IPv6 is the next-generation Internet protocol, designed to give us more IP addresses. Back in the day when no one dreamed that toasters would one day be connected to the Internet, the idea that the number of IP addresses in the world would run out was silly. Today, the growing number of connected devices means we need more IP addresses, and IPv6 is the way to achieve that. Unfortunately for network administrators, it’s a new technology stack that hasn’t yet been fully scrutinized by security experts.
While the most secure system is one that does exactly what you want it to do, with adequate monitoring and no additional back doors or unused functionality, IPv6 doesn’t exactly fall into that category yet. It has not been fully adopted, and many companies haven’t worked out what monitoring and support are required. In a recent survey by Ipswitch, Inc., two thirds of network administrators reported that only one in five of their networked devices were IPv6 ready. But sticking your head in the sand is not a good approach to network security.
Should network administrators be worried?
The IPv6 threat
“There are some specific new attack vectors using IPv6 such as manipulation of route headers, rogue router advertisements, NDP spoofing, but on the whole the security concerns of IPv6 aren’t something that should be a roadblock with the right monitoring infrastructure,” said Chris Smithee, Network Security manager at infrastructure monitoring firm Lancope.
Matthew Levine, director of Engineering at Akamai Technologies, agreed that any potential security pitfalls of IPv6 can be overcome.
“In reality, IPv6 is not inherently less secure than IPv4, but it presents the opportunity for risks because it is different,” he explained. “For example, current firewall configurations may be IPv4 specific, such that adopting IPv6 would create more exposure than desired. There are some security concerns around IPv6 in IPv4 tunneling. The fundamental issue is that such a tunnel can potentially bypass a firewall that doesn’t ‘understand’ IPv6. Whether you want to use IPv6 or not, you should ensure your firewall handles it properly.”
The bury-your-head-in-the-sand approach is a concern for John Curran, president and CEO of ARIN, the American Registry for Internet Numbers, which is the non-profit responsible for managing the IP addresses, including IPv6, in the U.S., Canada, and parts of the Caribbean.
“Potential security pitfalls happen when network operators choose to ignore that two protocols are running at the same time,” he said. “For example, IPv6 could be turned on, and because of tunneling and network address translation (NAT), someone could be using IPv6 on your network without your knowledge. The solution is to realize that there are two network protocols in use whether you intend it or not, and to plan for both in your security model. It’s not that there are security issues with IPv6, but that the same security configuration already in place for IPv4 must be consciously turned on.”
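As an added illustration of the tunneling point Levine and Curran raise (this code is not from the article or from anyone quoted in it), the Python below inspects raw IPv4 packets for the two common signs of IPv6 riding inside IPv4: IP protocol 41 and UDP traffic on the Teredo port 3544. The function names are hypothetical and the sample packets are constructed from documentation address ranges.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6 = 17, 41   # IANA IP protocol numbers
TEREDO_PORT = 3544               # Teredo service port (RFC 4380)

def addr(raw):
    return str(ipaddress.ip_address(raw))   # 4 bytes -> IPv4, 16 -> IPv6

def inner_ipv6(data):
    """Return (src, dst) if data starts with an IPv6 header, else None."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    return addr(data[8:24]), addr(data[24:40])

def find_tunnel(pkt):
    """Classify one raw IPv4 packet; return a finding dict or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None              # later fragment carries no inner header
    proto, body = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6:      # 6in4, 6to4 and ISATAP all use protocol 41
        kind = "protocol-41"
    elif (proto == PROTO_UDP and len(body) >= 8
          and TEREDO_PORT in struct.unpack("!HH", body[:4])):
        kind, body = "teredo", body[8:]   # port match is a heuristic
    else:
        return None
    return {"kind": kind, "outer": (addr(pkt[12:16]), addr(pkt[16:20])),
            "inner": inner_ipv6(body)}

# Constructed sample packets (documentation address ranges), not captures.
def ipv4(proto, src, dst, body, frag=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, frag, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + body

V6 = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
      + ipaddress.IPv6Address("2001:db8::10").packed
      + ipaddress.IPv6Address("2001:db8::20").packed)
UDP = struct.pack("!HHHH", 51000, TEREDO_PORT, 8 + len(V6), 0)
SAMPLES = [ipv4(41, "192.0.2.10", "198.51.100.1", V6),
           ipv4(17, "192.0.2.11", "203.0.113.5", UDP + V6),
           ipv4(6, "192.0.2.12", "198.51.100.80", bytes(20))]
FINDINGS = [find_tunnel(p) for p in SAMPLES]
```

A finding whose `inner` field is `None` still indicates tunnel traffic, for example a Teredo packet that carries an authentication or origin-indication header ahead of the IPv6 packet.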
So should you switch IPv6 off? Oliver Lavery, director of Security Research and Development for network security and compliance auditing firm nCircle, said yes.
“Any network facing service or capability that you aren’t using should be turned off; that’s just good security hygiene,” he said. “Every service or capability you expose to the network increases your attack surface. Attack surface is the amount of functionality an attacker could exploit to compromise any computer. Ideal security means you want to present the absolute minimum attack surface without compromising functionality.”
Levine agreed. “As a general security principle, it is a good practice to switch off anything that is not required,” he said. “That said, the world is moving to IPv6, so while it may not be required today, it will be required soon. There’s no question that it will happen. The only question is how long it will take.”
But, while switching off IPv6 is an option today, it just means prolonging the inevitable.
“IPv4 addresses have been fully depleted from the Internet Assigned Numbers Authority (IANA) free pool and the regional Internet registries (RIRs) are quickly running out of their addresses,” said Curran. “The public Internet is moving to be both IPv4 and IPv6, so you will need to be ready for that regardless of whether you run IPv6 internally.”
If you do choose to switch IPv6 off for now, you would be wise to spend time investigating how to be ready when IPv6 arrives. Investing effort in these early days in working out how best to secure your network will mean that you are well prepared to deal with any security vulnerabilities when IPv6 is switched on permanently.
Eventually, though, firms are going to have to switch IPv6 on.
“The move to IPv6 shouldn’t be scary, it’s just different,” said Levine. “Look at your configurations, and not just for security, to ensure they’re ready to handle IPv6. A little knowledge and understanding will go a long way to mitigating risk and ensuring the move to IPv6 is successful and secure.”
Even so, it is likely to take a long time before network professionals believe that IPv6 is fully secure.
“Recently, Microsoft fixed a serious security flaw in its 25-plus-year-old implementation of IPv4,” said Lavery. “This clearly demonstrates how hard it is to get any IP protocol implementations correct and secure.”
Elizabeth Harrin is a writer and project manager living and working in London, UK.