We All Need to Be on IPv6 ASAP

Ralph DeFrangesco

It's hard to believe that IPv6 is 14 years old, yet I don't personally know a single company that has migrated to it. I did some quick research and found that quite a few companies are using IPv6 or are IPv6 ready, meaning they have the infrastructure in place. Google, Sprint, AT&T, Comcast, Verizon, China, Japan, Korea, and several federal agencies claim to be using the new address space.

 

What are some of the security implications of moving to IPv6?

 

  1. You must deal with IPSec.
  2. ICMPv6 runs on top of v6, giving it ARP-like security.
  3. Additional functionality for protocol negotiation and key management.
  4. Until v6 is fully deployed, packets will come into your network tunneled - v6 packets in a v4 data stream.
  5. v6 stateless autoconfiguration allows systems to generate their own IP address and then check for duplicates on the network.
  6. Large Extension Headers (EH) or a long chain could be used to confuse or overwhelm routers and firewalls and hide an attack.
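
Item 6 from a defender's side, as an added example that is not part of the original post: a walker that follows the Next Header chain of a raw IPv6 packet and reports the conditions a firewall or IDS has to handle (an overlong chain, a chain that runs past the end of the packet, a later fragment that hides the upper layer). The function names, the `MAX_CHAIN` threshold and the sample packets are assumptions constructed for this illustration.

```python
import struct

# IPv6 extension header types (IANA protocol numbers). ESP (50) is left out on
# purpose: everything after it is encrypted, so the walk treats it as the payload.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, TCP = 0, 43, 44, 51, 60, 6
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_CHAIN = 4  # assumed local policy threshold, not taken from a standard

def walk_chain(packet: bytes):
    """Return (chain, upper_layer_protocol, findings) for a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, findings = packet[6], 40, [], []
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            findings.append("header chain runs past end of packet")
            return chain, None, findings
        if nh == HOP_BY_HOP and chain:
            findings.append("hop-by-hop header is not first")
        chain.append(nh)
        if nh == FRAGMENT:
            size = 8  # fixed size; bytes 2-3 hold the 13-bit offset and flags
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
                findings.append("non-first fragment: upper layer not visible")
                return chain, None, findings
        elif nh == AH:
            size = (packet[off + 1] + 2) * 4  # AH length counts 4-byte units
        else:
            size = (packet[off + 1] + 1) * 8  # 8-byte units beyond the first
        nh, off = packet[off], off + size
    if len(chain) > MAX_CHAIN:
        findings.append(f"chain of {len(chain)} headers exceeds policy limit")
    return chain, nh, findings

def ipv6(first_nh: int, payload: bytes) -> bytes:
    """Build a minimal IPv6 packet (constructed test data, all-zero addresses)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64)
    return fixed + bytes(32) + payload

def ext(next_nh: int) -> bytes:
    """Minimal 8-byte options header: next header, length 0, one PadN option."""
    return bytes([next_nh, 0, 1, 4, 0, 0, 0, 0])

# Constructed samples: normal packet, padded chain, later fragment, cut-off chain.
NORMAL = ipv6(DEST_OPTS, ext(TCP) + bytes(20))
LONG = ipv6(HOP_BY_HOP, ext(DEST_OPTS) * 5 + ext(TCP) + bytes(20))
LATER_FRAG = ipv6(FRAGMENT, struct.pack("!BBHI", TCP, 0, 185 << 3, 1) + bytes(16))
TRUNCATED = ipv6(FRAGMENT, struct.pack("!BBHI", DEST_OPTS, 0, 1, 1))
```

A device that filters on the upper-layer protocol has to decide what to do with every case where `walk_chain` returns `None` for it, since those are the packets whose TCP or UDP ports it cannot see.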

 

 

What are the advantages of going to IPv6? Here are just a few:

 

  1. More address space.
  2. Security will be improved. The use of IPSec is mandatory in IPv6.
  3. QoS can be fine-tuned due to the additional bits available in the header.
  4. NAT will no longer be needed due to the additional address space.

 


So why aren't more companies using it? To answer that question, we have to look at why IPv6 was developed. The new addressing protocol was developed because we thought we were running out of IP addresses. When the specification was first released in 1995, we thought we would be out of addresses by 2005. It looked like the sky was falling. 2005 came and went and we didn't run out of addresses. Here we are in 2009 and the estimate is now that by 2012, we will be out of addresses. The Internet Engineering Task Force (IETF) is working on methods to help with the transition to IPv6. These include:

 

  • Dual-stack lite - In development by Comcast, this tool will translate IPv4 addresses to IPv6 through an external gateway using NAT.
  • NAT64 - Another tool to translate v4 to v6 and vice versa.
  • DNS64 - Allows a v6 device to call up a v4-only name server.
  • IPv4 sharing - The IETF is working on a way that will allow ISPs to share a single IPv4 address among multiple users.

 

When we look at these methods, what we really see are ways to prolong the use of IPv4 yet again. Who knows when this nonsense will end? Companies need to bite the bullet and make the switch.

 

Yes, there are a few minor disadvantages to going to IPv6:

 

  1. Because a subnet can hold more addresses, the routing table will have more entries, so the router will do more processing and use more memory and CPU. The increase should go unnoticed.
  2. Deployment costs. These should be minimal.
  3. Not all applications take advantage of IPv6 yet.
  4. It's difficult to build a justifiable business case at this point in time.

 

I am not saying that the sky is falling, but would it help if I said it was? When is your organization going to switch to IPv6?




Mar 27, 2009 7:28 AM TJ says:

WRT "What are some of the security implications of moving to IPv6?" ... I have a few nits to pick ...

   1. You must deal with IPSec.

TJ> Yes and no.  You don't need to do anything with IPsec, above and beyond what you are doing in IPv4 (if blocking it in IPv4, be prepared to block it in IPv6).  If you want to make use of IPsec, then do so - and know what you are getting into (good and bad!).

   2. ICMPv6 runs on top of v6, giving it ARP-like security.

TJ>  This is jumbling topics a bit ...

Yes, ICMPv6 runs on IPv6 - just as ICMPv4 runs atop IPv4

ARP doesn't really count or offer security ...

AND, I think you are referring to Neighbor Discovery vs. ARP, which is a valid comparison and neither of which do much for security ... ?

   3. Additional functionality for protocol negotiation and key management.

TJ> This is an implementation choice, nothing to do with IPv6 per se.  Again, if you choose to implement IPsec, these may be relevant ...

   4. Until v6 is fully deployed, packets will come into your network tunneled - v6 packets in a v4 data stream.

TJ> Tunneling poses a whole range of threats, whether IPv6-in-IPv4 or any of the other various and sundry tunnels we need to guard against.  WRT IPv6-in-IPv4 (Protocol 41 or v4/UDP) there are valid threats, and counter-measures ... but these will still be threats even after "IPv6 is fully deployed".

   5. v6 stateless autoconfiguration allows systems to generate their own IP address and then check for duplicates on the network.

TJ> Stateless Address AutoConfiguration (SLAAC) allows a host to generate an address with only a light hint (via a Prefix Option attached to a Router Advertisement) - not totally by itself.  Also, Duplicate Address Detection is relevant regardless of how the host learns/configures the address.

   6. Large Extension Headers (EH) or a long chain could be used to confuse or overwhelm routers and firewalls and hide an attack.

TJ> Indeed, certain EHs - or the manner in which they are attached, or the number involved - can cause concerns that our "next generation" of Firewall/IDS/IPS will need to know how to handle.  Certain IPv6-savvy companies are working on this now ...

Mar 30, 2009 10:18 AM Joe says:

Ralph,

You did a good job at pointing out the advantages and disadvantages of IPv6 to your readers. However, I just want to point out that there are many more...too many to list here.

Joe

Mar 30, 2009 11:32 AM FunLovingNetworkGuy says:

As I have said many times, the devil is in the details. Go out and read the specifications.

FLNG

Mar 30, 2009 11:58 AM Hank says:

Don't know a lot about IPv6, but I do now.

Hank

Mar 31, 2009 11:19 AM MickeyBigByte says:

Look, why prolong this? Get the @*%^& on IPv6 now so the rest of us can get on with our work!
