address: 192.88.99.1, which is anycast (meaning that several organizations run a 6to4 relay and advertise its existence to their neighbor).

3. Teredo (RFC 4380): To link a single computer to IPv6, it relies on UDP to allow the tunnel to traverse NAT devices. Teredo uses UDP port 3544 to communicate with Teredo servers which are used as dispatchers between Teredo clients and Teredo relays.

• The main threats or problems that IPv6 tunneling to the firewall in an IPv4 network are as follows:

Here the threats are relevant only if you do not know the current impact of IPv6 tunneling present on your existing IPv4-network. As usual, knowledge is the key element of security. The threats are of two types. They are;

1. Fate-sharing
2. De-perimeterization

Here the two types are been explained that the problems to be discussed in the following and elaborated as

• Fate-sharing: Dual-stack hosts open two attack channels for the miscreant: over IPv4 and over IPv6. As several operating systems have IPv6 enabled by default (for example, Windows Vista, Windows 2008, Mac OS/X and so on), this means that each and every host running those operating systems must be protected against IPv4 and IPv6 attacks. This is also called fate-sharing: a dual-stack host is as secure as its weakest protocol stack is secure... And quite often, the IPv6 stack has either no protection at all (i.e. no personal IPv6 firewall) or non-configured protection (i.e. the personal firewall is for both IPv4 and IPv6 but the IPv6 side is not configured).
• De-perimeterization: Dynamic tunnels are often enabled by default (like 6to4 tunnels) or can be enabled by the users when they install some software packages. An example is Torrent versions (a BitTorrent client for Windows) which can configure the Teredo tunnel on behalf of the user. Depending on the security policy of the organization, those dynamic tunnels could traverse the firewall and allow remote IPv6 attackers to attack the internal network from the outside by using this dynamic tunnel, bypassing the perimeter firewall. This is also called perimeter erosion.

• The different scenarios involving IPv6 tunneling are:

• For minimizing the transitions, all the routers on the way between the two IPv6 nodes do need to support IPv6. This method of transition is called tunneling. Primarily IPv6 packets are placed inside IPv4 packets then the packets are routed through the IPv4 routers. One of the objections to integrating IPv6 into the current IPv4 networks is the ability to transport IPv6 packets over IPv4 –only networks. Tunneling or in IPv6 known as overlay tunnel can be used. IPv6 packets are encapsulated through the overlay tunnel in IPv4 packets for delivery across IPv4 infrastructure. The main disadvantage of tunneling is that it does not let communication between users of new protocols and old protocols without dual-stack hosts.
  • Security Implications of Tunneling Mechanisms
  Unless properly managed, tunneling mechanisms might result in negative security implications. For example, they might increase host exposure, might be leveraged to evade security controls, might contain protocol-based vulnerabilities, and/or the corresponding code might contain bugs with security implications.

NOTE: [RFC6169] describes the security implications of tunneling mechanisms in detail. Of the plethora of tunneling mechanisms that have so far been standardized and widely implemented, the so- called "automatic tunneling" mechanisms (such as Teredo, Intra- Site Automatic Tunnel Addressing Protocol (ISATAP), and 6to4) are of particular interest from a security standpoint, since they might be employed without prior consent or action of the user or network administrator.

Tunneling mechanisms should be a concern not only to network administrators that have consciously deployed them but also to those who have not deployed them, as these mechanisms might not be leveraged to bypass their security policies.

NOTE: [CERT2009] contains some examples of how tunnels can be leveraged to bypass firewall rules. The aforementioned issues could be mitigated by applying the common security practice of only allowing traffic deemed as "necessary" (i.e., the so-called "default deny" policy). Thus, when such policy is enforced, IPv6 transition/coexistence traffic would be blocked by default and would only be allowed as a result of an explicit decision.