Five of the biggest IPv6-based threats facing CIOs

Rogue traffic, tunnels worth watching for
By Carolyn Duffy Marsan, Network World
July 13, 2009 12:04 AM ET

The IETF has identified many security threats related to IPv6, the long-anticipated upgrade to the Internet's main communications protocol.

Security concerns around IPv6 deployment are real, although the number of IPv6-based attacks remains small.

"Obviously, as the protocol gets adopted, we're going to see more attacks," says Greg Brown, senior director of McAfee's Network Defense business unit. "Because IPv6 is not broadly deployed, we haven't seen a lot of attacks."

Nonetheless, the number of IPv6-based attacks is on the rise, experts say.

"We're not seeing denial-of-service attacks on IPv6 because most of the targets that people want to attack aren't IPv6," says Jason Schiller, senior Internet network engineer, Global IP Network Engineering for the Public IP Network at Verizon Business. But Schiller says he is seeing "quite a bit" of botnet command and control traffic using IPv6.

Schiller says most IPv6 security risks come from bugs in the code, protocol weaknesses and poor implementation by vendors. He says these risks are the result of the network industry not having as much familiarity with IPv6 as it does with IPv4, which has been around for 30 years.

"You turn on IPv6 and don't realize that your firewall doesn't process IPv6 traffic. It just passes it blindly through. Or you forget to set up filters," Schiller explains. "People have to consciously go in and take all the security infrastructure that's been created in IPv4 and mirror image it in IPv6."

Here's a list of the most common IPv6 threats that network vendors are hearing about from their enterprise customers:

1. Rogue IPv6 traffic

Organizations that aren't running IPv6 and don't plan to run it anytime soon should use their firewalls to block IPv6 traffic from coming into and going out of their networks. Most experts say this should be a temporary measure because an increasing amount of Internet traffic is IPv6-based, and organizations don't want to limit access to customers or business partners around the world that will be using IPv6. "What customers need to do within their intrusion-prevention systems or within their firewalls is to explicitly look for IPv6 traffic and drop it," says Tim LeMaster, director of systems engineering for Juniper's Federal group.

2. IPv6 tunnels

Three types of IPv6 tunnels -- Teredo, 6to4 and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) -- allow IPv6 packets to be encapsulated inside IPv4 packets that can be sent through IPv4-enabled firewalls or network address translation devices. To a network manager, tunneled IPv6 packets look like normal IPv4 traffic. That's why network managers need deep packet inspection systems that can peer into tunnels to examine what's inside of them. Brown says you need to have firewalls and intrusion-prevention systems that "support IPv6 but they also need to support full inspection for the tunneling mode." Brown says he's seen "traditional IPv4 attacks" that take advantage of IPv6 tunneling to enter networks where tunneling traffic wasn't being inspected.
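
An added example, not part of the original article: a first-pass classifier that spots the three tunnel types named above in raw IPv4 packet bytes, so unexpected tunnels can be flagged for inspection or blocking. It relies on facts the article does not state (6to4 and ISATAP use IP protocol 41; Teredo servers use UDP port 3544); the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_41 = 17, 41      # 41 = IPv6-in-IPv4, used by 6to4 and ISATAP
TEREDO_PORT = 3544                # Teredo server UDP port (port match is a heuristic)
NET_6TO4 = ipaddress.ip_network("2002::/16")
ISATAP_IDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # interface-ID prefix

def classify_tunnel(pkt: bytes):
    """Classify a raw IPv4 packet: 'teredo', '6to4', 'isatap', 'proto41-other' or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto, payload = pkt[9], pkt[ihl:]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto == PROTO_UDP:
        if frag_offset or len(payload) < 8:   # only the first fragment has UDP ports
            return None
        sport, dport = struct.unpack("!HH", payload[:4])
        return "teredo" if TEREDO_PORT in (sport, dport) else None
    if proto != PROTO_41:
        return None
    if frag_offset or len(payload) < 40 or payload[0] >> 4 != 6:
        return "proto41-other"    # inner header unreadable; still worth flagging
    src, dst = payload[8:24], payload[24:40]
    if any(ipaddress.IPv6Address(a) in NET_6TO4 for a in (src, dst)):
        return "6to4"
    if any(a[8:12] in ISATAP_IDS for a in (src, dst)):
        return "isatap"
    return "proto41-other"

# Constructed sample-packet builders (no IPv4 options, checksum left at 0).
def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.20"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def build_ipv6(src, dst):
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

SAMPLES = {  # constructed packets, documentation address ranges
    "6to4": build_ipv4(41, build_ipv6("2002:c000:20a::1", "2001:db8::1")),
    "isatap": build_ipv4(41, build_ipv6("fe80::5efe:c000:20a", "fe80::5efe:c633:6414")),
    "teredo": build_ipv4(17, struct.pack("!HHHH", 51000, 3544, 48, 0)
                         + build_ipv6("2001:0:c000:20a::1", "2001:db8::1")),
    "dns": build_ipv4(17, struct.pack("!HHHH", 51000, 53, 8, 0)),
}
```

Teredo traffic between clients and relays can use other UDP ports, so a port match catches server contact only; full coverage needs the inspection of tunneled payloads the article describes.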

Comments (4)
RH0 attacks are happening, RIGHT NOW
By Jeremy Duncan on July 13, 2009, 1:38 am
"We haven't seen this yet" Nice try.. Mr. Brown, you might want to do some better research on this. I personally have this happening..

Ditto on the RH0 attacks happening
By Anonymous on July 13, 2009, 8:11 pm
Same here. I'm even seeing attempts to bring in RH0 packets into a hybrid network encapsulated inside IPv4 as part of a trojan router scheme.

3. Rogue IPv6 devices
By Anonymous on July 14, 2009, 4:01 pm
Why does it matter if someone intercepts IPv6 communications? If it is on a network where an IPv6 stack is running by default, there won't be any meaningful data...

RH0 is mostly disabled on OSes
By Derek Morr on July 31, 2009, 5:58 pm
The majority of operating systems block RH0 now. Unless you're behind on patching, why is this a problem?