IPv6: Secure Your Packets, We’re in for a Bumpy Transition

By Bruce Bonsall, CISSP, Senior Security Strategist, BT US&C

It has been almost six months since major Internet players such as Google and some ISPs began using version 6 of the Internet Protocol (IPv6).  On June 6th of 2012, companies began to use IPv6 features and the transition from the earlier version of the Internet Protocol (IPv4) began. This transition is sure to take years because it isn’t a forced march at all. The ability to take advantage of IPv6 has been built into a lot of operating systems, applications, and networking equipment for the better part of a decade now. 

IPv6 was described in the Internet Engineering Task Force’s standard RFC 2460, published in December 1998. It’s been a long time coming, and it was necessitated by the phenomenal growth of Internet use, particularly by Internet-enabled smart phones. In short, the Internet was running out of addresses.

When IPv4 was created, it allowed for about 4.29 billion distinct addresses, and today there are approximately 1 billion smart phones in use in addition to nearly a billion Internet-connected PCs. The addresses provided by IPv4 are pretty much exhausted at this point, making the implementation of IPv6 vitally important to the continued growth of the Internet.

Another very important benefit of IPv6 is the improved degree of security afforded by it. IPv4 was designed with almost no thought towards security but IPv6 was designed with security in mind. A cryptographic algorithm used in IPv6 helps to make spoofing IP addresses more difficult.

Despite having been defined and published well over a decade ago, and despite the improved security of version 6, not many companies have fully implemented it yet. This slow adoption rate introduces its own risks, because major technology vendors such as Microsoft have created transition technologies intended to help bridge the old IPv4 world with the emerging IPv6 world.

A prime example of transition technology is Teredo (RFC 4380).  Teredo creates a sort of tunnel that allows the traffic created in the IPv6 world to pass through and into the older IPv4 infrastructure.  One of the concerns with that is the tunnel uses the inherently insecure protocol UDP.  Traffic that originates as IPv6 is likely to end up, during these transition years, on a network still running IPv4.

Another good example of complications brought about by this transition is the Internet Connection Firewall (ICF) that was included with Microsoft’s Server 2003. It can only filter IPv4 traffic and it can’t block IPv6 traffic. Attackers can get into your network with IPv6 packets if you don’t implement additional firewall technology capable of filtering IPv6.

Considering the vastness of the Internet landscape, a transitional period is no doubt necessary, but far too few have any idea of the implications introduced by the lack of certainty over Internet traffic security. Once everyone at both ends and in the middle of an Internet connection is fully migrated to IPv6, a significant improvement in security can be realized. Until then, network security won’t be much better and could even be worse, particularly for those who don’t make time to understand the transition implications.

At the very least, organizations should at this point be implementing IPv6 in parallel with IPv4 in preparation for making the complete change. Supporting both protocols is a safer bet for avoiding interruptions as the rest of the world transitions too. And, during the transition period, organizations should be closely monitoring their IPv4 tunnels and inspecting all packets for malicious traffic. If you’re already doing a good job of monitoring the network, get even better at it. Plenty of information about the ten-year-old IPv6 protocol is publicly available with which to educate oneself and others. The Internet Engineering Task Force (IETF) and the National Institute of Standards and Technology (NIST) are good places to start learning about IPv6 and related security.
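One way to start monitoring for the Teredo tunnels described above, as an added example that is not part of the original article: a Python check that looks inside an IPv4/UDP packet for an encapsulated IPv6 header and recovers the server and client IPv4 addresses embedded in a Teredo (2001::/32) address. The packet builders and the sample addresses (documentation ranges) are constructed for the demonstration, and the optional Teredo authentication header is not handled.

```python
import ipaddress
import struct

TEREDO_PORT = 3544  # UDP port used by Teredo servers (RFC 4380)

def ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP packet (checksums zero) as constructed input."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + udp

def ipv6_header(src, dst):
    """Build a bare 40-byte IPv6 header (next header 59 = no payload)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def find_teredo(packet):
    """Describe IPv6 tunnelled in an IPv4/UDP packet, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return None                      # not IPv4 carrying UDP
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8:
        return None                      # truncated or malformed header
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data = packet[ihl + 8:]
    if data[:2] == b"\x00\x00":          # 8-byte Teredo origin indication
        data = data[8:]
    if len(data) < 40 or data[0] >> 4 != 6:
        return None                      # no IPv6 header in the UDP payload
    src6 = ipaddress.IPv6Address(data[8:24])
    dst6 = ipaddress.IPv6Address(data[24:40])
    pair = src6.teredo or dst6.teredo    # (server, client) for 2001::/32
    on_port = TEREDO_PORT in (sport, dport)
    if not pair and not on_port:
        return None
    return {"inner_src": str(src6), "inner_dst": str(dst6), "on_port": on_port,
            "server": str(pair[0]) if pair else None,
            "client": str(pair[1]) if pair else None}

# Constructed sample: Teredo client 192.0.2.45 using server 198.51.100.1.
INNER = ipv6_header("2001:0:c633:6401:8000:63bf:3fff:fdd2", "2001:db8::1")
SAMPLE = ipv4_udp("192.0.2.45", "198.51.100.1", 40000, TEREDO_PORT, INNER)

if __name__ == "__main__":
    print(find_teredo(SAMPLE))
```

Because the check keys on the inner IPv6 header as well as the port, it also flags Teredo-addressed traffic relayed on other UDP ports, which an IPv4-only filter would pass as ordinary UDP.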

It looks like evolving networks to IPv6 will be a good thing in the end, but the transition period might be a bit turbulent. 

Comments

  1. Dave Walker says:

    Good article. The transition is indeed going to be a bit bumpy; from an Internet of v4, to islands of 6 in a sea of 4, to islands of 4 in a sea of 6 (and as there’s plenty of kit – lots of SCADA, to begin with – we’ll never actually get to a pure v6 Internet). Tunnelling technologies have their different pros and cons; as well as Teredo, there’s 6in4, 6over4 and at least one other, whose name I forget right now. It’s probably also worth having a look at what Cloudflare are up to – they have a 6-4 proxy as a cloud service, which looks interesting.

    The point most worth making – and which the post makes – is that IPv4 security and IPv6 security should be treated as wholly separate domains; while you’re dual-stacked, you need to implement appropriate security measures in both stacks, and it can’t be assumed that a device with one non-duplicated configuration will protect both kinds of stack.

    I have reason to test some infrastructure things with IPv6, and I’m hoping that BT Infinity for Business starts offering static IPv6 addresses soon, so I can purchase some to go with the IPv4 /29 subnet I have now :-).

  2. I’m not sure I can agree with this statement “IPv4 security and IPv6 security should be treated as wholly separate domains”.

    I think that you need an overall security posture and plan that encompasses both IPv4 and IPv6. Your posture and intent should be identical for both, even if you are forced by current technology to provide separate implementations.

    Or we might be in agreement and it is just a matter of phrasing?

Trackbacks

  1. […] a move in IETF to declare 6to4 technologies (including Teredo) as “historic”. Teredo will complicate network security until it is […]
