One of the main portions of network security is controlling the inbound and outbound network paths. If you cannot control the outbound network paths, most firewalls, web filters and security devices will not work. If a network has a web filter setup by their outbound path, if users could change their outbound path, they can get around the web filter. Typically the end user would be aware of this and have to setup a VPN to get around the web filter.
Well with IPv6 and the magic of router advertisement, anyone can be on the network and setup an outbound path like a wireless hotspot or MiFi setup on the inside of the network and redirect traffic out of the network. This makes it easy for someone to setup a system that has an alternative path out, and redirect traffic to through their system. This allow them to be a perfect man-in –middle. The routing advertisements make it almost impossible to properly secure any corporate network. The only way to fix this is to have an IPv6 RA guard on their switches. Wireless networks do not have any ability for an IPv6 RA guard and will always have this vulnerability.
If you corporate networks requires any network flow to enforce security like IPS, web filters and firewalls, then moving the corporate network to IPv6 on the inside is probably a bad idea.
Jason Howe, PEI
