When moving to IPv6, beware the risks
Opening up networks and systems to the next generation of Internet Protocols entails some risk, which agencies should be aware of and prepared to mitigate as they comply with Office of Management and Budget mandates to enable IPv6.
The National Institute of Standards and Technology identifies the likely risks and remedies in its Special Publication 800-119, “Guidelines for Secure Deployment of IPv6.”
“IPv6 can be deployed just as securely as IPv4, although it should be expected that vulnerabilities within the protocol, as well as with implementation errors, will lead to an initial increase in IPv6-based vulnerabilities,” the guidelines say.
Likely security challenges of IPv6 deployment include:
- The possibility that attackers might have more expertise with IPv6 than an organization in the early stages of deployment.
- Difficulty in detecting and managing unknown or unauthorized IPv6 assets on existing IPv4 production networks.
- The added complexity of operating parallel IPv4 and IPv6 networks.
- A lack of IPv6 maturity in security products.
- The proliferation of IPv6 and IPv4 tunnels, which can complicate defenses.
To meet these challenges, agencies should increase staff knowledge of and experience with IPv6 and plan for a phased deployment of the new protocols, NIST says. If IPv6 has not been formally deployed in a network, agencies should block all IPv6 traffic at the firewall, both incoming and outgoing.
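To check that a block-all-IPv6 policy actually holds on an IPv4 production network, a monitor has to look for tunnelled IPv6 as well as native IPv6. The following is an added example, not code from NIST or from this article: it classifies untagged Ethernet frames, and the tunnel markers it uses (IP protocol 41 and the Teredo UDP port 3544) are details the article itself does not name.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_41 = 17, 41   # IP protocol 41: IPv6 encapsulated in IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544             # Teredo service port (RFC 4380); a port match is a heuristic

def classify(frame: bytes) -> str:
    """Label one untagged Ethernet frame: native-ipv6, tunnel-proto41, tunnel-teredo, ipv4, other."""
    if len(frame) < 14:
        return "other"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    ip = frame[14:]
    if ethertype != ETH_IPV4 or len(ip) < 20:
        return "other"
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or len(ip) < ihl:
        return "other"                            # malformed header, do not guess
    if ip[9] == PROTO_41:
        return "tunnel-proto41"
    first_fragment = (struct.unpack("!H", ip[6:8])[0] & 0x1FFF) == 0
    if ip[9] == PROTO_UDP and first_fragment and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "tunnel-teredo"
    return "ipv4"

def audit(frames):
    """Return (index, label) for every frame that carries IPv6, natively or tunnelled."""
    labelled = ((i, classify(f)) for i, f in enumerate(frames))
    return [(i, lab) for i, lab in labelled if lab not in ("ipv4", "other")]

# --- constructed sample frames (documentation addresses, zeroed checksums) ---
def _eth(ethertype, payload):
    return b"\x02" * 12 + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

IPV6_HDR = b"\x60" + b"\x00" * 39
SAMPLES = [
    _eth(ETH_IPV6, IPV6_HDR),                                                   # native IPv6
    _eth(ETH_IPV4, _ipv4(PROTO_41, IPV6_HDR)),                                  # 6in4
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, 3544, 8, 0))),  # Teredo
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, 53, 8, 0))),    # DNS
]

if __name__ == "__main__":
    for index, label in audit(SAMPLES):
        print(f"frame {index}: {label}")
```

Any frame that `audit` reports on a network where IPv6 has not been formally deployed points to an unmanaged IPv6 asset or a tunnel that the firewall policy is not stopping.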
William Jackson is a senior writer of GCN and the author of the CyberEye blog.