informa
/
Perimeter
News

IPv6 Arrives, But Not Everywhere

This week marked a major milestone as IPv6 went live on the Internet -- a look at some potential security hurdles for enterprises
Yesterday may have been the first official day of IPv6 operation on the Internet, but not everyone is ready yet to adopt the new protocol.

Only about 1 percent or so of the Internet is now running on IPv6 the day after the switch to the new protocol was flipped permanently. But that's actually a big jump, with 150 percent growth in IPv6 over the past year, according to Google, which estimates that half of all Internet users will be online via IPv6 in the next six years.

Gartner predicts that by 2015, 17 percent of users worldwide will use IPv6, and 28 percent of new Internet connections will be IPv6.

Vint Cerf, considered the father of the Internet, says he expects faster adoption rates now for IPv6, which has been in the making for more than two decades. "I anticipate rapid growth now that it is turned on and we left it on," says Cerf, who is chief Internet evangelist at Google.

"There are no more excuses. You have to be able to run IPv4 and IPv6 all the time, any time. For any ISP or edge provider or clients or servers, if you're not capable of running IPv6, you are on notice," Cerf said in an IPv6 Day postmortem press briefing that was conducted via an IPv6-connected WebEx. "You have to get going and get IPv6 running."

For most enterprises, IPv6 adoption is not a done deal yet if they already have plenty of IP addresses and aren't under any pressure to deploy it. And if it's not deployed properly, it can incur security risks -- another reason for taking it slowly, security experts today.

ISPs and network equipment providers, especially those in the consumer market, have led the charge to IPv6. Among the organizations that officially turned IPv6 "on" yesterday on IPv6 Day were Akamai, AT&T, Bing for Microsoft, Cisco, Comcast, Facebook, Google, Internode, and Yahoo.

So what should enterprises watch out for security-wise when making the switch? Failing to reconfigure or upgrade firewalls and perimeter defenses to support the new protocol is one big no-no, according to James Lyne, director of technology strategy at Sophos. He advises organizations to disable IPv6 altogether unless they are truly ready to go there so that attackers don't exploit devices that run IPv6 by default.

And there's also the inevitable discovery of new vulnerabilities in IPv6, as well as organizations misconfiguring their IPv6 systems and leaving the door open for vulnerabilities and attacks. One example of a dangerous misconfiguration is when setting up tunneling between IPv4 and IPv6: It’s possible to inadvertently allow external traffic to flow through the tunnel freely, for instance.

[ Google, Facebook, and Big Bird participate in first high-profile test flight of new IP protocol amid DDoS threat backdrop. See IPv6 Graduation Day. ]

There are some other gotchas that IPv6 pioneers are experiencing. Ryan Laus, network manager at Central Michigan University (CMU), is working on an IPv6 rollout at CMU that will officially launch this summer. Like many universities, the catalyst for going IPv6 has been the explosion in mobile devices joining the campus network. "The last three years, we have seen such a huge growth in wireless devices that it was starting to really stretch [our IP address] allocation to the breaking point," Laus says.

CMU already has IPv6 enabled on its edge routers, and is working on ensuring its infrastructure can handle IPv6 both on the router and firewall end. Its intrusion detection system (IDS) is also IPv6-capable. "We want to make sure we have visibility into the IPv6 network as we're building it out" for security and performance reasons, Laus says.

One big concern is preventing traffic from tunneling IPv6 traffic through the university's network. "The biggest thing is visibility," he says. "We need to see what people might and might not be using and make sure IPv6 is handled in hardware. We can see that with [Lancope] StealthWatch, and can classify traffic on the IPv6 tunnel."

Laus says some organizations actually block IPv4/IPv6 tunneling altogether, but that wouldn't work for CMU because many Asian countries use only IPv6, and the university needs to allow that traffic for research and operations reasons with users there. "[When] I feel confident that we have the security and monitoring things handled, [we will] roll out IPv6" fully, he says. For now, the internal network is hybrid IPv4/IPv6, and by the end of the summer CMU's website and external traffic will be IPv6-enabled.

The university has experienced a few security hiccups with IPv6, including an odd incident where a user's home Windows Vista laptop with the Internet Connection Sharing (ICS) feature enabled connected to the campus network via both the wired network and via wireless adapters. Internet Connection Sharing lets users share out their machines like a home router, and can answer DNS queries.

The machine's wired adapter had been registered on the campus network, but the wireless one was not. Because Windows Vista and Windows 7 by default select wireless over wired and IPv6 over IPv4, things got interesting.

"[Sharing] does funny things to DNS requests," he says. "It was sharing out its connection, and other machines on the same local network" with IPv6 enabled were directed to the laptop, which received their DNS requests, he says.

Because wireless takes precedence over wired in IPv6 here, the machine returned the DNS response provided by the wireless card, which was the URL for CMU's network device registration page. "Essentially, all wired machines on that local subnet with IPv6 enabled were only able to view the registration page, no matter what URL was typed into the browser. Machines with IPv6 disabled were not affected," Laus says.

But experts say security and other bumps like these come with the new territory. Chris Smithee, network security manager at Lancope, says it's hard to say whether IPv6 will bring more security overall to the Internet. It seems to be a toss-up: "From a high level, it does appear to be more secure in the way hosts communicate," Smithee says. "But there are not enough people trying to exploit it" right now to be sure, he says.

"I feel anytime you make an advancement with something, it is a little more secure," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5