Systems integrators and network consultants should be aware of the new risks that may arise when migrating their customers' IP networks over to IPv6. Despite the new protocol being security-enabled, the transition can weaken an organization's security strategy. This tip, reposted courtesy of SearchSecurity.com, analyzes some of these risks and offers potential solutions.
If you haven't thought about the impact of IPv6 on your network's security, it's time to start thinking! The replacement for the venerable IPv4 protocol is now in use on the Internet and might even exist on your network without your knowledge. Here's a look at some of the security implications of IPv6.
You're probably aware of the driving force behind the push to IPv6 -- we're running out of IP address space! The current 32-bit addressing scheme used by IPv4 allows for a whopping 4.3 billion unique addresses. Although that sounds like a lot, consider that there are approximately 6.4 billion individuals on our planet. Certainly not everyone has an IP address, but those who do might have multiple addresses spread across home and work systems, IP-enabled phones and other network-aware devices. The rapid explosion of technology in emerging markets, especially in the Asia-Pacific region, demands a new supply of IP address space. IPv6 solves this problem by using 128-bit addressing. That allows for a total of 3.4 x 10^38 addresses, a quantity that should keep us from running out for a long time. (Although, that's what they said when IPv4 came out!)
So, what does the emergence of IPv6 mean to security practitioners? Let's look at five specific issues that impact our work:
- Security practitioners need education/training on IPv6.
IPv6 will come to the networks under your control -- it's only a matter of time. As with any new networking technology, it's essential that you learn the basics of IPv6, especially the addressing scheme and protocols, in order to facilitate incident handling and related activities.
- Security tools need to be upgraded.
IPv6 is not backwards compatible. The hardware and software used to route traffic across networks and perform security analyses won't work with IPv6 traffic unless they are upgraded to versions that support the protocol. This is especially important to remember when it comes to perimeter-protection devices. Routers, firewalls and intrusion-detection systems may require software and/or hardware upgrades in order to "speak" IPv6. Many manufacturers already have these upgrades available. For example, Cisco networking devices support IPv6 as of IOS release 12.0S.
- Existing equipment may require additional configuration.
The devices that do support IPv6 typically treat it as an entirely separate protocol (as they should). Therefore, the access control lists, rule bases and other configuration parameters may need to be reevaluated and translated to support an IPv6 environment. Contact the appropriate manufacturers for specific instructions.
- Tunneling protocols create new risks.
The networking and security communities have invested time and energy in ensuring that IPv6 is a security-enabled protocol. However, one of the greatest risks inherent in the migration is the use of tunneling protocols to support the transition to IPv6. These protocols allow the encapsulation of IPv6 traffic in an IPv4 data stream for routing through non-compliant devices. Therefore, it's possible that users on your network can begin running IPv6 using these tunneling protocols before you're ready to officially support it in production. If this is a concern, block IPv6 tunneling protocols (including SIT, ISATAP, 6to4 and others) at your perimeter.
- IPv6 autoconfiguration creates addressing complexity.
Autoconfiguration, another interesting IPv6 feature, allows systems to automatically obtain a network address without administrator intervention. IPv6 supports two different autoconfiguration techniques. Stateful autoconfiguration uses DHCPv6, a simple upgrade to the current DHCP protocol, and doesn't differ much from a security perspective. On the other hand, keep an eye on stateless autoconfiguration. This technique allows systems to generate their own IP addresses and check for duplicates themselves. This decentralized approach may be easier from a system administration perspective, but it raises challenges for those of us charged with tracking the use (and abuse!) of network resources.
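The tracking challenge raised by stateless autoconfiguration can be seen in how a host derives its own address. The following Python is an added example, not code from the original tip: it builds the SLAAC address a host would self-assign from a /64 prefix and its MAC address (the modified EUI-64 method of RFC 4291, Appendix A), and reverses the mapping so an analyst can recover the MAC from a logged address. The prefix and MAC values are constructed sample data; the reverse lookup returns None for interface identifiers that are not EUI-64 based (randomized privacy addresses, DHCPv6 leases), which is exactly where address-to-host tracking stops working.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit modified EUI-64 interface identifier from a 48-bit MAC."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device part, then flip the
    # universal/local bit (0x02 of the first octet) as RFC 4291 requires.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host self-assigns from a /64 prefix using an EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def mac_from_slaac_address(addr: str):
    """Recover the MAC from an EUI-64 derived address; None if the IID is not EUI-64 based."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        # Privacy extension (RFC 4941) or DHCPv6 address: no MAC is embedded.
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    sample_mac = "00:1b:63:84:45:e6"
    addr = slaac_address("2001:db8:1::/64", sample_mac)
    print(addr, "->", mac_from_slaac_address(str(addr)))
    print("2001:db8::1 ->", mac_from_slaac_address("2001:db8::1"))
```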
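Returning to the tunneling item above: IPv6-in-IPv4 tunnels (SIT/6in4, 6to4 and ISATAP) all ride on IPv4 protocol number 41, so a perimeter device or packet capture can reveal hosts that have started tunneling before IPv6 is officially supported. The Python below is an added example, not from the original tip or any vendor: it parses raw IPv4 packets, flags protocol 41, and labels the tunnel type from the inner IPv6 source address (2002::/16 for 6to4, an interface ID of 0000:5efe or 0200:5efe for ISATAP, otherwise a configured 6in4/SIT tunnel). The packet builder and all addresses are constructed sample data.

```python
import ipaddress
import struct

# IPv4 protocol 41 = IPv6 encapsulated in IPv4, shared by SIT/6in4, 6to4 and ISATAP.
IPPROTO_IPV6 = 41


def build_6in4_packet(outer_src, outer_dst, inner_src, inner_dst):
    """Construct a minimal IPv4(proto 41) + IPv6 packet with no payload (sample data)."""
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address(outer_src).packed,
                     ipaddress.IPv4Address(outer_dst).packed)
    # IPv6 header: version 6, payload length 0, next header 59 (none), hop limit 64.
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    return v4 + v6


def classify_tunnel(packet):
    """Return (kind, outer_src, inner_src) for a protocol-41 packet, or None otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != IPPROTO_IPV6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20:
        return None
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return ("proto-41-malformed", outer_src, None)
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in ipaddress.IPv6Network("2002::/16"):
        kind = "6to4"        # RFC 3056: IPv4 address embedded under the 2002::/16 prefix
    elif inner_src.packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        kind = "ISATAP"      # RFC 5214: interface ID 0000:5efe / 0200:5efe + IPv4 address
    else:
        kind = "6in4/SIT"    # configured tunnel (RFC 4213)
    return (kind, outer_src, str(inner_src))


def tunnel_report(packets):
    """Distinct (tunnel type, outer source, inner source) tuples seen in a packet list."""
    return sorted({r for r in map(classify_tunnel, packets) if r})


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        build_6in4_packet("198.51.100.1", "192.0.2.1", "2002:c633:6401::1", "2001:db8::2"),
        build_6in4_packet("192.168.1.2", "192.168.1.1", "fe80::5efe:c0a8:102", "fe80::5efe:c0a8:101"),
        build_6in4_packet("203.0.113.5", "203.0.113.6", "2001:db8::1", "2001:db8::2"),
    ]
    for row in tunnel_report(samples):
        print(row)
```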
As you can tell, IPv6 is revolutionary. It allows us to prepare our networks for the next decade of ubiquitous access but, as with any innovation, requires careful attention from a security perspective.
About the author
Mike Chapple, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles including the CISSP Prep Guide and Information Security Illuminated.
This tip originally appeared on SearchSecurity.com.
This was first published in January 2007