IPv6 isn't safer or less safe than IPv4, but it's different and experts say there's need for caution

August 17, 2011

6 Min Read
IPv6 Security: 5 Things You Need to Know

The switch to IPv6 will not make networks more secure or more vulnerable to attack in and of itself, according to a panel of industry experts. But failing to test equipment and to make sure security features are functioning as planned could leave networks vulnerable during and after the transition to the new numbering plan.

Here are key facts you need to know about IPv6 and network security:

1. The IPv6 protocol suite was designed to be more secure than IPv4, but that doesn't make it automatically so.

Merike Kaeo, chief Network Security architect for Double Shot Security and author of multiple technology papers on IPv6 security, points out that IPv6 was architected to be more secure but that was based on the attacks happening in the late 1990s. For example, IPv6 routers handle fragmenting of packets differently, and the IPv6 protocol spec mandates deployment of IPsec –- the protocol suite that authenticates and encrypts IP packets. Both of those things were designed to enhance security.

But threats have become more sophisticated, and deployments don't always follow the original plans. "For instance, the IPv6 protocol spec mandated that you had to implement IPsec to be compliant," Kaeo says. "But in reality, when people first started implementing IPv6, they weren't always using IPsec, and if they were using it, that doesn't mean they are implementing it properly."

Implementing IPsec properly isn't like "flipping a switch," adds Thomas Maufer, director of Technical Marketing for Mu Dynamics , a testing and application validation company. It requires having a Public Key Infrastructure, which is a repository and management system for digital certificates. Managing those certificates within an enterprise is one thing, but connecting two enterprises is a different level of challenge.

"A lot of operational things are not in place to do IPsec, and that has nothing to do with IPsec or people's best intentions," Maufer says. "Mu has found a number of vulnerabilities with Key negotiation protocols -- these are just software and software is going to have bugs. If you are going to deploy something and you believe it is secure -- you had better be testing it thoroughly to see that it really is."

Next Page: NAT Is Not Security

2. Network Address Translation (NAT) is not a form of security, although some folks have thought of it as such.

NAT devices have been widely used to extend the life of IPv4 by allowing enterprises to use private IPv4 addresses on premises and then translate those into a shared but smaller pool of IPv4 addresses to traverse the public Internet. Because NAT prevents direct access to those private addresses, many feel it offers a layer of security.

"I actually think that NAT has been falsely touted as a security feature," Kaeo says. "A lot of people misunderstand that even with NAT, you are not as secure as you might think you are. And it complicates a lot of issues in the network, for auditing capability and traceability."

Those complications move into the network once Carrier-Grade NAT is used to translate IPv4 addresses within a carrier's network, something many believe is inevitable but unfortunate during the period when both IPv4 and IPv6 addresses will be in use. (See The Case Against Carrier-Grade NAT and The Ugly Side of IPv6: Carrier-Grade NAT).

Even when used just on the premises, NAT provides a false sense of security, unless combined with a stateful firewall, says Maufer. It fails to protect against TCP hijacking, for instance, which is a common practice of punching through corporate defenses after authentication has taken place. "If you care about security, you need to take a lot more precautions than a network-only protocol," he says.

If anything, carriers and enterprises are adding to their security portfolio, using things like active intrusion protection systems (IPS) and deep packet inspection to look at incoming traffic and make sure it isn't malicious, and those efforts need to continue, he says.

The IETF has developed RFC 4864 which provides Local Network Protection (LNP) using IPv6 that can provide the same or more benefits without the need for address translation, says Daniel Awduche, IP Technologist in Verizon’s Corporate Technology Organization.

Next Page: New Software Means New Testing

3. IPv6 is immature, and will require more testing and more caution, especially in its initial deployments.

Equipment vendors have been stepping up to the IPv6 challenge, especially in the last couple of years, with the exhaust of IPv4 numbers at hand. Kaeo credits them with baking more things into hardware, rather than just offering software upgrades but adds that end-users still need to test everything, in house, to make sure it performs as advertised.

Because IPv6 is still relatively new, many devices -- firewalls, Intrusion Detection System and Intrusion Protection System proxies, are not capable of handling IPv6, says Awduche. "It's not intrinsic, just a manifestation of the current state of adoption."

There is also new software associated with IPv6, that also requires testing, says Mu's Maufer. And unlike with IPv4, which was largely tested in the field over a long period of time, IPv6 is being launched at a time when the Internet is the underlying network of a global economy so "implicit" or field-testing is much riskier.

"We don't have time for inevitable shakedown," he says.

Network operators have also done a ton of work in this area and have realized the value of keeping their network configurations simpler -- going with dual-stacking of IPv4 and IPv6, for example, versus using carrier-grade NAT or tunneling to juggle both addressing schemes in the same network.

Enterprises would be wise to also keep things simple, and test, test, test.

Next Page: Tunnels and New Apps

4. There will be transition strategies implemented, and they can impact security.

Until IPv6 connections are universally available, there will be tunneling of IPv6 traffic through IPv4 connections, and that will create a potential security challenge.

"If you are tunneling, it gives a way for malicious traffic to be hidden inside of the tunnel, so you will have to have devices that inspect traffic inside the tunnel," says Kaeo. "This is not something really new, but it may become more prevalent with IPv6. Going native IPv6, it is a lot easier to see where the traffic is originating from, and identify it as malicious traffic.

Carrier-grade NAT is another transition strategy, but I think that turf has been well-trod.

5. Security will be needed at the application layer.

"The world doesn’t understand that vulnerabilities that live in the app layer, above layer 3," says Aashu Virmani, senior director of product marketing for Sonus Networks Inc. (Nasdaq: SONS).

At this point, such a small percentage of applications are impacted by IPv6 that applications developers aren't concerned, but they will be soon, particularly on the mobile app side. Because the explosion of mobile connected devices is one of the drivers for IPv6, there will be increasing deployment on that side, which will concern the folks using mobile apps.

For example, a financial services company that wants a custom transaction management app for iPhones and Android devices will be the only one affected by bugs in that app, but the impact could be enormous, Maufer says.

— Carol Wilson, Chief Editor, Events, Light Reading

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like