IPv6 Security: 5 Things You Need to Know
The switch to IPv6 will not make networks more secure or more vulnerable to attack in and of itself, according to a panel of industry experts. But failing to test equipment and to make sure security features are functioning as planned could leave networks vulnerable during and after the transition to the new numbering plan.
Here are key facts you need to know about IPv6 and network security:
1. The IPv6 protocol suite was designed to be more secure than IPv4, but that doesn't make it automatically so.
Merike Kaeo, chief Network Security architect for Double Shot Security and author of multiple technology papers on IPv6 security, points out that IPv6 was architected to be more secure but that was based on the attacks happening in the late 1990s. For example, IPv6 routers handle fragmenting of packets differently, and the IPv6 protocol spec mandates deployment of IPsec –- the protocol suite that authenticates and encrypts IP packets. Both of those things were designed to enhance security.
But threats have become more sophisticated, and deployments don't always follow the original plans. "For instance, the IPv6 protocol spec mandated that you had to implement IPsec to be compliant," Kaeo says. "But in reality, when people first started implementing IPv6, they weren't always using IPsec, and if they were using it, that doesn't mean they are implementing it properly."
Implementing IPsec properly isn't like "flipping a switch," adds Thomas Maufer, director of Technical Marketing for Mu Dynamics , a testing and application validation company. It requires having a Public Key Infrastructure, which is a repository and management system for digital certificates. Managing those certificates within an enterprise is one thing, but connecting two enterprises is a different level of challenge.
"A lot of operational things are not in place to do IPsec, and that has nothing to do with IPsec or people's best intentions," Maufer says. "Mu has found a number of vulnerabilities with Key negotiation protocols -- these are just software and software is going to have bugs. If you are going to deploy something and you believe it is secure -- you had better be testing it thoroughly to see that it really is."
Next Page: NAT Is Not Security