CyberSecurity Threatened by Slow Move to IPv6
A failure to quickly operationalize Internet Protocol version 6 (IPv6) could have a profound effect on the Internet, breaking it up into islands of connectivity and threatening cybersecurity in the process. There are two main issues here. First, taking too long to activate IPv6 as IPv4 resources dwindle could leave us with a gap in services that affects availability. Second, because many IPv6 devices have already been deployed, the failure to quickly upgrade security is already leaving us vulnerable to malicious use of IPv6 to compromise integrity and confidentiality. There is a bit of a chicken-and-egg problem here, since planned IPv6 activation is being delayed by a lack of security, and security isn’t being properly addressed because of a lack of deployment. This article will give you a glimpse of both sides of the problem and the effect on cybersecurity.
As the IPv4 free address pool continues to dwindle, enterprises will have to deal with a series of inconvenient “band-aids” that affect service availability as we try to extend the life of IPv4 while upgrading to IPv6 hosts, services, and routing. The use of network translators and proxies, and NATing carrier cores à la “Carrier Grade NAT”, will be necessary, but this will cause us to break and reengineer many services that today rely on carriers’ ability to provide end-to-end addressing, such as “server-push” messaging to BlackBerrys and smartphones. Another scheme to buy IPv4 more time is reclaiming poorly used IPv4 address spaces in order to split up and redistribute the existing large IPv4 address blocks through some sort of trading market. This splitting and redistributing will “de-aggregate” core routing, causing routers to look through millions of addresses to decide where to route a packet, and slowing down the performance of key services like VoIP and video over the Internet. If the Internet core works poorly, carrier edge networks and enterprise networks will essentially become islands with poor connectivity between them, lowering the availability, performance and customer experience for services that users access across the Internet, such as cloud computing, eCommerce and eGov sites, and search portals like Google.
The failure to properly pilot, test, and deploy IPv6 security ahead of all of the IPv6 devices and operating systems already deployed in our networks today currently compromises the integrity and confidentiality of millions of Internet-connected computers. The problem is that we don’t yet have proper cybersecurity policy, training, and tools for ensuring that IPv6 networks have security parity with current IPv4 networks. A few people already have the knowledge and tools to properly secure most commercial and unclassified government networks, but we need a concentrated push to disseminate that knowledge. On the classified side, we have the same problems, plus we have to deploy a lot of specialized security tools, encryptors, and IA devices outside the normal tech refresh cycles, at a higher expense. In order to ensure IPv6 security parity with current networks, some part of the US Federal government or industry is going to have to create a security certification and accreditation (C&A) application toolkit and the guidance for how to use IPv6 testing tools for FISMA, DIACAP and other C&A programs. Tools that are commonly used for C&A audits, like the Retina vulnerability scanner, are mostly blind to IPv6 vulnerabilities. Hacker community sites are already offering tools such as relay6, 6tunnel, nt6tunnel, netcat6, VoodooNet, etc. that can be used to create IPv6 covert channels, and hacking toolkits such as THC6 for IPv6 hijacking and DoS. As we demonstrated with our smart-phone hacks last year (Ref: Klein IPv6 HOPE), if we don’t properly secure both versions of Internet services installed on millions of devices today, we compromise both the current generation and the next generation of the Internet at the same time.
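One concrete form of the blind spot described above is IPv6 carried inside IPv4, which an IPv4-only sensor sees as ordinary traffic. The following is an added example, not code from the original article: it labels raw IP packets as native IPv6, protocol-41 encapsulation, or Teredo. Protocol number 41 and UDP port 3544 are the IANA assignments; the function names and the sample packets are constructed for illustration, and the port match is a heuristic.

```python
import socket
import struct
from collections import Counter

PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41  # IANA protocol number: IPv6 carried directly in IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544     # IANA-assigned UDP port for Teredo

def classify(pkt: bytes) -> str:
    """Label one raw IP packet: native-ipv6, 6in4, teredo, ipv4 or malformed."""
    if not pkt:
        return "malformed"
    version = pkt[0] >> 4
    if version == 6:
        return "native-ipv6" if len(pkt) >= 40 else "malformed"
    ihl = (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, payload = pkt[9], pkt[ihl:]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto == PROTO_IPV6_ENCAP:
        # Only a first fragment carries the inner IPv6 header we can verify.
        if frag_offset == 0 and (len(payload) < 40 or payload[0] >> 4 != 6):
            return "malformed"
        return "6in4"
    # UDP ports exist only in the first fragment; later fragments hold arbitrary data.
    if proto == PROTO_UDP and frag_offset == 0 and len(payload) >= 8:
        if TEREDO_PORT in struct.unpack("!HH", payload[:4]):
            return "teredo"
    return "ipv4"

def tunnel_report(packets) -> dict:
    """Count packets per label so an IPv4-only sensor's blind spot becomes visible."""
    return dict(Counter(classify(p) for p in packets))

# --- constructed sample packets (documentation addresses, zeroed checksums) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7")) + payload

def udp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)

INNER6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                     socket.inet_pton(socket.AF_INET6, "2001:db8::1"),
                     socket.inet_pton(socket.AF_INET6, "2001:db8::2"))
SAMPLES = [ipv4(PROTO_IPV6_ENCAP, INNER6), ipv4(PROTO_UDP, udp(51000, TEREDO_PORT)),
           ipv4(PROTO_UDP, udp(51000, 53)), INNER6, ipv4(6, bytes(20))]

if __name__ == "__main__":
    print(tunnel_report(SAMPLES))
```

On a network that has not deliberately enabled IPv6 transition mechanisms, any non-zero `6in4` or `teredo` count is worth investigating, since that traffic bypasses IPv4-only inspection.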
In order to address these challenges we need a concentrated push to move IPv6 cybersecurity forward so we are ready to extensively activate IPv6 upgrades everywhere in the next few years. If your users interact across the Internet with external servers (WWW, email, DNS) or you provide services to customers across the Internet, you need to begin now to dual-stack your servers, client computers, applications, routers, and especially security to address IPv6 before 2012, when the “operational challenges” really begin as we try to stretch IPv4 scaling. The need to continue Internet operations and security in a dual-stacked mode is going to increase the operational cost (+15% in many estimates) and be a drain on our economy until we get the proper security and infrastructure in place to support IPv6-only networks.
May 1st, 2010 at 12:17 am
Just wanted to say you have a great site and thanks for posting!
May 4th, 2010 at 11:37 pm
Totally digg your website thanks a lot for the info