News

Security Will Not Come Naturally to IPv6

• By William Jackson
• September 17, 2009

The next generation of Internet protocols has some security features built into it, but IPv6 is not inherently more secure than the current IPv4 now in use, said Brett Thorson, network and security architect at Excivity and a security adviser to the North American IPv6 Task Force.

IPv6 can be used to block, shield and hide data on your network, and the hackers already are learning to take advantage of this.

"This is what black hats are doing right now: They are planning their attacks for IPv6," Thorson said Thursday at the Next Generation Internet Conference in Washington hosted by the Digital Government Institute.

Although IPSec security is included in all IPv6 products, it is not enabled by most users, Thorson said. And when it is used, its effectiveness can vary because there are multiple ways to implement it.

However, the transition to IPv6 also offers opportunities for improving security. Greenfield installations can allow planners to design secure architectures, and features such as longer IP addresses can provide unique identifiers that can help identify every individual, device and process on a network, said Dale Geesey, principal with Auspex Technologies.

However, Geesey added, "there are a lot of challenges associated with the transition."

IT administrators and network architects have several years to plan before IPv6 traffic and applications become a reality on networks. Some organizations have enabled their network backbones to handle IPv6 traffic, but little if any use is being made of the new protocols.

But as the existing pool of IPv4 address space is depleted over the next two years, growth in the public side of the Internet will increasingly come with new IPv6 addresses, said John Curran, president of the American Registry for Internet Numbers, one of five regional Internet registries. Three-quarters of the available IPv4 address space has been allocated, and less than 11 percent remains available, he added. (Another 14 percent is unavailable for a variety of reasons.)

IT administrators will not necessarily have to transition their internal networks to IPv6 because they can continue to use IPv4 addresses, but public-facing servers will need to be enabled to use the new protocols as outside traffic increasingly uses IPv6, Curran said.

Many operating systems and other software now are enabled to accept IPv6 traffic by default, which can create problems if administrators are not aware of this. Ignoring the protocols because a network is not yet using IPv6 can be dangerous, Thorson said: "IPv6 is eventually going into your network whether you know it or not."

Security has traditionally been added after the fact in networks, devices and applications, and this has proved to be inefficient, ineffective and expensive. The increasing complexity, size and speed of development for networks, applications and services will make it more important than ever that security be built-in from the beginning, Geesey said.

Standards for IPv6 compliance are just now being completed, and products conforming to the government's IPv6 profile are not expected to begin arriving until July 2010. How and how well many security products -- such as logs, firewalls, anti-virus, intrusion detection and other monitoring, blocking and filtering devices -- will handle IPv6 packets is unknown. One vendor's approach to handling IPv6 was to simply drop the packets, Geesey said.

Some features in IPv6 can make security management easier in theory, but how well any one feature on any single device will work and play with other applications in a network is not easy to guess.

"You need a person to sit there and turn one thing on at a time and see what happens," Thorson said.

Organizations need to use the next two years to make it clear what they need and expect in IPv6 conformance and security, Geesey said.

"You have an opportunity to come to vendors and service providers and say, 'This is what I need,'" he added. "Vendors will respond."