A (relatively) safe way of moving to IPv6
NIST offers a guide to avoiding the most likely risks
- By William Jackson
- Jan 06, 2011
The next generation of Internet Protocols will present security
challenges as they are implemented on government networks, and the
National Institute of Standards and Technology is providing guidance for
network engineers and administrators on avoiding risks as IPv6 is
NIST has released the final version of Special Publication 800-119, "Guidelines for the Secure Deployment of IPv6."
Because IPv6 is not backward-compatible with IPv4, the set of
protocols currently being used on IP networks, the deployment of IPv6 on
these networks will be a major task, said Sheila Frankel, lead author
of the publication.
“Security will be a challenge because organizations will be running
two protocols, and that increases complexity, which in turn increases
security challenges,” Frankel said.
SP 800-119 describes IPv6 protocols, services and capabilities,
including addressing, Domain Name System services, routing, mobility, quality
of service, multihoming, and IP Security. For each there is an analysis of the
differences between IPv4 and IPv6 and the security ramifications of
those differences. The guidance characterizes the security threats posed
by the transition to IPv6 and gives guidelines on deployment, including
transition, integration, configuration and testing.
Agencies are facing a dual deadline for enabling their networks for
the new protocols. In September 2010, the Office of Management and Budget
directed agencies to enable public-facing servers and services to
operationally use IPv6 by Sept. 30, 2012, the end of the fiscal year.
Internal networks must be ready to support the protocols by the end of
At the same time, the pool of available IPv4 addresses is drying up. Less than 3 percent of the remaining address space
is unassigned at the Internet Assigned Numbers Authority, which sits
at the top of the address distribution hierarchy, and the last of those
addresses are expected to be distributed to the five Regional Internet
Registries in February. The regional registries are projected to have
assigned the last of those addresses to networks and enterprises in
Although IPv4 addresses will continue to be assigned to end users for
some time after November and the IPv4 Internet will continue to operate
for the foreseeable future, networks will increasingly need to be
capable of handling IPv6 traffic to be accessible to the growing number
of users who will be using IPv6 addresses.
“Organizations should begin now to understand the risks of deploying
IPv6, as well as strategies to mitigate such risks,” the NIST guidance
advises. “Detailed planning will enable an organization to navigate the
process smoothly and securely.”
IPv6 incorporates many of the security lessons learned from
implementing the current protocols, but security will continue to be a
challenge, NIST warned.
“IPv6 can be deployed just as securely as IPv4, although it should be
expected that vulnerabilities within the protocol, as well as with
implementation errors, will lead to an initial increase in IPv6-based
vulnerabilities,” the guidelines state.
Likely security challenges of IPv6 deployment identified by NIST include:
- An attacker community that probably has more expertise with IPv6 than an organization in the early stages of deployment.
- Difficulty in detecting unknown or unauthorized IPv6 assets on existing IPv4 production networks.
- The added complexity of operating IPv4 and IPv6 in parallel on a network.
- A lack of IPv6 maturity in security products when compared to IPv4 capabilities.
- The proliferation of IPv6 and IPv4 tunnels used to accommodate both
types of traffic, which complicates defenses at network boundaries.
The guidance urges agencies to increase staff knowledge of and
experience with IPv6 and plan for a phased deployment of the new
protocols, during which both sets of protocols will be operating. To
avoid security breaches from the new protocols, agencies that have not
yet deployed IPv6 should block all IPv6 traffic at the firewall, both
incoming and outgoing.
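As an added illustration (not taken from SP 800-119 or from this article), the Python sketch below shows how a monitoring point on an IPv4 network can check whether that block is holding. It labels frames as native IPv6 or as IPv6 tunneled inside IPv4. It assumes untagged Ethernet frames, IP protocol 41 for IPv6-in-IPv4 encapsulation and UDP port 3544 for Teredo; the sample frames and helper names are constructed for the example.

```python
import struct

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_IPV6_ENCAP = 17, 41   # 41 = IPv6-in-IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544                     # well-known Teredo server UDP port

def classify_frame(frame: bytes) -> str:
    """Label an untagged Ethernet frame by the IPv6 exposure it represents."""
    if len(frame) < 14:
        return "malformed"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    if ethertype != ETH_IPV4:
        return "other"
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "malformed"
    ihl = (ip[0] & 0x0F) * 4           # header length varies with IP options
    if ihl < 20 or len(ip) < ihl:
        return "malformed"
    proto = ip[9]
    if proto == PROTO_IPV6_ENCAP:
        return "ipv6-in-ipv4"
    frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    # Only the first fragment carries the UDP header with the port numbers.
    if proto == PROTO_UDP and frag_offset == 0 and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "ipv4"

def _eth(ethertype, payload):          # constructed sample frames, not captures
    return bytes(12) + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload, options=b""):
    vihl = 0x40 | (5 + len(options) // 4)
    return bytes([vihl]) + bytes(8) + bytes([proto]) + bytes(10) + options + payload

SAMPLES = {
    "native": _eth(ETH_IPV6, bytes([0x60]) + bytes(39)),
    "6in4": _eth(ETH_IPV4, _ipv4(41, bytes([0x60]) + bytes(39))),
    "teredo": _eth(ETH_IPV4, _ipv4(17, struct.pack("!HHHH", 50000, 3544, 8, 0),
                                   options=bytes(4))),
    "web": _eth(ETH_IPV4, _ipv4(6, bytes(20))),
}

def audit(frames):
    """Return a label per named frame; anything but 'ipv4' merits review."""
    return {name: classify_frame(f) for name, f in frames.items()}
```

On a network that has not yet deployed IPv6, any label other than `ipv4` points to an unmanaged IPv6 host or a tunnel that a firewall rule covering only native IPv6 would not stop.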
Enabling Web servers outside the firewall for IPv6 will allow outside
users of the new protocols to access those resources and will give
administrators and engineers experience in handling IPv6 traffic.
William Jackson is a Maryland-based freelance writer.