The successful global test of IPv6 on June 8 proved the new Internet protocol is fit for purpose and much of the underlying infrastructure is already in place to support it. The 24-hour test, during which major websites such as Google, Yahoo and Facebook moved all functionality to the new Internet protocol version, resulted in no known serious errors or problems in the day or so following the test.
So, unless systems administrators start thinking both IPv4 and IPv6 at the same time, we’re going to have a false sense of security.
Leon Ward, field marketing manager, Sourcefire
While that is good news for a world fast running out of address space with the current IPv4 protocol, experts say the introduction of IPv6 will usher in an extended period of uncertainty and potential IPv6 security problems.
The major benefit of IPv6 is it increases the size of an IP address from 32 to 128 bits, and removes the danger of the IP address pool being exhausted within the foreseeable future. It allows each endpoint device to have its own unique IP address and to communicate directly using IPsec with other devices on the Internet.
As IPv6 gathers momentum, however, many of the existing defences guarding corporate networks may have to be replaced, and most will need to be reconfigured to cope both with existing IPv4 traffic, as well as with a growing volume of IPv6 packets. Most experts forecast that support for both protocols will be needed for at least the next 10 years, and possibly longer.
Some aspects of security will benefit from IPv6, according to Qing Li, chief scientist at Blue Coat Systems, a US network security vendor. For example, random brute-force attacks will be much less effective, he said, because of the huge address range in IPv6. Under IPv4, an attacker can select virtually any block of IP addresses and expect to find some devices assigned to them, whilst such an approach in IPv6 would be unlikely to succeed.
However, IPv6 will create new opportunities for hackers. “With IPv4, we use network address translation (NAT) [for network-attached devices], and that gives us the benefit of security by obscurity,” Li said. “With IPv6, the network infrastructure is wide open, and you need another intelligent appliance on top of the firewall in order to be able to protect the devices.”
Li added that a lot of security policies written for the IPv4 infrastructure cannot be applied to IPv6. “For example, how do they deal with dynamically configured IPv6 addresses? From the IT manager's perspective, they will not be able to translate policies syntactically from v4 to v6. In most cases, they have to analyse the purposes of the policies, how they were enforced and then translate them semantically, in many cases rewriting them to fit into the v6 way of doing things.”
For Mark Lewis, director of services development at London network services firm Interoute, the success of the June 8 test is just the beginning; he warned that much more work must be done to ensure applications are compatible with IPv6. “The test provided us with an opportunity to do an end-to-end test of infrastructure. We assumed it would work, and it did, but that was only the first major hurdle,” he said. “The bigger problem over time will be getting your CRM or billing system to do IPv6, your IP/PBX and your email. ... Stitching that all together will take a long time.”
Applications will have to run dual stacks for both protocols, creating extra complexity for IT administrators, because endpoint devices will default to either IPv4 or IPv6, depending on their age and configurations. “It’s going to be tough for the IT guys to support all these different devices, apps and operating systems,” Lewis said. “The timing couldn’t really be worse for our widespread adoption of IPv6, because IT is also having to cope with a lot of new devices, such as iPads, and the need to facilitate borderless networks at the same time.”
Leon Ward, field marketing manager at US IPS vendor Sourcefire, agreed: “Running v4 and v6 together will open up more risks and create challenges. With a pure v4 network, everyone knows it well. They’ve done their Microsoft and Cisco exams, and everyone understands it well,” he said. “With IPv6, it’s extremely different.”
Ward also warned that the presence of two protocols could cause security to be completely bypassed. “People running networks will have to think in two different languages at the same time. They will already have firewall rules and access control lists that limit who can access what. But when two endpoints are able to talk IPv6 as well -- in some operating systems they default to IPv6 -- it meanstheir security and policy constraints may be ignored.”
In addition, some firewalls may not yet filter IPv6 traffic, and merely allow it to flow through unchecked, Ward cautioned. “So you could be testing the security of your machine, doing port scanning and vulnerability assessments against it with IPv4, and think it was all locked down. But any device using IPv6 would be able to gain access,” he said. “So, unless systems administrators start thinking both IPv4 and IPv6 at the same time, we’re going to have a false sense of security. Policies will also be more complicated because they are trying to work in two different languages at the same time.”
Paul Lee, director of IT for certification authority Comodo in the UK, who has been working on IPv6 for a while, played down some of the problems. “When we introduced IPv6, we had a lot of help from Juniper and we found we could convert some of our IP tables and rules quite easily.”
Lee's main advice to other companies was to make sure network devices have enough RAM to accommodate the dual stacks and the much larger address pools in IPv6. The extra processing, he said, favoured more expensive hardware-based routers, but are better suited for the extra work they will need to do.
Peter Wood, CEO at Shoreham-by-Sea pen-testing company First Base Technologies, said smaller companies are likely to struggle with the introduction of IPv6. “The idea of the massive address space is that you won’t need NAT anymore. If your firewall is not properly configured, it means all your devices could be visible to the Internet. I can imagine smaller businesses falling into that trap without realising what they are doing,” he said.
Patrick Bedwell, VP of product marketing at security appliance vendor Fortinet, advised companies to start preparing now for the transition.
“The recent exhaustion of unassigned IPv4 addresses and the limited availability of assigned addresses under IPv4 means networks, regardless of size, need to prepare for the migration to IPv6,” Bedwell said. “Essentially, any device that connects to an IP network, whether it is a laptop, printer, scanner, etc., will need to support IPv6. Those organisations that do not take the necessary steps to migrate their devices to IPv6 will find themselves struggling to be found by existing and potential customers.”
Bedwell's advice is to start with an inventory of all the devices currently connected to the network, checking for those devices that will either need a software update or complete hardware refresh to support the new protocol. Then, organisations should research how long it will take each vendor to become IPv6 compliant, ultimately helping them to budget and prepare for any IPv6-related costs.
“During the research stage it’s important to note that you should conduct a product test if you have to replace legacy hardware to ensure your network performance does not suffer; check that products are evaluated and certified by independent third parties, such as JITC (US Defence Department certification), and, finally, make sure you truly understand what a vendor means by ‘supports IPv6,’" Bedwell said, "as it could mean passing IPv6 data packets or being able to perform deep packet inspection on IPv6 address, both of which are completely different business requirements.”