6 tips for securing IPv6
Ready or not, the move to the next generation of Internet protocols is upon us. For government networks, there are two drivers for the transition to IPv6.
First, the pool of available IPv4 addresses is rapidly drying up, so the growth in the Internet will increasingly be in the IPv6 address space. Second, the White House has mandated that agencies enable IPv6 on public-facing servers and services by September 2012 and enable the new protocols on internal applications within two years after that.
In the long term, IPv6 promises to improve security with improved encryption and features such as IPsec, an end-to-end scheme offering mutual authentication between hosts.
But system and network administrators don’t live and work in the long term. And “near term, it’s probably not going to help,” said Andy Champagne, vice president of engineering at Akamai Technologies, a Cambridge, Mass., firm that helps resolve Internet traffic congestion.
Kundra sets new IPv6 deadlines
Why the time is now for IPv6 (and it's not for lack of IPv4 addresses)
Peter Tseronis, chairman of the CIO Council’s IPv6 Task Force, agreed. “If anybody thinks that IPv6 is more secure, that is a mistake,” he said. “Until we get to a pure IPv6 environment, we will probably be slightly more at risk.”
Although IPv6 offers new features, for the foreseeable future, administrators will need to maintain existing IPv4 infrastructure — what Champagne describes as “nothing but a numbering scheme” to which security has been added. That means the familiar firewalls, access control lists and other security barriers now in place will have to be maintained.
“That isn’t going away,” Tseronis said. At the same time, the new protocols will have to be managed and maintained with a dearth of experience, expertise and tools. That, in turn, could expand attack surfaces and open new vectors of attack for the bad guys.
“IPv6 is not a silver bullet to solve all security problems,” said Qing Li, chief scientist at Blue Coat Systems, an application delivery company. “It’s not going to solve your user and application problems. In some senses, it will make those problems harder. When you talk about transition, don’t gloss over security.”
Here is a brief list of security issues to keep in mind when planning your transition to IPv6. It is not comprehensive but a consensus of high-level suggestions from government and industry experts and observers.
Planning and policy
Introduction of IPv6 will create a separate and not necessarily equal network in the enterprise that will require its own security policies. New policies will need to be as stringent as existing ones and appropriate controls will have to be applied all over again because existing controls may not translate to the new environment.
“One must pay attention to the IPv6 environment and keep the IPv6 filters and policies up-to-date and in parallel to the IPv4 policies,” said Owen DeLong, IPv6 evangelist at Hurricane Electric, which operates a global IPv6 backbone. Otherwise, “you might have IPv6 vulnerabilities that you assumed were closed because they were closed in IPv4.”
“You have to spend the time and effort to examine your existing security and access policies and how they can be adapted to IPv6,” Li said.
One area of concern is likely to be access policy, which often associates an address with a user in assigning privileges. “That system is beginning to show wear,” with the proliferation of personal mobile devices that are increasingly being used to access network resources, Li said. “It might not be possible with IPv6.” With the larger address space available in IPv6, “the addressing is more dynamic in IPv6 and is almost constantly changing.”
In enabling IPv6 for internal applications, thought will have to be given to just what services should be available through IPv6 and what to maintain under current access controls for IPv4. As more resources are made available on IPv6, authentication and authorization schemes and technology at the same level of security will have to be tailored for the new protocols.
Workforce and experience
Managing and securing two networks running different protocols will require trained workers who might not be readily available. “It’s the human element, having people who know not only how to implement the new protocols, but manage and maintain them as well,” Tseronis said. “The onus is on you to hire that resource.”
Is there an adequate pool of IT professionals with training and experience in IPv6 to draw from? “I don’t believe so,” Tseronis said. “Engineers today are grounded in version 4.”
“You’ve got to learn,” said Steve Garrison, vice president at Infoblox, a network infrastructure automation firm.
Fortunately, although versions 4 and 6 of the Internet protocols are not interoperable, they still are IP, and if you know one, learning the other should not be that difficult. “If you are a network engineer today, the leap to IPv6 is not a huge leap, but it does require some hitting the books,” Tseronis said.
The situation is not the same as the move from switched circuit telephone service to Internet telephony, which Tseronis oversaw while at the Education Department. That move came suddenly and the differences between traditional service and voice over IP were great. For those who chose not to adapt, it was a career-ending decision, he said. But government engineers and administrators have been working under mandates to move to IPv6 since 2005 and many are well along the learning curve.
This does not change the fact that additional manpower is likely to be needed to oversee two networks or two versions of a network, however, and despite available training for IPv6, practical experience in running a production network with the protocols still is scarce.
“IPv6 is a lot more complex,” Garrison said, and complexity equals problems. “When you are making a transition this complex, the potential for mistakes and unexpected issues is great.”
The problems can come in two broad areas. There are bound to be new and unexpected flaws and vulnerabilities in the coding and configuration of the networking stack and in applications and services.
“We are going to see an array of bugs that in some cases will become security vulnerabilities,” Champagne said. “We will see new exploits evolve. I don’t think that there is anything we can do to prevent that,” but it must be taken into account when implementing the protocols and forming policy.
The other area of threats comes from breaking things already in place, or allowing existing policies to break new things. Take, for example, the Internet Control Message Protocol (ICMP), which is used to send error messages and is not typically used by end-user applications.
“If a security administrator is overly conservative, blocking everything he doesn’t know is needed, ICMP6 might get completely blocked, impeding discovery, routing and more,” DeLong said. “ICMP6 cannot be blocked arbitrarily. The good news is that ICMP6 also doesn’t contain the vulnerabilities found in ICMP4.”
Although equivalent security must be maintained for both sets of protocols, the policies might not be transferable without creating problems.
Tools and testing
The government has been requiring a basic level of IPv6 capability in networking products and tools for several years, and industry has responded. The equipment set for IPv6 is therefore becoming more complete.
What is lacking is maturity. While IPv6 capability is theoretically available, few networks have been using it. Will network management and security tools work as advertised? Will they perform on parity with IPv4 tools, or will they create bottlenecks and roadblocks?
“It’s too new to be an established set,” Champagne said. “It needs to be used more in production.”
“That is always a debatable question,” Tseronis said of performance parity. “We will have to work closely with the vendor community to identify needs and find the best tools."
Development of a fully mature suite of tools will require real world experience that will not be available until the transition to IPv6 is well under way. In the meantime, thorough testing will be needed to eliminate the most obvious problems and improve performance. Poorly implemented IPv6 stacks and tunneling or translation plans will be difficult to properly secure and monitor, Tseronis said.
Breaking some glass in a test environment will be necessary.
Spam and blacklisting
Spam, like the poor, will always be with us. And the transition to IPv6 could make it worse.
“Every time there is a change, it gives the spammers a new way to figure out how to get through the firewall,” Garrison said. “A lot of the spam tools won’t be ready to address these tricks.”
One of those tools is blacklisting, the blocking of IP addresses and URLs that are known to be sources of spam or other malicious traffic. Blocking addresses, as well as monitoring traffic to identify and filter malicious traffic, could become more difficult in a the dynamic IPv6 environment.
But dynamic content now being delivered via IPv4 already is making blacklisting at least an imperfect tool. “The approach is already ineffective in IPv4,” Li said. “I think it will become less effective” with IPv6.
One Web page request can be subject to 20 or more links, and bad guys can take advantage of this to hide the source of malicious traffic. Another complication with blacklisting is the use of distributed botnet as well as legitimate resources that have been compromised to distribute spam and malicious code. By limiting the volume of suspicious traffic from any one source, identifying and blacklisting that source can be made more difficult.
Inadequate as blacklisting is by itself, it remains a useful tool and is not likely to be abandoned with IPv6. But as monitoring suspect traffic and its source becomes more complex in a fully IPv6 world, Li predicts that it will require cloud-based services to provide the granularity of control and scale to the volumes needed for effective blocking.
Fortunately, the full impact of this change is not likely to be felt for some time. The level of IPv6 traffic on the Internet so far is miniscule, and “for the next couple of years we are going to be seeing a trickle rather than a flood,” Garrison said.
Security through obscurity
There is a constant tension in networking between functionality and convenience on one side and security on the other. The improved visibility and end-to-end connectivity offered by IPv6 could have its down side in the form of increased risks.
One of the unforeseen advantages of IPv4 has been Network Address Translation, a technology for placing multiple private addresses behind a single public IPv4 address as a way to extend increasingly scarce addressing resources. NAT has been criticized as a Band-Aid fix that breaks the end-to-end connectivity of the Internet and interferes with network management. But it also provides a degree of security through obscurity by shielding much of the network from outsiders.
Putting NAT in an IPv6 network would be like putting a buggy whip holder on an automobile. But “if you get rid of NAT, you are going to open up the attack surface of your network,” said Li.
NAT-based policies for address allocation and management no longer will apply, and outsiders are given a potentially unobstructed view of the network. One solution could be to take advantage of the large amount of address space available in IPv6 to restore some of the obscurity.
A block of addresses could be remapped to a proxy that would make it more difficult for an outsider to correlate traffic and see what is going on inside the network, and to inject himself into a particular stream. That could restore some of the security provided by NAT at the cost of additional network complexity. But “there has always been a conflict of interest” between visibility and security, Li said, and that is not necessarily going to change with the adoption of IPv6.