By Jason L. Stradley, US&C Security Practice Lead, BT
The drivers for the adoption of IPv6 continue to mount. IPv4 address space exhaustion, the proliferation of more diverse and larger quantities of smart devices and the demand for real-time services over the internet are all inexorably moving us to an IPv6 world.
IPv6 will be a major force in alleviating those issues and expanding the use of the internet far into the future. When it comes to innovation, however, every step forward can bring additional risks with it.
Areas of potential risk and many misconceptions are associated with the adoption of IPv6
So it is with IPv6: there are a variety of security concerns and risk areas that need to be addressed as an organisation migrates toward an IPv6 world.
The IPv6 protocol will not make an organisation more secure than it is today using the IPv4 protocol. IPv6 is a network protocol occupying layers 2, 3 and 4 of the OSI stack and as such will have literally no impact on the application layers. This means that if your website is vulnerable to cross-site scripting attacks today, that application will also be vulnerable to the same type of attack if converted to an IPv6 set of protocols.
A common misconception is that without network address translation (NAT), a given organisation’s internal network will be less secure.
Is security through obscurity the answer?
On the contrary, NAT is a prime example of security through obscurity, a practice that is frowned upon by most security veterans. NAT is not a security capability at all; it reduces the effectiveness of real security utilities such as Virtual Private Networks (VPN) and creates a set of challenges for the functionality of real-time applications such as Voice over IP (VOIP) and internet-based TV (IPTV). The deprecation of NAT from the network architecture in an IPv6 world will allow for true end-to-end security and the ability to make use of real-time applications in a very efficient and effective manner.
Security risks in transition from IPv4 to IPv6
The transition to IPv6 itself poses potential security risks. It has been estimated that once the adoption of IPv6 begins en masse there will be hybrid IPv4/IPv6 networks in place for as long as 15 years. While several transition methods have been devised, the ‘Dual Stack’ method has emerged as the one that appears to carry the least operational risk for the enterprise. This ‘Dual Stack’ approach is exactly what it sounds like: a given node in an enterprise runs an IPv4 and an IPv6 stack concurrently and communicates independently over the same media.
On a very simplistic level this potentially doubles the attack surface of any given node. At the very least it allows the weakness of one protocol to undermine the strengths of the other. For example, in an IPv6 world, network reconnaissance as we understand it today becomes very difficult compared with an IPv4 network. With a single subnet that can hold 2^64 addresses (184467441 followed by 11 zeros), a traditional network scanning tool would take years to scan that address space entirely. For a node running a ‘Dual Stack’, however, the reconnaissance could be accomplished using the IPv4 address space and, once the node is enumerated, it could be exploited through the IPv6 stack.
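The practical defender's response to the dual-stack problem is to know which hosts are actually dual-stacked, since the IPv4 inventory alone will not tell you. The following is an added example, not code from the article or from BT: it joins the IPv4 and IPv6 neighbour tables on the link-layer (MAC) address, which is the attribute both stacks share, and reports every host that answers on both families with a global IPv6 address. It also sizes the reconnaissance asymmetry the text describes by computing how long a full sweep of a /64 would take at a given probe rate. The neighbour-table lines are constructed in the format of Linux `ip -4 neigh` / `ip -6 neigh` output; the addresses and MACs are sample values.

```python
"""Added example: inventory dual-stack hosts from neighbour tables.

Joins IPv4 and IPv6 neighbour entries on the MAC address so that a host
which is only tracked in the IPv4 asset list still shows up with its
(reachable) global IPv6 address.  Sample data is constructed, not captured.
"""
import re

# Constructed sample output in the shape of `ip -4 neigh` on Linux.
NEIGH_V4 = """\
192.0.2.10 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
192.0.2.11 dev eth0 lladdr 52:54:00:aa:bb:02 STALE
192.0.2.12 dev eth0 lladdr 52:54:00:aa:bb:03 REACHABLE
"""

# Constructed sample output in the shape of `ip -6 neigh` on Linux.
# Link-local (fe80::/10) entries are present for every IPv6 node and are
# not counted as exposure; only global addresses are.
NEIGH_V6 = """\
2001:db8:1::10 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
fe80::5054:ff:feaa:bb01 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
2001:db8:1::12 dev eth0 lladdr 52:54:00:aa:bb:03 STALE
fe80::5054:ff:feaa:bb03 dev eth0 lladdr 52:54:00:aa:bb:03 STALE
2001:db8:1::99 dev eth0 lladdr 52:54:00:aa:bb:09 REACHABLE
"""

NEIGH_RE = re.compile(r"^(?P<addr>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})")


def parse_neigh(text: str) -> dict:
    """Map link-layer address -> set of IP addresses seen for it."""
    by_mac: dict = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # entries without an lladdr (FAILED/INCOMPLETE) are skipped
            by_mac.setdefault(m["mac"].lower(), set()).add(m["addr"])
    return by_mac


def dual_stack_inventory(v4_text: str, v6_text: str) -> dict:
    """Per-MAC view of which address families a host is reachable on."""
    v4, v6 = parse_neigh(v4_text), parse_neigh(v6_text)
    report = {}
    for mac in set(v4) | set(v6):
        global_v6 = {a for a in v6.get(mac, set()) if not a.lower().startswith("fe80:")}
        report[mac] = {
            "ipv4": sorted(v4.get(mac, set())),
            "ipv6_global": sorted(global_v6),
            # A host is an exposure risk in the sense of the article when it
            # can be found over IPv4 and then reached over IPv6.
            "dual_stack": bool(v4.get(mac)) and bool(global_v6),
        }
    return report


def dual_stack_hosts(report: dict) -> list:
    """MACs that answer on both IPv4 and global IPv6."""
    return sorted(mac for mac, info in report.items() if info["dual_stack"])


def full_sweep_seconds(address_count: int, probes_per_second: int) -> float:
    """Time to probe every address once at a fixed rate (no parallelism gains)."""
    return address_count / probes_per_second


if __name__ == "__main__":
    inv = dual_stack_inventory(NEIGH_V4, NEIGH_V6)
    for mac in dual_stack_hosts(inv):
        print(f"dual-stack host {mac}: {inv[mac]['ipv4']} + {inv[mac]['ipv6_global']}")
    # IPv6-only nodes that an IPv4-centric inventory would never list.
    for mac, info in inv.items():
        if not info["ipv4"] and info["ipv6_global"]:
            print(f"IPv6-only host {mac}: {info['ipv6_global']}")
    years = full_sweep_seconds(2**64, 1_000_000) / (365 * 86400)
    print(f"sweeping one /64 at 1M probes/s takes about {years:.0f} years; a /24 takes "
          f"{full_sweep_seconds(256, 1_000_000):.4f} s")
```

Run against real neighbour tables by replacing the constructed strings with the output of `ip -4 neigh` and `ip -6 neigh` from a router or a host on each segment; any MAC the script flags as dual-stack needs its IPv6 side covered by the same firewall policy and monitoring as its IPv4 side, and any IPv6-only MAC is a device the IPv4 asset list has never seen.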
Look to the protocols
Some of the potential risk areas around the IPv6 protocol suite stem from the protocol itself and from the fact that the transition time from IPv4 to IPv6 will not be brief. Some believe that complete transition to an IPv6 environment on a global basis could take as long as 10 to 15 years once the transition moves into top gear.
An example of a risk area within the IPv6 protocol itself is ‘Flow Labeling’, a capability in the IPv6 stack to ‘tag’ a particular traffic flow and, through a request from the originator, give that flow special handling. Services such as VOIP and IPTV will benefit from such capabilities. The security concern associated with this capability is the potential for denial-of-service attacks and for theft of service by unauthorised traffic that sets labels it is not entitled to.
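Because the flow label is set by the originator of the packet, a network that honours it for special handling has to decide which sources it trusts to set it. The following is an added example, not code from the article or from BT: it decodes the 40-byte IPv6 fixed header (version, traffic class, 20-bit flow label, payload length, next header, hop limit, addresses) and runs a small audit over a batch of packets, reporting sources outside the trusted prefixes that request special handling with a non-zero label, and sources that cycle through many distinct labels, which is the pattern that exhausts per-flow state on devices that key QoS or flow tables on the label. The trusted prefix, the addresses and the packets themselves are constructed sample values; the churn threshold of 8 is an assumed tuning knob, not a figure from the article.

```python
"""Added example: decode the IPv6 fixed header and audit flow-label use.

Header layout per RFC 8200: 4-bit version, 8-bit traffic class, 20-bit
flow label, 16-bit payload length, 8-bit next header, 8-bit hop limit,
128-bit source, 128-bit destination.  All sample traffic is constructed.
"""
import ipaddress
import struct
from collections import defaultdict

IPV6_HEADER_LEN = 40


def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the fixed header; raises on truncated or non-IPv6 input."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("packet shorter than the IPv6 fixed header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version field = {version})")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,          # low 20 bits
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def build_ipv6_header(src: str, dst: str, flow_label: int = 0, traffic_class: int = 0,
                      next_header: int = 17, payload_len: int = 0, hop_limit: int = 64) -> bytes:
    """Construct a header for the sample traffic below (test data only)."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def audit_flow_labels(packets, trusted_prefixes, churn_threshold: int = 8) -> dict:
    """Report (a) untrusted sources requesting special handling via a non-zero
    label and (b) sources using many distinct labels (flow-state churn)."""
    trusted = [ipaddress.IPv6Network(p) for p in trusted_prefixes]
    labels_by_src = defaultdict(set)
    untrusted_labelled = set()
    for pkt in packets:
        h = parse_ipv6_header(pkt)
        if h["flow_label"] == 0:        # label 0 = no special handling requested
            continue
        labels_by_src[h["src"]].add(h["flow_label"])
        if not any(h["src"] in net for net in trusted):
            untrusted_labelled.add(h["src"])
    churners = {s for s, labels in labels_by_src.items() if len(labels) >= churn_threshold}
    return {
        "untrusted_labelled": sorted(map(str, untrusted_labelled)),
        "label_churn": sorted(map(str, churners)),
    }


# Constructed sample: an internal VoIP gateway (trusted) and two external
# hosts, one of which rotates labels on every packet.
TRUSTED_PREFIXES = ["2001:db8:1::/48"]
VOIP_DST = "2001:db8:1::5"
SAMPLE_PACKETS = [
    build_ipv6_header("2001:db8:1::10", VOIP_DST, flow_label=0x1234),   # trusted, labelled
    build_ipv6_header("2001:db8:1::11", VOIP_DST, flow_label=0),        # trusted, unlabelled
    build_ipv6_header("2001:db8:ffff::1", VOIP_DST, flow_label=0x1234),  # untrusted, labelled
] + [
    build_ipv6_header("2001:db8:ffff::2", VOIP_DST, flow_label=0x40000 + i)  # untrusted, churn
    for i in range(10)
]


if __name__ == "__main__":
    hdr = parse_ipv6_header(SAMPLE_PACKETS[0])
    print(f"{hdr['src']} -> {hdr['dst']} flow_label=0x{hdr['flow_label']:05x}")
    print(audit_flow_labels(SAMPLE_PACKETS, TRUSTED_PREFIXES))
```

The audit is intentionally policy-agnostic: the usual mitigation at the edge is to clear or ignore labels arriving from untrusted sources and to honour them only from prefixes that are entitled to the special handling, and the two lists this function returns are exactly the inputs an operator needs to write that rule and to spot a source that is churning labels to consume flow state.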