Skip Links

Can Your Security Policy Handle IPv6?

The transition to IPv6 has finally become a reality. Is your security policy ready?

By Chris Jackson on Tue, 03/15/11 - 5:00pm.

The move to IPV6 got a shot in the arm with the February 3rd announcement that the last five /8 blocks of addresses were allocated by IANA, signaling that unallocated IPv4 addresses are now completely gone from the global pool. While this has NOT caused mass hysteria or prevented anyone from accessing World of Warcraft (a comforting thought to WoW junkies everywhere), it should be a wakeup call for businesses to start planning for the ultimate transition to IPv6.

IPv4 gave us roughly 4.3 billion IP addresses which considering the population of Earth, should have run out much sooner than now. Through the use of Network Address Translation we have managed to greatly extend the usefulness of that relatively small address space, but it wasn't a fix.  With the explosion of mobile devices it won't be long before you will need an IP address for your underwear, which means that a more robust addressing structure is required. Enter from stage right, IPv6.  There has been much written about the number of addresses that IPv6 gives us, with creative analogy after analogy of just how flippin' enormous this address space is. 340 undecillion (yes, this is actually a unit of measure) addresses is definitely enough to ensure that we never run out of addresses again!      

So it seems that if we move to v6 we get more addresses than we know what to do with signaling a new world harmony where even Democrats and Republicans start to work together. Problem solved, right? Not so fast says the paranoid security dude in the corner! What are the ramifications of IPv6 to security policy? Plenty. There are a ton of factors that businesses will have to wrestle with in order to make the switch, the most important of which is how do they continue services without killing access or opening the doors to vulnerabilities from another protocol. No one will need to make the switch overnight, but keeping a cool head and a solid plan can dramatically ease the process and ensure that you don't shoot yourself in the foot.

From a security prospective some of the top concerns are:

IPv6 firewall policy: Congratulations, Your firewall policy just doubled in size overnight. During the transition you will more than likely have to operate dual stacks of IPv4 and IPv6. While most of the upper layer protocols riding across both versions of IP still operate in a similar manner, device addressing structure and ICMP is different. This means you have to create rules for both protocols. Twice the work and twice the opportunity for errors to creep into your security policy.

Tunneling IPv6 in IPv4: Tunneling is typically the first step in migration. Many service providers are already doing this today, creating an alternative connection mechanism that could open your organization to attack from the outside if not properly controlled. Think of these tunnels like a vpn, it should be blocked unless you are using it and controlling the tunnel destination.

Hardware support: You know that ancient router sitting in the closet that was installed when you were still in diapers? It probably does not support IPv6. In fact many older devices in your network may not have hardware support for accelerated IPv6 packet handling. While it may be possible to enable it in software, the performance hit might make it unusable on your multi-gigabit network. Start identifying legacy equipment now so that you can plan your migration strategy accordingly. Everything from NIC cards with network offloading, to switches, routers, firewalls, and other appliances should be assessed for IPv6 support.

Network Address Translation: I don't have any statistics on this one, but I would bet that you would be hard pressed to find any organizations that are not doing NAT somewhere in the network. With 340 trillion groups of a trillion addresses, IPv6 makes NAT seem as archaic as 14th century plumbing. Every device will have a globally routable ip address, with policy handled at the firewall. While not preforming NAT may sound like heresy to security people, its value is really questionably in an IPv6 world. Typical network scanning tools like NMAP have no ability to scan an IPv6 subnet because of the sheer number of potential addresses. Network reconnaissance attacks will focus on DNS to find hosts to target. NAT will be used to translate between IPv4 and IPv6 during the migration, but after that its days are numbered. 

What are your plans for IPv6? Wait and see or starting the migration planning process now? Hit the comments down below and share your thoughts.

 

 

Blog Roll
Cisco Security Community
http://www.cisco.com/go/securitychannels
Cisco Collaboration Community
http://www.cisco.com/go/collaborationchannels