Broader Digital Landscape Means More Places To Hide
With IPv6, a deluge of new top-level domains, and DNSSEC all coming, the Internet will become a much bigger place. Defenses that worked in the past won't work in the future.
With the slow transition to a trio of technologies -- IPv6, the domain name system security extensions (DNSSEC), and the coming sale of hundreds of new generic top-level domains (gTLDs) -- the Internet is undergoing more changes than it has in three decades.
Some security experts are wary of what the changes could mean for security technologies built around today's network protocol, IPv4, and its far smaller set of top-level domains. The move from the scarce resources of the current Internet to the nearly unlimited IPv6 address space will cause fundamental problems for those technologies, a pair of security researchers plan to argue at the Black Hat USA conference next month.
"The existing scarcity of IPv4 is something that is built into the attacker's and defender's mindset," says Alex Stamos, chief technology officer at security technology firm Artemis. "Finding vulnerable servers is easy. Scanning and attacking every addressable machine on the Internet is totally doable."
Yet a move to IPv6 may mean that attackers can no longer build databases of vulnerable servers simply by scanning, because the address space is too big to sweep. To put it in perspective, a single standard IPv6 subnet (a /64) holds 2^64 addresses, so one host choosing an address on it has more options than there are addresses in the entire IPv4 Internet (2^32). Brute-force scanning becomes impractical, although hosts can still be located through DNS, passive observation of traffic, and predictable addressing such as low-numbered static addresses or MAC-derived EUI-64 identifiers.
For systems that detect malicious traffic by assigning each source IP address a reputation score, the move to IPv6 could spell trouble, Stamos argues. An attacker who can take a fresh, never-before-seen address for every connection never accumulates a bad record, so a model keyed on individual addresses breaks down.
"Because IP addresses are rare and valuable [today], someone owns it and someone is responsible for the IP address," he says. "That model is going to completely go away."
In a similar way, the expansion of the top-level domain system may make it harder for people to recognize bad sites and easier for attackers to hide in a larger ocean of domain names, he says.
That's true for systems that only track negative reputation, but not if reputation is treated as a richer signal, responds Matthew Prince, CEO of Web security firm CloudFlare. Good reputation should be unaffected by the move to IPv6, because legitimate websites will rarely change their IP addresses. In addition, by scoring at coarser granularities than the single address, such as the /64 subnet or the /48 site allocation a client sits in, security companies can assign a reputation to whole neighborhoods of the IPv6 Internet.
"You are taking whatever information you have," he says. "It's not binary. It is not good or bad. Every visitor has a whole series of data points which give us a reputation, and it's that reputation that helps us make a decision."
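The neighborhood scoring Prince describes, and the per-address churn Stamos warns about, can both be seen in the following added example. It is not code from the article, from Artemis or from CloudFlare; the sample events, the prefix lengths (/128, /64, /48) and the evidence thresholds are assumptions chosen for illustration. An attacker who rotates through fresh addresses inside one /64 never accumulates a record at the single-address level, but the /64 and the /48 above it do.

```python
"""Reputation for IPv6 sources scored at several prefix granularities.

Added illustration, not the article's or any vendor's code. The events and
thresholds below are constructed for the example.
"""
import ipaddress
from collections import defaultdict

# Minimum observations before a prefix's score is trusted, per granularity:
# a single host is condemned by a few events, a whole /48 site only by many.
MIN_EVIDENCE = {128: 3, 64: 5, 48: 20}
PREFIXES = tuple(sorted(MIN_EVIDENCE, reverse=True))   # most specific first

# Constructed sample events: (client address, verdict from a downstream check).
# 2001:db8:bad:1::/64 hosts an attacker rotating through 20 never-reused addresses;
# 2001:db8:cafe:2::/64 is a legitimate subnet with one misbehaving host (::ff).
EVENTS = (
    [(f"2001:db8:bad:1::{i:x}", "bad") for i in range(1, 21)]
    + [(f"2001:db8:cafe:2::{i:x}", "good") for i in range(1, 31)]
    + [("2001:db8:cafe:2::ff", "bad")] * 3
)


def neighbourhood(addr, prefix_len):
    """The /prefix_len network that contains addr (host bits masked off)."""
    return ipaddress.IPv6Network(
        (int(ipaddress.IPv6Address(addr)), prefix_len), strict=False)


def aggregate(events):
    """Return {prefix_len: {network: [bad, total]}} for every granularity."""
    counts = {p: defaultdict(lambda: [0, 0]) for p in PREFIXES}
    for addr, verdict in events:
        for p in PREFIXES:
            tally = counts[p][neighbourhood(addr, p)]
            tally[1] += 1
            if verdict == "bad":
                tally[0] += 1
    return counts


def reputation(addr, counts):
    """(prefix_len, bad_ratio) from the most specific neighbourhood that has
    enough evidence, or (None, None) when nothing relevant has been seen."""
    for p in PREFIXES:
        bad, total = counts[p].get(neighbourhood(addr, p), (0, 0))
        if total >= MIN_EVIDENCE[p]:
            return p, bad / total
    return None, None


def decide(addr, counts, threshold=0.5):
    """allow / block / unknown for a new connection from addr."""
    _, ratio = reputation(addr, counts)
    if ratio is None:
        return "unknown"
    return "block" if ratio >= threshold else "allow"


if __name__ == "__main__":
    counts = aggregate(EVENTS)
    for probe in ("2001:db8:bad:1::abcd",   # fresh address in the attacker's /64
                  "2001:db8:bad:2::1",      # fresh /64 inside the attacker's /48
                  "2001:db8:cafe:2::1234",  # fresh host on the legitimate subnet
                  "2001:db8:cafe:2::ff",    # the one bad host there
                  "2001:db8:ffff::1"):      # never seen at any granularity
        print(probe, reputation(probe, counts), decide(probe, counts))
```

The evidence thresholds carry the policy: a /48 is typically an entire site, so blocking it on a handful of events would punish every host behind it, while a single address can be judged quickly. In production the prefix boundaries should follow the actual delegations (registry and routing data) rather than fixed lengths, and the verdicts feeding the tallies must come from a check the attacker cannot trivially trigger against innocent neighbors.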
While IPv6 may in theory cause problems for future security technology, the move is already causing practical problems with enterprise hardware today, Stamos says. The researchers tested many security appliances in the lab and found that they generally support IPv6 poorly.
"These products have been deployed in IPv4 networks for decades," Stamos says. "It will take IPv6 a similar period of time to get to the same level."
That's a problem for companies, many of which already have IPv6 running in their networks, even if they do not know it. Current versions of Windows, Linux, and Mac OS X enable IPv6 by default and configure addresses automatically, a link-local address on every interface and global addresses whenever a router advertisement is heard, and many routers do the same. Companies therefore likely carry IPv6 traffic that their IPv4-only firewalls, intrusion detection sensors and logging never inspect, which leaves an exposure they cannot measure.
The lesson for companies is that they should create an IPv6 security team, even if they do not plan to transition in the near future, says Bob Hinden, co-inventor of IPv6 and a fellow at firewall maker Check Point Software.
"I think enterprises need to be upgrading and running the IPv6 side of their operations now, even though they might not be actively running anything on IPv6," he says. "The warning for companies is, 'You can't stop what you can't see.'"
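A first step toward seeing the IPv6 that Hinden refers to is finding out which hosts already hold global IPv6 addresses. The following added example (not from the article, from Check Point, or from anyone quoted here) parses the output of `ip -6 addr show` on a Linux host, reports every global-scope address, and labels it as an RFC 4941 temporary (privacy) address, an EUI-64 SLAAC address that embeds the interface's MAC, or another dynamic or static assignment. The sample output is constructed for the example, not captured from a real machine; the command format and the ff:fe marker of EUI-64 identifiers are standard.

```python
"""Inventory of IPv6 addresses a Linux host is actually using.

Added illustration, not code from the article or any vendor. SAMPLE is a
constructed transcript in the format of `ip -6 addr show`.
"""
import ipaddress
import re
import subprocess

SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:e4a7:19ff:3c0b:77d1/64 scope global temporary dynamic 
       valid_lft 86375sec preferred_lft 14375sec
    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr 
       valid_lft 86375sec preferred_lft 86375sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link 
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+: (\S+?):")              # "2: eth0: <...>"
ADDR_RE = re.compile(r"^\s+inet6 (\S+) scope (\w+)(.*)$")


def parse_ip6_addr(text):
    """Return [(iface, IPv6Interface, scope, flags)] from `ip -6 addr` output."""
    iface, results = None, []
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            addr = ipaddress.IPv6Interface(m.group(1))
            flags = set(m.group(3).split())          # e.g. {"temporary", "dynamic"}
            results.append((iface, addr, m.group(2), flags))
    return results


def is_eui64(ip):
    """True when the interface identifier carries ff:fe in its middle, the
    signature of an identifier derived from the 48-bit MAC address."""
    return ip.packed[11:13] == b"\xff\xfe"


def classify(scope, ip, flags):
    """Kind of address, or None for non-global scopes we do not report."""
    if scope != "global":
        return None
    if "temporary" in flags:
        return "privacy"          # RFC 4941 temporary address, rotates regularly
    if is_eui64(ip):
        return "eui64"            # SLAAC address exposing the MAC to every peer
    if "dynamic" in flags:
        return "dynamic"          # DHCPv6 or stable-privacy SLAAC
    return "static"


def audit(text):
    """[(iface, address, kind)] for every global IPv6 address in the output."""
    findings = []
    for iface, addr, scope, flags in parse_ip6_addr(text):
        kind = classify(scope, addr.ip, flags)
        if kind:
            findings.append((iface, str(addr.ip), kind))
    return findings


def audit_local_host():
    """Run the real command on this Linux host and audit its output."""
    out = subprocess.run(["ip", "-6", "addr", "show"], capture_output=True,
                         text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for iface, address, kind in audit(SAMPLE):
        print(f"{iface:6} {kind:8} {address}")
```

Run `audit_local_host()` across a fleet (or feed it saved command output) to learn which machines are already reachable over IPv6 despite an IPv4-only security design. The labels are themselves security-relevant: an `eui64` address means the host's MAC is visible to every IPv6 peer it talks to, and `privacy` addresses change regularly, which is exactly the churn that undermines per-address reputation. On Windows the equivalent inventory command is `Get-NetIPAddress -AddressFamily IPv6`.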