From a security point of view, the new IPv6 protocol stack
represents a considerable advance in relation to the old IPv4
stack. However, despite its innumerable virtues, IPv6 is still
vulnerable.
Dual Stack Attacks
Though the Internet is mostly IPv4-based, the adoption of IPv6
as the Internet protocol will increase. During the lengthy
transition process, ‘6 to 4’ stacks will handle this
by implementing IPv6 and IPv4 separately, or in a hybrid
manner, which allows applications to work transparently over both
IPv4 and IPv6. However, a dual-stack transition deals with two
non-interoperable protocols and their specific sets of security
issues. This leads to more technical complexity, which will make
configuration even harder and more prone to failure.
Spoofing attacks
A source IP address, as well as the ports being used to
communicate, can be modified to make it appear as if
traffic originated somewhere else. There are best-practice methods
for filtering, as in RFC 2827, but they aren’t mandatory,
which means many ISPs won’t implement them. The use of strong
cryptography can thwart these attacks. On the other hand, even
though IPsec support is mandatory on IPv6 (whereas it was optional
for IPv4), it’s likely to experience the same hurdles as with
IPv4 and not be widely deployed.
Flooding attacks
Due to IPv6’s massive address space, it would take years to
scan a single IPv6 block, versus seconds for an IPv4 block. However,
because multicast traffic allows the user to send a packet to
multiple destinations with a single send operation, distributed
denial of service (DDoS) attacks, like Smurf, are possible.
With a Smurf attack (a type of broadcast amplification attack),
an echo-request message is sent to the subnet broadcast address
with the victim’s IP address as the spoofed source address,
causing all of the subnet’s end hosts to respond to the
spoofed source address and flood the victim with
echo-reply messages.
Header manipulation and fragmentation
Attacks exploiting header manipulation and fragmentation can do
everything from bypassing intrusion detection systems (IDS),
intrusion prevention systems (IPS) and firewalls by using
out-of-order fragments to going after the network’s
infrastructure itself. Also, in IPv6, there are extension headers,
which can be used to get around access control lists (ACLs) on
routers and firewalls by causing devices at the end host to
process routing headers and forward them elsewhere.
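A filter can only act on extension headers and fragments if it walks the whole header chain, as sketched in this added example (not code from the original article). The function names and the sample packets, built on the 2001:db8::/32 documentation prefix, are constructed for illustration.

```python
import struct
from ipaddress import IPv6Address

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60  # IANA protocol numbers
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def inspect_ipv6(packet: bytes) -> list:
    """Walk the extension header chain; return findings a filter could act on."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return ["not-ipv6"]
    findings, nxt, off, position = [], packet[6], 40, 0
    while nxt in EXT_HEADERS:
        if off + 8 > len(packet):
            findings.append("truncated-chain")
            break
        # The Fragment header is fixed at 8 bytes; the others carry a length
        # in 8-octet units that excludes the first 8 octets.
        size = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        if off + size > len(packet):
            findings.append("truncated-chain")
            break
        if nxt == FRAGMENT:
            field = struct.unpack_from("!H", packet, off + 2)[0]
            findings.append(f"fragment(offset={(field >> 3) * 8},more={field & 1})")
        elif nxt == ROUTING:
            findings.append(f"routing(type={packet[off + 2]},segments_left={packet[off + 3]})")
        elif nxt == HOP_BY_HOP and position > 0:
            findings.append("hop-by-hop-not-first")
        nxt, off, position = packet[off], off + size, position + 1
    # For a non-first fragment this names the protocol only; its header
    # (and therefore its ports) is not present in this packet.
    findings.append(f"upper-layer={nxt}")
    return findings

def build(next_header: int, payload: bytes) -> bytes:
    """Constructed test packet: fixed 40-byte IPv6 header plus payload."""
    src, dst = IPv6Address("2001:db8::1").packed, IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

# Constructed samples: a routing header (type 0, one address, segments left 1)
# followed by a TCP placeholder, and a non-first fragment with more to follow.
ROUTED = build(ROUTING, bytes([6, 2, 0, 1]) + bytes(4) + IPv6Address("2001:db8::3").packed + bytes(20))
LATE_FRAGMENT = build(FRAGMENT, struct.pack("!BBHI", 6, 0, (185 << 3) | 1, 0xABCD) + bytes(16))

if __name__ == "__main__":
    for name, pkt in (("routed", ROUTED), ("late fragment", LATE_FRAGMENT)):
        print(name, inspect_ipv6(pkt))
```

An ACL that matches only on the fixed header's next-header field sees 43 or 44 here rather than TCP, which is why the chain has to be followed before a permit or deny decision.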
(Jayabalan S is CTO & Co-founder at Netmagic
Solutions)