Demand building for IPv6 but where are the security products?

Cisco, Juniper and others still hammering out details of IPv6 security

The U.S. government wants civilian and defense agencies to adapt their networks by mid-2008 to support IPv6-based traffic, but the lack of security products to support this transition is causing problems.

The National Institute of Standards and Technology (NIST), the Gaithersburg, Md.-based agency that sets information technology standards, is circulating a draft report that sounds the alarm over the absence of IPv6-based commercial security products in the market, including firewalls, intrusion-detection/prevention systems (IDS/IPS), and other kinds of security gear.

IPv6 and security for feds

NIST wants federal government IPv6 technology for non-classified systems to:

Pass conformance tests.

Support IPSec v.3, IKEvx, HMAC-SHA-256 and the IPv6 Management Information Base specified in RFC4293, with routers supporting Forwarding Table and Tunnel MIBs.

Feature network protection devices that are "just as capable as their IPv4 counterparts."

Allow dual IPv4 and IPv6 stacks and handle all IPv4/IPv6 tunneling schemes.

Provide a configurable capability to detect suspicious traffic based on known attack patterns, malformed packet types and port scanning, and to detect threat patterns even when the packet contents are embedded within multiple headers.

Include IPv6-based intrusion-prevention systems that provide the means to stop or attenuate detected attacks.

Source: Draft of Special Publication 500-267, "A Profile for IPv6 in the U.S. Government — Version 1.0," published Jan. 31.

The NIST Special Publication 500-267, “A Profile for IPv6 in the U.S. Government – Version 1.0,” indicates NIST wants to take the lead in setting security requirements for IPv6 and to require conformance testing for IPv6-based infrastructure, such as routers and network security devices.

“Additional efforts are required to ‘raise the bar’ in these areas to ensure the safety of IPv6 deployments and in operational Federal IT systems,” NIST states.

The IPv6 protocol is over a decade old, and while applauded for benefits such as easier administration, tighter security and an enhanced addressing scheme over IPv4, experts say what’s lacking is the constellation of security gear that protects IPv4 networks.

There’s no way to know exactly how much IPv6-based networking there is in the world, but it’s fair to say it’s still new, says Jim Bound, chair of the North American IPv6 Task Force, a volunteer organization that promotes IPv6. The U.S. government is making the most visible effort on IPv6 to date, but “hasn’t spent a lot of money yet,” says Bound, who supports the idea of NIST evaluating IPv6 security and infrastructure gear if it can be done efficiently.

“Very few IDS/IPS vendors are supporting IPv6 natively,” says John Pearce, associate in the consulting firm Booz Allen Hamilton. The way products inspect traffic is superficial at best: they don’t look at actual payloads and fail to determine whether traffic has been encapsulated multiple times. Encapsulation involves tunneling IPv6 traffic inside IPv4, or vice versa, in order to carry data across mixed networks where IPv4 and IPv6 coexist. Most industry observers anticipate that so-called 4to6 and 6to4 networks will be a way of life for many years.
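As an added illustration of the inspection gap just described, and of the NIST requirement to detect threat patterns behind multiple headers, the following Python sketch walks nested IPv4/IPv6 headers inward until it reaches the transport layer. It is example code written for this page, not code from the article or from any vendor named in it; the sample packets are constructed inline with documentation addresses and zeroed checksums, and the `parse_packet` and `is_multiply_encapsulated` names are this example's own.

```python
"""Unwrap nested IPv4/IPv6 encapsulation to find the innermost transport header.

Added example, not from the article or any vendor: a minimal header walker
that records every IP layer (and IPv6 extension header) it passes through,
so inspection logic can see the real transport ports even when traffic has
been tunnelled several times (6in4, 4in6, or both).
"""
import struct

# IANA protocol / next-header numbers used below
IPV4_IN_IP = 4      # IPv4 encapsulated in IP (RFC 2003)
TCP = 6
UDP = 17
IPV6_IN_IP = 41     # IPv6 encapsulated in IPv4 (6in4 / 6to4 tunnels)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60  # IPv6 extension headers
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def parse_packet(data: bytes) -> dict:
    """Walk the packet from the outermost IP header inward.

    Returns the (layer, next-protocol) pairs seen, the number of IP layers
    (encapsulation depth), the innermost transport protocol number, and the
    transport ports when that protocol is TCP or UDP.  Raises ValueError on
    truncated or non-IP input so a caller can fail closed instead of guessing.
    """
    layers = []
    offset = 0
    depth = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated packet")
        version = data[offset] >> 4
        if version == 4:
            ihl = (data[offset] & 0x0F) * 4          # header length incl. options
            if ihl < 20 or len(data) - offset < ihl:
                raise ValueError("bad IPv4 header length")
            proto = data[offset + 9]                 # Protocol field
            layers.append(("IPv4", proto))
            offset += ihl
        elif version == 6:
            if len(data) - offset < 40:
                raise ValueError("truncated IPv6 header")
            proto = data[offset + 6]                 # Next Header field
            layers.append(("IPv6", proto))
            offset += 40
            # Skip extension headers; each carries its own next-header byte.
            while proto in EXT_HEADERS:
                if len(data) - offset < 8:
                    raise ValueError("truncated IPv6 extension header")
                next_hdr = data[offset]
                ext_len = 8 if proto == FRAGMENT else (data[offset + 1] + 1) * 8
                layers.append(("IPv6-ext", proto))
                proto = next_hdr
                offset += ext_len
        else:
            raise ValueError(f"not an IP packet (version nibble {version})")
        depth += 1
        if proto not in (IPV4_IN_IP, IPV6_IN_IP):
            break  # reached a non-IP protocol: the transport layer (or other)
    ports = None
    if proto in (TCP, UDP) and len(data) - offset >= 4:
        ports = struct.unpack("!HH", data[offset:offset + 4])
    return {"layers": layers, "depth": depth, "transport": proto, "ports": ports}


def is_multiply_encapsulated(data: bytes, max_depth: int = 1) -> bool:
    """True when the packet carries more IP layers than a plain host packet."""
    return parse_packet(data)["depth"] > max_depth


# --- constructed sample packets (documentation addresses, checksums left 0) ---
def ipv4_header(proto: int, payload_len: int) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def ipv6_header(next_hdr: int, payload_len: int) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64, src, dst)


TCP_SEG = struct.pack("!HH", 40000, 80) + bytes(16)     # 20-byte TCP header
UDP_DGRAM = struct.pack("!HHHH", 40001, 53, 8, 0)       # 8-byte UDP header
HOP_OPTS = bytes([IPV4_IN_IP, 0, 1, 4, 0, 0, 0, 0])     # hop-by-hop, next = IPv4

# 6in4: IPv4 carrying IPv6 carrying TCP
SIX_IN_FOUR = ipv4_header(IPV6_IN_IP, 40 + 20) + ipv6_header(TCP, 20) + TCP_SEG
# Double tunnel: IPv4 > IPv6 (+hop-by-hop) > IPv4 > UDP
DOUBLE = (ipv4_header(IPV6_IN_IP, 40 + 8 + 20 + 8)
          + ipv6_header(HOP_BY_HOP, 8 + 20 + 8) + HOP_OPTS
          + ipv4_header(UDP, 8) + UDP_DGRAM)

if __name__ == "__main__":
    for name, pkt in (("6in4", SIX_IN_FOUR), ("double", DOUBLE)):
        print(name, parse_packet(pkt),
              "multiply encapsulated:", is_multiply_encapsulated(pkt))
```

A product that stops at the outer IPv4 header sees only protocol 41 and no ports; a walker like this one reports the real transport ports and the depth of nesting, which is the signal a rule set needs before it can be applied to tunnelled traffic. Truncated input raises rather than returning a partial result.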

While Cisco has supported IPv6 in its routers for several years, the industry giant says it still has work to do to adapt its IDS/IPS, firewall and its Unified Communications, including VoIP, for IPv6.

“We have a basic architecture for the transition, and we are running that by our customers,” says Jonathan Gohstand, director of product marketing at Cisco. “We are trying to figure out what customers want to implement.”

One of the main challenges is that the protocol offers so many options for tunneling and addressing that building all of them into security products, without clear demand from customers, is hard to justify, Gohstand notes.

Juniper, which also supports IPv6 in its routers, recently had its router certified for use by the Department of Defense product-evaluation lab, the Joint Interoperability Test Command in Fort Huachuca, Ariz.

But IPv6 security is still more of a work in progress.

Juniper expects to make its VPN/firewall “fully-featured with a rule set for IPv6 by the end of the year,” says Tim LeMaster, director of systems engineering at Juniper’s federal division.

Right now Juniper firewalls can recognize IPv6 traffic but not apply a rule set to it. At present, the Juniper IPS, which is integrated into its firewall, is limited to IPv4 traffic.

Meanwhile Check Point says it has an IPv6-capable version of its Firewall-1, developed mainly on behalf of Asian telecommunications providers. “We can take apart traffic that’s encapsulated and look at it, and apply rules,” says Bill Jensen, Check Point’s marketing manager. “We’re going to further develop this based on what we’ve learned.”

“The NIST draft document, along with the JITC, is giving us some idea of what to use as a baseline,” says LeMaster. “We need to know what we should be implementing.”

“There is a kind of Catch-22 in the market today,” says Dave Arbeitel, chief technology officer at Lumeta, whose IPSonar product scans IPv4-based networks for network discovery and device fingerprinting. IPv6 support will be added sometime next year. “Customers aren’t defining what they want to do so it makes it hard for vendors to know what to do.”

Some security vendors say their products don’t support IPv6, nor do they have specific plans to do so. One is Qualys, which makes the QualysGuard vulnerability-assessment scanning tool and service.

“IPv6 hasn’t been adopted yet by customers,” says Amol Sarwate, manager of vulnerability research at Qualys. He says Qualys would have to completely redesign its scanner for IPv6 and there are no plans to do so.

Although there are few commercially licensed IPv6 vulnerability-assessment tools, some say the hacker community has already been laboring to come up with its own means to crack IPv6-based networks.

Internet Security Systems, which can monitor IPv6 in its network-based intrusion-detection systems, has published a paper entitled “The Security Implications of IPv6.”

The paper’s author, senior researcher Michael Warfield, points out, “The Internet underground maintains IPv6 IRC sites and servers, IPv6 Web sites and IPv6 FTP sites, indicating that elite hackers and crackers have been on top of IPv6 for some time. Several IPv6-based hacker tools are known to be available, such as relay6, 6tunnel, nt6tunnel, asybo and 6to4DDos.”

Some of these tools are legitimate freeware misused for attack purposes. But 6to4DDos is a distributed denial-of-service attack tool designed to attack IPv6 sites and to attack IPv4 by using 6to4 tunneling, Warfield notes.

IPv6 back doors and Trojan horse programs are starting to surface, though network administrators today largely discount an IPv6 attack possibility because they think their networks are all IPv4. But that could be a mistake, Warfield emphasizes.

Microsoft’s increasing support for IPv6 means enterprises are likely to become more IPv6-capable whether they realize it or not. Microsoft Vista has IPv6 turned on by default, and IPv6 will be a big part of Microsoft’s next server release, code-named Longhorn.
