What happens if you don't use IPv6 for your internet-facing services?

submitted by
Style Pass
2021-05-16 12:34:41

TL;DR: Managing the online exposure of systems can be difficult. Sometimes IPv6 network configurations get forgotten, leading to services unknowingly connected to the internet.

We’ve been (very) slowly adopting IPv6 since its introduction in 1995. This added protocol version allows computer systems to be available in two different address spaces (IPv4 and IPv6). This could expand the attack surface of a system if it’s not managed properly. Fortunately, most firewalls will update user-defined rules for both versions simultaneously. This blog post goes further into finding exposed online services in the IPv6 space that aren’t reachable via their IPv4 counterpart.

I’ve scanned a subset of the public IP space to get an idea of how many firewalls/systems actually have different configurations in the two address spaces. I was able to match these using DNS look-ups, validating them by looking for exposed services that make use of certificates.

The experiment started with a sample group of 18 710 IPv4/6 address pairs. Of these, 10 683 (~57.1%) address couples had matching certs and 8 027 (~42.9%) did not (mostly due to incorrect DNS records). The non-matching pairs were disregarded.
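The pairing and comparison described above can be run as a self-audit against a dual-stacked hostname you operate. This is an added example, not the author's scanner: the function names, the port list and the sample fingerprints are assumptions, and matching on the SHA-256 of the certificate served on port 443 is one possible way to validate a pair.

```python
import hashlib
import socket
import ssl

def resolve(host, family):
    """Addresses `host` resolves to for one family (AF_INET or AF_INET6)."""
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(host, None, family)})
    except socket.gaierror:
        return []

def open_ports(addr, ports, timeout=2.0):
    """TCP-connect to each port on an address you operate; return the open ones."""
    found = set()
    for port in ports:
        try:
            socket.create_connection((addr, port), timeout).close()
            found.add(port)
        except OSError:
            pass
    return found

def cert_fingerprint(addr, port=443, timeout=3.0):
    """SHA-256 of the leaf certificate served at addr:port, or None."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # certificates are compared, not validated
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((addr, port), timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    except OSError:
        return None

def classify(fp4, fp6, ports4, ports6):
    """Same host by certificate? If so, which ports answer on IPv6 only?"""
    if fp4 is None or fp6 is None or fp4 != fp6:
        return {"matched": False, "v6_only": []}   # non-matching pair: disregard
    return {"matched": True, "v6_only": sorted(ports6 - ports4)}

def audit(host, ports=(22, 80, 443, 3306, 8080)):   # port list is an assumption
    """Pair the first A and AAAA address of a hostname you own and classify it."""
    v4, v6 = resolve(host, socket.AF_INET), resolve(host, socket.AF_INET6)
    if not v4 or not v6:
        return None                                 # not dual-stacked in DNS
    return classify(cert_fingerprint(v4[0]), cert_fingerprint(v6[0]),
                    open_ports(v4[0], ports), open_ports(v6[0], ports))

SAMPLE = classify("ab" * 32, "ab" * 32, {80, 443}, {22, 80, 443, 3306})  # constructed values
```

A non-empty `v6_only` list means the IPv6 firewall policy is looser than the IPv4 one for that host and the rules should be reconciled.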
