Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/2/2010
04:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

IPv6 Transition Poses New Security Threats

Next-generation IP protocol comes with more security as well as some potential flaws of its own

The countdown to the saturation of the IPv4 address supply is now down to a matter of months: and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats.

IPv6 has been in the works for over a decade now, but with the exhaustion of the IPv4 address space expected anywhere from spring to June of 2011, the long transition to the new IP may finally be on the radar screen for some organizations. Unlike its predecessor, the "new" protocol was built with security in mind: it comes with IPSec encryption, for instance, and its massive address space could help prevent worms from propagating, security experts say.

But its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes.

Some experts expect implementing DNSSEC in an IPv6 network to be simpler than in existing IPv4 networks. "It eases the transition to DNSSEC. IPv6 lets you migrate to DNSSEC much more easily than trying to do so on an old IPv4 stack. The concern with DNSSEC has been you've got a lot of legacy IPv4 equipment out there, and some of it is non-standard, which is very difficult" to integrate with DNSSEC, says Michael Markulec, COO of Lumeta.

But Dan Kaminsky, chief scientist for Recursion Ventures, disagrees. He says DNSSEC isn't any easier to deploy in IPv6 than in an IPv4 environment.

Meanwhile, given that much of the IPv6 address space will be dark for some time as it rolls out and because of the vast address space it offers, a network worm attack in an IPv6 network would be inefficient because it would take much longer to crawl that massive address space than in today's IPv4 networks, says Mike Montecillo, senior threat analyst at IBM.

Kaminsky says the short-term risk with IPv6 will be the introduction of new vulnerabilities. "Is this new code going to break everything? The answer is all new code has that risk associated with it," he says. "We will deal with that in testing and fuzzing" and other code review, he says.

The longer-term risk with IPv6 is the age-old war between networking and security. It's either networking functionality and less security, or security and less network functionality. "I don't know where this is going to come down," Kaminsky says.

Cricket Liu, vice president of architecture for Infoblox, says the biggest threat will be organizations misconfiguring their IPv6 systems. "Until you understand it, you're not going to configure it right. So there are going to be a lot of mistakes, and [that will be] the source of a lot of vulnerabilities in the configurations."

When setting up tunneling between IPv4 and IPv6 networks, for instance, be careful what you allow to enter the tunnel, Liu says. "It's possible to misconfigure the tunnel and allow external traffic to flow through it without the proper scrutiny," he says.

There also will be the inevitable vulnerabilities discovered in IPv6 products. "Once we get past the teething phase [with IPv6] -- and that could take five- to 10 years -- there are a lot of tools there to make IPv6 more secure than IPv4 is," Liu says. "I worry about that transition: the pain of having vendors discover bugs in their implementations [for instance]. It's going to be a nasty period."

IPv6's large IP address space also has security advantages such as rotating IP addresses, Liu says. "The downside is it introduces an enormous amount of complexity to routers and endpoints that need to process IPv6," he says, which may expose security holes and new bugs.

And there's also the potential for inadvertent confusion among routers with the ability to change IP addresses, Liu says. "With the ability to change the IPv6 address, the generated traffic may look like a DDoS attack to an IPv4 firewall," he says.

The popular practice of using Network Address Translation (NAT) to extend IP address domains and to protect private IP addresses could cause some problems if used in IPv6, experts say. IBM's Montecillo says NAT provides a certain amount of protection for internal IP addresses, for instance. "With IPv6, that may not be the case. It requires proper configuration to prevent systems from going directly onto the Internet," he says.

Since most networks will still run IPv4 as well, organizations will have to maintain the two parallel networks. Nathan Myers, product manager at F5 Networks, says his firm is working on simplifying the problem of managing two sets of IP addresses for the same application. "We're working on here in the next version is a way to stuff IPv4 into IPv6. Then you only have to maintain one record in the DNS system," Myers says.

Meanwhile, IBM's Montecillo says IPv6 presents organizations with the opportunity for the first time to build security into their infrastructure from the ground up: "It's a chance to re-architect with security at the forefront, with a secure architecture versus something built out of necessity," he says.

He says any security glitches with IPv6 aren't about the technology itself, but in how an organization uses the technology. "It depends on how you implement the technology. If organizations carefully plan and consider how to put things on the network with IPv6, they will benefit" from it, he says. That means mapping out what security controls should be in place for both IPv4 and IPv6 in the transition, he says.

And IPv4 won't be completely eradicated, anyway, because organizations can still use NAT to recycle their IP addresses, for instance, security experts say. "IPv4 will become more difficult to obtain and register publicly routed IP addresses. creating complexities," IBM's Montecillo says.

In the end, the adoption of IPv6 may be more about economic reasons than address-space exhaustion ones. "IPv4 is a finite resource. We're going to run out of IPv4 space, but that doesn't mean you can't get on. It just becomes more expensive to get on the network," Recursion's Kaminsky says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17513
PUBLISHED: 2019-10-18
An issue was discovered in Ratpack before 1.7.5. Due to a misuse of the Netty library class DefaultHttpHeaders, there is no validation that headers lack HTTP control characters. Thus, if untrusted data is used to construct HTTP headers with Ratpack, HTTP Response Splitting can occur.
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .