
Security will not come naturally with IPv6


The next generation of Internet Protocols has some security features built into it, but IPv6 is not inherently more secure than the current IPv4 now in use, said Brett Thorson, network and security architect at Excivity and a security adviser to the North American IPv6 Task Force.




IPv6 can be used to block, shield and hide data on your network, and the hackers already are learning to take advantage of this.

“This is what black hats are doing right now: They are planning their attacks for IPv6,” Thorson said today at the Next Generation Internet Conference in Washington hosted by the Digital Government Institute.

Although IPSec security is included in all IPv6 products, it is not enabled by most users, Thorson said. And when it is used, its effectiveness can vary because there are multiple ways to implement it.

However, the transition to IPv6 also offers opportunities for improving security. Greenfield installations can allow planners to design secure architectures, and features such as the much larger address space can provide unique identifiers that help identify every individual, device and process on a network, said Dale Geesey, principal with Auspex Technologies.

“There are a lot of challenges associated with the transition,” Geesey said. Meanwhile, IT administrators and network architects have several years to plan before IPv6 traffic and applications become a reality on government networks.

Agencies have enabled their network backbones to handle IPv6 traffic, but little, if any, use is being made of the new protocols. But as the existing pool of IPv4 address space is depleted over the next two years, growth in the public side of the Internet will increasingly come with new IPv6 addresses, said John Curran, president of the American Registry for Internet Numbers, one of five regional Internet registries. Three quarters of the available IPv4 address space has been allocated, and less than 11 percent remains available, he added. (Another 14 percent is unavailable for a variety of reasons.)

IT administrators will not necessarily have to transition their internal networks to IPv6, since they can continue to use IPv4 addresses, but public-facing servers will need to be enabled to use the new protocols as outside traffic increasingly is using IPv6, Curran said.

Many operating systems and other software now are enabled to accept IPv6 traffic by default, which can create problems if administrators are not aware of this and are not monitoring the traffic. Ignoring the protocols because a network is not yet using IPv6 can be dangerous, Thorson said. “IPv6 is eventually going into your network whether you know it or not.”
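As an added example that is not part of the article, the following Python inventories the IPv6 addresses found in a captured `ip -6 addr` dump (a constructed sample) and flags the ones that give a supposedly IPv4-only host IPv6 reachability beyond the local link, including the 6to4 and Teredo tunnel addresses that appear without anyone configuring native IPv6. The function names and the sample dump are assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `ip -6 addr` output from a host that was never
# deliberately configured for IPv6 (addresses use documentation ranges).
SAMPLE_IP6_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet6 2001:db8:1:2:21b:21ff:fe3a:4c5d/64 scope global dynamic
    inet6 fd12:3456:789a:1::10/64 scope global
    inet6 fe80::21b:21ff:fe3a:4c5d/64 scope link
3: tun6to4: <NOARP,UP,LOWER_UP> mtu 1480 state UNKNOWN
    inet6 2002:c000:204::1/16 scope global
4: teredo: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 state UNKNOWN
    inet6 2001:0:c000:201:0:ffff:3fff:fdfd/32 scope global
"""

ADDR_RE = re.compile(r"inet6\s+([0-9a-fA-F:]+)/\d+")
ULA = ipaddress.IPv6Network("fc00::/7")             # unique-local, RFC 4193
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # RFC 4291


def classify(addr: ipaddress.IPv6Address) -> str:
    """Label an address by how it most likely got onto the host."""
    if addr.is_link_local:
        return "link-local (auto-configured on every IPv6-enabled interface)"
    # Tunnel prefixes sit inside 2000::/3, so test them before global unicast.
    if addr.sixtofour is not None:
        return f"6to4 tunnel (embedded IPv4 {addr.sixtofour})"
    if addr.teredo is not None:
        server, client = addr.teredo
        return f"Teredo tunnel (server {server}, client {client})"
    if addr in ULA:
        return "unique-local (fc00::/7)"
    if addr in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def inventory(text: str) -> Dict[str, str]:
    """Map every IPv6 address in an interface dump to its label."""
    return {a: classify(ipaddress.IPv6Address(a)) for a in ADDR_RE.findall(text)}


def unexpected(text: str) -> List[str]:
    """Addresses giving the host IPv6 reachability beyond the local link."""
    return [a for a, label in inventory(text).items()
            if label.startswith(("global", "6to4", "Teredo"))]
```

Run it against the real output of `ip -6 addr` on each host; any entry returned by `unexpected` is traffic the firewall, IDS and logging stack must be verified to see.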

Security has traditionally been added on after the fact in networks, devices and applications, and this has proved to be inefficient, ineffective and expensive. The increasing complexity, size and speed of development for networks, applications and services will make it more important than ever that security be built in from the beginning, Geesey said.

Standards for IPv6 compliance are just now being completed and products conforming to the government’s IPv6 profile are not expected to begin arriving in agencies until July of next year. How and how well many security products such as logs, firewalls, antivirus, intrusion detection and other monitoring, blocking and filtering devices will handle IPv6 packets is an unknown. One vendor’s approach to handling IPv6 was to simply drop the packets, Geesey said.

Some features in IPv6 can make security management easier in theory, but how well any one feature on any single device will work and play with other applications in a network is not easy to guess.

“You need a person to sit there and turn one thing on at a time and see what happens,” Thorson said.

Agencies need to use the next two years to make it clear what they need and expect in IPv6 conformance and security, Geesey said.

“You have an opportunity to come to vendors and service providers and say this is what I need,” he added. “Vendors will respond. A $70 [billion] to $80 billion IT budget speaks.”

Reader Comments

Tue, Dec 29, 2009 Mark US

My understanding is that IPv6 reintroduces security issues currently fixed in IPv4. From a security perspective, it will be like recreating the wheel, or at least going back in time 10 plus years. It seems to have some inherent security issues that have thus far prevented a broader adoption. Calling those who haven't adopted it lazy doesn't move the resolution of the issues further.

// end my 2c

Mon, Sep 28, 2009

Why not just turn on IPv6 and use a firewall. IPv6 is free and EVERYBODY (using either native, 6to4, or teredo) can use IPv6 right now! It's silly that there's so much caution about IPv6. It's been around for years! The only reason it's not on and enabled by everybody is lazy IT departments who don't want to learn new technology (or maybe they're just scared of the IPv6 address format).

Sat, Sep 19, 2009 Marcelo Brazil

Mr. John Curran said that IT administrators will not necessarily have to transition their internal networks to IPv6, since they can continue to use IPv4 addresses internally. But this is not true. An IPv4 client cannot address all possible available IPv6 servers. It is a set theory statement (and a logic fact): no two sets of different sizes can have a biunivocal correspondence (not talking about infinite set theory). This is mandatory for NAT to work in the IPv4 to IPv6 scenario. You can have proxies for some protocols to circumvent that, but not all protocols can go through proxies.
