Network World
Saturday, August 30, 2008
IPv6 more secure? Forget it...

So you heard as well that IPv6 is going to make the Internet more secure? Well, think again... In my opinion IPv6 is going to add a lot of complexity to our networks, and generally security goes DOWN when complexity increases.

Let me expand on this a bit. First of all, IPv6 doesn't change anything fundamental for security. IPv6 follows exactly the same paradigms as IPv4; for example, you still won't be able to trust the source address. IPsec was meant to be a differentiator, but by now IPsec is equally deployed for IPv4. Equally? Actually, much more than for IPv6.

This means that whatever you did for IPv4 security so far, you will have to replicate for IPv6. Note: Replicate - Not replace! Or do you think you can get rid of IPv4? Dream on - At best (although you may argue whether this is really "best") you can run "dual stack", i.e. both protocols in parallel.

Then you will need:
- Packetfilters for IPv4 *and* IPv6
- Firewalling for IPv4 *and* IPv6
- IDS for IPv4 *and* IPv6
- Host security for IPv4 *and* IPv6
- ... (you get the idea).

Ever complained about the length of a firewall config? Well, you'll have to practically double that with IPv6. Or the performance of your IDS system? Well, with IPv6 it'll have to do twice the analysis - it's going to be slower, of course!

On top of that, you'll have to take care of various "transition mechanisms". I put this term in quotes, because in my opinion I won't live to see the "end" of the IPv4 Internet. So what is commonly called "transition" will be more like a permanent fixture in the Internet. There are lots of different ways to go from v4 to v6 and vice versa, including all sorts of fun tunneling mechanisms. Tunneling is a great way to bypass security, as we all know. And you'll have to control *all* of the potential transition mechanisms to be secure. Forget one and you have a hole.

So in summary: You'll have to completely duplicate all security mechanisms you have in place for IPv4 also for IPv6. Completely. Are you ever sure you haven't forgotten something for IPv4? Well, your chances of making a mistake have now at least doubled. I would argue it's actually worse, given the transition mechanisms.
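The two failure modes described above (an IPv4 rule with no IPv6 twin, and a transition mechanism nobody wrote a rule for) can be checked mechanically. The following audit is an added example, not code from the article; it uses a simplified, hypothetical rule format rather than any real firewall syntax, and the sample policy is constructed.

```python
"""Audit a dual-stack packet-filter policy for two gaps: IPv4 rules with no
IPv6 counterpart, and IPv4-carried transition traffic that no rule addresses.
The rule format is a hypothetical, simplified one (not a real firewall syntax)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    family: str            # "ip4" or "ip6"
    action: str            # "accept" or "drop"
    proto: str             # "tcp", "udp", "icmp", "icmpv6", "41", ...
    dport: Optional[int]   # destination port, or None for port-less protocols
    desc: str

# Transition traffic rides on IPv4: 6in4/6to4/ISATAP use IP protocol 41,
# Teredo encapsulates IPv6 in UDP on port 3544. Each needs an explicit rule.
TRANSITION_TRAFFIC = {
    ("41", None): "6in4/6to4/ISATAP (IP protocol 41)",
    ("udp", 3544): "Teredo (UDP/3544)",
}
# A straight copy of the IPv4 rule is not always the right twin: ICMP becomes ICMPv6.
PROTO_TWIN = {"icmp": "icmpv6"}

def missing_ipv6_twins(rules):
    """IPv4 rules whose (action, proto, port) has no IPv6 equivalent; tunnel rules are exempt."""
    v6 = {(r.action, r.proto, r.dport) for r in rules if r.family == "ip6"}
    return [r for r in rules
            if r.family == "ip4"
            and (r.proto, r.dport) not in TRANSITION_TRAFFIC
            and (r.action, PROTO_TWIN.get(r.proto, r.proto), r.dport) not in v6]

def unhandled_transition_traffic(rules):
    """Transition mechanisms that no IPv4 rule explicitly accepts or drops."""
    seen = {(r.proto, r.dport) for r in rules if r.family == "ip4"}
    return [name for key, name in TRANSITION_TRAFFIC.items() if key not in seen]

SAMPLE_RULES = [  # constructed policy for demonstration
    Rule("ip4", "accept", "tcp", 443, "web frontends"),
    Rule("ip6", "accept", "tcp", 443, "web frontends"),
    Rule("ip4", "accept", "icmp", None, "ping"),
    Rule("ip6", "accept", "icmpv6", None, "ping"),
    Rule("ip4", "accept", "tcp", 22, "admin ssh"),       # forgotten for IPv6
    Rule("ip4", "drop", "udp", 3544, "Teredo tunnels"),  # handled; protocol 41 is not
]

def audit(rules=SAMPLE_RULES):
    """Return both kinds of gap as lists of human-readable findings."""
    return {"missing_ipv6_twins": [r.desc for r in missing_ipv6_twins(rules)],
            "unhandled_transition_traffic": unhandled_transition_traffic(rules)}

if __name__ == "__main__":
    for finding, items in audit().items():
        print(finding, items)
```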

Looks like IPv6 may come at some point. Probably we'll have no choice. And we'll manage, of course we'll manage. But easy it's not going to be. And more secure? No way, quite the opposite if we're not VERY VERY careful...

Rethink, not copy/paste


> This means, that whatever you did
> for IPv4 security so far, you will
> have to replicate for IPv6.

While many of the issues touched on in this article are accurate, this is not good advice for enterprises, as IPv6 is not Y2K. The adoption of IPv6 is an opportunity to rethink how security is done and build new, holistic solutions. Simple copy-paste exercises will probably do more harm than good because the security models that many networks were designed for have changed. The simple "perimeter defense" of the 1990s is holding less and less water as we step into the future.

Rethink security with ipv6


By adopting IPv6 you can rethink your networking structure:
- more appropriate subnetting
- proper policy enforcement

Your statements are strange:
- host intrusion detection for IPv6? Even for IPv4? I think HIDS has nothing to do with networking.....

Totally off the mark


One of the great things about IPv6 is lowered complexity. Unless you are referring to a lack of understanding, which makes anything seem complex ;)
Imagine all the broadcasts and fractured subnets that pollute and drastically affect BGP routing tables worldwide being reduced by many factors. Imagine a Telco that's announcing 20 class Bs now only announcing one summary IPv6 route.
I won't even get into the packet improvements for security. Will there be security concerns? Of course, but compared to IPv4, it makes IPv4 look like a nightmare. There are many options for Telcos and providers on turning it up. Only the foolish will push tunneling concerns down to the end customer.
