As organisations around the world adopt IPv6 technology, the security landscape will be significantly altered. The exact changes that we will see are currently unclear, as it is a new area for many organisations and hackers alike. However, what is clear is that while the security improvements of IPv6 are significant, its introduction presents numerous risks that could harm current security systems if improperly managed. It is therefore essential to ensure that IT administrators are sufficiently educated on both the threats and opportunities associated with IPv6. This article outlines some of the key points in these areas and provides a guide to IT consultants, who are responsible for ensuring their clients are aware of the key issues.

IPv6 AT ITS CORE

To use the Internet, you must have some way of communicating with others - this comes in the form of an Internet Protocol (IP) address. Simply put, IP addresses ensure that the information that we send and request all travels to the right place. Given the unanticipated rate of growth of the Internet, we’re quickly approaching the 4.3 billion limit of our current IP address system, IPv4. To fix this, we have IPv6 with 340 trillion, trillion, trillion addresses. The IPv6 address is 128 bits, composed of 8 groups of 16 bits (e.g. 2001:0DB8:AC10:FE01::), which is much larger than its predecessor of 32 bits in 4 groups of 8 bits (e.g. 172.16.254.1). This, along with changes to the communication protocols, will change the way devices talk to each other over the Internet.

BENEFITS DELIVERED TO YOUR DOOR

While the two Internet protocols are quite similar, IPv6 introduces an array of security benefits that organisations should take into account when considering a transition. These include built-in Internet Protocol Security (IPSec), Secure Neighbor Discovery protocol and better control of corporate security policies across all company devices.

IPv6 has built-in IPSec. This is the mechanism responsible for encrypting and authenticating data. While it was an add-on for IPv4, it wasn’t always implemented - creating network vulnerabilities. With IPv6, IPSec just works, making man-in-the-middle attacks far more difficult for hackers.

IPv6 also supports more secure name resolution. The Secure Neighbor Discovery (SeND) protocol is capable of enabling cryptographic confirmation that a host is who it claims to be at connection time. This significantly increases the difficulty of naming-based attacks on corporate networks, helping to keep data more secure.

With the massive increase in the number of IP addresses with IPv6, companies can easily assign one to each of their devices whether they’re PCs, laptops or mobile devices. By having an IP address for each device, organisations have better control over implementation of their security policies. This decreases the risk of many attacks and is a good example of better identity and access management.

A CHANGING THREAT LANDSCAPE

Despite its many benefits, IPv6 presents a lot of technical vulnerabilities across the areas of people, process and technology. Thankfully, given its relative infancy, cyber criminals have currently paid little attention to IPv6 systems. However, we’ve already seen widespread malware with IPv6 command-and-control capabilities. As more and more organisations move to IPv6, the threats will increase and the security community must work together to combat these.

One of the biggest issues is in network deployment. If IT managers use the same techniques they have always used for IPv4 then their systems will be vulnerable to attack. The nature of IPv6 requires a complete rethink in network design from firewalls to troubleshooting. This can be achieved through a properly designed deployment plan.

In order to deal with the transition from IPv4 to IPv6, many organisations are using tunnelling techniques in which IPv6 data is encapsulated in an IPv4 datastream for routing through older devices. This carries many risks, including a reduction in security systems’ ability to identify attacks.
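To make the inspection gap concrete, the following added example (not part of the original article) shows how a monitoring tool can look inside an IPv4 packet for encapsulated IPv6 and report the inner addresses that an IPv4-only rule set never sees. It assumes two common encapsulations the article does not name, IPv4 protocol 41 (6in4) and Teredo over UDP port 3544; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_IPV6 = 6, 17, 41  # 41 = IPv6 encapsulated in IPv4
TEREDO_PORT = 3544                            # Teredo service port (RFC 4380)

def find_tunnelled_ipv6(packet: bytes):
    """Describe IPv6 carried inside one raw IPv4 packet, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    proto, payload, kind = packet[9], packet[ihl:], None
    if proto == PROTO_IPV6:
        kind = "6in4"
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            kind, payload = "teredo", payload[8:]   # skip the UDP header
    # Require a full 40-byte inner IPv6 header. Teredo packets that put
    # authentication or origin-indication data first are not parsed here.
    if kind is None or len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return {
        "kind": kind,
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner_src": str(ipaddress.IPv6Address(payload[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(payload[24:40])),
        "inner_next_header": payload[6],
    }

# --- constructed sample packets (documentation address ranges) ---
def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_ipv6(src, dst, next_header=59):     # 59 = no next header
    return (struct.pack("!IHBB", 0x60000000, 0, next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

INNER = build_ipv6("2001:db8::1", "2001:db8::2")
SAMPLE_6IN4 = build_ipv4(PROTO_IPV6, "192.0.2.1", "198.51.100.7", INNER)
SAMPLE_TEREDO = build_ipv4(PROTO_UDP, "192.0.2.1", "198.51.100.7",
                           struct.pack("!HHHH", 50000, TEREDO_PORT, 8 + len(INNER), 0) + INNER)
SAMPLE_TCP = build_ipv4(PROTO_TCP, "192.0.2.1", "198.51.100.7", b"\x00" * 20)
```

Run over captured traffic, any non-None result on a network that has not deliberately deployed tunnelling is worth investigating, since the inner flow is bypassing IPv4-only controls.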

Company infrastructure can often be missed in system upgrades. Many routers and switches may become obsolete with the implementation of IPv6. It is more important than ever that IT administrators check system infrastructure to understand what needs to be replaced and which devices require firmware and software upgrades.

IPv6 is new and, as such, there are likely many flaws that are yet to be discovered. Looking at the history of IPv4 this is nothing new - eventually these flaws are patched and the protocol is made more secure. However, to benefit from this it is important that all users of organisations adopting IPv6 architecture stay up to date with patches from their respective vendors.

OTHER POINTS TO CONSIDER

Though IPv6 is the way of the future, many organisations are clinging to IPv4 where their business necessitates it. For example, some large corporations have acquired IP addresses by purchasing bankrupt organisations. Going further, there is even a market for this in which you can buy and sell addresses. Another common workaround is the usage of Network Address Translation (NAT) in which many computers share one address - though this has the disadvantage of breaking end-to-end connectivity. So while the move to IPv6 is something to consider, the business case to stay with IPv4 may be justified, at least in the short term.

For countries with large populations (e.g. India, China, Brazil), IPv4 addresses can quickly become an expensive way to operate because of the purchasing requirements, so organisations in these countries have been the quickest to adopt this new technology. These same countries tend to be developing countries, meaning that rather than transitioning from IPv4, they have the benefit of starting fresh with IPv6. It is important to note that organisations that continue to do business in these countries must have a solid IPv6 framework in place, otherwise they risk losing market share quickly.

MAKE THE RIGHT DECISIONS NOW

Most importantly, organisations should not enable IPv6 until they are ready. On many devices it comes pre-installed and enabled. If the proper security measures are not in place, then this can mean that data is free to flow in and out of networks via the IPv6 protocol, skipping firewalls and other defences put in place for IPv4. Proper attention to each of the points described above should be given before any organisation begins to make the transition. As a consultant working in the security sector, it is important to ensure that organisations are well informed of the risks and benefits associated with IPv6.