Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Using reputation-based security to mitigate IPv6 security risks

Get help creating a network security strategy for IPv6 and learn if reputation-based security to filter IP traffic will work in a larger environment.

With the gradual switch to IPv6, I've read that attackers will have a basically infinite amount of unique IP addresses from which they will be able to send malicious traffic. Right now, my organization utilizes a reputation-based security system to filter out such traffic from known, malicious IPv4 addresses, but will that be possible once IPv6 uptake is in full swing? How should we change our network security posture to account for this new risk?

Ask the expert

Brad Casey is ready to answer your network security questions. Submit them now via email!

First, I would like to ease your anxiety a little by saying that I've been hearing about this switch from IPv4 to IPv6 for over a decade now, and other than a few pockets of eccentricity here and there, I have yet to notice any large-scale movement in that direction in the U.S. However, I would caution against total ambivalence toward the switch, as China made the move a few years ago and, from what I can tell, they've experienced much success with it. So, given the IP address space crunch and the fact that many network infrastructure providers are making the switch, it will become necessary for enterprises to make the transition, probably within the next five years.

In terms of reputation-based security systems, you will still be able to utilize them after the migration, as they are not controlled by the breadth of IP addresses available. Once an entry is made into the systems' respective database, the entry is there for good and your network should be subsequently protected.

However, because the number of potential IP addresses in the IPv6 scheme is something like 2128, I can see databases possibly getting overloaded by having to maintain huge lists of malicious IP addresses. While it should not affect security, this could cause performance degradation as each new IP address must be searched for by the filter. If this indeed becomes the case, content-based filtering may become a more viable option.

Currently, content-based filtering is considered extremely resource-intensive, hence the popularity of reputation-based filtering. With reputation-based filtering, large numbers of packets can be blocked without having to examine the contents, but if reputation-based filtering within an IPv6 environment becomes more resource intensive than content-based filtering, those companies who invested in content-based filtering products may end up ahead of the game. My advice is that organizations that can afford to do so should consider content-based filtering technology for a variety of reasons, not just IPv6, though that's certainly among the most compelling reasons to do so.

This was last published in April 2014

Dig Deeper on IPv6 security and network protocols security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.