Backbone networks have been changing on layer-3 the last few years due to the worldwide operational deployment of IPv6 from several Internet Service Providers. According to the Cisco Labs measurements, at the end of 2015 the IPv6 transit Autonomous Systems are more than 75% in Western Europe on an average, with some countries reaching even 92%. While a decent amount of research has been performed concerning the IPv6 security implications on local area networks, this is not the case regarding its impact on backbone IP networks. The assumption that the potential attack vectors in IPv6 networks should be the same as in the case of IPv4 is rather naïve given the new functionalities that IPv6 introduces. This study will discuss the most significant IPv6-related security issues on backbone networks, describing why the evasion of Access Control Lists is rather inevitable. Hands-on experimental results of three different well-known vendors will demonstrate these issues. By analysing the root cause of the problem we will be able to propose very specific mitigation techniques, both in terms of device implementation (so as to protect our networks in short-term), but also regarding the philosophy of the Internet Protocol itself and how this should be changed in the long run.
Antonios Atlasis is an IT Security researcher with a special interest in IPv6 (in)securities. His work has been presented in several IT Security conferences and it has resulted in the discovery of various IPv6-related vulnerabilities. He is the author of Chiron, an IPv6 specialized and very flexible security assessment tool.