IPv6 implementations 'scrutinized' for security issues so no panic necessary, experts say amid concerns of as-yet undiscovered bugs

It has been in the works for more than a decade, but the next-generation IPv6 protocol will officially go live in some major corners of the Internet this year: The Internet Society has deemed June 6 as World IPv6 Day, when Google, AT&T, Facebook, Comcast, Cisco, and others plan to flip the switch to the new IP protocol.

IPv6 has been available in most products for some time now, and various organizations and government agencies have test-run the protocol in their networks. Other nations, such as Japan and France, have already broadly rolled out IPv6. Meanwhile, IPv4 has outlasted some predictions that it would have run out of address space by now, and IPv6 has exponentially more address space that can better accommodate the explosion of IP devices.

And like any new technology rollout, security experts say the transition to IPv6 could introduce new bugs into the ecosystem. But security expert Dan Kaminsky says there’s no reason to panic: The major operating systems’ IPv6 stacks have been well-vetted.

“I'm not too worried about IPv6 security flaws. We've gotten almost lazy about calling bugs out just because code is new. But the bottom line is that the major OSes have had their IPv6 stacks scrubbed fairly hard, and most embedded devices that do support IPv6 are built on these major OSes,” Kaminsky says. “Things may go wrong, of course, but we'll survive.”

Among the companies participating in the IPv6 cutover on June 6 are Google, Facebook, Microsoft Bing, Yahoo!, AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, XS4All, Cisco, and D-Link.

The ISPs going to IPv6 -- AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, and XS4ALL -- will roll out the new protocol in their networks so that at least 1 percent of their wireline residential subscribers who visit other IPv6-enabled websites will get there via IPv6. They plan to make IPv6 a big part of their services, while new home routers from Cisco and D-Link will enable IPv6 by default; Web content giants Google, Facebook, Microsoft Bing, and Yahoo! will turn on IPv6 that day for their main websites.

But this doesn’t mean IPv4 is going anywhere any time soon. “IPv4 is not being turned off: We're really focusing on the deployment of IPv6, not the ‘transition to IPv6,’ per se. Part of the commitment the participants are making in deploying IPv6 for this activity is that it will be part of their production service offering,” says Leslie Daigle, chief Internet technology officer for the Internet Society. “The implication is that this will mean they have scrutinized security implications and are enabling their standard practices for ensuring security in their IPv6 networks.”

Daigle says the event is significant because IPv6 users will now be able to use IPv6 to get content because major content providers will offer it. “Since IPv4 is not being turned off in any case, the end user should seamlessly connect to any website, whether over IPv6 or IPv4,” he says.

[IPv6 brings some welcome security and other features, but there are some 'gotchas' for IP professionals that may not be immediately apparent when it comes to vulnerability scanning and penetration testing. See Tech Insight: Retooling Vulnerability Scanning, Penetration Testing For IPv6.]

Security concerns about IPv6 are mostly academic at this point because most firewalls and IDSes have been tuned to handle the new protocol, says Alain Fiocco, Cisco senior director and head of the IPv6 program.

“You have to have the same level of security monitoring and forensics on IPv6 [traffic] that you had before [with IPv4]," Fiocco says.

There really are no differences between IPv4 and IPv6 security for firewalls and IDSes, he says. “The way you define your security policy and access lists will work on IPv4 and on IPv6” with Cisco products, he says.

Fiocco says organizations should make sure that when they deploy their security appliances and tools that the products handle both versions of IP traffic similarly. “Otherwise, you will have different ways to operate, monitor, and troubleshoot. You want to make it as seamless and identical as possible,” he says.

But security experts point out other risks, such as the inevitable discovery of new vulnerabilities in IPv6, and organizations misconfiguring their IPv6 systems and leaving the door open for vulnerabilities and attacks.

One example of a dangerous misconfiguration is when setting up tunneling between IPv4 and IPv6. It’s possible to inadvertently allow external traffic to flow through the tunnel freely, for instance, according to some experts. Another is not allocating sufficient memory for the longer IPv6 addresses, which could lead to remote code execution, for example.

But participants in World IPv6 Day say their work during the past year and at last year’s interoperability event helped iron out an potential security holes in their implementations, anyway.

"World IPv6 Launch marks a watershed moment in Internet history. It breaks the limits of the original address space to open a vast new territory, trillions upon trillions of times larger, and reinforces the end-to-end architecture that made the Internet so powerful at the beginning,” said Vint Cerf, chief Internet evangelist for Google. “Google strongly supports this upgrade. We’re happy to see that everyone is moving to the 21st-century Internet.”

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights