Although IPv6 packets have started to flow, network engineers still tread lightly because of lingering security concerns. Here are the top six security risks in IPv6 network security today as voted by gogoNET members, a community of 95,000 network professionals.
* Lack of IPv6 security training/education. The No. 1 risk today is the lack of IPv6 security knowledge. Enterprises must invest time and money in IPv6 security training upfront, before deploying. The alternative is to risk compromise and then spend more time and more money on security later to plug the holes. Network security is more effective as part of the planning stage than as an afterthought to deployment. This is not an area to skimp on. According to Scott Hogg, IPv6 Security author and CTO of GTRI, “All security practitioners should learn about IPv6 now because all organizations have IPv6-capable and enabled operating systems in their environments. Failure to secure the IPv6 systems is like allowing a huge back-door to exist.”
* Security device bypass via unfiltered IPv6 and tunneled traffic. Only a lack of knowledge is considered a bigger risk than the security products themselves. Conceptually it’s simple: security products need to do two things, recognize suspicious IPv6 packets and apply controls when they do. In practice, however, this is hardly possible even in v4, let alone in an environment that may carry rogue or unknown tunnel traffic. “There are 16 different tunnels and transition methods – not to mention upper layer tunnels like: SSH, IPv4-IPSec, SSL/TLS and even DNS,” says Joe Klein, Cyber Security Subject Matter Expert for the IPv6 Forum and Expert Cyber Architect at SRA International. “The first step is knowing what you’re looking for.” The current crop of security products, especially those converted from v4 to v6, hasn’t necessarily matured enough to match the threats it is meant to protect against.
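As an added example of Klein’s “first step” (knowing what you’re looking for), the Python script below scans flow records for the on-the-wire indicators of the common IPv6-in-IPv4 transition methods: IP protocol 41 (6in4, 6to4, ISATAP), UDP/3544 (Teredo), and the 6to4, Teredo and ISATAP address shapes that reveal a tunneled endpoint even when the encapsulation itself is not visible. This is illustrative code written for this article, not a product from any vendor quoted here; the flow-record format, the sample flows and the indicator set are assumptions, and the upper-layer tunnels the article also mentions (SSH, TLS, DNS) are out of scope for this check.

```python
import ipaddress

# Constructed flow records (an assumption for this example; not data from the
# article). One flow per line: proto=<IP protocol number> src= dst= dport=.
SAMPLE_FLOWS = """\
proto=41 src=192.0.2.10 dst=198.51.100.5 dport=0
proto=17 src=192.0.2.11 dst=198.51.100.6 dport=3544
proto=6 src=192.0.2.12 dst=198.51.100.7 dport=443
proto=6 src=2002:c000:20a::1 dst=2001:db8::10 dport=80
proto=6 src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8::10 dport=80
proto=6 src=2001:db8::200:5efe:c000:20c dst=2001:db8::10 dport=22
proto=6 src=2001:db8::1 dst=2001:db8::10 dport=22
"""

PROTO_IPV6_IN_IPV4 = 41      # 6in4, 6to4 and ISATAP carry IPv6 directly inside IPv4
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544       # Teredo carries IPv6 inside UDP
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")


def parse_flow(line):
    """Turn one 'key=value ...' record into typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "proto": int(fields["proto"]),
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
    }


def is_isatap(addr):
    """ISATAP interface IDs are 0000:5efe or 0200:5efe followed by an IPv4 address."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 32) in (0x00005EFE, 0x02005EFE)


def classify(flow):
    """Return (tag, detail) pairs for every tunnel/transition indicator in a flow."""
    hits = []
    if flow["proto"] == PROTO_IPV6_IN_IPV4:
        hits.append(("proto41", "IPv6-in-IPv4 encapsulation (6in4/6to4/ISATAP)"))
    if flow["proto"] == PROTO_UDP and flow["dport"] == TEREDO_UDP_PORT:
        hits.append(("teredo-udp", "Teredo transport on UDP/3544"))
    for addr in (flow["src"], flow["dst"]):
        if addr.version != 6:
            continue
        if addr in SIX_TO_FOUR:
            # The 6to4 prefix embeds the IPv4 address of the 6to4 router/host.
            hits.append(("6to4-addr", f"{addr} embeds 6to4 IPv4 address {addr.sixtofour}"))
        elif addr in TEREDO_PREFIX:
            # ipaddress decodes the Teredo server and (obfuscated) client address.
            server, client = addr.teredo
            hits.append(("teredo-addr", f"{addr} -> Teredo server {server}, client {client}"))
        elif is_isatap(addr):
            embedded = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
            hits.append(("isatap-addr", f"{addr} embeds ISATAP host {embedded}"))
    return hits


def audit(text):
    """Flows that show tunnel or transition-technology indicators, in input order."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hits = classify(parse_flow(line))
        if hits:
            flagged.append((line, hits))
    return flagged


if __name__ == "__main__":
    for line, hits in audit(SAMPLE_FLOWS):
        print(line)
        for tag, detail in hits:
            print(f"    [{tag}] {detail}")
```

Feeding real flow exports into `audit()` only requires adapting `parse_flow()`; the address checks are the useful part, because a 6to4 or Teredo source on an IPv6-only sensor is the trace of a tunnel that the sensor never saw being built.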
* Lack of IPv6 support at ISPs and vendors. Thorough testing is critical until IPv6 security functionality and stability are on par with those of IPv4. A test network and a test plan for all protocols involved must be devised to test all equipment, especially new security tech from vendors. Every network is unique and requires a unique test plan; help can be found on Joe Klein’s and Scott Hogg’s blogs. Further complicating the issue is not having a native IPv6 connection from your provider. A tunnel terminating on your interface adds security complexity and provides an opening for man-in-the-middle and denial-of-service attacks. Demand native IPv6 from your upstream provider.
* Congruence of security policies in v4 & v6. Weak v6 security policies are a direct result of the current deficit in IPv6 security knowledge. Not only does the depth of the IPv6 security policies need to equal that of their IPv4 counterparts, but their breadth must be wider, to encompass new vulnerabilities that did not need to be considered in a homogeneous IPv4 environment.
* Bugs in new code. New code brings new bugs, and in this case they can be found in the code around NICs, TCP/UDP and networking software libraries that don’t fully support IPv6 yet. Technologies such as SIP, VoIP and virtualization can also be vulnerable. At best, bugs are an annoyance; at worst, they introduce new vulnerabilities into your network. The remedy, as before, is testing. A test network and a comprehensive test plan will expose defects well enough to isolate them, allow workarounds to be found, or shut down a deployment altogether until they are repaired.
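Two defects of the kind the article attributes to libraries and application code that do not fully support IPv6 yet, each beside its corrected form, as an added illustration (this is example code, not from the article): splitting a `host:port` string on the colon, which breaks on every IPv6 literal, and an access-control check that compares a client address against IPv4 networks without noticing that a dual-stack listener hands the application IPv4 clients in IPv4-mapped form (`::ffff:a.b.c.d`). The ACL, the sample addresses and the function names are assumptions for the example.

```python
import ipaddress

# Constructed inputs for this example (assumptions, not from the article).
ACL_V4_ONLY = [ipaddress.ip_network("192.0.2.0/24")]


def split_host_port_naive(addr):
    """Defect: IPv4-era code assumes exactly one colon; any IPv6 literal breaks it."""
    host, port = addr.split(":")
    return host, int(port)


def split_host_port(addr):
    """Accepts '[v6]:port', '[v6]', 'v4:port', 'host:port', and bare hosts."""
    if addr.startswith("["):
        end = addr.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = addr[1:end], addr[end + 1:]
        ipaddress.IPv6Address(host)            # reject garbage inside the brackets
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("junk after IPv6 literal")
        return host, int(rest[1:])
    if addr.count(":") > 1:
        # Unbracketed IPv6 literal: valid as a host, but it cannot carry a port.
        ipaddress.IPv6Address(addr)
        return addr, None
    if ":" in addr:
        host, port = addr.split(":")
        return host, int(port)
    return addr, None


def is_allowed_naive(client_ip, acl):
    """Defect: the IPv4-mapped address of an allowed IPv4 client never matches an
    IPv4 network (version mismatch returns False), so the check silently fails
    and operators are tempted to loosen the ACL instead of fixing the code."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl)


def normalize(client_ip):
    """Fold IPv4-mapped IPv6 addresses back to IPv4 before any policy decision."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(client_ip, acl):
    """Corrected check: normalise first, then compare within the same IP version."""
    ip = normalize(client_ip)
    return any(ip in net for net in acl if net.version == ip.version)


if __name__ == "__main__":
    print(split_host_port("[2001:db8::1]:443"))
    print(is_allowed_naive("::ffff:192.0.2.7", ACL_V4_ONLY), is_allowed("::ffff:192.0.2.7", ACL_V4_ONLY))
```

Both defects are exactly what a test plan with IPv6 literals and dual-stack listeners in its input set would surface before deployment rather than after.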
* Absence of NAT. The misconception that NAT provides security is so widespread that its absence in IPv6 is misinterpreted as a top security risk. It may be comforting to have NATs in v6 environments, but in reality they don’t provide any added security. The statefulness of the firewall provides the security, not the translation of network addresses.
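The policy-congruence point (depth equal to IPv4, breadth wider) and the NAT point (statefulness is what protects you) can both be checked mechanically. The Python audit below is an added example, not code from the article: it takes an IPv4 and an IPv6 rule set in a simple first-match representation, reports IPv4 rules with no IPv6 counterpart (depth), reports ICMPv6 message types that IPv6 needs and IPv4 never had but that a cloned “drop icmp” rule silently kills (breadth), and checks that each chain is default-deny with an established/related accept rule (statefulness, with no NAT involved). The rule format, the two sample policies and the required ICMPv6 set (taken from RFC 4890’s host-firewall guidance) are assumptions for the example.

```python
import ipaddress

# Constructed sample policies (an assumption for this example, not rules from the
# article). Each rule is a dict: "action" plus match keys; first match wins.
V4_RULES = [
    {"action": "accept", "proto": "tcp", "dport": 443},
    {"action": "accept", "proto": "tcp", "dport": 22, "src": "192.0.2.0/24"},
    {"action": "accept", "state": "established,related"},
    {"action": "accept", "proto": "icmp", "icmp_type": 8},
]
V4_DEFAULT = "drop"

# The IPv6 policy as a hurried clone of the IPv4 one: the SSH rule was forgotten
# and a blanket ICMP drop was carried over, although ICMPv6 carries ND and PMTUD.
V6_RULES = [
    {"action": "accept", "proto": "tcp", "dport": 443},
    {"action": "accept", "state": "established,related"},
    {"action": "drop", "proto": "icmpv6"},
]
V6_DEFAULT = "drop"

# ICMPv6 types a host firewall must not drop (set chosen from RFC 4890 guidance).
REQUIRED_ICMPV6 = {
    2: "Packet Too Big (path MTU discovery)",
    133: "Router Solicitation",
    134: "Router Advertisement",
    135: "Neighbor Solicitation",
    136: "Neighbor Advertisement",
}
# IPv4 ICMP types with direct ICMPv6 equivalents (echo request/reply).
ICMP_TYPE_MAP = {8: 128, 0: 129}


def matches(rule, pkt):
    """True if every match key in the rule is satisfied by the synthetic packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = pkt.get(key)
        if key == "state":
            if have not in want.split(","):
                return False
        elif key == "src":
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif have != want:
            return False
    return True


def evaluate(rules, default, pkt):
    """First-match evaluation, falling through to the chain's default action."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default


def to_v6(rule):
    """Translate an IPv4 rule into the shape its IPv6 counterpart should have."""
    r = dict(rule)
    if r.get("proto") == "icmp":
        r["proto"] = "icmpv6"
        if "icmp_type" in r:
            r["icmp_type"] = ICMP_TYPE_MAP.get(r["icmp_type"], r["icmp_type"])
    r.pop("src", None)  # an IPv4 prefix has no literal IPv6 twin; flagged in audit()
    return r


def audit(v4_rules, v4_default, v6_rules, v6_default):
    """Return (code, detail) findings; an empty list means the policies are congruent."""
    findings = []
    # 1. Depth: every IPv4 rule needs an IPv6 counterpart.
    v6_shapes = [{k: v for k, v in r.items() if k != "src"} for r in v6_rules]
    for rule in v4_rules:
        if to_v6(rule) not in v6_shapes:
            note = f" (v4 source {rule['src']}: pick the equivalent IPv6 prefix)" if "src" in rule else ""
            findings.append(("MISSING_V6", f"{rule}{note}"))
    # 2. Breadth: IPv6 needs rules IPv4 never had, e.g. ICMPv6 ND and PMTUD.
    for icmp_type, name in REQUIRED_ICMPV6.items():
        pkt = {"proto": "icmpv6", "icmp_type": icmp_type}
        if evaluate(v6_rules, v6_default, pkt) != "accept":
            findings.append(("ICMPV6_REQUIRED", f"type {icmp_type} {name} is not accepted"))
    # 3. Statefulness, not NAT, protects inbound: default-deny plus an
    #    established/related accept, checked the same way on both chains.
    for label, rules, default in (("v4", v4_rules, v4_default), ("v6", v6_rules, v6_default)):
        if default != "drop":
            findings.append(("DEFAULT_ACCEPT", f"{label} chain default is {default}"))
        if evaluate(rules, default, {"state": "established"}) != "accept":
            findings.append(("NOT_STATEFUL", f"{label} chain has no established/related accept"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(V4_RULES, V4_DEFAULT, V6_RULES, V6_DEFAULT):
        print(f"{code}: {detail}")
```

On the sample policies the audit reports the forgotten SSH rule and the missing echo-request rule, and one finding per required ICMPv6 type swallowed by the cloned drop rule; the statefulness checks pass for both chains, which is the whole of what NAT was believed to be adding.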
IPv6 security cannot be a simple clone of what’s in place for IPv4 – that kind of thinking is dangerous. Training must occur, policies must be extended and new tech must be introduced into networks to ward off new threats. The transition from a homogeneous v4 network and network of networks to a heterogeneous v4/v6 reality brings with it new types of traffic and equipment that must be taken into account.
Furthermore since v6 is relatively new and the market for it just beginning, IPv6 security products cannot be expected to be as robust. This makes for interesting and dangerous times between now and when the security around v6 matures and its operators have gained the same level of experience as they currently have with IPv4.
To dig deeper into IPv6 security listen to The IPv6 Show podcast, episodes 3 and 4 on iTunes or attend the gogoNET LIVE! IPv6 conference on Nov. 14, 2013 online or onsite in San Jose for the discussion panel, “Top 6 Security Risks in IPv6 Today.”
Sinclair has been a part of the IPv6 market since 2006 and is CEO of gogo6, a provider of IPv6 products, community and services. Original market insights for his blogs are gathered from the gogoNET social network, consisting of over 95,000 registered network professionals. Bruce hosts “The IPv6 Show” podcast on iTunes and writes an IPv6 Market Intelligence newsletter for networking vendors.