9/2/2010
04:40 PM

IPv6 Transition Poses New Security Threats

Next-generation IP protocol comes with more security as well as some potential flaws of its own

The countdown to the saturation of the IPv4 address supply is now down to a matter of months, and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats.

IPv6 has been in the works for over a decade now, but with the exhaustion of the IPv4 address space expected anywhere from spring to June of 2011, the long transition to the new IP may finally be on the radar screen for some organizations. Unlike its predecessor, the "new" protocol was built with security in mind: it comes with IPSec encryption, for instance, and its massive address space could help prevent worms from propagating, security experts say.

But its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes.

Some experts expect implementing DNSSEC in an IPv6 network to be simpler than in existing IPv4 networks. "It eases the transition to DNSSEC. IPv6 lets you migrate to DNSSEC much more easily than trying to do so on an old IPv4 stack. The concern with DNSSEC has been you've got a lot of legacy IPv4 equipment out there, and some of it is non-standard, which is very difficult" to integrate with DNSSEC, says Michael Markulec, COO of Lumeta.

But Dan Kaminsky, chief scientist for Recursion Ventures, disagrees. He says DNSSEC isn't any easier to deploy in IPv6 than in an IPv4 environment.

Meanwhile, given that much of the IPv6 address space will be dark for some time as it rolls out and because of the vast address space it offers, a network worm attack in an IPv6 network would be inefficient because it would take much longer to crawl that massive address space than in today's IPv4 networks, says Mike Montecillo, senior threat analyst at IBM.

Kaminsky says the short-term risk with IPv6 will be the introduction of new vulnerabilities. "Is this new code going to break everything? The answer is all new code has that risk associated with it," he says. "We will deal with that in testing and fuzzing" and other code review, he says.

The longer-term risk with IPv6 is the age-old war between networking and security. It's either networking functionality and less security, or security and less network functionality. "I don't know where this is going to come down," Kaminsky says.

Cricket Liu, vice president of architecture for Infoblox, says the biggest threat will be organizations misconfiguring their IPv6 systems. "Until you understand it, you're not going to configure it right. So there are going to be a lot of mistakes, and [that will be] the source of a lot of vulnerabilities in the configurations."

When setting up tunneling between IPv4 and IPv6 networks, for instance, be careful what you allow to enter the tunnel, Liu says. "It's possible to misconfigure the tunnel and allow external traffic to flow through it without the proper scrutiny," he says.
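
The kind of scrutiny Liu describes can be sketched as a check at the tunnel endpoint. This is an added example, not code from the article or from any vendor quoted in it; it assumes a 6in4 tunnel (IPv6 carried in IPv4 protocol 41), and the peer address, site prefix and sample packets are hypothetical values from documentation ranges.

```python
import ipaddress
import struct

# Assumed site policy (hypothetical values taken from documentation ranges).
TUNNEL_PEER = ipaddress.ip_address("192.0.2.1")         # only permitted outer source
SITE_PREFIX = ipaddress.ip_network("2001:db8:100::/48")  # the site's IPv6 prefix
IPPROTO_IPV6 = 41  # IPv4 protocol number for encapsulated IPv6 (6in4)


def inspect_6in4(packet: bytes) -> str:
    """Verdict for one IPv4 packet arriving at the tunnel endpoint from outside."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4  # outer header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "drop: bad IPv4 header length"
    if packet[9] != IPPROTO_IPV6:
        return "ipv4: not tunneled, normal IPv4 rules apply"
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "drop: malformed inner IPv6 header"
    if ipaddress.ip_address(packet[12:16]) != TUNNEL_PEER:
        return "drop: tunnel packet from unexpected peer"
    inner_src = ipaddress.ip_address(inner[8:24])
    inner_dst = ipaddress.ip_address(inner[24:40])
    if inner_src in SITE_PREFIX:
        return "drop: inner source claims to be inside the site"
    if inner_dst not in SITE_PREFIX:
        return "drop: inner destination outside the site prefix"
    return "inspect: pass inner packet to the IPv6 firewall rules"


def build_6in4(outer_src, inner_src, inner_dst, proto=IPPROTO_IPV6):
    """Build a minimal constructed sample packet (checksum left at zero)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # no payload, no next header
    inner += ipaddress.ip_address(inner_src).packed
    inner += ipaddress.ip_address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0)
    outer += ipaddress.ip_address(outer_src).packed
    outer += ipaddress.ip_address("198.51.100.7").packed  # constructed endpoint
    return outer + inner


if __name__ == "__main__":
    for peer in ("192.0.2.1", "203.0.113.9"):  # expected peer, then a stranger
        pkt = build_6in4(peer, "2001:db8:ffff::5", "2001:db8:100::10")
        print(peer, "->", inspect_6in4(pkt))
```

Even a packet that passes every check is only handed on to the IPv6 rule set; decapsulated traffic still needs the same filtering as native IPv6.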

There also will be the inevitable vulnerabilities discovered in IPv6 products. "Once we get past the teething phase [with IPv6] -- and that could take five to 10 years -- there are a lot of tools there to make IPv6 more secure than IPv4 is," Liu says. "I worry about that transition: the pain of having vendors discover bugs in their implementations [for instance]. It's going to be a nasty period."

IPv6's large IP address space also has security advantages such as rotating IP addresses, Liu says. "The downside is it introduces an enormous amount of complexity to routers and endpoints that need to process IPv6," he says, which may expose security holes and new bugs.

And there's also the potential for inadvertent confusion among routers with the ability to change IP addresses, Liu says. "With the ability to change the IPv6 address, the generated traffic may look like a DDoS attack to an IPv4 firewall," he says.

The popular practice of using Network Address Translation (NAT) to extend IP address domains and to protect private IP addresses could cause some problems if used in IPv6, experts say. IBM's Montecillo says NAT provides a certain amount of protection for internal IP addresses, for instance. "With IPv6, that may not be the case. It requires proper configuration to prevent systems from going directly onto the Internet," he says.

Since most networks will still run IPv4 as well, organizations will have to maintain the two parallel networks. Nathan Myers, product manager at F5 Networks, says his firm is working on simplifying the problem of managing two sets of IP addresses for the same application. "We're working on here in the next version is a way to stuff IPv4 into IPv6. Then you only have to maintain one record in the DNS system," Myers says.

Meanwhile, IBM's Montecillo says IPv6 presents organizations with the opportunity for the first time to build security into their infrastructure from the ground up: "It's a chance to re-architect with security at the forefront, with a secure architecture versus something built out of necessity," he says.

He says any security glitches with IPv6 aren't about the technology itself, but about how an organization uses the technology. "It depends on how you implement the technology. If organizations carefully plan and consider how to put things on the network with IPv6, they will benefit" from it, he says. That means mapping out what security controls should be in place for both IPv4 and IPv6 in the transition, he says.

And IPv4 won't be completely eradicated, anyway, because organizations can still use NAT to recycle their IP addresses, for instance, security experts say. "IPv4 will become more difficult to obtain and register publicly routed IP addresses, creating complexities," IBM's Montecillo says.

In the end, the adoption of IPv6 may be more about economic reasons than address-space exhaustion ones. "IPv4 is a finite resource. We're going to run out of IPv4 space, but that doesn't mean you can't get on. It just becomes more expensive to get on the network," Recursion's Kaminsky says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...