Guest post written by Danny McPherson
IPv6 presents a security paradox.
The capabilities IPv6 provides will enhance online security – but the shift to the new Internet address scheme may also present risks if not properly managed.
Internet security was largely an afterthought for the early Internet, whose primary purpose was to facilitate open, end-to-end, any-to-any communication and information exchange in order to bridge and accelerate research efforts. Today we have a much more complex Internet ecosystem that spans billions of users across the globe and serves not only as an engine for e-commerce, but as an engine for all commerce.
The Internet protocol suite has become the de facto standard for global Internet services and consumers, but it also serves as a near ubiquitous substrate for running critical network infrastructure and applications. Transportation, financial systems, emergency services, utilities, and government applications are just a few examples of services that need absolute availability and robust security.
At the micro level, the migration of personally identifiable information and proprietary intellectual property online influenced the IPv6 protocol architects to bake additional security into the stack. For example, IPsec was made mandatory to implement in IPv6-compliant protocol stacks (RFC 6434 later relaxed this to a SHOULD, and "mandatory to implement" never meant "enabled by default": a stack that ships IPsec still has to be configured to use it), while Secure Neighbor Discovery (SEND), privacy addresses (RFC 4941) and Unique Local Addresses (ULA, RFC 4193) all provide additional security enhancements.
So that’s the good news. But herein lies the rub: IPv6 is enabled “out of the box” in most devices shipped today, and if network operators don’t recognize that and manage it, it will have a substantial impact on their security posture. One of the biggest, but arguably easiest-to-remedy, pitfalls is exactly this default: an increasing array of networking equipment and end systems arrive with IPv6 enabled, so a network nobody thinks of as running IPv6 usually is.
In an Internet environment with no bad actors it’d seem perfectly reasonable, and even requisite, to enable IPv6 by default in order to deploy it rapidly. However, if network administrators aren’t ready for IPv6 in their operating environments, meaning the same visibility, filtering and monitoring they already have for IPv4, then they really need to disable IPv6 entirely and deploy new devices and hardware in a very calculated manner. As an industry, we’ve already observed IPv6 being used to compromise systems “under the radar” of IPv4-only sensors, and several folks have reported IPv6 being expressly enabled by miscreants in order to exfiltrate data, facilitate malware propagation, and enable botnet C&C infrastructure and distributed denial-of-service attacks.
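The first step in managing that default is simply seeing it. As an added example (not code from the original post), here is a Python audit that can be run over the output of `ip -6 addr show` on a Linux host: it classifies each address as loopback, link-local, ULA, privacy (temporary) or global, recovers the MAC address from any SLAAC EUI-64 identifier, and reports the addresses that give a supposedly IPv4-only host a globally routable IPv6 path. The sample `ip -6 addr` output, interface names and prefixes are constructed for this example, and `parse_ip6_addr`, `classify` and `audit` are names chosen here.

```python
"""Audit the IPv6 addresses a Linux host has picked up, so that a host
managed as "IPv4-only" does not quietly carry a second, unfiltered path.

Added example; SAMPLE_IP6_ADDR is constructed `ip -6 addr show` output,
not a capture from a real host."""
import ipaddress
import re

# Constructed sample of `ip -6 addr show` (iproute2 format), not a real capture.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86395sec preferred_lft 14395sec
    inet6 2001:db8:1:2:9c1f:7a02:5e4d:c0ab/64 scope global temporary dynamic
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fd12:3456:789a:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""

ULA = ipaddress.IPv6Network("fc00::/7")       # Unique Local Addresses, RFC 4193
_IFACE_RE = re.compile(r"^\d+:\s+(\S+?):")
_INET6_RE = re.compile(r"^\s+inet6\s+(\S+)/(\d+)\s+scope\s+(\S+)(.*)$")


def parse_ip6_addr(text):
    """Return one dict per inet6 line: iface, addr (IPv6Address), prefixlen, scope, flags."""
    entries, iface = [], None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET6_RE.match(line)
        if m:
            entries.append({"iface": iface, "addr": ipaddress.IPv6Address(m.group(1)),
                            "prefixlen": int(m.group(2)), "scope": m.group(3),
                            "flags": set(m.group(4).split())})
    return entries


def eui64_to_mac(addr):
    """If the interface identifier is a modified EUI-64 (RFC 4291 Appendix A), return
    the MAC it was derived from as "aa:bb:cc:dd:ee:ff"; otherwise return None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":               # EUI-64 pads the 48-bit MAC with ff:fe
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in octets)


def classify(entry):
    """Bucket an address by what it means for exposure."""
    addr, flags = entry["addr"], entry["flags"]
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:                    # fe80::/10, on-link only
        return "link-local"
    if addr in ULA:                           # site-local reachability, not Internet-routable
        return "ula"
    if "temporary" in flags:                  # RFC 4941 privacy address, rotates over time
        return "global-temporary"
    if eui64_to_mac(addr) is not None:        # stable identifier that exposes the MAC
        return "global-eui64"
    return "global"


def audit(text, expect_ipv6=False):
    """Findings as (iface, address, category, message). With expect_ipv6=False every
    globally routable address is a finding; EUI-64 addresses are always flagged."""
    findings = []
    for e in parse_ip6_addr(text):
        cat = classify(e)
        if cat.startswith("global") and not expect_ipv6:
            findings.append((e["iface"], str(e["addr"]), cat,
                             "globally routable IPv6 on a host managed as IPv4-only"))
        if cat == "global-eui64":
            findings.append((e["iface"], str(e["addr"]), cat,
                             f"SLAAC EUI-64 identifier exposes MAC {eui64_to_mac(e['addr'])}; "
                             "enable privacy (temporary) addresses"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IP6_ADDR):
        print(*finding, sep="  ")
```

On a real host, replace `SAMPLE_IP6_ADDR` with the output of `ip -6 addr show`; a host that the inventory lists as IPv4-only but that reports a `global` address has a path the IPv4-only sensors never see.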
Other security considerations include the following:
- Translating between IPv4 and IPv6 (necessary because it will take some time before all systems run IPv6) is itself a pitfall. Because IPv4 and IPv6 are not “bits on the wire” compatible, translating traffic between them inevitably puts middle boxes in the path to mediate transactions as they move through the network. Like a mail sorter at a post office transfer facility moving payloads from IPv4 envelopes into IPv6 ones, such a box sees every packet, so any bug in its implementation is exposed to all of that traffic and gives a bad actor a single target to exploit.
- Unlike IPv4’s variable-length header, IPv6 has a 40-byte fixed header but introduces add-on “extension headers” that may be chained. A firewall, security gateway or router has to walk the whole chain before it finds the transport header, and long or malformed chains push that processing off the fast path: they could overwhelm firewalls and security gateways, degrade router forwarding performance, and serve as a vector for distributed denial-of-service and other attacks.
- During a long period of “transitional coexistence”, IPv6 adoption may require large-scale NAT and protocol translation devices (NAT-PT, NAT64 and the like), as well as end-system or intermediate translation devices and protocols. These devices complicate the network and its operation, and can break useful functions such as geo-location and the tools security administrators use to identify and mitigate malicious network behaviour (e.g., blacklists and traffic filters keyed on source address).
- Because of IPv6’s sparse address space, active scanning of infrastructure for unauthorized or vulnerable systems is much more complex than with IPv4: a single /64 holds 2^64 addresses, so sweeping it the way one sweeps an IPv4 /24 is not feasible. Scanning needs to be augmented with network access controls and active measurement systems (neighbor caches, address-assignment logs, and similar sources of “which addresses are actually in use”) that trigger vulnerability scanning of the hosts found.
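The extension-header point above is easiest to see in code. The following Python is an added example, not code from the original post or from any product: it walks the header chain of a raw IPv6 packet the way a firewall must before it can reach the transport header, and enforces a small policy (Hop-by-Hop Options only in first position per RFC 8200, Routing Header Type 0 rejected per RFC 5095, no repeated headers beyond what RFC 8200 allows, a stop at ESP because everything after it is ciphertext, and a hard cap on chain length that bounds the work an attacker can impose per packet). The packet builder, sample headers and addresses are constructed here; `walk_ext_headers`, `build_packet` and `verdict` are names chosen for this example.

```python
"""Walk and police an IPv6 extension-header chain the way a firewall or
security gateway must before it can find the transport header.

Added example; the packet builder and sample packets below are constructed
for this demonstration, not captured traffic."""
import struct

# Next Header values (IANA protocol numbers).
HOPOPT, TCP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 43, 44, 50, 51, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS}


class HeaderChainError(ValueError):
    """Raised when a chain is malformed or violates the inspection policy."""


def walk_ext_headers(pkt, max_headers=4):
    """Return {"chain": [(nh, offset, length), ...], "upper": proto, "payload_off": n,
    "first_fragment": bool} for a raw IPv6 packet, or raise HeaderChainError.

    Policy: Hop-by-Hop must come first; Routing Header Type 0 is rejected; each
    header appears once (Destination Options at most twice); at most max_headers
    headers are walked, which bounds the parser work any single packet can demand.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise HeaderChainError("not an IPv6 packet or truncated fixed header")
    nh = pkt[6]                                   # Next Header of the fixed header
    off, chain, seen, first_fragment = 40, [], {}, True
    while nh in EXT_HEADERS:
        if len(chain) >= max_headers:
            raise HeaderChainError(f"more than {max_headers} extension headers")
        if nh == ESP:                             # ESP's Next Header sits in the encrypted trailer
            chain.append((nh, off, None))
            return {"chain": chain, "upper": ESP, "payload_off": off, "first_fragment": first_fragment}
        if off + 8 > len(pkt):
            raise HeaderChainError(f"truncated at header {nh}, offset {off}")
        seen[nh] = seen.get(nh, 0) + 1
        if seen[nh] > (2 if nh == DSTOPTS else 1):
            raise HeaderChainError(f"header {nh} repeated")
        if nh == HOPOPT and off != 40:
            raise HeaderChainError("Hop-by-Hop Options not immediately after the fixed header")
        next_nh = pkt[off]
        if nh == FRAGMENT:                        # fixed 8 bytes; offset field is bits 0-12 of byte 2-3
            hlen = 8
            first_fragment = (struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3) == 0
        elif nh == AH:                            # length in 4-octet units minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                                     # options and routing: 8-octet units minus 1
            hlen = (pkt[off + 1] + 1) * 8
            if nh == ROUTING and pkt[off + 2] == 0:
                raise HeaderChainError("Routing Header Type 0 is deprecated (RFC 5095)")
        if off + hlen > len(pkt):
            raise HeaderChainError(f"truncated inside header {nh}")
        chain.append((nh, off, hlen))
        off += hlen
        nh = next_nh
        if not first_fragment:                    # upper-layer header lives in the first fragment only
            break
    return {"chain": chain, "upper": nh, "payload_off": off, "first_fragment": first_fragment}


def verdict(pkt, max_headers=4):
    """Firewall-style wrapper: ("accept", parsed chain) or ("drop", reason)."""
    try:
        return "accept", walk_ext_headers(pkt, max_headers)
    except HeaderChainError as err:
        return "drop", str(err)


def build_packet(ext, upper_nh, payload):
    """Assemble a constructed IPv6 packet from [(nh_value, raw_header), ...]; byte 0 of each
    raw header is a placeholder patched with the Next Header value of what follows it."""
    nhs = [nh for nh, _ in ext] + [upper_nh]
    body = b"".join(bytes([nhs[i + 1]]) + raw[1:] for i, (_, raw) in enumerate(ext)) + payload
    fixed = struct.pack("!IHBB", 0x60000000, len(body), nhs[0], 64)   # version 6, hop limit 64
    src = bytes.fromhex("20010db8000000010000000000000001")            # 2001:db8:0:1::1 (documentation prefix)
    dst = bytes.fromhex("20010db8000000020000000000000001")            # 2001:db8:0:2::1
    return fixed + src + dst + body


# Constructed sample headers. PadN fills each 8-byte options header.
PADN6 = b"\x01\x04\x00\x00\x00\x00"
HBH_RAW = b"\x00\x00" + PADN6
DSTOPTS_RAW = b"\x00\x00" + PADN6
FRAG_FIRST_RAW = b"\x00\x00" + struct.pack("!H", 1) + b"\x00\x00\x00\x2a"   # offset 0, M=1, id 42
RH0_RAW = bytes([0, 2, 0, 1]) + bytes(4) + bytes(16)      # Type 0, one segment left, one address
SRH_RAW = bytes([0, 2, 4, 0, 0, 0, 0, 0]) + bytes(16)     # Type 4 (RFC 8754), one segment, none left
AH_RAW = bytes([0, 4, 0, 0]) + b"\x00\x00\x01\x00" + b"\x00\x00\x00\x01" + bytes(12)  # SPI 256, seq 1
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

GOOD = build_packet([(HOPOPT, HBH_RAW), (DSTOPTS, DSTOPTS_RAW), (FRAGMENT, FRAG_FIRST_RAW)], TCP, TCP_SYN)
RH0_PKT = build_packet([(ROUTING, RH0_RAW)], TCP, TCP_SYN)
LATE_HBH = build_packet([(DSTOPTS, DSTOPTS_RAW), (HOPOPT, HBH_RAW)], TCP, TCP_SYN)
LONG_CHAIN = build_packet([(HOPOPT, HBH_RAW), (DSTOPTS, DSTOPTS_RAW), (ROUTING, SRH_RAW),
                           (FRAGMENT, FRAG_FIRST_RAW), (DSTOPTS, DSTOPTS_RAW), (AH, AH_RAW)], TCP, TCP_SYN)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("rh0", RH0_PKT), ("late-hbh", LATE_HBH),
                      ("long-chain", LONG_CHAIN), ("truncated", GOOD[:50])]:
        print(name, *verdict(pkt))
```

The `max_headers` budget is the operational knob: without it, a sender controls how many headers the inspecting device parses per packet, which is exactly the “overwhelm the gateway” case above. A chain that is legal but too long for the budget is dropped rather than forwarded uninspected, so the policy fails closed.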