Attacks/Breaches

1/24/2012
12:52 PM

IP D-Day: Major Providers, Vendors To Go IPv6 June 6

IPv6 implementations 'scrutinized' for security issues so no panic necessary, experts say amid concerns of as-yet undiscovered bugs

It has been in the works for more than a decade, but the next-generation IPv6 protocol will officially go live in some major corners of the Internet this year: The Internet Society has set June 6 as World IPv6 Launch, the day Google, AT&T, Facebook, Comcast, Cisco, and others plan to enable IPv6 permanently on their production websites, networks, and products, alongside IPv4.

IPv6 has been available in most products for some time now, and various organizations and government agencies have test-run the protocol in their networks. Other nations, such as Japan and France, have already rolled out IPv6 broadly. Meanwhile, IPv4 has outlasted some predictions of when its address space would run out, although IANA handed its last unallocated /8 blocks to the regional registries in February 2011. IPv6's 128-bit addresses, versus IPv4's 32 bits, provide 2^96 times as many addresses and can better accommodate the explosion of IP devices.

And like any new technology rollout, security experts say the transition to IPv6 could introduce new bugs into the ecosystem. But security expert Dan Kaminsky says there’s no reason to panic: The major operating systems’ IPv6 stacks have been well-vetted.

“I'm not too worried about IPv6 security flaws. We've gotten almost lazy about calling bugs out just because code is new. But the bottom line is that the major OSes have had their IPv6 stacks scrubbed fairly hard, and most embedded devices that do support IPv6 are built on these major OSes,” Kaminsky says. “Things may go wrong, of course, but we'll survive.”

Among the companies participating in the IPv6 cutover on June 6 are Google, Facebook, Microsoft Bing, Yahoo!, AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, XS4All, Cisco, and D-Link.

The ISPs going to IPv6 -- AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, and XS4All -- will roll out the new protocol in their networks so that at least 1 percent of their wireline residential subscribers who visit the participating IPv6-enabled websites will get there via IPv6, and they commit to keeping IPv6 on as part of their production service thereafter. New home routers from Cisco and D-Link will enable IPv6 by default, and Web content giants Google, Facebook, Microsoft Bing, and Yahoo! will turn on IPv6 permanently for their main websites that day.

But this doesn’t mean IPv4 is going anywhere any time soon. “IPv4 is not being turned off: We're really focusing on the deployment of IPv6, not the ‘transition to IPv6,’ per se. Part of the commitment the participants are making in deploying IPv6 for this activity is that it will be part of their production service offering,” says Leslie Daigle, chief Internet technology officer for the Internet Society. “The implication is that this will mean they have scrutinized security implications and are enabling their standard practices for ensuring security in their IPv6 networks.”

Daigle says the event is significant because, with the major content providers serving their sites over IPv6, users who have IPv6 connectivity will actually be able to reach content over it. “Since IPv4 is not being turned off in any case, the end user should seamlessly connect to any website, whether over IPv6 or IPv4,” she says.

[IPv6 brings some welcome security and other features, but there are some 'gotchas' for IP professionals that may not be immediately apparent when it comes to vulnerability scanning and penetration testing. See Tech Insight: Retooling Vulnerability Scanning, Penetration Testing For IPv6.]

Security concerns about IPv6 are mostly academic at this point because most firewalls and IDSes have been tuned to handle the new protocol, says Alain Fiocco, Cisco senior director and head of the IPv6 program.

“You have to have the same level of security monitoring and forensics on IPv6 [traffic] that you had before [with IPv4]," Fiocco says.

There really are no differences between IPv4 and IPv6 security for firewalls and IDSes, he says. “The way you define your security policy and access lists will work on IPv4 and on IPv6” with Cisco products, he says.

Fiocco says organizations should make sure that when they deploy their security appliances and tools that the products handle both versions of IP traffic similarly. “Otherwise, you will have different ways to operate, monitor, and troubleshoot. You want to make it as seamless and identical as possible,” he says.

But security experts point out other risks, such as the inevitable discovery of new vulnerabilities in IPv6 implementations, and organizations misconfiguring their IPv6 systems and leaving the door open to attack.

One example of a dangerous misconfiguration involves tunneling IPv6 over IPv4 (6to4, 6in4, Teredo, and similar transition mechanisms): a firewall or IDS that inspects only the outer IPv4 packet can pass the encapsulated IPv6 traffic unexamined, in effect letting external traffic flow freely through the tunnel, according to some experts. Another is code that sizes its buffers for a 15-character IPv4 address and then receives an IPv6 address of 39 characters (up to 45 with an embedded IPv4 address), a buffer overflow that could lead to remote code execution.

But participants in World IPv6 Launch say their work during the past year, and at last year's World IPv6 Day test event, helped iron out any potential security holes in their implementations.

"World IPv6 Launch marks a watershed moment in Internet history. It breaks the limits of the original address space to open a vast new territory, trillions upon trillions of times larger, and reinforces the end-to-end architecture that made the Internet so powerful at the beginning,” said Vint Cerf, chief Internet evangelist for Google. “Google strongly supports this upgrade. We’re happy to see that everyone is moving to the 21st-century Internet.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Tom LaSusa, 1/24/2012 7:48:41 PM
Great article, Kelly!