The IETF has a working group, SAVI (Source Address Validation), and Cisco is implementing a three-phase plan to upgrade its IOS; the plan began in 2010 and will be fully implemented sometime in 2012, depending on the switch type.
Vyncke notes that some of the more common IPv6 security risks are accidentally created by an improperly configured end-user device on the network, and that proper configuration and IPv6 security measures would eliminate many of these risks.
"The answer to this type of problem is to deploy native IPv6, and to protect IPv6 traffic at the same level and against the same kinds of threats you already defend in IPv4," Vyncke explains.
The IPSec myth
There's a common perception that IPv6 is natively more secure than IPv4 because IPSec support is mandatory in IPv6. "This is a myth that needs to be debunked," Vyncke says.
He points out that, aside from the practical challenges associated with the broad-scale implementation of IPSec, the content of IPSec-encapsulated traffic becomes invisible to devices (routers/switches/firewalls), thereby interfering with their important security functions.
For this reason, Vyncke, who is also an active member of the IETF and the author of RFC 3585, reports that an IETF working group is considering a change that would make IPSec support "recommended" rather than "required" in IPv6 implementations.
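As an added illustration of the point Vyncke makes (this is not code from the article or from any vendor): a minimal IPv6 extension-header walk of the kind a filtering device performs, run over two constructed packets whose addresses, ports and SPI are made up. With plain TCP the ports are visible to the device; once the same flow is inside ESP only the SPI and sequence number remain, so any policy that depends on the payload must be applied before encryption or at the endpoints.

```python
import struct

# IPv6 next-header values (IANA) needed for the walk
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ESP, AH, TCP, UDP = 50, 51, 6, 17
GENERIC_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}

def classify_ipv6(pkt: bytes) -> dict:
    """Walk the extension-header chain and report what a router or
    firewall can still see at the transport layer."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while True:
        if nh in GENERIC_EXT:
            # next-header byte, then length in 8-octet units not counting the first 8
            nh, hlen = pkt[off], pkt[off + 1]
            off += (hlen + 1) * 8
        elif nh == FRAGMENT:          # fixed 8 octets
            nh, off = pkt[off], off + 8
        elif nh == AH:                # length in 4-octet units minus 2; payload stays in the clear
            nh, hlen = pkt[off], pkt[off + 1]
            off += (hlen + 2) * 4
        else:
            break
    if nh == ESP:
        spi, = struct.unpack("!I", pkt[off:off + 4])
        return {"proto": "ESP", "spi": spi, "inspectable": False}
    if nh in (TCP, UDP):
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        name = "TCP" if nh == TCP else "UDP"
        return {"proto": name, "sport": sport, "dport": dport, "inspectable": True}
    return {"proto": nh, "inspectable": False}

def _ipv6_hdr(next_header: int, payload_len: int) -> bytes:
    # constructed header: version 6, zero traffic class/flow label, hop limit 64, dummy 2001::/16 addresses
    src = b"\x20\x01" + b"\x00" * 14
    dst = b"\x20\x01" + b"\x00" * 13 + b"\x01"
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64) + src + dst

# constructed sample 1: TCP to port 443 behind a hop-by-hop header (PadN option fills 8 octets)
_hbh = bytes([TCP, 0, 0x01, 0x04]) + b"\x00" * 4
_tcp = struct.pack("!HH", 51000, 443) + b"\x00" * 16
PLAIN = _ipv6_hdr(HOP_BY_HOP, len(_hbh) + len(_tcp)) + _hbh + _tcp

# constructed sample 2: the same flow inside ESP; the TCP ports are now part of the ciphertext
_esp = struct.pack("!II", 0x1234, 1) + b"\x00" * 24
ENCRYPTED = _ipv6_hdr(ESP, len(_esp)) + _esp
```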
Regarding disabling IPv6, Vyncke says it's a bad idea for two reasons. First, Microsoft has said that disabling IPv6 on Windows 2008 constitutes an unsupported configuration. Second, trying to disable IPv6 is a head-in-the-sand strategy that delays the inevitable and could make security worse, because IPv6-enabled devices are going to show up on the network whether IT wants them or not.
Security threats aside, there is a growing business case for IPv6 that is getting harder to sweep under the rug. Banks and online brokerages already face the challenge of losing communication with international customers whose networks no longer support IPv4.
Companies like Telefonica and T-Mobile are embracing IPv6 in a big way, especially for their European bases. And the U.S. government, which has been steadily migrating to IPv6, is clamoring for providers and vendors to deliver more IPv6 products and services.
"You never want to be in a position where you can't interact with your customers," says Keith Stewart, director of Brocade Communications Systems Applications Delivery Products. Nevertheless, sharing the prevalent view among network vendors, Stewart sees a gradual migration to IPv6.
"A wholesale upgrade to IPv6 across the Internet is neither practical nor effective," Stewart says. "Customers need a balanced, practical approach." He notes that service providers, who consume addresses faster than anyone else, are first in line for IPv6 upgrades, followed by content hosts (Google and Facebook), and finally end-users, whose home routers are still 99% IPv4-based.
When Brocade needed to move to IPv6, it took existing load balancers and turned on IPv6 translation to public-facing services, preserving IPv4 connectivity on the internal network. "The public stack is the most important. Pick a smaller project where you can make a business case to communicate with IPv6 customers. When building out your next set of services, demand that it's dual-stack capable or translation-capable for older IPv4 architectures. This allows you to build a business-facing ROI as your teams gain competence with IPv6. Any transition should be designed to be seamless for the end user," Stewart says.