Gradual move to IPv6 makes time to address security threats
The slow transition to IPv6 may be advantageous for network security, according to one National Security Agency official.
Neal Ziring, technical director of NSA's Information Assurance Directorate, said an organization's main goals during IPv6 integration should be to avoid weakening their network's security and to ensure that existing operational capabilities are maintained.
Since the 'transition will be gradual, that's a good thing because it gives us time to address the security threats,' Ziring said yesterday during an Information Assurance Collaboration Forum on IPv6 security concerns at the Johns Hopkins Applied Physics Lab in Laurel, Md. 'An organization's mission capabilities must continue to function through transition,' he added.
As federal agencies work to transition their network backbones to IPv6 by June 30, Ziring's concern is mitigating security risks. The transition mechanisms available to assist IPv6 implementation are generally summarized into three areas: dual-stack, tunneling and translation approaches. Ziring cautioned that each transition mechanism brings its own security risks.
A dual-stack network has IPv4 and IPv6 running concurrently on a network. Many networks will have both protocols co-existing for a period that could last for decades. The main risk is to avoid allowing attacks that use one protocol 'to evade restrictions posed by the other,' according to Ziring. For example, it is possible for an attacker to deny service on the IPv4 network by attacking the IPv6 side of the network.
Many network administrators will ease into IPv6 by using tunneling techniques that allow for IPv6-enabled edge devices to pass traffic over an IPv4 core network. This poses the risk of 'tunnel traffic injection.' which Ziring advises can be mitigated by encrypting traffic in IPv6-over-IPv4 tunnels.
In addition, tunnels may allow an attacker to evade firewall or intrusion detection systems that enforce policy based on information in the upper protocol layers, which may not be visible to the security systems.
IPv4-IPv6 protocol translation will also be prevalent. Since the migration is expected to be a long process, and organizations will proceed at different paces, there will be many islands of IPv4 and IPv6 networks that must communicate, necessitating protocol translation gateways. These translation boundaries create holes for network probing and denial-of-service attacks.
Ziring stated that while the standards for network boundary security exist, the differences between IPv4 and IPv6 will change boundary security policies and strategies. 'Firewall best practices are just starting to emerge, and the filtering capabilities in routers and firewalls still need improvement,' he said.
Some of IPv6's best features may pose the biggest security risks. Ziring discussed the importance of achieving IPv6's benefits without opening up new security holes that are based on IPv6 features.
For example, Mobile IPv6 provides improvements to the IPv4 version and may accelerate the proliferation of handheld mobile devices, even providing the potential for mobile networks. But the security implications of network mobility have not been widely studied, according to Ziring.
Stateless auto-configuration allows network devices to configure themselves and join a network with little to no human interaction. This feature is key to the Defense Department's goal to deploy sensors and other nontraditional network devices across its Global Information Grid. However, the power of auto-configuration is met with the challenge of authenticating and tracking devices as they join, move or leave the network.
Another promise of IPv6 is to satisfy an original goal of the Internet, which was for true end-to-end (or peer-to-peer) communication. In today's world, such transactions need to be secured.