The long ramp up to IPv6—the next iteration of the Internet Protocol addressing scheme—is characterized by periods of high and low visibility. For the past few months, it has received very little coverage.
But the topic is coming up again. IPv6, according to Neohapsis Labs, raises a host of security concerns. A key attack, according to the firm, is the Stateless Address Auto Configuration (SLAAC) attack. It could have dire consequences. According to an article from Baseline, Neohapsis Labs’ Director Scott Behrens warns:
These could include phishing attacks, client-side attacks and other methods to capture log-in credentials, as well as personal identity information, including credit card numbers. In the end, ‘An organization could wind up with someone who has access to highly sensitive files and data,’ Behrens says.
The story says that the attack has not yet been seen “in the wild,” but that it is causing concern. The Internet Engineering Task Force (IETF) has identified best practices that could lessen its impact. Cisco also has included protections on its high-end routers, the story added.
The implication is that as serious as SLAAC is, it is but one of many security challenges that come with IPv6. That should frighten IT and security staff—and make them take action.
The broader view of IPv6 security is discussed by Brian Prince at Network Computing. According to Prince, since IPv6 Launch Day on June 6, 2012, Akamai has reported that IPv6 traffic has increased 250 percent and that now there are 10 billion requests daily on its network.
The bulk of Prince’s report focuses on four misconceptions about IPv6 security. The first is that IPv4-only networks need not be concerned with IPv6 security. This is not so. Network elements now come with IPv6 software that can be exploited—even if the protocol is not in use. There also are misconceptions about IP Security (IPSec) support. Another misconception—one that echoes the Baseline story—is that IPv6 prevents man-in-the-middle attacks. Finally, folks who assume IPv6 is inherently less secure than IPv4 are mistaken, Prince writes.
The transition to IPv6 must be done carefully. Bank Info Security posted an interview with EMC researcher Davi Ottenheimer. One question was how an organization knows it is properly preparing for IPv6 from a security perspective:
You know you’re on the right path with IPv6 when you think about addressing every device uniquely, but also maintaining the ability to change address. You also know that you’re on the right path when you’re using IPv6 in this inexhaustible space to protect each device as though it were in a hostile environment all the time.
The overall takeaway is that IPv6 security is significantly different from that of IPv4. The ironic twist, however, is that organizations not making the transition must be as concerned about protecting their network as those that are upgrading.