With the gradual switch to IPv6, I've read that attackers will have a basically infinite amount of unique IP addresses from which they will be able to send malicious traffic. Right now, my organization utilizes a reputation-based security system to filter out such traffic from known, malicious IPv4 addresses, but will that be possible once IPv6 uptake is in full swing? How should we change our network security posture to account for this new risk?
Ask the expert
Brad Casey is ready to answer your network security questions. Submit them now via email!
First, I would like to ease your anxiety a little by saying that I've been hearing about this switch from IPv4 to IPv6 for over a decade now, and other than a few pockets of eccentricity here and there, I have yet to notice any large-scale movement in that direction in the U.S. However, I would caution against total ambivalence toward the switch, as China made the move a few years ago and, from what I can tell, they've experienced much success with it. So, given the IP address space crunch and the fact that many network infrastructure providers are making the switch, it will become necessary for enterprises to make the transition, probably within the next five years.
In terms of reputation-based security systems, you will still be able to utilize them after the migration, as they are not controlled by the breadth of IP addresses available. Once an entry is made into the systems' respective database, the entry is there for good and your network should be subsequently protected.
However, because the number of potential IP addresses in the IPv6 scheme is something like 2128, I can see databases possibly getting overloaded by having to maintain huge lists of malicious IP addresses. While it should not affect security, this could cause performance degradation as each new IP address must be searched for by the filter. If this indeed becomes the case, content-based filtering may become a more viable option.
Currently, content-based filtering is considered extremely resource-intensive, hence the popularity of reputation-based filtering. With reputation-based filtering, large numbers of packets can be blocked without having to examine the contents, but if reputation-based filtering within an IPv6 environment becomes more resource intensive than content-based filtering, those companies who invested in content-based filtering products may end up ahead of the game. My advice is that organizations that can afford to do so should consider content-based filtering technology for a variety of reasons, not just IPv6, though that's certainly among the most compelling reasons to do so.
Dig Deeper on IPv6 security and network protocols security
Related Q&A from Brad Casey
Allowing users to tunnel through a firewall to access any site creates a security risk. How big of a risk is it? It depends on how much you trust ... Continue Reading
Our IT organization needs to secure customer names, but also needs to conduct searches on the entire customer database to match and merge records. Continue Reading
Don't treat physical and virtual machines' security differently. Since VM security issues threaten the whole infrastructure, here's how to stop ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.