The countdown to the exhaustion of the IPv4 address supply is
now down to a matter of months, and along with the vast address
space of the next-generation IPv6 architecture comes more built-in
network security as well as some new potential security
threats.
IPv6 has been in the works for over a decade now, but with the
exhaustion of the IPv4 address space expected anywhere from spring
to June of 2011, the long transition to the new protocol may finally
be on the radar screen for some organizations. Unlike its predecessor,
the "new" protocol was built with security in mind: it comes with
IPsec encryption, for instance, and its massive address space could
help prevent worms from propagating, security experts say.
But its adoption also poses new security issues, everything from
distributed denial-of-service (DDoS) attacks to new vulnerabilities
in IPv6 to misconfigurations that expose security holes.
Some experts expect implementing DNSSEC in an IPv6 network to be
simpler than in existing IPv4 networks. "It eases the transition to
DNSSEC. IPv6 lets you migrate to DNSSEC much more easily than
trying to do so on an old IPv4 stack. The concern with DNSSEC has
been you've got a lot of legacy IPv4 equipment out there, and some
of it is non-standard, which is very difficult" to integrate with
DNSSEC, says Michael Markulec, COO of Lumeta.
But Dan Kaminsky, chief scientist for Recursion Ventures,
disagrees. He says DNSSEC isn't any easier to deploy in IPv6 than
in an IPv4 environment.
Meanwhile, because much of the IPv6 address space will remain
dark for some time during the rollout, and because the address
space itself is so vast, a network worm attack in an IPv6 network
would be inefficient: it would take far longer to crawl that massive
address space than it does in today's IPv4 networks, says Mike
Montecillo, senior threat analyst at IBM.
Kaminsky says the short-term risk with IPv6 will be the
introduction of new vulnerabilities. "Is this new code going to
break everything? The answer is all new code has that risk
associated with it," he says. "We will deal with that in testing
and fuzzing" and other code review, he says.
The longer-term risk with IPv6 is the age-old war between
networking and security. It's either networking functionality and
less security, or security and less network functionality. "I don't
know where this is going to come down," Kaminsky says.
Cricket Liu, vice president of architecture for Infoblox, says the
biggest threat will be organizations misconfiguring their IPv6
systems. "Until you understand it, you're not going to configure it
right. So there are going to be a lot of mistakes, and [that will
be] the source of a lot of vulnerabilities in the
configurations."
When setting up tunneling between IPv4 and IPv6 networks, for
instance, be careful what you allow to enter the tunnel, Liu says.
"It's possible to misconfigure the tunnel and allow external
traffic to flow through it without the proper scrutiny," he
says.
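A concrete illustration of the scrutiny Liu is describing, added here as an example and not code from the article or from any vendor named in it: a tunnel endpoint that accepts 6in4 (IP protocol 41) packets after checking only the outer IPv4 header, beside one that also parses the encapsulated IPv6 header and holds the inner addresses to the same policy an untunnelled packet would face. The trusted peer address, the site prefix and the packets are constructed values from documentation address ranges; `build_6in4`, `naive_accepts` and `inspect_tunnel_packet` are names chosen for this example.

```python
import ipaddress
import struct
from typing import Tuple

IPPROTO_IPV6 = 41         # IANA protocol number for IPv6 encapsulated in IPv4 (6in4)
IPV6_NO_NEXT_HEADER = 59  # inner next-header value used for the constructed packets

# Hypothetical tunnel policy for this example (documentation ranges, not real hosts):
# the only remote endpoint allowed to feed the tunnel, and the prefix delegated to our site.
TRUSTED_PEERS = {ipaddress.IPv4Address("192.0.2.1")}
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Construct a 6in4 packet: an IPv4 header (protocol 41) wrapping an IPv6 header.

    Constructed test input only; the IPv4 header checksum is left as zero because
    the inspection below never validates it.
    """
    inner = struct.pack(
        "!IHBB16s16s",
        0x60000000,                     # version 6, traffic class 0, flow label 0
        len(payload),                   # payload length
        IPV6_NO_NEXT_HEADER,            # next header
        64,                             # hop limit
        ipaddress.IPv6Address(inner_src).packed,
        ipaddress.IPv6Address(inner_dst).packed,
    ) + payload
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0,                        # version 4, IHL 5 (20 bytes), DSCP/ECN 0
        20 + len(inner),                # total length
        0, 0,                           # identification, flags/fragment offset
        64,                             # TTL
        IPPROTO_IPV6,                   # protocol: encapsulated IPv6
        0,                              # header checksum (not computed here)
        ipaddress.IPv4Address(outer_src).packed,
        ipaddress.IPv4Address(outer_dst).packed,
    )
    return outer + inner


def _outer_header(pkt: bytes):
    """Return (header length, protocol, source) from the outer IPv4 header, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, pkt[9], ipaddress.IPv4Address(pkt[12:16])


def naive_accepts(pkt: bytes) -> bool:
    """The misconfiguration: trust anything the known peer sends with protocol 41."""
    hdr = _outer_header(pkt)
    return hdr is not None and hdr[1] == IPPROTO_IPV6 and hdr[2] in TRUSTED_PEERS


def inspect_tunnel_packet(pkt: bytes) -> Tuple[bool, str]:
    """Decide whether a packet may be decapsulated and forwarded into the IPv6 network.

    Beyond the outer checks, the encapsulated IPv6 header is parsed so that a
    spoofed internal source or a packet merely transiting through us is refused.
    """
    hdr = _outer_header(pkt)
    if hdr is None:
        return False, "not an IPv4 packet"
    ihl, proto, outer_src = hdr
    if proto != IPPROTO_IPV6:
        return False, "outer protocol %d is not 6in4" % proto
    if outer_src not in TRUSTED_PEERS:
        return False, "outer source %s is not a configured tunnel peer" % outer_src
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "encapsulated payload is not an IPv6 header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    if inner_src in SITE_PREFIX:
        return False, "inner source %s spoofs our own prefix" % inner_src
    if inner_dst not in SITE_PREFIX:
        return False, "inner destination %s is not ours; refusing to relay" % inner_dst
    return True, "accepted"
```

The difference between the two functions is the whole point: the naive endpoint treats "came from my peer with protocol 41" as sufficient, so a packet carrying a source address from the site's own prefix, or a destination somewhere else entirely, is decapsulated and forwarded unexamined. The inspecting endpoint applies the same anti-spoofing and no-relay rules a border filter would apply to native IPv6.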
There also will be the inevitable vulnerabilities discovered in
IPv6 products. "Once we get past the teething phase [with IPv6] --
and that could take five to 10 years -- there are a lot of tools
there to make IPv6 more secure than IPv4 is," Liu says. "I worry
about that transition: the pain of having vendors discover bugs in
their implementations [for instance]. It's going to be a nasty
period."
IPv6's large IP address space also has security advantages such
as rotating IP addresses, Liu says. "The downside is it introduces
an enormous amount of complexity to routers and endpoints that need
to process IPv6," he says, which may expose security holes and new
bugs.
And there's also the potential for inadvertent confusion among
routers with the ability to change IP addresses, Liu says. "With
the ability to change the IPv6 address, the generated traffic may
look like a DDoS attack to an IPv4 firewall," he says.
The popular practice of using Network Address Translation (NAT)
to extend IP address domains and to protect private IP addresses
could cause some problems if used in IPv6, experts say. IBM's
Montecillo says NAT provides a certain amount of protection for
internal IP addresses, for instance. "With IPv6, that may not be
the case. It requires proper configuration to prevent systems from
going directly onto the Internet," he says.
Since most networks will still run IPv4 as well, organizations
will have to maintain the two parallel networks. Nathan Myers,
product manager at F5 Networks, says his firm is working on
simplifying the problem of managing two sets of IP addresses for
the same application. "What we're working on here in the next version
is a way to stuff IPv4 into IPv6. Then you only have to maintain one
record in the DNS system," Myers says.
Meanwhile, IBM's Montecillo says IPv6 presents organizations with
the opportunity for the first time to build security into their
infrastructure from the ground up: "It's a chance to re-architect
with security at the forefront, with a secure architecture versus
something built out of necessity," he says.
He says any security glitches with IPv6 aren't about the
technology itself, but about how an organization uses the technology.
"It depends on how you implement the technology. If organizations
carefully plan and consider how to put things on the network with
IPv6, they will benefit" from it, he says. That means mapping out
what security controls should be in place for both IPv4 and IPv6 in
the transition, he says.
And IPv4 won't be completely eradicated, anyway, because
organizations can still use NAT to recycle their IP addresses, for
instance, security experts say. "IPv4 will become more difficult to
obtain and register publicly routed IP addresses, creating
complexities," IBM's Montecillo says.
In the end, the adoption of IPv6 may be more about economic reasons
than address-space exhaustion ones. "IPv4 is a finite resource.
We're going to run out of IPv4 space, but that doesn't mean you
can't get on. It just becomes more expensive to get on the
network," Recursion's Kaminsky says.