There’s no denying it: IPv4 is running out of addresses. IANA, the organisation that assigns IP addresses to regional providers, gave away the last set in February 2011. IPv6 will replace it, but are companies ready to secure it?
Many of the new devices in use are already IPv6-enabled. More hardware and software vendors are supporting it in their products, especially as the US Government plans to have switched entirely to IPv6 by the end of this year. Unless companies learn how to manage and configure this new protocol, they won’t know how to secure it adequately, and that could lead to gaping security holes. Many of these devices can already bypass the security controls you have in place for IPv4.
Many of these potential holes are down to the fundamentally different nature of IPv6. For one it uses a much larger address space, solving the problem of address shortages. In an IPv6-enabled world, every blade of grass on the planet could theoretically be connected to the Internet, and there would still be many addresses to spare.
This wealth of addresses has changed the architecture of IPv6 compared to its predecessor, IPv4. It means that IPv6 doesn’t require network address translation (NAT). A NAT device cloaks the IP addresses used behind it, making them harder to identify from outside the organisation, and therefore reducing accountability.
Conversely, devices using IPv6 can have public addresses, which makes them more identifiable, and so more accountable. Devices can also have multiple complex addresses making it harder to scan for critical servers. Administrators need to be careful of how addresses are allocated, and to use the address space to their advantage by ‘hiding’ critical servers behind complex addresses.
Because many security devices have not been configured to secure IPv6, companies may find IPv6-enabled devices communicating covertly over their network, even though the IPv4 protocol is correctly secured. These endpoints could be using video and social networking connections that are against corporate policy. Organisations such as Facebook and Google already support IPv6 connections.
The neighbourhood discovery and automatic configuration features built into IPv6 need careful management, and assigning unique addresses to devices makes it far easier to identify individuals. This effectively destroys privacy and anonymity for enterprise IPv6-enabled devices operating over an incorrectly configured network.
It will be necessary to support both protocols in the enterprise for at least the short to medium term. Most organisations will opt for tunnelling of one form or another. As with any tunnel, it is difficult to see what is going on, and mistakes and security holes can be created if not implemented with care.
The good news is that along with security challenges, IPv6 also brings some useful security features. For example, it includes IPSEC by default, offers the secure neighbour discovery (SEND) protocol, and uses cryptographically generated addresses. Because you can use multiple addresses for the same device, you can also allocate addresses to devices according to their use, such as unique local addresses (ULAs) that hide local devices from the Internet – and vice versa.
But administrators must understand how to configure these features properly if they are to be useful, while also looking for the inevitable problems that will arise as attackers get to grips with IPv6.
The protocol may fix the address space problem, but it does not fix the other problems that have plagued the Internet for decades. Distributed denial of service (DDoS) attacks, application attacks, and man-in-the-middle attacks are all still possible.
In some cases, IPv6 enables new exploits in these categories. For example, ‘ping-pong’ attacks use the huge address space to send packets from one non-existent connection to another, which generates a flood of error messages and bogs down the network.
Complexity will be a part of an IPv6-enabled work, and so it is important for companies to educate their administrators now, in advance of its widespread implementation. Putting in the groundwork early will lead to a more flexible, functional, and secure network in the future.