Demand building for IPv6 but where are the security products?
Cisco, Juniper and others still hammering out details of IPv6 security
By Ellen Messmer, Network World, 03/01/2007
The U.S. government wants civilian and defense agencies to adapt their networks by mid-2008 to support IPv6-based traffic,
but the lack of security products to support this transition is causing problems.
The National Institute of Standards and Technology (NIST), the Gaithersburg, Md.-based agency that sets information technology
standards, is circulating a draft report that sounds the alarm over the absence of IPv6-based commercial security products
in the market, including firewalls, intrusion-detection/prevention systems (IDS/IPS), and other kinds of security gear.
NIST Special Publication 500-267, “A Profile for IPv6 in the U.S. Government – Version 1.0,” indicates that NIST wants to take
the lead in setting security requirements for IPv6 and to require conformance testing for IPv6-based infrastructure, such as
routers, and for network security devices.
“Additional efforts are required to ‘raise the bar’ in these areas to ensure the safety of IPv6 deployments and in operational
Federal IT systems,” NIST states.
The IPv6 protocol is over a decade old, and while applauded for benefits such as easier administration, tighter security and
an enhanced addressing scheme over IPv4, experts say what’s lacking is the constellation of security gear that protects IPv4
networks.
There’s no way to know exactly how much IPv6-based networking there is in the world, but it’s fair to say it’s still new,
says Jim Bound, chair of the North American IPv6 Task Force, a volunteer organization that promotes IPv6. The U.S. government
is making the most visible effort on IPv6 to date, but “hasn’t spent a lot of money yet,” says Bound, who supports the idea
of NIST evaluating IPv6 security and infrastructure gear if it can be done efficiently.
“Very few IDS/IPS vendors are supporting IPv6 natively,” says John Pearce, associate in the consulting firm Booz Allen Hamilton.
The way products inspect traffic is superficial at best because they don’t look at actual payloads and fail to determine whether
traffic has been encapsulated multiple times. Encapsulation involves tunneling IPv6 traffic inside IPv4, or vice versa, in
order to transfer data across mixed networks where IPv4 and IPv6 coexist. Most industry observers anticipate that so-called
4to6 and 6to4 networks will be a way of life for many years.
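An added illustration of the multiple-encapsulation check described above (not code from the article or from any vendor): it walks nested IPv4 and IPv6 headers, following IP protocol numbers 41 (IPv6 as payload) and 4 (IPv4 as payload), and reports how many IP layers a packet carries. The function names and sample packets are constructed for this example, and the input is assumed to be raw bytes starting at the outer IP header.

```python
import struct

IPPROTO_IPIP, IPPROTO_IPV6 = 4, 41   # protocol numbers for IPv4 / IPv6 as payload
EXT_HEADERS = {0, 43, 60}            # IPv6 hop-by-hop, routing, destination options

def tunnel_layers(packet: bytes, max_depth: int = 8) -> list:
    """Walk nested IP headers; return the IP versions seen, outermost first."""
    layers, data = [], packet
    while len(layers) < max_depth:
        version = data[0] >> 4 if data else 0
        if version == 4 and len(data) >= 20:
            ihl = (data[0] & 0x0F) * 4
            if ihl < 20 or len(data) < ihl:
                break                              # malformed header length
            layers.append("IPv4")
            proto = data[9]
            if struct.unpack("!H", data[6:8])[0] & 0x1FFF:
                break                              # later fragment: no inner header here
            data = data[ihl:]
        elif version == 6 and len(data) >= 40:
            layers.append("IPv6")
            proto, data = data[6], data[40:]
            while proto in EXT_HEADERS and len(data) >= 8:
                proto, data = data[0], data[(data[1] + 1) * 8:]
        else:
            break
        if proto not in (IPPROTO_IPIP, IPPROTO_IPV6):
            break                                  # reached a non-IP payload (TCP, UDP, ...)
    return layers

def is_multiply_encapsulated(packet: bytes) -> bool:
    """True when more than one tunnel layer wraps the innermost IP packet."""
    return len(tunnel_layers(packet)) > 2

# --- constructed sample packets (documentation addresses, checksums left at 0) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def ipv6(next_header: int, payload: bytes) -> bytes:
    addr = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       addr, addr) + payload

TCP_STUB = bytes(20)                                   # placeholder TCP segment
SINGLE = ipv4(41, ipv6(6, TCP_STUB))                   # IPv6-in-IPv4
DOUBLE = ipv6(4, ipv4(41, ipv6(6, TCP_STUB)))          # IPv6-in-IPv4-in-IPv6
DEST_OPTS = bytes([4, 0, 1, 4, 0, 0, 0, 0])            # dest-options header, next=IPv4
HIDDEN = ipv6(60, DEST_OPTS + ipv4(41, ipv6(6, TCP_STUB)))
```

The `HIDDEN` sample places an IPv6 extension header in front of the inner tunnel, a case that an inspector reading only the first next-header value would miss. UDP-based and GRE tunnels are outside what this sketch follows.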
Comments (1)
Lack of IPv6 security products indicates core problem with the protocol
By Anonymous on March 16, 2007, 12:22 pm
Maybe 'constellation of security products that protects the IPv4 networks' should be an indicator of the problem. If it takes such a constellation to secure a...