The move to IPv6 will end the shortage of IP addresses, starting on IPv6 Launch Day, but security issues remain.
Today is World IPv6 Launch Day, the deadline for major service providers to cut over to the new IP protocol, which could potentially help to lure the rest of the world to move in that same direction.
In some respects, the deadline is seen as a non-event since many of the organisations required to cut over to v6 have done so long ago.
From a security standpoint, the industry’s move towards two versions of the Internet Protocol will introduce an additional layer of complexity. And, where there is complexity, therein lies an additional level of vulnerability. The degree to which IPv6 will foster new security threats depends upon whom you ask.
“I personally think the security issues around IPv6 are more mundane than technical and have more to do with the fact that people running local networks are not as accustomed to IPv6,” said Cricket Liu, vice president, architecture and technology at Infoblox.
“They're probably going to make some accidental errors in set-up and configuration around routers and firewalls, and things like that.”
The deadline applies to large service providers and not enterprise networks, which are far more likely to continue to run Version 4 for the foreseeable future. But, Liu says many networks have IPv6 running in part and oftentimes without the knowledge of network managers or channel partners with whom they work.
This is often caused by the introduction of new devices that have IPv6 active by default.
“Partners need to be aware that IPv6 is already here and running internally on their customers’ networks,” said Liu.
“Tools that help them to discover ways in which IPv6 is already operating on the network are an important thing for them to have. They also need to understand the differences in the functional capabilities of the gear that they sell. IDS and IPS capabilities are pretty limited over IPv6. But, I think firewalls are getting better.”
A channel opportunity
Infoblox's Liu added that the transition opens new opportunities for channel partners to conduct assessments for customers, looking at all their external-facing gear in terms of what is ready for IPv6 and what needs to be upgraded or replaced in order to enhance security.
“With IPv6 coming online, it's a chance to look at the internal network once again and look beyond the firewall,” he said.
“In a few years, IPv6 will be more widely deployed at the customer prem, and we will be moving away from private addressing. Once we move into an environment where we’ve got global unicast addresses on internal networks, this will bring about more scrutiny to the threats at the perimeter of the network.”
The opportunity for assessments makes sense to Bob Hinden, a Check Point “fellow” and co-inventor of IPv6.
“You want to make sure that all of your security devices have the proper versions that support IPv6,” Hinden told CRN.
“We have many customers who are very conservative about upgrading, but this transition is a very good reason to upgrade,” he said, adding that customers can “then take the next step of creating rules in [their] firewall to ensure consistency with the preferred security policies.”
One potential vulnerability involves the encapsulation of IPv4 traffic over IPv6.
“Encapsulation standards are all over the map,” said Carl Herberger, vice president of security at Radware.
“This situation causes problems with security inspections because if I can send an attack that exploits Version 4 vulnerabilities through a Version 6 inspection module, I’ve got a pretty high chance of success because the Version 6 inspection module will not be able to read it. And we haven't been able to resolve this problem yet.”
However, some disagree with this view, pointing to variables in firewall deployment.
“I don't think it's going to be that difficult to address the encapsulation issue,” responded Hinden. “It's about how you deploy the firewall. Security technology has gotten good at going beyond the transport layer.
So if you didn't do deep packet inspection or application control or URL control, then this provides another set of things that you need to know about when you're doing those things.”
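Two of the points above, that IPv6 is often already running on internal networks without the owner's knowledge (Liu) and that encapsulated traffic can slip past an inspection module built for the other protocol version (Herberger, Hinden), both come down to visibility. The script below is an added example, not code from the article or from any of the vendors quoted: it takes constructed flow records (the record format and all addresses are made up for this example) and reports which hosts already use global IPv6 addresses, which hosts are sending router advertisements, and which flows carry one IP version inside the other (6in4 on IP protocol 41, Teredo on UDP/3544, and IPv4 inside IPv6 on next header 4), so that an assessment can check whether the firewall and IDS actually inspect that traffic.

```python
"""Added example (not from the article): flag IPv6 activity and tunnel traffic
in constructed flow records. Record format and sample data are constructed."""
import ipaddress
from collections import defaultdict

# Well-known IPv6 prefixes used for classification (RFC 4291, 4193, 3056, 4380).
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")          # unique local, the v6 analogue of RFC 1918
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4 addresses embed an IPv4 address
TEREDO = ipaddress.ip_network("2001::/32")       # Teredo addresses (IPv6 over UDP)
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

ICMP6_ROUTER_ADVERTISEMENT = 134
TEREDO_PORT = 3544

# Constructed sample records: src, dst, IP protocol / next-header number,
# destination port (if any) and ICMPv6 type (if any).
SAMPLE_FLOWS = [
    # A printer announcing itself as a router on the LAN (rogue RA risk).
    {"src": "fe80::1", "dst": "ff02::1", "proto": 58, "dport": None, "icmp6_type": 134},
    # A workstation with a global address talking to an outside web server.
    {"src": "2001:db8:1::10", "dst": "2001:db8:ff::80", "proto": 6, "dport": 443, "icmp6_type": None},
    # Link-local neighbor solicitation, expected on any v6-capable LAN.
    {"src": "fe80::20", "dst": "ff02::1:ff00:10", "proto": 58, "dport": None, "icmp6_type": 135},
    # IPv6-in-IPv4 tunnel (6in4, protocol 41) leaving the site.
    {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": 41, "dport": None, "icmp6_type": None},
    # Teredo: IPv6 over UDP port 3544 from a host behind NAT.
    {"src": "192.0.2.11", "dst": "198.51.100.2", "proto": 17, "dport": 3544, "icmp6_type": None},
    # IPv4-in-IPv6 (next header 4) between two global v6 hosts.
    {"src": "2001:db8:1::20", "dst": "2001:db8:ff::1", "proto": 4, "dport": None, "icmp6_type": None},
    # Plain IPv4 traffic, nothing to report.
    {"src": "192.0.2.12", "dst": "198.51.100.3", "proto": 6, "dport": 80, "icmp6_type": None},
]


def classify_v6(addr):
    """Return a short label for the scope/type of an address ("v4" for IPv4)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return "v4"
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in SIX_TO_FOUR:        # checked before the generic global range
        return "6to4"
    if ip in TEREDO:
        return "teredo"
    if ip.is_multicast:
        return "multicast"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def tunnel_kind(flow):
    """Name the encapsulation a flow uses, or None if it is not a tunnel."""
    src = ipaddress.ip_address(flow["src"])
    if src.version == 4 and flow["proto"] == 41:
        return "ipv6-in-ipv4 (protocol 41)"
    if src.version == 4 and flow["proto"] == 17 and flow["dport"] == TEREDO_PORT:
        return "teredo (udp/3544)"
    if src.version == 6 and flow["proto"] == 4:
        return "ipv4-in-ipv6 (next header 4)"
    return None


def analyze(flows):
    """Summarize which hosts are active on IPv6 and which flows are encapsulated."""
    report = {
        "global_v6_hosts": set(),      # hosts already reachable with global addresses
        "router_advertisers": set(),   # anything sending RAs, legitimate or not
        "tunnels": [],                 # (src, dst, kind) for encapsulated flows
        "v6_host_classes": defaultdict(set),
    }
    for f in flows:
        src_class = classify_v6(f["src"])
        if src_class != "v4":
            report["v6_host_classes"][src_class].add(f["src"])
        if src_class == "global":
            report["global_v6_hosts"].add(f["src"])
        if f["proto"] == 58 and f["icmp6_type"] == ICMP6_ROUTER_ADVERTISEMENT:
            report["router_advertisers"].add(f["src"])
        kind = tunnel_kind(f)
        if kind:
            report["tunnels"].append((f["src"], f["dst"], kind))
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOWS)
    print("Hosts with global IPv6 addresses:", sorted(result["global_v6_hosts"]))
    print("Router advertisers:", sorted(result["router_advertisers"]))
    for src, dst, kind in result["tunnels"]:
        print(f"Encapsulated flow {src} -> {dst}: {kind}")
```

Each reported item maps to a question for the assessment Liu and Hinden describe: a host with a global address is exposed beyond the private-addressing assumptions of the v4 design, an unexpected router advertiser can redirect the whole segment's v6 traffic, and every tunnelled flow is one the inspection devices must be able to decapsulate or the policy should block. On a real network the records would come from flow export or a packet capture rather than the constructed list, and the address classification uses documentation-range and link-local samples only.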
The good and the bad
The pros far outweigh the cons, according to Michael Wheeler, vice president of global IP networks at NTT America in Redmond, WA.
“V6 has a number of inherent benefits, especially if you look at the prospect of every networked device in the world having its own unique identifier, which provides a much higher level of security than what V4 does today. Encapsulation creating a doorway is certainly a concern that needs to be addressed, but I think we can deal with that.”
Wheeler urges partners to “skill-up” on IPv6. The expertise will become more valuable as time goes on, and Wheeler believes it will be instrumental in preventing distributed denial of service attacks.
“DDoS attacks have gotten more sophisticated and the volume has grown over time,” he said. “If v6 were the default protocol, we’d be in a better condition to deal with those threats.”
Overall, the general consensus is that channel partners need to take a comprehensive look at their customers’ security measures. Be sure that the security devices support IPv6 and that the proper features and security policies are enabled.