World IPv6 Day: Why it really matters

Wednesday 8 June 2011 is World IPv6 Day, which means around 200 organisations, including Google, Facebook and Yahoo, will offer content over IPv6 for a 24-hour trial to highlight security holes.

Many in the industry are seeing the trial, which is supported by the Internet Society, as a "wake-up call" for organisations to prepare for IPv6 to ensure a smooth transition as IPv4 addresses run out.

But that is at least several months away. Of more immediate concern are the security holes that are already opening up, and highlighting them is the reason why IPv6 Day really matters.

Organisations must consider a number of issues that are often taken for granted in IPv4 environments, including creating secure user policies and accelerating or optimising IPv6-enabled Web content, says Qing Li, chief scientist at Blue Coat Systems.

"Traditional technologies that address these challenges in IPv4 environments do not work in IPv6 environments, so organisations should look for systems that can rate both new and unknown IPv6 web content in real-time and optimise that content over the WAN, making the transition between IPv4 and IPv6 environments seamless for users," he says.


Security concerns of moving from IPv4 to IPv6

"Security could become the Achilles heel of the IPv6 switchover," said Mark Lewis, director services development at networking firm Interoute.

In the IPv4 world, securing the LAN from cyber attacks and intrusions is far easier, he says, and with multiple enterprise devices sharing a single IPv4 address, internet-facing devices such as firewalls act as a single point of protection and control.

"In contrast, IPv6 is designed for a world where everything can speak to everything else. With IPv6 becoming ubiquitous, every PC, mobile phone, tablet, printer and vending machine could potentially be an undercover agent inside the office, working to bring down the corporate network," he said.

It could leave organisations wide open to attack given how many of those devices are portable and neither controlled by IT nor sitting inside IT-secured networks, says Lewis. Every device will need to be identified and protected, including every new phone, tablet and laptop, before it is allowed to engage with the corporate network, creating a significant headache for enterprise IT teams to solve.


Dangers of running IPv6 by default

Another easy-to-miss danger is that some companies are using IPv6 without being aware of it, because it is enabled by default on most of the latest operating systems and network devices, says James Lyne, director of technology strategy at security firm Sophos.

Businesses should be switching IPv6 off until their systems are properly configured, he says, as many firewalls focus exclusively on IPv4 and will not filter IPv6 traffic at all, opening up security holes.

"Running IPv6 by default could allow attackers to bypass security controls and wreak havoc," said Lyne.
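
One way to check a host for the gap described above, as an added example that is not part of the original article: the Python code below compares IPv4 and IPv6 firewall rule dumps and reports chains where IPv6 is filtered less strictly. It assumes a Linux host using iptables and ip6tables; the function names are illustrative and the two rule dumps are constructed samples.

```python
# Constructed sample dumps in `iptables -S` / `ip6tables -S` format; on a real
# Linux host, capture the output of those two commands instead.
IPV4_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
IPV6_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

def parse_ruleset(dump):
    """Return ({chain: default policy}, {chain: count of appended rules})."""
    policies, counts = {}, {}
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "-P":
            policies[fields[1]] = fields[2]
        elif len(fields) >= 2 and fields[0] == "-A":
            counts[fields[1]] = counts.get(fields[1], 0) + 1
    return policies, counts

def ipv6_gaps(v4_dump, v6_dump):
    """List built-in chains where IPv6 is filtered less strictly than IPv4."""
    v4_pol, v4_cnt = parse_ruleset(v4_dump)
    v6_pol, v6_cnt = parse_ruleset(v6_dump)
    findings = []
    for chain in sorted(v4_pol):
        p4 = v4_pol[chain]
        # Assumption: a chain absent from the IPv6 dump is treated as ACCEPT.
        p6 = v6_pol.get(chain, "ACCEPT")
        n4, n6 = v4_cnt.get(chain, 0), v6_cnt.get(chain, 0)
        if p4 != "ACCEPT" and p6 == "ACCEPT":
            findings.append(f"{chain}: IPv4 default {p4}, IPv6 default ACCEPT")
        elif p6 == "ACCEPT" and n4 > 0 and n6 == 0:
            findings.append(f"{chain}: {n4} IPv4 rules, no IPv6 rules")
    return findings

if __name__ == "__main__":
    for finding in ipv6_gaps(IPV4_RULES, IPV6_RULES):
        print(finding)
```

An empty result means the IPv6 default policies are at least as strict as the IPv4 ones; it does not prove the individual IPv6 rules are equivalent.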


How can organisations ensure their systems are safe? 


There are four things that organisations can and should be doing to ensure they make the transition to IPv6 safely.

1. Keep tunnels to a minimum

First, they should be cautious when using tunnelling during the initial overlap period. While tunnels can provide vital connectivity between IPv4 and IPv6 components or enable IPv6 in parts of networks still based on IPv4, they can introduce security risks, warns Lyne.

"Tunnels can cut through perimeter firewall rules and could allow attackers to connect to resources inside the 'hard shell' of an organisation's network without its knowledge," he said.

For this reason, Lyne recommends that in transitioning to IPv6, organisations should keep tunnels to a minimum and use them only where absolutely necessary.
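
Keeping tunnels to a minimum starts with finding the ones already in use. The following added example (not from the original article) flags raw IPv4 packets that carry tunnelled IPv6; it goes beyond the article by naming the standard transition mechanisms (6in4, 6to4, ISATAP and Teredo), and the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41   # IANA protocol number used by 6in4, 6to4 and ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544        # IANA-assigned Teredo server port
SIXTOFOUR = ipaddress.ip_network("2002::/16")   # 6to4 address prefix

def classify_tunnel(packet):
    """Return a label if a raw IPv4 packet carries tunnelled IPv6, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "proto-41 (malformed inner packet)"
        inner_src = ipaddress.IPv6Address(payload[8:24])
        return "6to4" if inner_src in SIXTOFOUR else "6in4/ISATAP"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Port match only: a first-pass indicator, not proof of Teredo.
        if TEREDO_PORT in (sport, dport):
            return "Teredo"
    return None

def ipv4_packet(proto, payload):
    """Build a constructed IPv4 packet (checksum left at 0) for the samples."""
    src, dst = (ipaddress.IPv4Address(a).packed for a in ("192.0.2.10", "198.51.100.7"))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return header + payload

def ipv6_header(src, dst="2001:db8::1"):
    """Build a constructed 40-byte IPv6 header with no upper-layer payload."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed sample packets (documentation address ranges), not captured traffic.
SAMPLES = {
    "6to4": ipv4_packet(41, ipv6_header("2002:c000:20a::1")),
    "configured": ipv4_packet(41, ipv6_header("2001:db8:1::5")),
    "teredo": ipv4_packet(17, struct.pack("!HHHH", 51000, 3544, 8, 0)),
    "plain_tcp": ipv4_packet(6, bytes(20)),
}

if __name__ == "__main__":
    print({name: classify_tunnel(pkt) for name, pkt in SAMPLES.items()})
```

Any hit at the perimeter that does not correspond to a tunnel the organisation deliberately configured is a candidate for blocking or investigation.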

2. Tailor network structure to IPv6

Another security danger lies in the fact that the network layout under IPv6 is different from the layout under IPv4, so simply replicating an existing set-up will not get the best out of IPv6, including the various security enhancements built into the protocol.

Organisations should plan to redesign their network structure from the start, rather than running multiple migrations, to avoid problems with security and performance, says Lyne.

3. Check compatibility at protocol level

IPv6 could also introduce risks at the protocol level, he says, so it is important to check that an organisation's entire networking infrastructure is compatible and all software and patching is up to date. "Many organisations do not include their network infrastructure in their patching plans, which can leave them open to very nasty attacks," said Lyne.

4. Review perimeter-level security

While internet protocol security (IPSec) is automatically part of IPv6, the end-to-end encryption may interfere with some perimeter-level security processes, so Lyne says protection may have to migrate closer to the desktop level, and organisations should ensure desktop security includes data loss prevention and web security. They may also have to upgrade or reconfigure their firewalls.

"Organisations should check that their endpoint provider has the full range of controls required to replace conventional perimeter controls," he says.


Planning is key

While the transition to IPv6 is no reason to panic, says Lyne, it is far better to spot potential problems at the planning stage than halfway through the implementation. The key is to take the transition step by step to ensure all bases are covered before starting, particularly from a security point of view.
