How To Get Your Network IPv6 Ready
The Internet Protocol version 4 (IPv4) is the core technology employed in the internet to transfer information from one system to another. For more than 25 years, IPv4 has been the core underlying technology enabling services such as the internet, web-browsing, e-mail and mobile smart-phones. However, as a result of the growth of the internet, IPv4 is unable to provide a unique address to each system willing to interconnect with others.
To overcome the exhaustion of IPv4 addresses, the Internet Protocol version 6 (IPv6) was developed, with enough addresses to allow for the foreseeable future growth of the internet. Its main driver is the increased address space, along with other network-layer security features such as encryption and authentication of communications.
Key Security Concerns of IPv6
IPv6 Transition Mechanisms
During the development of IPv6, one of the requirements was that the new protocol must have flexible transition mechanisms, so that moving to it would be easy. Running IPv4 and IPv6 concurrently within a network is possible and is called “dual stack”. It is one of the common transition strategies currently employed. The other strategies involve different approaches: tunneling, where IPv6 is carried over IPv4 networks that have yet to be migrated to IPv6, and translation, which allows an IPv6-only host to exchange TCP and UDP traffic with an IPv4-only host. Translation works similarly to a Network Address Translator: it translates (TCP, UDP) IPv6 to (TCP, UDP) IPv4, or vice versa.
Running both IPv4 and IPv6 can open the network to attacks on both protocols. Given that IPv6 development is still in its infancy stage, and it is not as “field tested” as IPv4, new bugs and vulnerabilities will surface and be exploited. Adding to the woes, attacks can also evolve to leverage a combination of vulnerabilities in both IPv4 and IPv6 that make it more difficult to detect and mitigate.
Tunneling and translation approaches share the same fate as their close cousin. There are likely to be attacks on the transition mechanisms themselves to gain access to either IPv4 or IPv6 networks. The underground hacker community has already started exploring IPv6, and the protocol is beginning to be well understood by these groups. In fact, IPv6 capabilities have started to be added to several popular hacker tools such as scapy6, parasite6 etc.
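On an IPv4-only monitoring point, the tunneling described above shows up as IPv4 protocol 41 (IPv6 carried directly in IPv4) or as UDP traffic to or from port 3544 (Teredo). The following Python classifier is an added example, not part of the original article; the function names are illustrative and the sample packets are constructed.

```python
import ipaddress
import struct

PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41   # IANA protocol number: IPv6 carried directly in IPv4
TEREDO_PORT = 3544      # well-known UDP port of the Teredo tunneling service

def classify(pkt: bytes):
    """Return (label, inner_src, inner_dst) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("malformed", None, None)
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return ("malformed", None, None)
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto, payload = pkt[9], pkt[ihl:]
    if frag_offset:  # later fragments carry no inner header to inspect
        return ("fragment", None, None)
    if proto == PROTO_IPV6_ENCAP:
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return ("malformed", None, None)
        src = str(ipaddress.IPv6Address(payload[8:24]))
        dst = str(ipaddress.IPv6Address(payload[24:40]))
        return ("ipv6-in-ipv4", src, dst)
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return ("teredo-candidate", None, None)
    return ("plain-ipv4", None, None)

# --- constructed sample packets (checksums left at 0; not validated here) ---
def ipv4(proto, payload, frag=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                       proto, 0, ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.20").packed) + payload

def ipv6(src, dst):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

SAMPLES = {
    "6in4": ipv4(PROTO_IPV6_ENCAP, ipv6("2001:db8::1", "2001:db8::2")),
    "teredo": ipv4(PROTO_UDP, udp(50000, TEREDO_PORT)),
    "dns": ipv4(PROTO_UDP, udp(50000, 53)),
    "truncated": b"\x45\x00",
}
RESULTS = {name: classify(pkt)[0] for name, pkt in SAMPLES.items()}
```

A port match alone only marks a Teredo candidate; confirming it requires inspecting the UDP payload for an encapsulated IPv6 header.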
Limited IPv6 support in security devices
As we know, IPv6 implementations are relatively new in the market. Security products such as firewalls and Network Intrusion Detection Systems have less support for the IPv6 protocols than for their IPv4 counterparts. IPv4 security products that have not been programmed to inspect IPv6 packets in depth can thus allow malicious packets to pass through by taking advantage of the encapsulation of IPsec in IPv6.
There is likely to be a period of time during which defects will be found, and security vendors will need to respond quickly to patch their bugs. Thus, early adopters of IPv6 are encouraged to tread lightly and make sure that security is part of their transition plans.
Lack of trained personnel
Let's face it: most current technical engineers have less confidence with the IPv6 protocols than with their IPv4 counterparts, since IPv4 has been around much longer.
As it is likely these engineers will be asked to deploy IPv6 before their confidence with the protocol matches that of IPv4, it is also likely the security implications of IPv6 may be unknowingly overlooked during deployments. This means that, aside from the security properties of the protocols themselves, the security of these emerging IPv6 deployments will lag that of the existing production IPv4 counterparts.
It should be obvious that, regardless of whether an organization has plans for deploying IPv6 in the future, IT executives and managers must facilitate IPv6 training, particularly in regard to security, for technical personnel, and should encourage experimentation with IPv6 in their environments prior to deployment, such that they gain the necessary know-how before deploying IPv6 in production environments.
Effective security involves finding the right balance between protecting an asset and handling the extra burden security adds to doing business. You should craft a security strategy built on the following approaches:
Complete a risk assessment on how IPv6 and related technologies (such as transition/co-existence technologies) may affect the security of existing IPv4 networks.
Develop a transition plan; IPv6 affects every network and there is no ‘do nothing’ option.
Ensure that relevant staff, e.g. network engineers and security administrators, are confident with IPv6 and related technologies before they are required to deploy and operate IPv6 in production networks.
Work with security product vendors to improve the robustness of their implementations, such that the robustness of IPv6 implementations roughly matches that of typical IPv4 implementations.