September 29, 2005


Learn IPv6 Today; Hackers Are

One of the most interesting data points I took away from the recent 2005 North American IPv6 Technology Conference in San Jose is that IPv6 acceptance is growing rapidly in one unexpected "market segment": the hacker community. Hackers are exploiting freely available IPv6 technology on Macintosh, Unix, and Windows systems to skirt around firewalls and other network security measures. There could be a hacker right now tunneled into your network over IPv6, and chances are your intrusion detection software isn't looking for IPv6 and thus can't see them.

In a correctly deployed IPv6 network, security is enhanced over the older IPv4 protocol, because address spoofing can be detected and tracked, and every IP session can be encrypted using IPsec. The operative phrase in the preceding sentence is "correctly deployed." Many network administrators haven't given IPv6 a second thought, believing falsely that IPv6 will wait for them. But a slew of open-source programs and free services let hackers deploy IPv6 in your network without your permission, using the advanced protocol to sneak around IDS and IPS systems and to surreptitiously pump data to outside hacker lairs.

A hacker gains an IPv6 foothold using the standard virus and Trojan propagation techniques: contaminated e-mail, spyware, DNS poisoning, and phishing attacks. Once landed on a victim desktop computer, a hacker can enable IPv6 on that system and use IPv6's autoconfiguration facilities to acquire an IPv6 address on your network -- or simply make up an IPv6 address using the target machine's MAC address. If you don't currently have an IPv6 router on your network, the hacker can convert the victim host into one.

The vast majority of successfully penetrated desktop systems run Windows, and Windows 2003 and XP have IPv6 built in -- it only needs to be enabled with the netsh command-line tool. Windows IPv6 supports a transition protocol called 6to4 tunneling, which encapsulates IPv6 packets in a special protocol envelope and routes them to a distant IPv6 gateway, where the envelope is stripped off and the IPv6 packets travel on natively. Most IDS systems don't recognize 6to4 packets, or don't report them as a security risk. 6to4 packets don't look like ordinary IP packets: they are IPv4 packets whose protocol field is 41 (IPv6 encapsulation), rather than TCP (6) or UDP (17). Yet many networking components, and virtually all ISPs, will cheerfully route these packets without complaint. The only good news is that most NAT firewalls block everything except TCP and UDP, and thus filter out protocol 41.

Hackers have alternatives should they find 6to4 tunneling infeasible. Windows also supports another IPv6 transition mechanism, called Teredo, that encapsulates IPv6 packets in an IPv4 UDP envelope. These packets pass right through NAT firewalls without trouble, and can even be made to look like DNS queries, which virtually every firewall passes out unmolested. Teredo is also built into Windows XP, as well as being available in a number of open-source IPv6 migration tools.

IPv6 tunneling techniques give attackers a permanent, invisible conduit from the outside world directly to the heart of your network, just as if you ran a Cat-5 cable from some clerk's desk to the far side of your firewall. Worse, once a hacker awakens IPv6 in one workstation, server, or router, he can then enable IPv6 in dozens or hundreds of machines on the same LAN.

The only cure is to block both 6to4 and Teredo at your borders, and upgrade your IDS and IPS to watch for unauthorized IPv6 traffic on your LAN. Check with your security software vendor today for IPv6 sensing capabilities. The open-source Snort IDS has an experimental IPv6 decoder, and many commercial IDS systems use Snort under the covers, so you may be able to install IPv6 awareness yourself.
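To make the detection side concrete, here is an added example (my own code for this page, not the author's and not Snort's IPv6 decoder) that flags the two tunnel types described above in raw IPv4 packets: protocol-41 encapsulation (6to4 when the inner addresses sit in 2002::/16, plain 6in4 otherwise) and Teredo (IPv6 carried inside UDP on port 3544). It also tags inner source addresses whose interface ID carries the ff:fe marker of a MAC-derived (EUI-64) address, the kind a host forms for itself through autoconfiguration. All packets are constructed inline from documentation addresses; the builder functions, field names and the alert format are my assumptions, not part of any product.

```python
"""Flag IPv6-in-IPv4 tunnel traffic (protocol 41 / 6to4 and Teredo over UDP 3544)
in raw IPv4 packets. Added example for this post, not the author's or Snort's
code; the sample packets below are constructed, not captured."""
import ipaddress
import struct
from typing import Optional

PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41          # "IPv6 encapsulated in IPv4": 6to4 and manual 6in4 tunnels
TEREDO_PORT = 3544             # IANA-assigned Teredo UDP port
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            pkt[9], pkt[ihl:])


def parse_ipv6(pkt: bytes):
    """Return (src, dst, next_header) from an IPv6 header, or None if malformed."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]), pkt[6]


def looks_eui64(addr: ipaddress.IPv6Address) -> bool:
    """True if the interface ID has the ff:fe marker of a MAC-derived (EUI-64) address."""
    return addr.packed[11:13] == b"\xff\xfe"


def classify(pkt: bytes) -> Optional[dict]:
    """Return an alert dict for tunnelled IPv6 traffic, None for anything else."""
    v4 = parse_ipv4(pkt)
    if v4 is None:
        return None
    src, dst, proto, payload = v4
    alert = {"outer_src": str(src), "outer_dst": str(dst)}
    if proto == PROTO_IPV6_ENCAP:
        inner = parse_ipv6(payload)
        alert["kind"] = "6in4"
        if inner and (inner[0] in SIXTO4_PREFIX or inner[1] in SIXTO4_PREFIX):
            alert["kind"] = "6to4"
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        alert["kind"] = "teredo"
        # Plain Teredo data packets carry the IPv6 header right after UDP; bubbles
        # and packets with origin/auth indicators won't parse here, but the port
        # match alone is still worth reporting.
        inner = parse_ipv6(payload[8:])
    else:
        return None
    if inner:
        alert["inner_src"], alert["inner_dst"] = str(inner[0]), str(inner[1])
        alert["inner_next_header"] = inner[2]
        alert["eui64"] = looks_eui64(inner[0])
    return alert


def scan(packets) -> list:
    """Run classify() over a list of packets and return the alerts found."""
    return [a for a in (classify(p) for p in packets) if a]


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src: str, dst: str, next_header: int = 58, payload: bytes = b"") -> bytes:
    """Minimal IPv6 header (next header defaults to ICMPv6) for constructed samples."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


# Constructed samples using documentation address ranges; 192.88.99.1 is the
# well-known 6to4 relay anycast address, and the inner 6to4 source embeds 192.0.2.10.
SAMPLE_6TO4 = build_ipv4("192.0.2.10", "192.88.99.1", PROTO_IPV6_ENCAP,
                         build_ipv6("2002:c000:20a:0:211:22ff:fe33:4455", "2001:db8::1"))
_TEREDO_INNER = build_ipv6("2001:0:c633:6407:8000:ffff:3f57:fefe", "2001:db8::2")
SAMPLE_TEREDO = build_ipv4("192.0.2.10", "198.51.100.7", PROTO_UDP,
                           struct.pack("!HHHH", 54321, TEREDO_PORT, 8 + len(_TEREDO_INNER), 0)
                           + _TEREDO_INNER)
SAMPLE_TCP = build_ipv4("192.0.2.10", "198.51.100.7", 6, bytes(20))   # ordinary traffic
SAMPLES = [SAMPLE_6TO4, SAMPLE_TEREDO, SAMPLE_TCP]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

Run stand-alone, it prints two alerts (the 6to4 and Teredo samples) and stays silent on the TCP packet. The protocol-41 check is exactly the one a border filter should enforce; the Teredo check is the one a NAT firewall needs, since Teredo rides inside ordinary UDP and the port match (plus the 2001:0::/32 prefix on any inner address you do decode) is what distinguishes it.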

But most importantly, become IPv6 savvy by giving yourself a short course in this new networking technology. I tell you how in the Dr. I. Doctor entry "Take IPv6 Out for a Spin" and my review of O'Reilly's book "IPv6 Network Administration."

Posted by Mel Beckman at September 29, 2005 9:57 AM