This tip is a part of the SearchSecurity.com mini learning guide,IPv6 tutorial: Understanding IPv6 security issues, threats, defenses.
According to experts monitoring the Internet Protocol version 6 (IPv6) protocol changeover, the enterprise transition to IPv6 could be a minefield for information security pros: IPv6 configuration errors, software vulnerabilities and suspect IPv6 security features in security devices may allow knowledgeable attackers easy access to sensitive systems.
There will be patches and updates, but enterprises will need to get past the hype around the topic.
Silvia Hagen, author of IPv6 Essentials and CEO of Sunny Connection AG
So far, adoption has been slow and IPv6 traffic makes up only about 10% of all Internet traffic, but over the next several years experts predict a steady increase in IPv6 usage and enterprises will need the networking systems to support it. That’s because the urgency of the transition is increasing as IPv4 address space runs out; experts predict some ISPs will run out of IPv4 addresses by September.
While the transition could take as long as three more years, according to some estimates, experts say now is the time for organizations to begin planning how to transition to IPv6. The protocol itself is more complex than IPv4 and, without the knowledge of seasoned networking professionals, many believe enterprises could set themselves up for IPv6 attacks.
“These stacks will not be mature, and when something is new there will be early issues and you may find bugs,” said Silvia Hagen, author of IPv6 Essentials and CEO of Sunny Connection AG in Switzerland, where she works as a senior consultant and analyst. “There will be patches and updates, but enterprises will need to get past the hype around the topic.”
That hype may reach an all-time high this week. June 8 marks World IPv6 Day, when a number of major websites, ISPs and some early adopter enterprises will test the protocol. The event was organized by The Internet Society (ISOC), a nonprofit organization that fosters Internet-related standards, education and policy. World IPv6 day will not only test production systems for IPv6 compatibility issues, but will also shed light on the dwindling number of IPv4 addresses , the primary driver behind the IPv6 transition.
Andy Champagne, vice president of engineering at Cambridge, Mass.-based Akamai Technologies Inc., a Web content provider for dozens of large businesses, said he doesn’t expect any disruption during the testing of the protocol Wednesday. Instead, Champagne said enterprise networking pros should use the day to educate themselves and spread the word about the pending transition.
“You can put off IPv6 and be faced with a really difficult transition down the road, or you can begin to make inroads today with events such as IPv6 Day and through those inroads have a nice easy transition,” Champagne said. “When it comes to security, I think it’s a much more prudent approach to try it rather than just turning it on when it’s absolutely essential.”
Research into inherent vulnerabilities in IPv6 has been minimal, said Fernando Gont, a network engineer and security consultant who has tested IPv6 implementations for several government departments in the UK. Gont said the lack of research papers and few best practices from early adopters have caused many enterprises to take a wait-and-see attitude toward the transition. Over time, he said, the protocol will gain increased interest from security researchers and additional weaknesses will emerge.
“With IPv4 we have had more than 20 years of experience working and deploying the protocol, and with IPv6, we’ve played with the protocol for only couple of years,” Gont said. “The problem is that vendors have not done the work when it comes to producing good default configurations and all the security implications have not been explored.”
Networking pros should begin learning the protocol and security pros need to understand whether security appliances can handle IPv6 traffic, Gont said. Equipment that supports IPv6 -- firewalls, intrusion prevention systems and other network security devices -- has also faced little scrutiny and may contain vulnerabilities. In addition, operating systems and other software will ship with IPv6 support enabled by default – currently Windows 7 is IPv6 enabled – providing another possible attack vector for cybercriminals, he said.
Ultimately IPv6 could improve security, bolstering encryption with IPsec, and offering an end-to-end scheme for mutual authentication between hosts. But in the near term, Gont said the introduction of IPv6 would likely foster significant network security threats because network devices will need to support both versions of the Internet protocol. Some devices will need to be replaced, others will gain v6 support through a software update, he said. While setting up a dual-stack network, organizations will need to set separate security policies and decide what applications and services can be accessed using v6.
“There’s much less experience with v6 than with v4 and it’s likely that when v6 is deployed, many of the security implications of IPv6 will be overlooked,” Gont said. “There will be a lot of vulnerabilities that will be discovered in IPv6 implementations before its maturity matches that of its v4 counterpart.”
Akamai’s Champagne said the networking community is gaining a better understanding of the protocol and how to properly route it, but without a careful rollout, IPv6 complexities could leave some enterprise networks vulnerable. For example, on several flavors of Linux, the IPv4 firewall and the IPv6 firewall are entirely different systems and must be configured separately, Champagne said. Turning on IPv6 without that knowledge, he said, would leave transmissions via IPv6 wide open.
“Make sure that you are checking the documentation for your specific systems to figure out how they handle IPv6 traffic,” Champagne said. “You don’t want to make IPv6 a backdoor into your enterprise.”