A (relatively) safe way of moving to IPv6
NIST offers a guide to avoiding the most likely risks
- By William Jackson
- Jan 06, 2011
The next generation of Internet Protocols will present security
challenges as they are implemented on government networks, and the
National Institute of Standards and Technology is providing guidance for
network engineers and administrators on avoiding risks as IPv6 is
NIST has released the final version of Special Publication 800-119, "Guidelines for the Secure Deployment of IPv6."
Because IPv6 is not backward-compatible with IPv4, the set of
protocols currently being used on IP networks, the deployment of IPv6 on
these networks will be a major task, said Sheila Frankel, lead author
of the publication.
“Security will be a challenge because organizations will be running
two protocols, and that increases complexity, which in turn increases
security challenges,” Frankel said.
SP 800-119 describes IPv6 protocols, services and capabilities,
including addressing, Domain Name System services, routing, mobility, quality
of service, multihoming, and IP Security. For each there is an analysis of the
differences between IPv4 and IPv6 and the security ramifications of
those differences. The guidance characterizes the security threats posed
by the transition to IPv6 and gives guidelines on deployment, including
transition, integration, configuration and testing.
Kundra sets new IPv6 deadlines
Why bother moving to IPv6?
Agencies are facing a dual deadline for enabling their networks for
the new protocols. In September 2010, the Office of Management and Budget
directed agencies to enable public-facing servers and services to
operationally use IPv6 by Sept. 30, 2012, the end of the fiscal year.
Internal networks must be ready to support the protocols by the end of
At the same time, the pool of available IPv4 addresses is drying up. Less than 3 percent of the remaining address space
is unassigned at the Internet Assigned Numbers Authority, which sits
at the top of the address distribution hierarchy, and the last of those
addresses are expected to be distributed to the five Regional Internet
Registries in February. The regional registries are projected to have
assigned the last of those addresses to networks and enterprises in
Although IPv4 addresses will continue to be assigned to end users for
some time after November and the IPv4 Internet will continue to operate
for the foreseeable future, networks will increasingly need to be
capable of handling IPv6 traffic to be accessible to the growing number
of users who will be using IPv6 addresses.
“Organizations should begin now to understand the risks of deploying
IPv6, as well as strategies to mitigate such risks,” the NIST guidance
advises. “Detailed planning will enable an organization to navigate the
process smoothly and securely.”
IPv6 incorporates many of the security lessons learned from
implementing the current protocols, but security will continue to be a
challenge, NIST warned.
“IPv6 can be deployed just as securely as IPv4, although it should be
expected that vulnerabilities within the protocol, as well as with
implementation errors, will lead to an initial increase in IPv6-based
vulnerabilities,” the guidelines state.
Likely security challenges of IPv6 deployment identified by NIST include:
- An attacker community that probably has more expertise with IPv6 than an organization in the early stages of deployment.
- Difficulty in detecting unknown or unauthorized IPv6 assets on existing IPv4 production networks.
- The added complexity of operating IPv4 and IPv6 in parallel on a network.
- A lack of IPv6 maturity in security products when compared to IPv4 capabilities.
- The proliferation of IPv6 and IPv4 tunnels used to accommodate both
types of traffic, which complicates defenses at network boundaries.
The guidance urges agencies to increase staff knowledge of and
experience with IPv6 and plan for a phased deployment of the new
protocols, during which both sets of protocols will be operating. To
avoid security breaches from the new protocols, agencies that have not
yet deployed IPv6 should block all IPv6 traffic at the firewall, both
incoming and outgoing.
Enabling Web servers outside the firewall for IPv6 will allow outside
users of the new protocols to access those resources and will give
administrators and engineers experience in handling IPv6 traffic.