The move from the Internet Protocol version 4 (IPv4) addressing scheme to the new and vastly more expansive IPv6 has been going on so long that it is becoming more like a tradition than a transition. Just about everybody, even those who are dragging their feet, understands that it is a vital technology upon which the long-term well-being of the Internet depends.
It is also fair to say that everything on the Internet has security implications. Questions about IPv6 are still on the table in this regard. IPv6, if approached carefully, will help the Internet reach its potential. It can, however, be problematic if care is not taken, and its complexity means that plenty of opportunities still exist to drop the ball.
IPv6 Security Challenges
The good news is that IPv6, because of its size and other attributes, offers security advantages. We just have to balance the challenges. Pulse Secure Software Development Manager Jonathan Beakley told IT Business Edge that IPv6 introduces several issues. “First, unfamiliarity with the IPv6 protocol can result in the introduction of security vulnerabilities through configuration mistakes on both endpoint devices (e.g., laptops and mobile devices) and network infrastructure (e.g., routers, switches).”
Beakley offered an example: IT staffs must make sure that virtual private networks (VPNs) support IPv6. “[O]therwise, sensitive data could ‘leak’ outside the secure VPN tunnel and would not be encrypted.”
In general, IPv6 is being added to networks while the older addressing scheme remains. The two will run in parallel, perhaps forever. This doubles the possible problems: “[In a dual stack world, network providers will] have an additional routed protocol to monitor and secure (IPv6) in addition to the one they already have (IPv4),” says Tom Coffeen, the chief IPv6 evangelist for Infoblox.
At the end of the day, experts seem to think that the emergence of IPv6 can be handled with little problem, provided that care is taken. Some point to the possibility of misconfigurations and mistakes, and note that these are more or less preventable.
“The good news is that, while there are unique security challenges with IPv6 (especially given that IPv6 can be significantly different in how it enables the addressing of nodes and how it tracks those addresses on the LAN), many existing network security policies are broadly applicable to both IPv4 and IPv6. You won't have to rewrite your security policy entirely,” Coffeen says. “You'll just have to make sure you have the knowledge and tools in place to effectively monitor and secure IPv6.”
Owen DeLong, director, Networks and Data Center Architecture for Akamai Technologies, agrees. He suggests that the problems are minimal from a purely technical perspective. “Frankly, there aren’t really any new dangers,” he says. “There are a couple of IPv4 vulnerabilities that don’t exist in IPv6 [and there] are a couple of vulnerabilities that are theoretical in IPv4 and real in IPv6. These relate mostly to the fact that while you could theoretically have millions of IPv4 addresses on a single network, in actuality, this isn’t practical due to the scarcity of IPv4 addresses. On the other hand, it’s the default scenario for IPv6.”
IPv6 Problems? Blame the Staff, Not the Technology
The insiders agree that mistakes and misconfigurations can be reduced by education and awareness. Whether IPv6 is dangerous or not depends more on the people running it than the addressing scheme itself. Misconfiguration of even the most secure technology leads to problems; IPv6 is complex, so it provides plenty of opportunity to make potentially costly mistakes. Scott Hogg, the CTO at GTRI, counsels organizations to get trained on IPv6, disable transition techniques that are not going to be used, secure IPv6 from the start, and work with their vendors to ensure that both IPv4 and IPv6 “have functional parity.”
The most important thing, according to DeLong, is to pay attention. “Don’t pretend that ignoring IPv6 means you aren’t having security issues related to IPv6. Nothing could be farther from the truth,” he says. “Trying to simply turn off IPv6 won’t protect you either. It’s time to develop a cogent and consistent strategy for IPv4 and IPv6 together.”
The bottom line seems to be that the key IPv6 security questions are sort of quasi-technical: Glaring vulnerabilities aren’t being introduced but, at the same time, a certain amount of dislocation and confusion exists – especially for organizations that don’t have a lot of expertise on hand. This is an environment in which crackers thrive.
“Deploying IPv6 in an environment requires effort, which may be a challenge for organizations that don’t have extra IT staff time for the deployment,” Hogg says.
IPv6 is inevitable and a positive for the enterprise, but it will be attacked by the same malcontents who go after legacy networks. In the final analysis, however, IPv6 is the future. It will enable the Internet to go places that it hasn’t before. The key to doing so safely is simply to be careful – and unafraid.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at email@example.com and via twitter at @DailyMusicBrk.