Don't Panic About, or Ignore, IPv6 Security

Carl Weinschenk

The move from IPv4 to IPv6 (Internet Protocol version 4 and 6) has gotten a tremendous amount of interest. The transition will be in the news more often as we approach the Internet Society's IPv6 launch day, which is slated for June 6. On that date - coincidentally or not, the 68th anniversary of D-Day - service providers, consumer electronics companies and website owners are being encouraged to turn on IPv6. Unlike last year's test, the plan is for them to not turn it off.

An issue riding under the radar for non-engineers is security. Experts say that IPv6 is more than a huge increase in the number of available IP addresses. It also requires some things to be done differently. Both issues need to be carefully examined to ensure the network's security is not compromised.

An Arbor Networks survey revealed that only 4 percent of respondents reported Distributed Denial of Service (DDoS) attacks on IPv6 networks. At CNET, Stephen Shankland reports on the survey. The 4 percent figure can be seen as good news. The bad news, however, is that even a single attack shows that the bad guys are on the case. He suggests that there is reason for concern:

IPv6 isn't the main route for attacks, since it's still a relative backwater, but two problems make IPv6 particularly vulnerable. First, with the relatively immature network infrastructure, many network operators don't have the ability to scrutinize network traffic well enough to distinguish DDoS attacks from benign traffic. Second, gateways that link IPv4 and IPv6 must store lots of "state" information about the network traffic they handle, and that essentially makes them more brittle.

The first quote in a story at Dark Reading on the security implications of the transition comes from well-known researcher Dan Kaminsky. The story, written by Kelly Jackson Higgins, is reassuring:

"I'm not too worried about IPv6 security flaws. We've gotten almost lazy about calling bugs out just because code is new. But the bottom line is that the major OSes have had their IPv6 stacks scrubbed fairly hard, and most embedded devices that do support IPv6 are built on these major OSes," Kaminsky says. "Things may go wrong, of course, but we'll survive."

The remainder of the story makes clear, however, that care must be taken in the transition. The sense is that experts aren't worried - but are not nonchalant. For instance:

One example of a dangerous misconfiguration is when setting up tunneling between IPv4 and IPv6. It's possible to inadvertently allow external traffic to flow through the tunnel freely, for instance, according to some experts. Another is not allocating sufficient memory for the longer IPv6 addresses, which could lead to remote code execution, for example.

There is reason to believe that IPv6 security eventually could be better than IPv4. Robert Mullins' piece at Network World suggests that compliance is deeply enmeshed in IPv6, which could lead to more secure networks almost by default. Regardless, the prudent approach is to be extraordinarily careful in planning, deploying and running an IPv6-based network. Anything that touches the Internet must be treated with great care - and healthy respect for Murphy's Law must be paid.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Feb 21, 2012 3:05 PM Robert Robert  says:

Very interesting post. Thanks for explaining this to us, your readers!


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.