No IPv6 explosion, but a ticking bomb

IPv6 could be a ticking security time bomb in Belgium if businesses fail to respond to the fact that adoption is gaining momentum fast

Internet protocol version six (IPv6) has hardly exploded in Belgium as predicted in the late 1990s, but it could be a ticking security time bomb if businesses fail to respond to the fact that it is now gaining momentum fast and that many of their devices are IPv6 enabled.

The belated acceleration in adoption is mainly due to the fact that major players on the market (Belgacom, Telenet and Voo) are now massively rolling out IPv6 for residential customers, making Belgium second only to Switzerland in terms of deployment.

While browsing the web via IPv6 is completely transparent for residential users, deploying the new protocol in corporate environments introduces more challenges that must be addressed as soon as possible.

From a management perspective, IPv6 is sometimes considered, like security, as non-business critical because it does not improve the business. So what about the security on top of IPv6? For most companies, deploying IPv6 has a cost and will not increase their revenue. A small online shop, for example, will not sell more t-shirts because it is reachable over IPv6.

IPv6 training required

But, in terms of security, the first problem is human behaviour – people are afraid of big changes. Network administrators have been using IPv4 for decades, and switching to IPv6 is not an easy task because the way IPv6 works has changed several things. 

For most companies, deploying IPv6 has a cost and will not increase their revenue

Classic examples are ICMP (Internet Control Messaging Protocol) and Multicast, which are used intensively in IPv6, and ARP (Address Resolution Protocol) which was common in IPv4 but has disappeared altogether in IPv6. Also, within an IPv4 network, administrators could decide to block ICMP or Multicast completely at firewall level without any disturbance, but this is not possible in IPv6 as they are both mandatory.

The first important message for managers is send your network administrators to IPv6 training. Attackers are already a step ahead and have new weapons ready to test the IPv6 security of networks – scans, packet manipulations and much more. The possibility that attackers might have more expertise with IPv6 than an organisation must be considered.

Another important message is that IPv6 is already present in most networks, except if IT departments applied specific configuration to completely disable IPv6, but this is not often the case. 

Remember, it is the default protocol used in all modern operating systems, and most security solutions are also IPv6 enabled. Appliances such as proxies or anti-spam products rely on software that accepts IPv6 traffic. The administration interfaces, available via IPv6, can be put at risk if not protected. Therefore, implemented filters – firewalls, access lists – have to be adapted to IPv6 and their size will almost double. Both versions of the internet protocols must be monitored.

Address IPv6 connectivity concerns

If your network provider does not offer IPv6, there are online services, called "tunnel brokers", which can provide you IPv6 connectivity encapsulated in IPv4 – this is called "6to4" or "6in4". A workstation configured in this way could bypass all the rules in place at IPv4 level, tunnels not being encrypted by most firewalls. Companies are at risk in both directions – sensitive data is sent outside the security perimeter and internal resources can be attacked from the wild internet through the established tunnel.

More on IPv6

  • IPv6 benefits: Making the IPv6 business case
  • Handling network change: Is IPv4-to-IPv6 the least of your problems?
  • IPv6, SDN: When worlds collide ... in a good way
  • With SDN, IPv6 transition may not be so hard
  • Should your IPv6 deployment mirror your IPv4 strategy?
  • Computer Weekly Buyer's Guide to IPV6 migration
  • IPv4 to IPv6 conversion thwarted by ISP peering issues

A classic attack scenario on a network with IPv6-enabled devices is to use a man in the middle (MitM) attack. If IPv6 is still used to provide Dynamic Host Configuration Protocol (DHCP) services, a new way to perform dynamic configuration of hosts has been introduced via new ICMP messages: router advertisement (RA) and router solicitation (RS). 

The first type is generated by routers and says: "Hello I'm here, I can provide you some IPv6 connectivity, come to me." The second one is emitted by clients and says: "Hello, any router listening? Who can help me to make a connection to the internet?” You probably guess that it is easy to send rogue "RA" packets and intercept the complete IPv6 traffic on a LAN, even if the network has no IPv6 connectivity to the outside.

In addition to the security implications, the IPv6 protocol can affect applications deployed on your networks. 

Take the example of a website that displays dynamic content based on the visitor location. To achieve this, developers use the visitor's IP address and "geolocate" it, identifying the real-world geographic location of that device. If the server running the website is offering IPv6 services, the web application must be updated to handle the new type of addresses. 

Another example would be an application that stores the IP addresses of people who connected for compliance purposes. Information is stored in a SQL database. An IPv4 address can be saved as a string of up to 15 characters or a 32-bit integer, but an IPv6 address could be much longer and is a 128-bit integer. Both the application and the database must be upgraded to store IPv6 addresses. 

If you are thinking of deploying IPv6 in the near future, all teams must be included in the process – network and system administrators, database administrators, webmaster, etc. This is company process.

No safety in numbers for IPv6 addresses

From an attacker perspective, IPv6 is not a big issue. Due to the huge number of IP addresses available (2128, or approximately 3.4×1038 addresses, or more than 7.9×1028 times as many as IPv4), the bad guys will not be able to scan IPv6 networks. But this can provide a false sense of security. Security by obscurity is bad. 

If you are thinking of deploying IPv6 in the near future, all teams must be included in the process

An application using an IPv6 address will not be protected against classic attacks. As mentioned above, attackers already have toolboxes to attack IPv6 networks and most attacks performed today remain exactly the same: SQL/XML injection, DDoS, XSS, file inclusion and more.

Furthermore, not only can a device have an IPv4 address and an IPv6 address, it can also have more than one IPv6 address. This makes it  difficult to create an inventory of devices using discovery tools. Therefore, tracking unauthorised devices is a challenge.

To conclude, switching to IPv6 is not simple, but organisations do not really have a choice. From today, think "IPv6" and deploy systems which are ready – IPv6 must be a requirement in your requests for proposals. Send people to training and learn how to apply best practices.

Read more on IT risk management