By Bruce Bonsall, CISSP, Senior Security Strategist, BT US&C
It has been almost six months since major Internet players such as Google and some ISPs began using version 6 of the Internet Protocol (IPv6). On June 6th of 2012, companies began to use IPv6 features and the transition from the earlier version of the Internet Protocol (IPv4) began. This transition is sure to take years because it isn’t a forced march at all. The ability to take advantage of IPv6 has been built into a lot of operating systems, applications, and networking equipment for the better part of a decade now.
IPv6 was described in the Internet Engineering Task Force’s standard RFC 2460, published in December 1998. It’s been a long time coming, and it was necessitated by the phenomenal growth of Internet use, particularly by Internet-enabled smart phones. In short, the Internet was running out of addresses.
When IPv4 was created, it allowed for about 4.29 billion distinct addresses. Today there are approximately 1 billion smart phones in use, in addition to nearly a billion Internet-connected PCs. The addresses provided by IPv4 are pretty much exhausted at this point, making the implementation of IPv6 vitally important to the continued growth of the Internet.
Another very important benefit of IPv6 is the improved degree of security afforded by it. IPv4 was designed with almost no thought towards security but IPv6 was designed with security in mind. A cryptographic algorithm used in IPv6 helps to make spoofing IP addresses more difficult.
Despite having been defined and published well over a decade ago, and despite the improved security of version 6, not many companies have fully implemented it yet. This slow adoption rate introduces its own risks, because major technology vendors such as Microsoft have created transition technologies intended to help bridge the old IPv4 world with the emerging IPv6 world.
A prime example of transition technology is Teredo (RFC 4380). Teredo creates a sort of tunnel that allows the traffic created in the IPv6 world to pass through and into the older IPv4 infrastructure. One concern is that the tunnel uses UDP, an inherently insecure protocol. Traffic that originates as IPv6 is likely to end up, during these transition years, on a network still running IPv4.
Another good example of complications brought about by this transition is the Internet Connection Firewall (ICF) that was included with Microsoft’s Server 2003. It can only filter IPv4 traffic and it can’t block IPv6 traffic. Attackers can get into your network with IPv6 packets if you don’t implement additional firewall technology capable of filtering IPv6.
Considering the vastness of the Internet landscape, a transitional period is no doubt necessary, but far too few have any idea of the implications introduced by the lack of certainty over Internet traffic security. Once everyone at both ends and the middle of an Internet connection is fully migrated to IPv6, a significant improvement in security can be realized. Until then, network security won’t be much better and could even be worse, particularly for those who don’t make time to understand the transition implications.
At the very least, organizations should at this point be implementing IPv6 in parallel with IPv4 in preparation for making the complete change. Supporting both protocols is a safer bet for avoiding interruptions as the rest of the world transitions too. And, during the transition period, organizations should be closely monitoring their IPv4 tunnels and inspecting all packets for malicious traffic. If you’re already doing a good job of monitoring the network, get even better at it. Plenty of information about the ten-year-old IPv6 protocol is publicly available with which to educate oneself and others. The Internet Engineering Task Force (IETF) and the National Institute of Standards and Technology (NIST) are good places to start learning about IPv6 and related security.
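One way to start on the tunnel monitoring described above, as an added example that is not part of the original article: the Python below flags flow records that look like transition traffic and decodes the IPv4 endpoints embedded in a Teredo address. It goes beyond Teredo to cover 6to4 addresses and IPv6-in-IPv4 encapsulation (IP protocol 41); the flow-record fields (src, dst, proto, dport) and the sample records are assumptions constructed for illustration.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")     # Teredo (RFC 4380)
SIXTOFOUR_PREFIX = ipaddress.ip_network("2002::/16")  # 6to4 (RFC 3056)
TEREDO_UDP_PORT = 3544                                # Teredo server port
PROTO_UDP, PROTO_IPV6_IN_IPV4 = 17, 41                # IP protocol numbers

def decode_teredo(addr):
    """Return the IPv4 endpoints embedded in a Teredo address, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in TEREDO_PREFIX:
        return None
    raw = int(ip)
    return {
        "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
        "flags": (raw >> 48) & 0xFFFF,
        # The mapped port and client address are stored bit-inverted.
        "client_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }

def classify_flow(flow):
    """Label one flow record (hypothetical schema) as tunnel traffic, or None."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst.version == 4:
        if flow["proto"] == PROTO_UDP and flow["dport"] == TEREDO_UDP_PORT:
            return "teredo-udp"        # client talking to a Teredo server
        if flow["proto"] == PROTO_IPV6_IN_IPV4:
            return "ipv6-in-ipv4"      # raw IPv6 encapsulated in IPv4
        return None
    if dst in TEREDO_PREFIX:
        return "teredo-address"
    if dst in SIXTOFOUR_PREFIX:
        return "6to4-address"
    return None

# Constructed sample flow records (documentation address ranges only).
SAMPLE_FLOWS = [
    {"src": "192.0.2.45", "dst": "198.51.100.7", "proto": 17, "dport": 3544},
    {"src": "192.0.2.45", "dst": "203.0.113.9", "proto": 41, "dport": 0},
    {"src": "192.0.2.45", "dst": "203.0.113.80", "proto": 6, "dport": 443},
    {"src": "2001:db8::10", "dst": "2001:0:c633:6407:8000:63bf:3fff:fdd2",
     "proto": 6, "dport": 443},
]

def scan(flows):
    """Return (label, flow) for each record that looks like transition traffic."""
    return [(label, f) for f in flows if (label := classify_flow(f))]

if __name__ == "__main__":
    for label, f in scan(SAMPLE_FLOWS):
        print(label, f["src"], "->", f["dst"], decode_teredo(f["dst"]) or "")
```

Decoding the embedded addresses matters because a Teredo IPv6 address in a log otherwise hides which IPv4 server and which client endpoint are actually involved.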
It looks like evolving networks to IPv6 will be a good thing in the end, but the transition period might be a bit turbulent.