
Get ready for IPv6: Five security issues to consider

What you will learn from this tip: Although IPv6 is a security-enabled protocol, migration from IPv4 can create new risks and weaken an organization's security strategy. In this tip, learn about the potential hazards and how to ensure a smooth transition without jeopardizing your company's security.

If you haven't thought about the impact of IPv6 on your network's security, it's time to start thinking! The replacement for the venerable IPv4 protocol is now in use on the Internet and might even exist on your network without your knowledge. Here's a look at some of the security implications of IPv6.

You're probably aware of the driving force behind the push to IPv6 – we're running out of IP address space! The current 32-bit addressing scheme used by IPv4 allows for a whopping 4.3 billion unique addresses. Although that sounds like a lot, consider that there are approximately 6.4 billion individuals on our planet. Certainly not everyone has an IP address, but those who do might have several, spread across home and work systems, IP-enabled phones and other network-aware devices. The rapid explosion of technology in emerging markets, especially in the Asian-Pacific region, demands a new supply of IP address space. IPv6 solves this problem by using 128-bit addressing. That allows for a total of 3.4 x 10^38 addresses, a quantity that should keep us from running out for a long time. (Although, that's what they said when IPv4 came out!)

So, what does the emergence of IPv6 mean to security practitioners? Let's look at five specific IPv6 security issues that impact our work:

  1. Security practitioners need education/training on IPv6. IPv6 will come to the networks under your control – it's only a matter of time. As with any new networking technology, it's essential that you learn the basics of IPv6, especially the addressing scheme and protocols, in order to facilitate incident handling and related activities.
  2. Security tools need to be upgraded. IPv6 is not backwards compatible. The hardware and software used to route traffic across networks and perform security analyses won't work with IPv6 traffic unless they are upgraded to versions that support the protocol. This is especially important to remember when it comes to perimeter-protection devices. Routers, firewalls and intrusion-detection systems may require software and/or hardware upgrades in order to "speak" IPv6. Many manufacturers already have these upgrades available. For example, Cisco networking devices support IPv6 as of IOS release 12.0S.
  3. Existing equipment may require additional configuration. The devices that do support IPv6 typically treat it as an entirely separate protocol (as they should). Therefore, the access control lists, rule bases and other configuration parameters may need to be reevaluated and translated to support an IPv6 environment. Contact the appropriate manufacturers for specific instructions.
  4. Tunneling protocols create new risks. The networking and security communities have invested time and energy in ensuring that IPv6 is a security-enabled protocol. However, one of the greatest risks inherent in the migration is the use of tunneling protocols to support the transition to IPv6. These protocols allow the encapsulation of IPv6 traffic in an IPv4 data stream for routing through non-compliant devices. Therefore, it's possible that users on your network can begin running IPv6 using these tunneling protocols before you're ready to officially support it in production. If this is a concern, block IPv6 tunneling protocols (including SIT, ISATAP, 6to4 and others) at your perimeter.
  5. IPv6 autoconfiguration creates addressing complexity. Autoconfiguration, another interesting IPv6 feature, allows systems to automatically gain a network address without administrator intervention. IPv6 supports two different autoconfiguration techniques. Stateful autoconfiguration uses DHCPv6, a simple upgrade to the current DHCP protocol, and doesn't reflect much of a difference from a security perspective. On the other hand, keep an eye on stateless autoconfiguration. This technique allows systems to generate their own IP addresses and checks for address duplication. This decentralized approach may be easier from a system administration perspective, but it raises challenges for those of us charged with tracking the use (and abuse!) of network resources.
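An added example (not from the original tip) illustrating items 4 and 5 above: it flags IPv6-in-IPv4 tunnel flows (IP protocol 41, the encapsulation used by SIT/6in4, 6to4 and ISATAP) in constructed flow records, and for IPv6 addresses observed on the network it recovers the IPv4 address or MAC that 6to4, ISATAP and EUI-64 stateless autoconfiguration embed, which is what an asset-tracking team needs. The flow records and addresses are constructed, and the function names are mine.

```python
import ipaddress

# Constructed flow records: (src IPv4, dst IPv4, IP protocol number).
# Protocol 41 carries IPv6 inside IPv4 for SIT/6in4, 6to4 and ISATAP.
SAMPLE_FLOWS = [
    ("10.1.2.3", "192.88.99.1", 41),   # 6to4 traffic to the relay anycast net
    ("10.1.2.7", "203.0.113.9", 6),    # ordinary TCP, not a tunnel
    ("10.1.2.9", "10.1.0.1", 41),      # ISATAP host talking to an ISATAP router
]

# Constructed IPv6 addresses as they might appear in logs or packet captures.
SAMPLE_V6 = [
    "2002:c000:0204::1",              # 6to4 prefix embeds 192.0.2.4
    "fe80::5efe:a01:203",             # ISATAP interface ID embeds 10.1.2.3
    "2001:db8::21a:2bff:fe3c:4d5e",   # EUI-64 from MAC 00:1a:2b:3c:4d:5e
    "2001:db8::1234",                 # manually assigned, nothing embedded
]


def tunnel_flows(flows):
    """Return the flows that are IPv6-in-IPv4 tunnels (protocol 41)."""
    return [f for f in flows if f[2] == 41]


def classify(addr_str):
    """Classify an IPv6 address and recover any identifier it embeds."""
    addr = ipaddress.IPv6Address(addr_str)
    raw = addr.packed
    if addr in ipaddress.IPv6Network("2002::/16"):
        # 6to4: bytes 2..5 are the site's public IPv4 address
        return ("6to4", str(ipaddress.IPv4Address(raw[2:6])))
    iid = raw[8:]  # 64-bit interface identifier
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        # ISATAP: 0000:5EFE (or 0200:5EFE) followed by the IPv4 address
        return ("isatap", str(ipaddress.IPv4Address(iid[4:])))
    if iid[3:5] == b"\xff\xfe":
        # EUI-64: MAC split around FF:FE with the universal/local bit flipped
        first = iid[0] ^ 0x02
        mac = bytes([first]) + iid[1:3] + iid[5:]
        return ("eui64", ":".join(f"{b:02x}" for b in mac))
    return ("other", None)


def report(flows=SAMPLE_FLOWS, addrs=SAMPLE_V6):
    """Summarise tunnel flows and embedded identifiers for review."""
    return {"tunnels": tunnel_flows(flows),
            "addresses": [(a,) + classify(a) for a in addrs]}


if __name__ == "__main__":
    for line in report()["tunnels"] + report()["addresses"]:
        print(line)
```

Blocking protocol 41 at the perimeter is what stops the tunnels themselves; the address classification is for inventorying hosts that have already started using IPv6 internally.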

As you can tell, IPv6 is revolutionary. It allows us to prepare our networks for the next decade of ubiquitous access but, as with any innovation, requires careful attention from a security perspective.

About the author:
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.


This was first published in June 2005
