
Demand building for IPv6 but where are the security products?

Cisco, Juniper and others still hammering out details of IPv6 security

By , Network World
March 01, 2007 05:32 PM ET

Network World - The U.S. government wants civilian and defense agencies to adapt their networks by mid-2008 to support IPv6-based traffic, but the lack of security products to support this transition is causing problems.

The National Institute of Standards and Technology (NIST), the Gaithersburg, Md.-based agency that sets information technology standards, is circulating a draft report that sounds the alarm over the absence of IPv6-based commercial security products in the market, including firewalls, intrusion-detection/prevention systems (IDS/IPS), and other kinds of security gear.

IPv6 and security for feds
NIST wants federal government IPv6 technology for non-classified systems to:

Pass conformance tests.

Support IPSec v.3, IKEvx, HMAC-SHA-256 and the IPv6 Management Information Base specified in RFC4293, with routers supporting Forwarding Table and Tunnel MIBs.

Feature network protection devices that are "just as capable as their IPv4 counterparts."

Allow dual IPv4 and IPv6 stacks and handle all IPv4/IPv6 tunneling schemes.

Provide a configurable capability to detect suspicious traffic based on known attack patterns, detect malformed packet types and port scanning, and detect threat patterns even when packet contents are embedded within multiple headers.

Include IPv6-based intrusion-prevention systems that provide the means to stop or attenuate detected attacks.

Source: Draft of Special Publications 500-267 "A Profile for IPv6 in the U.S. Government — Version 1.0," published Jan. 31.


The NIST Special Publication 500-267, “A Profile for IPv6 in the U.S. Government – Version 1.0” indicates NIST wants to take the lead in setting security requirements for IPv6 and require conformance testing for IPv6-based infrastructure, such as routers, and security network devices.

“Additional efforts are required to ‘raise the bar’ in these areas to ensure the safety of IPv6 deployments and in operational Federal IT systems,” NIST states.

The IPv6 protocol is over a decade old, and while applauded for benefits such as easier administration, tighter security and an enhanced addressing scheme over IPv4, experts say what’s lacking is the constellation of security gear that protects IPv4 networks.

There’s no way to know exactly how much IPv6-based networking there is in the world, but it’s fair to say it’s still new, says Jim Bound, chair of the North American IPv6 Task Force, a volunteer organization that promotes IPv6. The U.S. government is making the most visible effort on IPv6 to date, but “hasn’t spent a lot of money yet,” says Bound, who supports the idea of NIST evaluating IPv6 security and infrastructure gear if it can be done efficiently.

“Very few IDS/IPS vendors are supporting IPv6 natively,” says John Pearce, associate in the consulting firm Booz Allen Hamilton. The way products inspect traffic is superficial at best because they don’t look at actual payloads and fail to determine whether traffic has been encapsulated multiple times. Encapsulation involves tunneling IPv6 traffic inside IPv4, or vice versa, in order to transfer data across mixed IPv4 and IPv6 networks. Most industry observers anticipate so-called 4to6 and 6to4 networks will become a way of life for many years.
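As an added illustration of the inspection gap Pearce describes (this is example code, not from the article or from NIST's profile), the Python below walks IPv4 and IPv6 headers, IPv6 extension headers and nested IP-in-IP tunnels, reports how deeply a packet is encapsulated and which transport protocol it finally carries, and rejects truncated headers or an inner header whose version does not match what the outer header claimed. The sample packets, addresses and the "one tunnel layer" policy are constructed for the example.

```python
import struct

# IANA protocol numbers used in the walk. AH (51) and ESP (50) are deliberately not parsed.
IPV4_IN_IP, IPV6_IN_IP = 4, 41      # IPv4-in-IP and IPv6-in-IP (6in4 / 6to4) tunnel payloads
EXT_HEADERS = {0: None, 43: None, 60: None, 44: 8}  # hop-by-hop/routing/dst-opts (variable), fragment (8 bytes)

def walk_headers(pkt):
    """Return (tunnel_depth, transport_protocol, payload_offset), or None if malformed."""
    depth, off, version = 0, 0, (pkt[0] >> 4 if pkt else 0)
    while True:
        if off >= len(pkt) or pkt[off] >> 4 != version:   # truncated, or inner header is not the claimed version
            return None
        if version == 4:
            ihl = (pkt[off] & 0x0F) * 4
            if ihl < 20 or off + ihl > len(pkt):
                return None
            nxt, off = pkt[off + 9], off + ihl
        elif version == 6:
            if off + 40 > len(pkt):
                return None
            nxt, off = pkt[off + 6], off + 40
            while nxt in EXT_HEADERS:                     # skip the extension-header chain
                if off + 8 > len(pkt):
                    return None
                size = EXT_HEADERS[nxt] or (pkt[off + 1] + 1) * 8
                nxt, off = pkt[off], off + size
        else:
            return None
        if nxt in (IPV4_IN_IP, IPV6_IN_IP):               # another IP header follows: one more tunnel layer
            depth, version = depth + 1, 4 if nxt == IPV4_IN_IP else 6
        else:
            return (depth, nxt, off) if off <= len(pkt) else None

def inspect(pkt, max_depth=1):
    """Constructed policy: flag malformed packets and tunnels nested deeper than max_depth."""
    result = walk_headers(pkt)
    if result is None:
        return "malformed"
    return f"tunnel depth {result[0]} exceeds {max_depth}" if result[0] > max_depth else f"ok proto={result[1]}"

# Constructed sample packets: documentation-range addresses, checksums left zero.
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload
def ipv6(nxt, payload):
    src, dst = b"\x20\x01\x0d\xb8" + b"\0" * 12, b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\x01"
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64, src, dst) + payload
SIX_TO_FOUR = ipv4(41, ipv6(60, bytes([6, 0]) + b"\0" * 6 + b"\0" * 20))  # IPv4 > IPv6 > DstOpts > TCP
DOUBLE = ipv4(41, ipv6(4, ipv4(17, b"\0" * 8)))                           # IPv4 > IPv6 > IPv4 > UDP
BAD = ipv4(41, ipv4(6, b"\0" * 20))                                       # claims IPv6 inside, carries IPv4
```

A filter that stops at the outer header sees only "protocol 41" for all three packets; the walk distinguishes a legitimate 6to4 flow from a double tunnel and from a header that lies about its payload.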
