
1/24/2012
12:52 PM

IP D-Day: Major Providers, Vendors To Go IPv6 June 6

IPv6 implementations 'scrutinized' for security issues so no panic necessary, experts say amid concerns of as-yet undiscovered bugs

It has been in the works for more than a decade, but the next-generation IPv6 protocol will officially go live in some major corners of the Internet this year: The Internet Society has deemed June 6 as World IPv6 Day, when Google, AT&T, Facebook, Comcast, Cisco, and others plan to flip the switch to the new IP protocol.

IPv6 has been available in most products for some time now, and various organizations and government agencies have test-run the protocol in their networks. Other nations, such as Japan and France, have already broadly rolled out IPv6. Meanwhile, IPv4 has outlasted some predictions that it would have run out of address space by now, and IPv6 has exponentially more address space that can better accommodate the explosion of IP devices.

As with any new technology rollout, security experts say, the transition to IPv6 could introduce new bugs into the ecosystem. But security expert Dan Kaminsky says there’s no reason to panic: The major operating systems’ IPv6 stacks have been well-vetted.

“I'm not too worried about IPv6 security flaws. We've gotten almost lazy about calling bugs out just because code is new. But the bottom line is that the major OSes have had their IPv6 stacks scrubbed fairly hard, and most embedded devices that do support IPv6 are built on these major OSes,” Kaminsky says. “Things may go wrong, of course, but we'll survive.”

Among the companies participating in the IPv6 cutover on June 6 are Google, Facebook, Microsoft Bing, Yahoo!, AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, XS4All, Cisco, and D-Link.

The ISPs going to IPv6 -- AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, and XS4ALL -- will roll out the new protocol in their networks so that at least 1 percent of their wireline residential subscribers who visit other IPv6-enabled websites will get there via IPv6. They plan to make IPv6 a big part of their services, while new home routers from Cisco and D-Link will enable IPv6 by default; Web content giants Google, Facebook, Microsoft Bing, and Yahoo! will turn on IPv6 that day for their main websites.

But this doesn’t mean IPv4 is going anywhere any time soon. “IPv4 is not being turned off: We're really focusing on the deployment of IPv6, not the ‘transition to IPv6,’ per se. Part of the commitment the participants are making in deploying IPv6 for this activity is that it will be part of their production service offering,” says Leslie Daigle, chief Internet technology officer for the Internet Society. “The implication is that this will mean they have scrutinized security implications and are enabling their standard practices for ensuring security in their IPv6 networks.”

Daigle says the event is significant because IPv6 users will now be able to use IPv6 to get content because major content providers will offer it. “Since IPv4 is not being turned off in any case, the end user should seamlessly connect to any website, whether over IPv6 or IPv4,” he says.

[IPv6 brings some welcome security and other features, but there are some 'gotchas' for IP professionals that may not be immediately apparent when it comes to vulnerability scanning and penetration testing. See Tech Insight: Retooling Vulnerability Scanning, Penetration Testing For IPv6.]

Security concerns about IPv6 are mostly academic at this point because most firewalls and IDSes have been tuned to handle the new protocol, says Alain Fiocco, Cisco senior director and head of the IPv6 program.

“You have to have the same level of security monitoring and forensics on IPv6 [traffic] that you had before [with IPv4],” Fiocco says.

There really are no differences between IPv4 and IPv6 security for firewalls and IDSes, he says. “The way you define your security policy and access lists will work on IPv4 and on IPv6” with Cisco products, he says.

Fiocco says organizations should make sure, when they deploy their security appliances and tools, that the products handle both versions of IP traffic similarly. “Otherwise, you will have different ways to operate, monitor, and troubleshoot. You want to make it as seamless and identical as possible,” he says.

But security experts point out other risks, such as the inevitable discovery of new vulnerabilities in IPv6, and organizations misconfiguring their IPv6 systems and leaving the door open for vulnerabilities and attacks.

One example of a dangerous misconfiguration arises when setting up tunneling between IPv4 and IPv6: It’s possible to inadvertently allow external traffic to flow through the tunnel freely, according to some experts. Another is not allocating sufficient memory for the longer IPv6 addresses, which could lead to remote code execution, for example.
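The undersized-buffer risk described above, as an added C example that is not from the article or from any vendor's code: a buffer sized for an IPv4 address string is too small for an IPv6 one, and a length-checked formatter fails closed instead of overrunning it. The names `format_peer` and `make_v6` and the sample address are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Format a peer address of either family into out[outlen]. Returns 0 on
 * success, -1 on unknown family or undersized buffer; out stays NUL-terminated. */
int format_peer(const struct sockaddr_storage *ss, char *out, size_t outlen)
{
    const void *addr;
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (ss->ss_family == AF_INET)
        addr = &((const struct sockaddr_in *)ss)->sin_addr;
    else if (ss->ss_family == AF_INET6)
        addr = &((const struct sockaddr_in6 *)ss)->sin6_addr;
    else
        return -1;
    /* inet_ntop() checks outlen and fails rather than writing past the end. */
    if (inet_ntop(ss->ss_family, addr, out, (socklen_t)outlen) == NULL) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build an IPv6 sockaddr from text (constructed sample input); 0 on success. */
int make_v6(const char *text, struct sockaddr_storage *ss)
{
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;
    memset(ss, 0, sizeof(*ss));
    sin6->sin6_family = AF_INET6;
    return inet_pton(AF_INET6, text, &sin6->sin6_addr) == 1 ? 0 : -1;
}

int main(void)
{
    struct sockaddr_storage ss;
    /* small: legacy IPv4-only sizing (16 bytes); big: IPv6-capable (46 bytes). */
    char small[INET_ADDRSTRLEN], big[INET6_ADDRSTRLEN];
    /* Constructed address in the 2001:db8::/32 documentation range. */
    if (make_v6("2001:db8:1111:2222:3333:4444:5555:6666", &ss) != 0)
        return 1;
    printf("IPv4-sized buffer: %d\n", format_peer(&ss, small, sizeof small));
    printf("IPv6-sized buffer: %d %s\n", format_peer(&ss, big, sizeof big), big);
    return 0;
}
```

Code that copies the address with an unchecked `strcpy` or `sprintf` into the 16-byte buffer would write past its end; sizing for `INET6_ADDRSTRLEN` and checking the return value avoids both the overflow and the silent truncation.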

But participants in World IPv6 Day say their work during the past year and at last year’s interoperability event helped iron out any potential security holes in their implementations, anyway.

“World IPv6 Launch marks a watershed moment in Internet history. It breaks the limits of the original address space to open a vast new territory, trillions upon trillions of times larger, and reinforces the end-to-end architecture that made the Internet so powerful at the beginning,” said Vint Cerf, chief Internet evangelist for Google. “Google strongly supports this upgrade. We’re happy to see that everyone is moving to the 21st-century Internet.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Tom LaSusa,
User Rank: Apprentice
1/24/2012 | 7:48:41 PM
re: IP D-Day: Major Providers, Vendors To Go IPv6 June 6
great article, Kelly!