IPv6 - 8 security concerns

 

Feb. 3, 2011, came and went without much fanfare, but it was a milestone for Internet stakeholders, whether they knew it or not. On that Thursday, the last available IPv4 addresses were allocated by the Internet Assigned Numbers Authority (IANA). Though some Regional Internet Registries (RIRs) have a reasonable inventory of IP addresses that could last another year or two, the days of "new" IPv4 address allocations are largely over.



 

Now that we're out of IPv4 allocations, it's time to get serious about adopting the next generation of Internet Protocol, IPv6. With a 128-bit address space (compared to IPv4's 32-bit space), IPv6 can accommodate the ongoing and exponential growth of the Internet, which currently is adding about a million new devices every hour. In fact, compared with the 4.3 billion IP addresses that IPv4 allows, IPv6 will enable another 340 trillion, trillion, trillion addresses -- enough to accommodate global Internet demand for the foreseeable future.



 

Coupled with the continued deployment of DNS Security Extensions (DNSSEC), IPv6 will ultimately provide the stable and secure base for the future Internet. But for the transition from IPv4 to IPv6 to be successful, everyone from infrastructure operators and service providers to application developers and users will have to work together on a range of activities, including:



 

• supporting and developing IPv6 capabilities and establishing functional IPv4 parity;



 

• debugging issues with new IPv6-only software and applications;



 

• refining interworking and transitional co-existence with IPv4.



 

A crucial part of that effort will involve security. IPv6 represents new territory for most Internet stakeholders, and its rollout will introduce some unique security challenges. While the following list is by no means comprehensive, it does point to eight considerations and problem areas that the industry will need to address as IPv6 adoption continues. Because we're still in the early stages, the solutions to some of these risks will only come after real-world use leads to proven best practices.



 

* Translating from IPv4 to IPv6, transactions may become vulnerable. Because IPv4 and IPv6 are not "bits on the wire" compatible, protocol translation is seen as one path to wider deployment and adoption. Translating traffic from IPv4 to IPv6 will inevitably result in mediating transactions as they move through the network. Think of a mail sorter at a post office transfer facility that must open every IPv4 envelope to put each letter in an IPv6 one to ensure it reaches the correct address, at times changing content in the documents contained within in order to coincide with the new IPv6 external envelop information. Each time this happens, an opportunity arises for a poor implementation or a bad actor to tickle or exploit a potential vulnerability. Additionally, it compromises the end-to-end principle by introducing middle boxes that must maintain transaction state and complicates the network. In general, security staff should pay attention to security aspects of all translation and transition mechanisms (to include tunneling), and only enable such mechanisms explicitly after they have been thoroughly evaluated.