6 tips for securing IPv6

Despite the long-term promise of improved security, the transition to IPv6 will bring additional problems to the network in the short term. Here are six tips to help you handle them.

Ready or not, the move to the next generation of Internet protocols is upon us. For government networks, there are two drivers for the transition to IPv6.

First, the pool of available IPv4 addresses is rapidly drying up, so the growth in the Internet will increasingly be in the IPv6 address space. Second, the White House has mandated that agencies enable IPv6 on public-facing servers and services by September 2012 and enable the new protocols on internal applications within two years after that.

In the long term, IPv6 promises to improve security with improved encryption and features such as IPsec, an end-to-end scheme offering mutual authentication between hosts.

But system and network administrators don’t live and work in the long term. And “near term, it’s probably not going to help,” said Andy Champagne, vice president of engineering at Akamai Technologies, a Cambridge, Mass., firm that helps resolve Internet traffic congestion.

Peter Tseronis, chairman of the CIO Council’s IPv6 Task Force, agreed. “If anybody thinks that IPv6 is more secure, that is a mistake,” he said. “Until we get to a pure IPv6 environment, we will probably be slightly more at risk.”

Although IPv6 offers new features, for the foreseeable future, administrators will need to maintain existing IPv4 infrastructure — what Champagne describes as “nothing but a numbering scheme” to which security has been added. That means the familiar firewalls, access control lists and other security barriers now in place will have to be maintained.

“That isn’t going away,” Tseronis said. At the same time, the new protocols will have to be managed and maintained with a dearth of experience, expertise and tools. That, in turn, could expand attack surfaces and open new vectors of attack for the bad guys.

“IPv6 is not a silver bullet to solve all security problems,” said Qing Li, chief scientist at Blue Coat Systems, an application delivery company. “It’s not going to solve your user and application problems. In some senses, it will make those problems harder. When you talk about transition, don’t gloss over security.”

Here is a brief list of security issues to keep in mind when planning your transition to IPv6. It is not comprehensive but reflects a consensus of high-level suggestions from government and industry experts and observers.

Planning and policy

Introduction of IPv6 will create a separate and not necessarily equal network in the enterprise that will require its own security policies. New policies will need to be as stringent as existing ones and appropriate controls will have to be applied all over again because existing controls may not translate to the new environment.

“One must pay attention to the IPv6 environment and keep the IPv6 filters and policies up-to-date and in parallel to the IPv4 policies,” said Owen DeLong, IPv6 evangelist at Hurricane Electric, which operates a global IPv6 backbone. Otherwise, “you might have IPv6 vulnerabilities that you assumed were closed because they were closed in IPv4.”

“You have to spend the time and effort to examine your existing security and access policies and how they can be adapted to IPv6,” Li said.

One area of concern is likely to be access policy, which often associates an address with a user in assigning privileges. “That system is beginning to show wear,” with the proliferation of personal mobile devices that are increasingly being used to access network resources, Li said. “It might not be possible with IPv6.” With the larger address space available in IPv6, “the addressing is more dynamic in IPv6 and is almost constantly changing.”

In enabling IPv6 for internal applications, thought will have to be given to just what services should be available through IPv6 and what to maintain under current access controls for IPv4. As more resources are made available on IPv6, authentication and authorization schemes and technology at the same level of security will have to be tailored for the new protocols.

Workforce and experience

Managing and securing two networks running different protocols will require trained workers who might not be readily available. “It’s the human element, having people who know not only how to implement the new protocols, but manage and maintain them as well,” Tseronis said. “The onus is on you to hire that resource.”

Is there an adequate pool of IT professionals with training and experience in IPv6 to draw from? “I don’t believe so,” Tseronis said. “Engineers today are grounded in version 4.”

“You’ve got to learn,” said Steve Garrison, vice president at Infoblox, a network infrastructure automation firm.

Fortunately, although versions 4 and 6 of the Internet protocols are not interoperable, they still are IP, and if you know one, learning the other should not be that difficult. “If you are a network engineer today, the leap to IPv6 is not a huge leap, but it does require some hitting the books,” Tseronis said.

The situation is not the same as the move from switched circuit telephone service to Internet telephony, which Tseronis oversaw while at the Education Department. That move came suddenly and the differences between traditional service and voice over IP were great. For those who chose not to adapt, it was a career-ending decision, he said. But government engineers and administrators have been working under mandates to move to IPv6 since 2005 and many are well along the learning curve.

This does not change the fact that additional manpower is likely to be needed to oversee two networks or two versions of a network, however, and despite available training for IPv6, practical experience in running a production network with the protocols still is scarce.

Breaking things

“IPv6 is a lot more complex,” Garrison said, and complexity equals problems. “When you are making a transition this complex, the potential for mistakes and unexpected issues is great.”

The problems can come in two broad areas. There are bound to be new and unexpected flaws and vulnerabilities in the coding and configuration of the networking stack and in applications and services.

“We are going to see an array of bugs that in some cases will become security vulnerabilities,” Champagne said. “We will see new exploits evolve. I don’t think that there is anything we can do to prevent that,” but it must be taken into account when implementing the protocols and forming policy.

The other area of threats comes from breaking things already in place, or allowing existing policies to break new things. Take, for example, the Internet Control Message Protocol (ICMP), which is used to send error messages and is not typically used by end-user applications.

“If a security administrator is overly conservative, blocking everything he doesn’t know is needed, ICMP6 might get completely blocked, impeding discovery, routing and more,” DeLong said. “ICMP6 cannot be blocked arbitrarily. The good news is that ICMP6 also doesn’t contain the vulnerabilities found in ICMP4.”

Although equivalent security must be maintained for both sets of protocols, the policies might not be transferable without creating problems.
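The two failure modes DeLong describes, an IPv6 policy that drifts from its IPv4 counterpart and an over-conservative ICMPv6 block, can both be caught by auditing the rule sets side by side. The script below is an added example written for this article, not a tool from any of the organizations quoted; the four-field rule format (`<family> <action> <proto> <port-or-type>`), the sample policies and the service list are all constructed for the illustration and do not correspond to any vendor's syntax. The set of ICMPv6 types treated as required follows RFC 4890's "must not be dropped" guidance for error messages and Neighbor Discovery.

```python
from __future__ import annotations

from dataclasses import dataclass

# ICMPv6 types that RFC 4890 says a firewall must not drop: error messages
# (section 4.3.1) and Neighbor Discovery (section 4.4.1). Dropping them breaks
# address configuration, Path MTU discovery and next-hop resolution, which is
# the failure the article warns about.
ICMPV6_REQUIRED = {
    1: "Destination Unreachable",
    2: "Packet Too Big",
    3: "Time Exceeded",
    4: "Parameter Problem",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}


@dataclass(frozen=True)
class Rule:
    family: str   # "v4" or "v6"
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmpv6" or "*" (any protocol)
    port: str     # port number, ICMPv6 type, or "*" (any)


def parse_policy(text: str) -> list[Rule]:
    """Parse the constructed rule format; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        family, action, proto, port = line.split()
        if family not in ("v4", "v6") or action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {line!r}")
        rules.append(Rule(family, action, proto.lower(), port))
    return rules


def is_allowed(rules: list[Rule], family: str, proto: str, port: int) -> bool:
    """First-match evaluation within one address family; no match means deny."""
    for r in rules:
        if r.family != family or r.proto not in ("*", proto):
            continue
        if r.port != "*" and int(r.port) != port:
            continue
        return r.action == "allow"
    return False


def parity_gaps(rules: list[Rule], services) -> dict[str, list]:
    """Services whose outcome differs between IPv4 and IPv6.
    'open_in_v6_only' is the dangerous case: closed in IPv4, so the administrator
    assumes it is closed, yet reachable over IPv6."""
    gaps = {"open_in_v6_only": [], "broken_in_v6_only": []}
    for proto, port in services:
        v4 = is_allowed(rules, "v4", proto, port)
        v6 = is_allowed(rules, "v6", proto, port)
        if v6 and not v4:
            gaps["open_in_v6_only"].append((proto, port))
        elif v4 and not v6:
            gaps["broken_in_v6_only"].append((proto, port))
    return gaps


def icmpv6_breakage(rules: list[Rule]) -> list[tuple[int, str]]:
    """Required ICMPv6 types that the IPv6 policy would drop."""
    return [(t, name) for t, name in ICMPV6_REQUIRED.items()
            if not is_allowed(rules, "v6", "icmpv6", t)]


# Constructed sample: a long-standing IPv4 policy and a hastily added IPv6 one.
IPV4_POLICY = """
v4 allow tcp 443
v4 allow tcp 22
v4 deny  *   *
"""
IPV6_DRAFT = """
v6 deny  icmpv6 *     # "block what we don't understand"
v6 allow tcp    443
v6 allow *      *     # permissive catch-all to keep things working
"""
# The same IPv6 policy after review: mirrors IPv4 and permits only required ICMPv6.
IPV6_FIXED = """
v6 allow icmpv6 1
v6 allow icmpv6 2
v6 allow icmpv6 3
v6 allow icmpv6 4
v6 allow icmpv6 133
v6 allow icmpv6 134
v6 allow icmpv6 135
v6 allow icmpv6 136
v6 allow tcp    443
v6 allow tcp    22
v6 deny  *      *
"""
# Services to compare across families (constructed list).
SERVICES = [("tcp", 443), ("tcp", 22), ("tcp", 3389), ("udp", 161)]

if __name__ == "__main__":
    draft = parse_policy(IPV4_POLICY + IPV6_DRAFT)
    print("parity gaps:", parity_gaps(draft, SERVICES))
    print("ICMPv6 types dropped:", icmpv6_breakage(draft))
    fixed = parse_policy(IPV4_POLICY + IPV6_FIXED)
    print("after fix:", parity_gaps(fixed, SERVICES), icmpv6_breakage(fixed))
```

Run against the draft policy, the audit reports that RDP (tcp/3389) and SNMP (udp/161) are blocked for IPv4 but reachable over IPv6 because of the catch-all, and that every required ICMPv6 type is dropped; the reviewed policy reports nothing in either category. The same structure applies to real rule sets once the parser is swapped for one that reads your platform's export.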

Tools and testing

The government has been requiring a basic level of IPv6 capability in networking products and tools for several years, and industry has responded. The equipment set for IPv6 is therefore becoming more complete.

What is lacking is maturity. While IPv6 capability is theoretically available, few networks have been using it. Will network management and security tools work as advertised? Will they perform on parity with IPv4 tools, or will they create bottlenecks and roadblocks?

“It’s too new to be an established set,” Champagne said. “It needs to be used more in production.”

“That is always a debatable question,” Tseronis said of performance parity. “We will have to work closely with the vendor community to identify needs and find the best tools.”

Development of a fully mature suite of tools will require real world experience that will not be available until the transition to IPv6 is well under way. In the meantime, thorough testing will be needed to eliminate the most obvious problems and improve performance. Poorly implemented IPv6 stacks and tunneling or translation plans will be difficult to properly secure and monitor, Tseronis said.

Breaking some glass in a test environment will be necessary.

Spam and blacklisting

Spam, like the poor, will always be with us. And the transition to IPv6 could make it worse.

“Every time there is a change, it gives the spammers a new way to figure out how to get through the firewall,” Garrison said. “A lot of the spam tools won’t be ready to address these tricks.”

One of those tools is blacklisting, the blocking of IP addresses and URLs that are known to be sources of spam or other malicious traffic. Blocking addresses, as well as monitoring traffic to identify and filter malicious traffic, could become more difficult in the dynamic IPv6 environment.

But dynamic content now being delivered via IPv4 already is making blacklisting at least an imperfect tool. “The approach is already ineffective in IPv4,” Li said. “I think it will become less effective” with IPv6.

One Web page request can be subject to 20 or more links, and bad guys can take advantage of this to hide the source of malicious traffic. Another complication with blacklisting is the use of distributed botnets, as well as legitimate resources that have been compromised, to distribute spam and malicious code. By limiting the volume of suspicious traffic from any one source, identifying and blacklisting that source can be made more difficult.

Inadequate as blacklisting is by itself, it remains a useful tool and is not likely to be abandoned with IPv6. But as monitoring suspect traffic and its source becomes more complex in a fully IPv6 world, Li predicts that it will require cloud-based services to provide the granularity of control and scale to the volumes needed for effective blocking.

Fortunately, the full impact of this change is not likely to be felt for some time. The level of IPv6 traffic on the Internet so far is miniscule, and “for the next couple of years we are going to be seeing a trickle rather than a flood,” Garrison said.

Security through obscurity

There is a constant tension in networking between functionality and convenience on one side and security on the other. The improved visibility and end-to-end connectivity offered by IPv6 could have its down side in the form of increased risks.

One of the unforeseen advantages of IPv4 has been Network Address Translation, a technology for placing multiple private addresses behind a single public IPv4 address as a way to extend increasingly scarce addressing resources. NAT has been criticized as a Band-Aid fix that breaks the end-to-end connectivity of the Internet and interferes with network management. But it also provides a degree of security through obscurity by shielding much of the network from outsiders.

Putting NAT in an IPv6 network would be like putting a buggy whip holder on an automobile. But “if you get rid of NAT, you are going to open up the attack surface of your network,” said Li.

NAT-based policies for address allocation and management no longer will apply, and outsiders are given a potentially unobstructed view of the network. One solution could be to take advantage of the large amount of address space available in IPv6 to restore some of the obscurity.

A block of addresses could be remapped to a proxy that would make it more difficult for an outsider to correlate traffic and see what is going on inside the network, and to inject himself into a particular stream. That could restore some of the security provided by NAT at the cost of additional network complexity. But “there has always been a conflict of interest” between visibility and security, Li said, and that is not necessarily going to change with the adoption of IPv6.
