Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/24/2012
12:52 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

IP D-Day: Major Providers, Vendors To Go IPv6 June 6

IPv6 implementations 'scrutinized' for security issues so no panic necessary, experts say amid concerns of as-yet undiscovered bugs

It has been in the works for more than a decade, but the next-generation IPv6 protocol will officially go live in some major corners of the Internet this year: The Internet Society has deemed June 6 as World IPv6 Day, when Google, AT&T, Facebook, Comcast, Cisco, and others plan to flip the switch to the new IP protocol.

IPv6 has been available in most products for some time now, and various organizations and government agencies have test-run the protocol in their networks. Other nations, such as Japan and France, have already broadly rolled out IPv6. Meanwhile, IPv4 has outlasted some predictions that it would have run out of address space by now, and IPv6 has exponentially more address space that can better accommodate the explosion of IP devices.

And like any new technology rollout, security experts say the transition to IPv6 could introduce new bugs into the ecosystem. But security expert Dan Kaminsky says there’s no reason to panic: The major operating systems’ IPv6 stacks have been well-vetted.

“I'm not too worried about IPv6 security flaws. We've gotten almost lazy about calling bugs out just because code is new. But the bottom line is that the major OSes have had their IPv6 stacks scrubbed fairly hard, and most embedded devices that do support IPv6 are built on these major OSes,” Kaminsky says. “Things may go wrong, of course, but we'll survive.”

Among the companies participating in the IPv6 cutover on June 6 are Google, Facebook, Microsoft Bing, Yahoo!, AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, XS4All, Cisco, and D-Link.

The ISPs going to IPv6 -- AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, and XS4ALL -- will roll out the new protocol in their networks so that at least 1 percent of their wireline residential subscribers who visit other IPv6-enabled websites will get there via IPv6. They plan to make IPv6 a big part of their services, while new home routers from Cisco and D-Link will enable IPv6 by default; Web content giants Google, Facebook, Microsoft Bing, and Yahoo! will turn on IPv6 that day for their main websites.

But this doesn’t mean IPv4 is going anywhere any time soon. “IPv4 is not being turned off: We're really focusing on the deployment of IPv6, not the ‘transition to IPv6,’ per se. Part of the commitment the participants are making in deploying IPv6 for this activity is that it will be part of their production service offering,” says Leslie Daigle, chief Internet technology officer for the Internet Society. “The implication is that this will mean they have scrutinized security implications and are enabling their standard practices for ensuring security in their IPv6 networks.”

Daigle says the event is significant because IPv6 users will now be able to use IPv6 to get content because major content providers will offer it. “Since IPv4 is not being turned off in any case, the end user should seamlessly connect to any website, whether over IPv6 or IPv4,” he says.

[IPv6 brings some welcome security and other features, but there are some 'gotchas' for IP professionals that may not be immediately apparent when it comes to vulnerability scanning and penetration testing. See Tech Insight: Retooling Vulnerability Scanning, Penetration Testing For IPv6.]

Security concerns about IPv6 are mostly academic at this point because most firewalls and IDSes have been tuned to handle the new protocol, says Alain Fiocco, Cisco senior director and head of the IPv6 program.

“You have to have the same level of security monitoring and forensics on IPv6 [traffic] that you had before [with IPv4]," Fiocco says.

There really are no differences between IPv4 and IPv6 security for firewalls and IDSes, he says. “The way you define your security policy and access lists will work on IPv4 and on IPv6” with Cisco products, he says.

Fiocco says organizations should make sure that when they deploy their security appliances and tools that the products handle both versions of IP traffic similarly. “Otherwise, you will have different ways to operate, monitor, and troubleshoot. You want to make it as seamless and identical as possible,” he says.

But security experts point out other risks, such as the inevitable discovery of new vulnerabilities in IPv6, and organizations misconfiguring their IPv6 systems and leaving the door open for vulnerabilities and attacks.

One example of a dangerous misconfiguration is when setting up tunneling between IPv4 and IPv6. It’s possible to inadvertently allow external traffic to flow through the tunnel freely, for instance, according to some experts. Another is not allocating sufficient memory for the longer IPv6 addresses, which could lead to remote code execution, for example.

But participants in World IPv6 Day say their work during the past year and at last year’s interoperability event helped iron out an potential security holes in their implementations, anyway.

"World IPv6 Launch marks a watershed moment in Internet history. It breaks the limits of the original address space to open a vast new territory, trillions upon trillions of times larger, and reinforces the end-to-end architecture that made the Internet so powerful at the beginning,” said Vint Cerf, chief Internet evangelist for Google. “Google strongly supports this upgrade. We’re happy to see that everyone is moving to the 21st-century Internet.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tom LaSusa
50%
50%
Tom LaSusa,
User Rank: Apprentice
1/24/2012 | 7:48:41 PM
re: IP D-Day: Major Providers, Vendors To Go IPv6 June 6
great article, Kelly!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11496
PUBLISHED: 2020-10-19
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to ...
CVE-2020-15822
PUBLISHED: 2020-10-19
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
CVE-2020-24375
PUBLISHED: 2020-10-19
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
CVE-2020-7193
PUBLISHED: 2020-10-19
A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
CVE-2020-7194
PUBLISHED: 2020-10-19
A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).