IPv6 taking on national-security implications

Network security products still lack IPv6 support, which makes June 2008 deadline tough

While the vast majority of networks today are based on the IPv4 protocol, the U.S. government is mandating that defense and civilian agencies are ready to accept IPv6-based traffic as well by June 2008. Those guiding the effort know the transition won’t be easy, especially given the lack of IPv6-based security products.

By this summer, says Frankel, NIST will issue for public comment a document titled “Secure Transition to IPv6.” The NIST document would be intended to offer guidance to agencies about making the transition into what will be a new world where IPv4 and IPv6 must coexist. It will be a world of dual-stack protocols, IPv4-to-IPv6 and IPv6-to-IPv4 tunneling. “For the civilian agencies, we have to express this coexistence,” Frankel says. “Each carries a burden in terms of processing and security, and there are pros and cons of each approach.”

It hasn’t been determined whether it will be mandatory for vendors to pass IPv6-related conformance tests in order to sell to the federal agencies, or whether agencies would have to adhere to any proposed NIST IPv6/IPv4 coexistence approach. The final word on that would come from the White House Office of Management & Budget and the General Services Administration, Frankel notes.

The Defense Department has a product-testing regime in place for IPv6 interoperability at the Joint Interoperability Test Command (JITC) at Fort Huachuca, Ariz. The DoD’s stated plan is to transition to IPv6 as a core protocol during 2008 and to purchase only IPv6-capable products.

“The DoD just grabbed 248 billion IPv6 address,” says James Collins, research-and-development engineer at the Air Force Information Operations Center, who spoke on the topic at the RSA Conference in February. “The DoD needs the address space in support of the war fighter and ‘net-centricity’ on the battlefield, where everyone and everything has a network address.” Collins said the military has a goal to be IPv6-ready in 2008, but he acknowledged it’s a race against the clock.

The JITC has approved the first round of IPv6-capable products for host software, routers, Web browsers and mail clients, with Microsoft in the lead on applications and Juniper in routing. But nary a single evaluated security product has yet to appear.

What’s the hold-up?

Although IPv6 is over a decade old, many vendors say it’s a chicken-and-egg problem where they won’t develop security products until they’re sure there’s solid customer demand.

“There is a kind of Catch-22 in the market today,” says Dave Arbeitel, chief technology officer at Lumeta, whose IPSonar product scans IPv4-based networks for discovery and device fingerprint, with IPv6 capability expected to be added next year. “Customers aren’t defining what they want to do, so it makes it hard for vendors to know what to do.”

That sentiment has been echoed by Cisco and Juniper. But both vendors are indicating a willingness to make sure their intrusion-detection and prevention systems and firewalls are equally as good in IPv6 security as today’s IPv4, even though official announcements have yet to come.

Juniper says the Juniper ISG 2000 firewall/VPN already supports full rules sets for IPv6 comparable to IPv4. But the Juniper intrusion-detection and -prevention products (IDP) only recognize IPv6 traffic and either permit or deny it based on policy.

“Juniper has plans to support full rule sets for IPv6 as comparable to IPv4 in the future for their stand-alone IDP and firewall/VPN products with integrated intrusion detection and prevention,” a Juniper spokesman states without offering a timetable as to when this might be done.

Other vendors

Other security vendors take a similar stance.

Fortinet’s FortiGate multipurpose security appliance “does not have 100% parity for IPv6,” acknowledges Anthony James, senior director of product management at Fortinet. While Fortigate can look at IPv6 traffic and allow or disallow it based on firewall rules, it can’t apply antispam, antivirus, content filtering or intrusion-prevention protections to IPv6 traffic. Fortinet expects to nail that sometime in 2008.

Some vendors, including Lancope and McAfee, decline to discuss the topic of IPv6.

Symantec’s senior director of product management, Brian Foster, says the consumer versions of Norton Anti-Virus and Norton Internet Security support IPv6 in the desktop firewall and antivirus scanning functions. But on the enterprise side, Symantec’s security products don’t yet offer the same IPv6 security functions.

Sohail Parekh, vice president of engineering at Vernier Networks, which makes the EdgeWall line of network-access control and content inspection appliances, says the equipment doesn’t support IPv6 today, but Vernier plans to add full IPv6 support in the second half of the year.

“The challenge as a security vendor is to support all the ins and outs of IPv6,” Parekh says. “You have to understand all the addressing schemes and encapsulation schemes.” These would include IPv4 to IPv6 over IPv6 to IPv4 “where there are multiple headers involved,” he noted. “The permutations of things you are looking for is significantly increased.”

During his presentation at the recent InfoSec Conference, Zot O’Connor, security researcher at the Microsoft Security Response Center, pointed out that both IPv4 and IPv6 are turned on in Vista, and a tunneling mechanism called Terado that allows IPv6 transport over IPv4 can be used. “Vista runs IPv6 really well and we use IPv6 in the IPSec layer,” he said.

Limited visibility?

Several makers of scanning products admit they have limited eyesight when it comes to IPv6.

At nCircle, chief technology officer Tim Keanini says the nCircle IP360 scanner will be able to recognize where IPv6-based devices are on the network but won’t be able to perform thorough scans comparable to IPv4.

Tenable, which makes both active and passive scanners, says it’s starting to see IPv6 more clearly. Tenable chief executive officer Ron Gula said the company’s ActiveScan Nessus scanner has “traditionally been a scanner for IPv4.” A beta version of the IPv6-capable Nessus 3.2 is available for download and review, with a final version expected out by this summer. Tenable host-based passive scanner doesn’t support IPv6 yet.

Gula says the lack of support often seen for IPv6 in security products today is directly related to the lack of customer demand. But he noted that with Microsoft’s Vista, which support IPv6 by default, enterprises will be adding IPv6 to their networks though they may not be fully aware of it.

“IPv6 is another attack surface,” says Adam Stein, vice president of product management at Mu Security, which has added IPv6-based analysis to its Mu-4000 Security Analyzer appliance over the last few months. The Mu-4000 looks for zero-day vulnerabilities in network equipment through a protocol mutation process. “The fourth-generation cellular phone networks are all designed to IPv6,” Stein added.

One thing to keep in mind about IPv6, Stein says, is that “history is repeating itself” in terms of host and network vulnerabilities, such as buffer-overflows, that the industry has had to battle in the IPv4-based products today. “Expect to see the same problems all over again,” Stein emphasized, saying Mu Security has uncovered five- or six-dozen vulnerabilities in carrier networks, though only disclosed about two dozen of them so far publicly.

While the lack of widespread deployment of IPv6 to date has made many security vendors turn a blind eye to IPv6, the good news is that they can become quickly motivated to become IPv6-capable when they think it’s time. Qualys, for instance, which just last month said it had no plans to adapt the IPv4-based QualysGuard vulnerability-assessment platform to IPv6, made an about-face, saying it would have be IPv6-capable by early next year, if not sooner.

Learn more about this topic

Core Security discovers IPv6-related flaw in OpenBSD


Demand builds for IPv6 products but where are the products


The Dept. of Defense list of IPv6 products

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.

IT Salary Survey 2021: The results are in