Risk of Windows 6to4 IPv6 address

Some network administrators are considering launching their IPv6 websites with the use of 6to4 address.

Windows 2003 Server has the function of auto-config 6to4 IPv6 address and the associated gateway. I like to stress that there is a security concern in using Windows default 6to4 IPv6 address. Take an example, for the IP addresss, the IPv6 address will become 2002:ca51:101::ca51:101. The 3rd - 6th octets exactly matching 13th - 16th octets tells outsiders that this IPv6 address is assigned to a Windows Server and if it is running web service, IIS is adopted. Hackers can initiate attacks targetted at Windows and IIS vulnerabilities.

Unfortunately, for Windows OS, network administrators have no way to change the auto 6to4 address or to remove it permanently. For the example above, a work-around solution is to manual assign another 6to4 address within the range 2002:ca51:101::/48 to that interface and publish the AAAA record with the manual assigned IPv6 address. This way, things should work without a clue to outsiders what OS are behind.

1 comment:

Anonymous said...

nice post. thanks.