Abort your IPv6 launch if you're not prepared

For all its security benefits, IPv6 can open holes in your network if you haven't planned properly

It's IPv6 Launch Day -- but don't panic if your organization isn't fully IPv6 compliant. Yes, advocates of a mass migration to IPv6 make some compelling arguments. Compared to IPv4, IPv6 offers nearly unlimited addresses, enhanced mobility, better performance, superior security features, and plenty more.

But that doesn't mean you should rush to flip the IPv6 switches on your network for the sake of keeping up with the Googles and Facebooks. In fact, if you're not prepared, you might want to turn off the IPv6 features, lest you fall prey to cyber attackers who have devised ways to prey on IPv6 novices.

That warning, which comes from experts such as VeriSign Chief Security Officer Danny McPherson, may seem counterintuitive, given IPv6's celebrated security advantages over IPv4. IPv6 was specified with IPsec as a mandatory-to-implement component (mandatory to implement, not to use; RFC 6434 later relaxed even that to a recommendation), and it supports Secure Neighbor Discovery (SEND) against the IPv6 equivalent of ARP spoofing, Privacy Addresses that keep a host's MAC address out of its IPv6 address, and Unique Local Addresses for internal-only numbering. Each of these is a real gain, but only on networks where it is actually deployed and understood.

According to McPherson, "If network operators don't properly manage IPv6 -- and recognize that it's enabled 'out of the box' in most devices today -- this will have a substantial impact on their security posture. One of the biggest but arguably easiest-to-remedy pitfalls is that an increasing array of networking equipment and end systems today are shipped with IPv6 enabled by default."

The problem is that not all network management and security tools offer the same features and functionality for IPv6 as they do for IPv4. "This lack of feature parity means that security teams do not have the same visibility and mitigation capabilities when trying to identify and block IPv6-based attacks against targets," said Arbor Networks senior software QA engineer Bill Cerveny.

If network admins aren't prepared for IPv6 in terms of ensuring "full functional parity from a security and operational perspective, then they really need to disable IPv6 entirely and deploy new devices and hardware in a very calculated manner," said McPherson.

The reasoning here is that attackers have devised ways to exploit an organization's lack of IPv6 preparedness. Check Point has warned of attackers tunneling IPv6 traffic over IPv4 to slip malware past network defenses. Such tunnels are not exotic: transition mechanisms such as 6to4, Teredo and ISATAP encapsulate IPv6 inside IPv4, many hosts bring them up automatically, and an IPv4-only filter inspects just the outer packet. Attackers have also used IPv6 to exfiltrate data, to host botnet command-and-control (C&C) infrastructure, and to launch DDoS attacks.

Security concerns surrounding IPv6 don't end there, either. Among other threats, McPherson explained that translating IPv4 to IPv6 can be a pitfall in that when "transferring payloads from IPv4 envelopes to IPv6 ones, an opportunity arises for a poor implementation or a bad actor to exploit a potential vulnerability."

Additionally, IPv6 introduces add-on extension headers "that may be chained and require complex processing by various systems: these could overwhelm firewalls and security gateways. It could even introduce router forwarding performance degradation and be a potential vector for distributed denial of service and other attacks," McPherson said.
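The two failure modes just described, tunneled IPv6 that an IPv4-only filter never looks inside and extension-header chains that a filter must walk before it knows which transport header a packet carries, as an added example written for this edit (not code from the article or from VeriSign, Arbor Networks or Check Point). It unwraps protocol-41 (6in4/6to4) and plain Teredo (UDP/3544) encapsulation, then follows the IPv6 Next Header chain with a cap on its length and a stop at non-first fragments, the case in which the transport header is simply not present in the packet being inspected. The sample frames are constructed inline, and MAX_EXT_HEADERS is an assumed policy value, not a standard limit.

```python
"""Inspect raw frames the way an IPv4-era filter does not: unwrap IPv6-in-IPv4
tunnels, then walk the IPv6 extension-header chain before passing judgement."""
import ipaddress
import struct

PROTO_IPV6, PROTO_UDP = 41, 17     # IPv4 protocol 41 = 6in4 / 6to4 encapsulation
TEREDO_PORT = 3544                 # Teredo carries IPv6 inside UDP/3544 (RFC 4380)
FRAGMENT, AUTH_HEADER, NO_NEXT_HEADER = 44, 51, 59
# Extension headers that share the (Next Header, Hdr Ext Len) layout
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment",
               51: "ah", 60: "dest-opts", 135: "mobility"}
UPPER = {6: "tcp", 17: "udp", 58: "icmpv6"}
MAX_EXT_HEADERS = 4                # assumed policy limit: longer chains are flagged, not parsed

def unwrap_ipv4(frame):
    """(tunnel_kind, inner_ipv6) for 6in4/6to4 or plain Teredo frames, else None.
    Teredo origin/authentication indications ahead of the IPv6 packet are not handled."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    payload = frame[(frame[0] & 0x0F) * 4:]
    if frame[9] == PROTO_IPV6:
        return ("6in4", payload)
    if frame[9] == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        inner = payload[8:]
        if TEREDO_PORT in (sport, dport) and len(inner) >= 40 and inner[0] >> 4 == 6:
            return ("teredo", inner)
    return None

def walk_ipv6(pkt, max_ext=MAX_EXT_HEADERS):
    """Follow the Next Header chain to the transport header; flag what a filter cannot decide."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    chain, flags, upper = [], [], None
    while nh in EXT_HEADERS:
        chain.append(EXT_HEADERS[nh])
        if len(chain) > max_ext:
            flags.append("header-chain-too-long")
            break
        if off + 8 > len(pkt):
            flags.append("truncated-chain")
            break
        next_nh = pkt[off]
        if nh == FRAGMENT:
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                flags.append("non-first-fragment")   # transport header is in another packet
                break
            length = 8
        elif nh == AUTH_HEADER:
            length = (pkt[off + 1] + 2) * 4          # AH: length in 4-byte units, minus 2
        else:
            length = (pkt[off + 1] + 1) * 8          # others: 8-byte units, minus 1
        nh, off = next_nh, off + length
    else:                                            # reached a non-extension header
        if nh == NO_NEXT_HEADER:
            flags.append("no-next-header")
        else:
            upper = UPPER.get(nh, "proto-%d" % nh)
    return {"src": str(src), "dst": str(dst), "chain": chain, "upper": upper, "flags": flags}

def inspect_frame(frame):
    """Classify a raw frame: native IPv6, IPv6 tunnelled inside IPv4, or neither."""
    if frame and frame[0] >> 4 == 6:
        return dict(tunnel=None, **walk_ipv6(frame))
    tunnel = unwrap_ipv4(frame)
    if tunnel is None:
        return {"tunnel": None, "ipv6": False}
    kind, inner = tunnel
    return dict(tunnel=kind, **walk_ipv6(inner))

# ---- constructed sample frames (built here, not captured from a network) ----
def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + payload

def _ipv6(nh, payload, src="2002:c000:20a::1", dst="2001:db8::1"):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

def _chained(n, payload):              # n destination-options headers in front of the payload
    for nh in [6] + [60] * (n - 1):
        payload = bytes([nh, 0]) + b"\x00" * 6 + payload   # minimal 8-byte header, Pad1 options
    return _ipv6(60, payload)

TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_6IN4 = _ipv4(PROTO_IPV6, _ipv6(6, TCP_SYN))
_teredo_inner = _ipv6(6, TCP_SYN, src="2001:0:c000:20a::1")
SAMPLE_TEREDO = _ipv4(PROTO_UDP, struct.pack("!HHHH", TEREDO_PORT, TEREDO_PORT,
                                             8 + len(_teredo_inner), 0) + _teredo_inner)
SAMPLE_LONG_CHAIN = _chained(6, TCP_SYN)
SAMPLE_FRAGMENT = _ipv6(FRAGMENT, struct.pack("!BBHI", 6, 0, 100 << 3, 0x1234) + b"\x00" * 16)
SAMPLE_PLAIN_IPV4 = _ipv4(6, TCP_SYN)
```

The output is flags rather than drops on purpose: an IPv4-era filter returns nothing at all for the first two samples because it never sees the inner packet, and it has no verdict for the last two because it never walks the chain, whereas a tool with IPv6 feature parity has to return a decision for each. Real Teredo traffic can carry origin and authentication indications in front of the IPv6 packet; handling those is left out here.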

While transitioning from IPv4 to IPv6, organizations may need to deploy address translation devices and protocols such as NAT64 and DNS64. These could complicate network operations, according to McPherson, and break the functions and tools (such as blacklists and traffic filters) that security admins use to monitor security incidents: a translator substitutes its own address for the original source, so filters keyed on the addresses seen on one side of it no longer match the host on the other side.

Finally, scanning network infrastructure for unauthorized or vulnerable systems is far more complex with IPv6 than with IPv4, according to McPherson, because the IPv6 address space is so sparsely populated: a single /64 subnet holds 2^64 addresses, so the brute-force sweeps that enumerate an IPv4 /24 in seconds cannot cover it. "These capabilities need to be augmented with network access controls and active measurement systems that trigger vulnerability scanning," he said.
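Because a /64 cannot be swept, IPv6 inventory starts from what the network already knows about its hosts: router and switch neighbor caches, DHCPv6 leases, DNS and flow records. As an added example written for this edit (not from the article or any tool it mentions), the following harvests scan targets from `ip -6 neigh show` output and classifies each interface identifier using the address patterns catalogued in RFC 7707, so a scanner can be pointed at live hosts and so EUI-64 addresses that leak a MAC address (the case Privacy Addresses exist to prevent) stand out in the list. The sample lines are constructed; the field layout assumed is iproute2's `<addr> dev <if> [lladdr <mac>] [router] <STATE>`.

```python
"""Build an IPv6 scan target list from neighbor-cache entries instead of sweeping a /64,
and classify each interface identifier so the scanner knows what it is looking at."""
import ipaddress
import re

# Line shape of `ip -6 neigh show`: <addr> dev <if> [lladdr <mac>] [router] <STATE>
NEIGH_RE = re.compile(r"^(?P<addr>\S+) dev (?P<dev>\S+)"
                      r"(?: lladdr (?P<mac>[0-9a-f:]{17}))?(?: router)? (?P<state>[A-Z]+)$")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")

def parse_neigh(lines):
    """Parse neighbor-cache lines into (address, device, mac, state) tuples."""
    entries = []
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((ipaddress.IPv6Address(m["addr"]), m["dev"], m["mac"], m["state"]))
    return entries

def mac_from_eui64(addr):
    """Recover the MAC embedded in a modified EUI-64 interface identifier, else None."""
    iid = addr.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02                          # undo the universal/local bit flip
    return ":".join("%02x" % b for b in raw)

def classify_iid(addr):
    """Guess how the interface identifier was generated (patterns from RFC 7707)."""
    if addr in SIX_TO_FOUR:
        return "6to4"
    if addr in TEREDO:
        return "teredo"
    iid = addr.packed[8:]
    if mac_from_eui64(addr):
        return "eui-64"                     # SLAAC without privacy extensions: MAC is exposed
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return "isatap"                     # embeds an IPv4 address after 0000:5efe
    if iid[:5] == b"\x00" * 5:
        return "low-byte"                   # manually numbered, e.g. ::1, ::53
    return "random"                         # privacy address or random stable IID

def scan_targets(lines, skip_states=("FAILED", "INCOMPLETE")):
    """Global-scope neighbors worth scanning, with the hints a scanner can use."""
    targets = []
    for addr, dev, mac, state in parse_neigh(lines):
        if state in skip_states or addr.is_link_local or addr.is_multicast:
            continue
        targets.append({"addr": str(addr), "dev": dev, "lladdr": mac, "state": state,
                        "iid": classify_iid(addr), "mac_from_iid": mac_from_eui64(addr)})
    return targets

# Constructed sample of `ip -6 neigh show` output (not taken from a real host)
SAMPLE_NEIGH = [
    "fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE",
    "2001:db8:1:0:221:5cff:fe12:3456 dev eth0 lladdr 00:21:5c:12:34:56 STALE",
    "2001:db8:1::1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE",
    "2001:db8:1:0:d4f1:9e2a:7c3b:1c5e dev eth0 lladdr 00:21:5c:12:34:56 DELAY",
    "2001:db8:1::5efe:c000:20a dev eth0 lladdr 00:aa:bb:cc:dd:ee STALE",
    "2001:db8:1::9 dev eth0 FAILED",
]

if __name__ == "__main__":
    for target in scan_targets(SAMPLE_NEIGH):
        print(target)
```

The second and fourth sample entries share a MAC: the same host is reachable on its EUI-64 address and on a privacy address, which is exactly why an IPv4-style "one address per box" inventory undercounts IPv6 hosts, and why the neighbor cache, which sees both, is a better seed for scanning than any sweep.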

This story, "Abort your IPv6 launch if you're not prepared," was originally published at InfoWorld.com.


Copyright © 2012 IDG Communications, Inc.