Attacks/Breaches
9/2/2010
04:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

IPv6 Transition Poses New Security Threats

Next-generation IP protocol comes with more security as well as some potential flaws of its own

The countdown to the saturation of the IPv4 address supply is now down to a matter of months: and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats.

IPv6 has been in the works for over a decade now, but with the exhaustion of the IPv4 address space expected anywhere from spring to June of 2011, the long transition to the new IP may finally be on the radar screen for some organizations. Unlike its predecessor, the "new" protocol was built with security in mind: it comes with IPSec encryption, for instance, and its massive address space could help prevent worms from propagating, security experts say.

But its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes.

Some experts expect implementing DNSSEC in an IPv6 network to be simpler than in existing IPv4 networks. "It eases the transition to DNSSEC. IPv6 lets you migrate to DNSSEC much more easily than trying to do so on an old IPv4 stack. The concern with DNSSEC has been you've got a lot of legacy IPv4 equipment out there, and some of it is non-standard, which is very difficult" to integrate with DNSSEC, says Michael Markulec, COO of Lumeta.

But Dan Kaminsky, chief scientist for Recursion Ventures, disagrees. He says DNSSEC isn't any easier to deploy in IPv6 than in an IPv4 environment.

Meanwhile, given that much of the IPv6 address space will be dark for some time as it rolls out and because of the vast address space it offers, a network worm attack in an IPv6 network would be inefficient because it would take much longer to crawl that massive address space than in today's IPv4 networks, says Mike Montecillo, senior threat analyst at IBM.

Kaminsky says the short-term risk with IPv6 will be the introduction of new vulnerabilities. "Is this new code going to break everything? The answer is all new code has that risk associated with it," he says. "We will deal with that in testing and fuzzing" and other code review, he says.

The longer-term risk with IPv6 is the age-old war between networking and security. It's either networking functionality and less security, or security and less network functionality. "I don't know where this is going to come down," Kaminsky says.

Cricket Liu, vice president of architecture for Infoblox, says the biggest threat will be organizations misconfiguring their IPv6 systems. "Until you understand it, you're not going to configure it right. So there are going to be a lot of mistakes, and [that will be] the source of a lot of vulnerabilities in the configurations."

When setting up tunneling between IPv4 and IPv6 networks, for instance, be careful what you allow to enter the tunnel, Liu says. "It's possible to misconfigure the tunnel and allow external traffic to flow through it without the proper scrutiny," he says.

There also will be the inevitable vulnerabilities discovered in IPv6 products. "Once we get past the teething phase [with IPv6] -- and that could take five- to 10 years -- there are a lot of tools there to make IPv6 more secure than IPv4 is," Liu says. "I worry about that transition: the pain of having vendors discover bugs in their implementations [for instance]. It's going to be a nasty period."

IPv6's large IP address space also has security advantages such as rotating IP addresses, Liu says. "The downside is it introduces an enormous amount of complexity to routers and endpoints that need to process IPv6," he says, which may expose security holes and new bugs.

And there's also the potential for inadvertent confusion among routers with the ability to change IP addresses, Liu says. "With the ability to change the IPv6 address, the generated traffic may look like a DDoS attack to an IPv4 firewall," he says.

The popular practice of using Network Address Translation (NAT) to extend IP address domains and to protect private IP addresses could cause some problems if used in IPv6, experts say. IBM's Montecillo says NAT provides a certain amount of protection for internal IP addresses, for instance. "With IPv6, that may not be the case. It requires proper configuration to prevent systems from going directly onto the Internet," he says.

Since most networks will still run IPv4 as well, organizations will have to maintain the two parallel networks. Nathan Myers, product manager at F5 Networks, says his firm is working on simplifying the problem of managing two sets of IP addresses for the same application. "We're working on here in the next version is a way to stuff IPv4 into IPv6. Then you only have to maintain one record in the DNS system," Myers says.

Meanwhile, IBM's Montecillo says IPv6 presents organizations with the opportunity for the first time to build security into their infrastructure from the ground up: "It's a chance to re-architect with security at the forefront, with a secure architecture versus something built out of necessity," he says.

He says any security glitches with IPv6 aren't about the technology itself, but in how an organization uses the technology. "It depends on how you implement the technology. If organizations carefully plan and consider how to put things on the network with IPv6, they will benefit" from it, he says. That means mapping out what security controls should be in place for both IPv4 and IPv6 in the transition, he says.

And IPv4 won't be completely eradicated, anyway, because organizations can still use NAT to recycle their IP addresses, for instance, security experts say. "IPv4 will become more difficult to obtain and register publicly routed IP addresses. creating complexities," IBM's Montecillo says.

In the end, the adoption of IPv6 may be more about economic reasons than address-space exhaustion ones. "IPv4 is a finite resource. We're going to run out of IPv4 space, but that doesn't mean you can't get on. It just becomes more expensive to get on the network," Recursion's Kaminsky says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web