

IPv6 Presents a Security Paradox for the Network

By Danny McPherson, Chief Security Officer (CSO) for Verisign.

 

Date: 3 Dec 2012

The capabilities IPv6 provides will enhance online security, but the shift to the new Internet address scheme may also present risks if not properly managed. On the early Internet, security was largely an afterthought, as the network's primary purpose was to facilitate open, end-to-end, any-to-any communications and information exchange for bridging and accelerating research efforts. Today, we have a much more complex online ecosystem that spans billions of users across the globe and serves not only as an engine for e-commerce, but as an engine for all commerce.

 

The Internet protocol suite has become the de facto standard for global Internet services and consumers, but it also serves as a near ubiquitous substrate for running critical network infrastructure and business critical applications. Transportation, financial systems, emergency services, utilities, and government applications are just a few examples of services that need absolute availability and robust security. But having robust security is only one part of the solution.

 

At the micro level, the migration of personally identifiable information and proprietary intellectual property online has influenced IPv6 protocol architects to bake additional security into the stack. For example, IPsec is mandatory to implement in IPv6-compliant protocol stacks, while secure neighbour discovery capabilities, privacy addresses, and unique local addresses (ULA) all provide additional security enhancements. While these additional security measures are good for end users, they can present some real challenges for network administrators. For example, one of the biggest - but arguably easiest-to-remedy - pitfalls is that today most networking equipment and end systems are shipped with IPv6 enabled by default. This is ideal to foster IPv6 deployment, but puts the onus on network administrators to have a plan in place to proactively manage IPv6, as leaving it turned on by default without such a plan can create security holes.

 

In an Internet environment with no bad actors it is perfectly reasonable and even requisite to enable IPv6 by default in order to rapidly deploy. However, if network managers aren’t ready for IPv6 in their operating environments, meaning full functional parity from a security and operational perspective, then they really need to disable IPv6 entirely and deploy new devices and hardware in a very calculated manner.

 

With IPv6 usage on the rise, it is critical that networks, equipment, and systems are implemented appropriately to help securely enable its full potential and prevent the creation of inadvertent security issues. Issues that have already been observed include IPv6 being used to compromise systems “under the radar” of IPv4-only sensors, and IPv6 being expressly enabled by miscreants in order to exfiltrate data, facilitate malware propagation, and enable botnet C&C infrastructure and distributed denial of service attacks.

Other considerations for securely implementing IPv6 include the following:

 

Translating IPv4 to IPv6 can itself be a pitfall. Translation is needed because it will take some time before all systems are running on v6, and some may never run IPv6. But IPv4 and IPv6 are not “bits on the wire” compatible, so translating traffic from IPv4 to IPv6 will inevitably result in middle boxes mediating transactions as packets move through the network. Like a mail sorter at a post office transfer facility, transferring payloads from IPv4 to IPv6 packets creates an opportunity for a poor implementation or a bad actor to exploit a potential vulnerability.

Unlike IPv4's variable header size, IPv6 has a 40-byte fixed header, but introduces add-on “extension headers” that may be chained and require complex processing by various systems that handle the packet. These chains could overwhelm firewalls and security gateways. They could even introduce router forwarding performance degradation and be a potential vector for distributed denial of service and other attacks.

 

During a long period of “transitional coexistence,” IPv6 adoption may require large Network Address Translation-Protocol Translation (NAT-PT) devices, as well as end-system or intermediate translation devices and protocols. But these devices complicate the network and could break useful functions like geo-location or tools that security administrators use to identify and mitigate malicious network behaviours, including blacklists (e.g., spam and phishing) and traffic filters.

Because of IPv6's sparse address space, active scanning of infrastructure for unauthorized or vulnerable systems is much more complex than with IPv4. These capabilities need to be augmented with network access controls and active measurement systems that trigger vulnerability scanning.
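
The extension header chaining described above can be bounded at a firewall or sensor by walking the chain with a hard limit. The following is an added example, not part of the original article: the names `walk_chain`, `ext`, `build` and the limit of four headers are assumptions, and the packets are constructed samples.

```python
import struct

# IANA protocol numbers of the extension headers this sketch understands.
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "ah", 60: "dest-opts"}

class ChainError(ValueError):
    """Malformed chain, or one that exceeds the local policy limit."""

def walk_chain(pkt: bytes, max_ext: int = 4):
    """Return (extension header names, upper-layer protocol, payload offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ChainError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []          # Next Header is byte 6 of the fixed header
    while nxt in EXT:
        if len(chain) == max_ext:             # assumed policy cap, not a protocol limit
            raise ChainError("too many extension headers")
        if nxt == 0 and chain:                # RFC 8200: hop-by-hop must come first
            raise ChainError("hop-by-hop header not first")
        if off + 8 > len(pkt):
            raise ChainError("truncated extension header")
        if nxt == 44:
            size = 8                          # fragment header has a fixed size
        elif nxt == 51:
            size = (pkt[off + 1] + 2) * 4     # AH: Payload Len is 4-byte words minus 2
        else:
            size = (pkt[off + 1] + 1) * 8     # others: 8-byte units, first unit excluded
        if off + size > len(pkt):
            raise ChainError("extension header overruns packet")
        chain.append(EXT[nxt])
        nxt, off = pkt[off], off + size
    return chain, nxt, off

def ext(next_hdr: int, units: int = 0) -> bytes:
    """Constructed options header: zero bytes after the length are Pad1 options."""
    return bytes([next_hdr, units]) + bytes(8 * (units + 1) - 2)

def build(first_next: int, *exts: bytes, payload: bytes = b"") -> bytes:
    """Constructed packet: 40-byte fixed header, all-zero addresses, then the chain."""
    body = b"".join(exts) + payload
    return struct.pack("!IHBB", 6 << 28, len(body), first_next, 64) + bytes(32) + body

if __name__ == "__main__":
    samples = {"normal": build(0, ext(60), ext(6), payload=b"x" * 20),
               "long chain": build(60, *[ext(60)] * 8, ext(6)),
               "misplaced hbh": build(60, ext(0), ext(6))}
    for name, pkt in samples.items():
        try:
            print(name, walk_chain(pkt))
        except ChainError as err:
            print(name, "rejected:", err)
```

Rejecting a packet as soon as the limit is reached keeps the per-packet parsing cost fixed, whatever length of chain a sender constructs.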


