The arrival of a slew of new and upgraded operating systems, smartphones and tablets that are enabled for IPv6 has the potential to open new and unrecognized security weaknesses in otherwise secure environments.
According to Johannes Ullrich, PhD, chief research officer for the SANS Institute, “One of the problems is the accidental implementation of IPv6. You may already have IPv6 on your network without knowing about or configuring it.”
Internet Protocol version 6 (IPv6) is designed to succeed Internet Protocol version 4 (IPv4). It was developed by the Internet Engineering Task Force (IETF) and ratified in 1998. The new protocol adds features and offers a 128-bit address space. Its future adoption is almost certain, as available IPv4 addresses are likely to be exhausted within two years based on current consumption rates.
The growth of mixed IPv4 and IPv6 networks, in some cases without the knowledge of IT security teams, can introduce a variety of potential security risks. Attacks designed to exploit IPv6-enabled devices could also be missed by intrusion detection systems that have not been correctly configured to deal with IPv6 traffic.
Ullrich believes that organizations have failed to grasp the full impact of a move to IPv6 or the amount of time needed to plan, test and secure any migration strategy.
“Many organizations will look at their own networks and not see a big problem staying on IPv4,” he explains. “But say you need to connect to a supplier network in China and they have been forced to move to IPv6 due to running out of addresses, your organization may have to switch over very quickly.”
Ullrich believes that it will take roughly a year at minimum for larger organizations to move over to IPv6. Although most modern routers and switches are IPv6-capable, the supporting SIEM, IDS, IPS and monitoring tools will need reconfiguration. The application layer is more problematic: “It is comparable to the Y2K problem, and there may well be many complex or custom applications that are affected by switching over that need to be tested.”
Ullrich, who is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold programme, will be covering IPv6 as part of the SECURITY 503 Intrusion Detection In-Depth course at SANS London this November. Ullrich is also running an evening briefing session, which will go into more depth on the subject for attendees of the event.