IPv6 move could cause network problems, threaten cybersecurity

By Erin Kelly, Contributor 26 Jan 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The move to Internet Protocol version 6 (IPv6) could have a profound effect on the Internet, breaking it up into islands of connectivity and threatening cybersecurity in the process, according to Jeff Young, a senior analyst at the Burton Group.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

As the IPv4 free address pool continues to dwindle, enterprises can expect to see IPv6-only hosts on the Internet within a three-year timeframe, Young said. In the report, "IPv4 Address Exhaustion: An Inconvenient Truth," Young addresses the incompatibility of IPv4 and IPv6 and some of the problems that need to be addressed during the changeover.

"The biggest problem I see right now with security is that there are not a lot of well-informed networking people or security people with regard to IPv6," Young said in an interview with SearchSecurity.com.

In 1998, the Internet Engineering Task Force (IETF) designated IPv6 as the successor to version 4. But adoption has been slow with currently less than 1% of all Internet traffic on IPv6, according to statistics released by Google. For some time, IPv6 was considered a security threat due to the many net tunnels used to connect to IPv6. Some operating systems automatically create these tunnels, allowing them to go undetected by security systems, Young said.

Move to IPv6: Will organizations that lag behind on IPv6 adoption have greater security risks? Network security pro Mike Chapple explains why he beleives a delay on IPv6 adoption is nothing to worry about. Vista users urged to beware of IPv6: A researcher warns that attackers could make trouble for Vista users by exploiting Teredo, an IPv6 tunneling tool enabled by default in the latest Windows OS.

"If your host required v6, it would send v6 packets to your device and create a tunnel," Young said. "There were some number of people who took advantage of that and got into tunnels that otherwise maintained good security."

Large enterprises will not be immediately affected by address exhaustion, but it is necessary for businesses to implement dual-stack hosts and routers that can handle both IPv4 and IPv6 protocols, Young said. Enable IPv6 throughout all externally facing services, such as e-commerce, BPM service and email on the Microsoft Exchange Server, he said. Once IPv4 space runs out, providers will have no other alternative but to give their users v6 space and accommodate v6 hosts.

"We've known for some time that the limited number of Internet address space is decreasing, and regional Internet registries (RIR) that fill out this space have reported by 2011 or 2012 they won't be able to give new blocks of address space out," Young said.

Service providers will be affected most by this address exhaustion because their customers use the largest blocks of address space, he said.

Some have suggested extending the life of IPv4 by adopting an "open market" for address space among businesses. However, these efforts will probably not help service providers, Young said.

SearchSecurity radio:

"It's likely [service providers] will run into some kind of roadblock, use technology or start panning out IPv6 addresses. There's not an endless supply [of IPv6 addresses], but nearly that. It's time to get v6 into that process so that in two years or so we can get v6 at least enabled externally," Young said.

While Young points out in his article that the IPv4 routing system is not as secure as it could be, he said IPv6 is no more secure than IPv4 because there is no way to authenticate the ownership of a route.

Regardless of these security threats, Young stressed the fact that large enterprises have to find a way to serve current customers using IPv6.

Young does not advocate a transition of the network that enterprises use internally, but rather advises to leave it alone and urges large businesses to enable the service they already provide on v6.

"For a long time IPv6 was all about transition, and that's been going on with people for 15 years, but right now we're at the point where some portion of the network has to switch and be enabled for IPv6," Young said.

Tags: Network Protocols and Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Protocols and Security How to keep networks secure when deploying an 802.11n upgrade Expert calls SSL protocol vulnerability a non issue How to prevent phishing attacks with social engineering tests How SSL-encrypted Web connections are intercepted DNSSEC deployment challenges can be overcome Microsoft issues SMB vulnerability advisory, patch pending Microsoft repairs Windows media, TCP/IP vulnerabilities How to test IPv6 infrastructures DNSSEC deployments gain momentum since Kaminsky DNS bug Kaminsky interview: DNSSEC addresses cross-organizational trust and security

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary 5 terms you need to know before you employ VoIP  (SearchSecurity.com) digest authentication  (SearchSecurity.com) IGP  (SearchSecurity.com) IP spoofing  (SearchSecurity.com) Secure Sockets Layer  (SearchSecurity.com) smurfing  (SearchSecurity.com) Transport Layer Security  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary