For the last two days I have been at an IPv6 conference. Not knowing much about the protocol (like many of us, my daily troubles lay in the IPv4 space), I was looking forward to learning exactly what the big deal was and, more importantly, how it affects security and what the implications for our clients are. As one of the speakers said, "some security issues will be worse, some better and most of them the same", filling me with hope that I'll still be employed in the IPv6 world.
The first hurdle is to remember that it is just another protocol. Think of it like IPX, SNA, AppleTalk, DECnet, take your pick. It is a convenient way of getting traffic from point A to point B. The main reason for changing to IPv6 is the increase in the number of available addresses. IPv4 addresses, according to the presentations, will run out in the next 6 years or so.
A second hurdle is to remember the difference between end-to-end addressability and end-to-end connectivity. A number of the presentations saw IPv6 as a way of providing the latter, which tends to scare security people: peer-to-peer processing across firewalls, networks, etc. (I can hear the squeals of protest: "not over my network you don't"). As far as I understand it, IPv6 will provide end-to-end addressing, which is different. Knowing how to get to a device is one thing. Being allowed to do so is another. It will also make the need for NAT obsolete.
Now for the security side of things: IPsec is mandatory. So if you wish, you can secure communications from end to end, between two addressable (and reachable) devices. If you have ever set up a VPN between two different vendor products, you know that it can be a challenge. The second part of the problem is this: are you comfortable allowing IPsec tunnels through your perimeter? BTW, I'm not saying the IPsec features are bad, I just think there will be some challenges to overcome.
One of the presenters today mentioned that reconnaissance and malware propagation will be more difficult in the IPv6 world. The address space that needs to be checked is so large, and scanning the address range would take so long, that the effort is not worthwhile (think several thousand years). However, IPv6 does rely heavily on two things, DHCP and DNS: DHCP to allocate addresses and DNS to find things in the network. That in itself is interesting, as it provides two convenient targets on an IPv6 network. Randomly scanning for available hosts may not be required, as you may be able to get all the information you need from one of these devices. I think malware will just take advantage of what is available.
As for other threats, there are many that will not change much, if at all. You can still sniff the network. Application layer attacks don't change; rogue devices can still be inserted into the network and may even be more difficult to detect. Man-in-the-middle attacks still work. Flooding, spoofing and a whole host of other attacks are all still possible.
As a final thought, one of the presentations mentioned that
There is much more to IPv6 than the above, but I'll leave that for another time; I'm still digesting all the information.
ISC Handler on Duty
Dec 6th 2006