Riscos na transição para IPv6

Um artigo na ArsTechnica sobre os riscos de segurança durante o período de transição de IPv4 para IPv6. O artigo diz respeito a um recente draft do IETF: "Security Implications of IPv6 on IPv4 networks", draft-gont-opsec-ipv6-implications-on-ipv4-nets-00.

Beware of IPv6 security goblins, IETF warns

With World IPv6 Day just six weeks away, security consultants are once again warning that networks transitioning to the Internet's next-generation addressing scheme face serious risks unless they modify their defenses to accommodate the changes.
In a draft proposal filed Tuesday with the Internet Engineering Task Force, a security consultant warned that IPv6 traffic is often able to bypass firewalls, intrusion detection systems, and other security protections. With the majority of end-user devices now speaking the new language by default, their use may have serious unintended consequences.
"Most general-purpose operating systems implement and enable by default native IPv6 support and a number of transition-co-existence technologies," Fernando Gont of the UK Centre for the Protection of National Infrastructure wrote. "In those cases in which such devices are deployed on networks that are assumed to be IPv4-only, the aforementioned technologies could be leveraged by local or remote attackers for a number of (illegitimate) purposes."
The draft was published six weeks before the 2012 World IPv6 Day, scheduled for June 8. The aim of the campaign is to raise awareness of the new protocol, which will offer a virtually unlimited supply of IP addresses as well as improved efficiency and security in the way data is delivered from one endpoint to another. But the transition is fraught with risks for network administrators who don't ensure that transition extends to their defenses as well.
Of particular concern are technologies such as link-local IPv6 connectivity, 6over4 Neighbor Discovery, and various tunneling mechanisms, which are all used to help networks carry both IPv4 and IPv6 traffic. The draft also singles out a tunneling technology called Teredo that's built into various operating systems, including Microsoft Windows. Unless specific changes are made, networks that use these technologies are vulnerable to remotely-exploited buffer overflow attacks and exploits that allow hackers to impersonate a local router.
Gont's paper, which is titled Security Implications of IPv6 on IPv4 Networks, provides links to a wealth of resources for ensuring that sensitive network resources remain isolated from IPv6 traffic.