World IPv6 Launch Day: A Security Risk?
Posted on 06/06/2012 5:49:08 AM PDT by ShadowAce
When World IPv6 Launch Day dawns on June 6th, IPv6 services will be enabled on thousands of sites around the world and, unlike the one-day test flight of 2011, left on permanently. With the free pool of 32-bit IPv4 addresses exhausted, global carriers need to move to the 128-bit address space that IPv6 provides. But will your organization be ready for the new security issues that IPv6 raises?
In an interview with eSecurity Planet, VeriSign Chief Security Officer Danny McPherson cautioned that IPv6 is both an opportunity and a potential security risk. VeriSign operates two of the 13 root DNS servers at the heart of the Internet's core infrastructure, as well as the .com and .net top-level domains, and so has a critical role to play in the safety and security of the Internet.
Although IPv6 is already enabled as an addressing system on a large number of devices, the new security challenges derive from a lack of visibility into that IPv6 traffic, McPherson said.
"A lot of security devices and controls for Internet infrastructure don't have functional parity with IPv4," McPherson said. "So what happens is that you now have systems out there that are listening and accessible with the exact same content as IPv4, but you don't have the same visibility and control to protect those resources."
So how should an enterprise organization navigate the IPv6 transition? McPherson emphasizes that visibility and controls for IPv6 should be in place on the network before IPv6 is enabled by default.
"If you don't have that visibility into IPv6, you should probably consider explicitly disabling IPv6 on your systems until you can take a very concerted approach to enabling IPv6 in a secure manner," McPherson said.
Currently, there is no standard plug-and-play method for ensuring IPv6 security. That said, McPherson said that the upshot of having the World IPv6 Launch event is that there is more interest in IPv6 and vendors are beginning to build better technologies as adoption grows.
"At VeriSign we've had various aspects of IPv6 enabled for the better part of a decade," McPherson said. "What we've realized is that more networking equipment vendors are now beginning to provide better IPv6 capabilities out-of-the-box."
Auditing IPv6 Security
Determining whether an IPv6 deployment is secure is a somewhat different process than for IPv4. Because the IPv6 address space is so much larger, scalability is a significant hurdle. McPherson noted that while many IPS and firewall products today support IPv6, the bigger question for him is whether they support it at scale. To compensate for vendor shortcomings, VeriSign has had to over-invest in its IPv6 infrastructure to achieve Internet scale.
With IPv4, a security professional could also scan an entire subnet and see what was on it. With IPv6 that is no longer practical: a single standard /64 subnet holds 2^64 addresses, so a brute-force sweep finds nothing in any useful time. What McPherson recommends instead is coupling scanning with active measurement of the infrastructure and access control to it.
"So anytime something is attached to a port, you need to figure out why and who was given access to that port," McPherson said. "The minute that port becomes active you need to understand and know what every reachable device is from that port."
VeriSign does this IPv6 auditing with custom-built network access control tools. Access is strictly managed so that every device on the network has been explicitly authorized, and the result is a body of intelligence that shows who is using what, and when.
IPv6 packets can also carry optional Extension Headers between the fixed header and the upper-layer payload, and deciding which of them a device should forward is itself an access-management question.
"Some Extension Headers should never leave the local access network and some shouldn't go beyond a scope domain," McPherson said. "It's important that you have explicit policies in place for Extension Headers that mimic your overall security policy."
Although VeriSign has not seen any significant attacks at scale against IPv6, that's likely to change in the future.
"As the target density gets richer, IPv6 will get attacked," McPherson said.
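McPherson's warning above, that the same content is listening on IPv6 without the same controls, can be checked concretely on a dual-stack Linux host by comparing what is bound to IPv6 wildcard addresses against the ip6tables filter table. The Python below is an added example, not code from the article or from VeriSign. The `ss -H -ltn`, `iptables-save` and `ip6tables-save` text it reads is constructed sample data, and it assumes recent iproute2 formatting, where a dual-stack wildcard socket prints as `*` and an IPv6-only one as `[::]` (older `ss` versions printed `*` for the IPv4 wildcard, so check yours first).

```python
"""Check that TCP listeners on a dual-stack Linux host are filtered the same way
over IPv6 as over IPv4.  Added example on constructed sample data; not code from
the article or from VeriSign."""
import ipaddress
import re

# Constructed sample of `ss -H -ltn` (not captured from a real host).  Assumes recent
# iproute2 output: '*' is a dual-stack wildcard socket, '[::]' an IPv6-only one.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:80 *:*
LISTEN 0 511 *:443 *:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:9200 [::]:*
LISTEN 0 128 [fe80::1%eth0]:546 [::]:*
"""

# Constructed iptables-save filter table: IPv4 is default-deny with three services allowed.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed ip6tables-save: nobody wrote IPv6 rules, so the default policy admits everything.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
COMMIT
"""

# Constructed ip6tables-save after the fix: same default-deny and allow-list as IPv4.
IP6TABLES_FIXED = IPTABLES_SAVE

NO_V6_RULE = "no explicit ip6tables rule; reachable only because INPUT policy is ACCEPT"
V4_FILTERED = "filtered by iptables but reachable over IPv6"
V6_ONLY = "listens on IPv6 only, so an IPv4-centric review never sees it"

ACCEPT_RULE = re.compile(r"^-A INPUT\b.*\s-p tcp\b.*\s--dport (\d+)\b.*\s-j ACCEPT\s*$")


def classify_bind(addr):
    """Map an ss local address (port stripped) to the scope it can be reached from:
    'v4', 'v6', 'both' (dual-stack wildcard) or 'local' (loopback / link-local)."""
    if addr == "*":
        return "both"
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop the zone id of link-local binds
    if ip.is_loopback or ip.is_link_local:
        return "local"
    return "v4" if ip.version == 4 else "v6"


def parse_listeners(ss_text):
    """{port: set of scopes} for every LISTEN line in `ss -H -ltn` output."""
    listeners = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.setdefault(int(port), set()).add(classify_bind(addr))
    return listeners


def parse_filter(save_text):
    """(INPUT policy, set of TCP dports with an ACCEPT rule) from *tables-save output."""
    policy, allowed, in_filter = "ACCEPT", set(), False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter:
            m = ACCEPT_RULE.match(line)
            if m:
                allowed.add(int(m.group(1)))
    return policy, allowed


def ipv6_parity_gaps(ss_text, v4_save, v6_save):
    """[(port, finding)] for listeners whose IPv6 exposure lacks the control the
    IPv4 side has.  An empty list means the two stacks are policed alike."""
    v4_policy, v4_allowed = parse_filter(v4_save)
    v6_policy, v6_allowed = parse_filter(v6_save)
    findings = []
    for port, scopes in sorted(parse_listeners(ss_text).items()):
        on_v4, on_v6 = bool(scopes & {"v4", "both"}), bool(scopes & {"v6", "both"})
        if not on_v6:
            continue                      # loopback, link-local or IPv4-only: no global IPv6 exposure
        if v6_policy != "ACCEPT" and port not in v6_allowed:
            continue                      # ip6tables already blocks it
        if port not in v6_allowed:
            findings.append((port, NO_V6_RULE))
        if on_v4 and v4_policy != "ACCEPT" and port not in v4_allowed:
            findings.append((port, V4_FILTERED))
        if not on_v4:
            findings.append((port, V6_ONLY))
    return findings


if __name__ == "__main__":
    for port, finding in ipv6_parity_gaps(SS_OUTPUT, IPTABLES_SAVE, IP6TABLES_SAVE):
        print(f"tcp/{port}: {finding}")
    print("after fix:", ipv6_parity_gaps(SS_OUTPUT, IPTABLES_SAVE, IP6TABLES_FIXED))
```

On the sample data, ports 22, 80 and 443 are reachable over IPv6 purely because the ip6tables INPUT policy is ACCEPT, and 9200 is additionally an IPv6-only listener that an IPv4 firewall review would never surface; with the corrected ip6tables ruleset the report is empty. To run it against a real host, feed it the live output of `ss -H -ltn`, `iptables-save` and `ip6tables-save` (nftables users would adapt `parse_filter` to `nft list ruleset`). McPherson's interim advice of switching IPv6 off until the controls exist corresponds on Linux to `sysctl -w net.ipv6.conf.all.disable_ipv6=1`.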
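The Extension Header policy McPherson describes, where some headers never leave the local network and others stop at a scope boundary, is enforced by walking the packet's Next Header chain and deciding per header. The following Python is an added example, not code from the article or from VeriSign: the packets are constructed in the block, the RH0 and repeated-header rules are taken from RFC 5095 and RFC 8200 section 4.1, and the rule that Hop-by-Hop Options must not cross the site border is an assumed operator policy of the kind the interview suggests, so it is switched off with `at_border=False` to show the inside-the-scope verdict.

```python
"""Walk an IPv6 extension-header chain and apply a border policy to it.
Added example with constructed packets; not code from the article or VeriSign."""
import ipaddress
import struct

HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
MOBILITY, HIP, SHIM6 = 135, 139, 140
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, MOBILITY, HIP, SHIM6}


def parse_header_chain(pkt):
    """Return (chain, upper_layer): chain lists each extension header in order.
    Raises ValueError on anything that does not fit the declared lengths."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + struct.unpack_from("!H", pkt, 4)[0]     # 40-byte fixed header + Payload Length
    if len(pkt) < end:
        raise ValueError("truncated packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if nh == ESP:                                  # encrypted from here on; chain ends
            chain.append({"type": ESP, "offset": off})
            return chain, ESP
        if off + 8 > end:                              # every extension header is at least 8 bytes
            raise ValueError("truncated extension header")
        entry = {"type": nh, "offset": off}
        if nh == FRAGMENT:                             # fixed 8 bytes, no length field
            hlen = 8
            frag = struct.unpack_from("!H", pkt, off + 2)[0]
            entry.update(frag_offset=frag >> 3, more=frag & 1)
        elif nh == AH:                                 # Payload Len in 4-octet units, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                                          # Hdr Ext Len in 8-octet units, not counting first 8
            hlen = (pkt[off + 1] + 1) * 8
            if nh == ROUTING:
                entry.update(routing_type=pkt[off + 2], segments_left=pkt[off + 3])
        if off + hlen > end:
            raise ValueError("extension header runs past the payload")
        entry["length"] = hlen
        chain.append(entry)
        nh, off = pkt[off], off + hlen                 # first byte of every header is Next Header
    return chain, nh


def border_verdict(chain, upper, at_border=True):
    """Policy for a site border device.  RH0 and repeated headers are RFC rules;
    stopping Hop-by-Hop at the border is an assumed operator policy."""
    seen = {}
    for i, h in enumerate(chain):
        t = h["type"]
        seen[t] = seen.get(t, 0) + 1
        if t == ROUTING and h["routing_type"] == 0:
            return "DROP", "Routing Header Type 0 (deprecated by RFC 5095)"
        if t == HOPOPT and i != 0:
            return "DROP", "Hop-by-Hop Options not directly after the IPv6 header (RFC 8200 s4.1)"
        if t == HOPOPT and at_border:
            return "DROP", "Hop-by-Hop Options must not cross the site border (operator policy)"
        if seen[t] > (2 if t == DSTOPTS else 1):       # DstOpts may appear twice, others once
            return "DROP", f"extension header {t} repeated (RFC 8200 s4.1)"
    return "ACCEPT", f"upper-layer protocol {upper}"


def audit(pkt, at_border=True):
    chain, upper = parse_header_chain(pkt)
    return border_verdict(chain, upper, at_border)


TCP_STUB = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, 0x5002, 65535, 0, 0)   # bare 20-byte SYN (constructed)


def ipv6_packet(next_header, payload):
    """Fixed IPv6 header (version 6, hop limit 64, documentation-prefix addresses) + payload."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload


def sample_packets():
    """Constructed test packets, one per policy branch."""
    via = ipaddress.IPv6Address("2001:db8::beef").packed
    rh0 = struct.pack("!BBBB4s16s", 6, 2, 0, 1, b"\0" * 4, via)   # next=TCP, len 2 (24 B), type 0, 1 segment left
    hbh = bytes([6, 0, 1, 4, 0, 0, 0, 0])                          # next=TCP, len 0 (8 B), PadN(4)
    dst_then_dst = bytes([60, 0, 1, 4, 0, 0, 0, 0])                # next=DstOpts
    dst_then_tcp = bytes([6, 0, 1, 4, 0, 0, 0, 0])                 # next=TCP
    frag_then_frag = struct.pack("!BBHI", 44, 0, 0x0001, 0x1234)   # next=Fragment again, offset 0, M=1
    frag_then_tcp = struct.pack("!BBHI", 6, 0, 0x0001, 0x1234)
    return {
        "plain_tcp": ipv6_packet(6, TCP_STUB),
        "rh0": ipv6_packet(43, rh0 + TCP_STUB),
        "hop_by_hop": ipv6_packet(0, hbh + TCP_STUB),
        "two_dstopts": ipv6_packet(60, dst_then_dst + dst_then_tcp + TCP_STUB),
        "double_fragment": ipv6_packet(44, frag_then_frag + frag_then_tcp + TCP_STUB),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:16} {audit(pkt)}")
```

The parser stops at ESP because nothing beyond it is readable, and it refuses any header whose declared length runs past the Payload Length field rather than guessing, which is the behaviour a filter needs when the chain itself is the attacker's input. The `at_border` switch is where the "scope domain" distinction in the quote lives: the same Hop-by-Hop packet is accepted inside the site and dropped at its edge.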
Is there some significance to launching IPv6 on the anniversary of D-Day?
IPv6 -- 6/6/12 seems to be the more likely significance.
I predict that at 4:32 PC CST that the entire WWW will come crashing down, because of this. Upon investigation, after society has rebuilt from the chaos that ensued after “the Great DNS Failure of Ought 12”, it will be determined that it was caused by some low level developer that was working late on a Friday night, who would have rather been drinking Red Bull and playing Modern Warfare 3, than sitting at work. His name will be reviled for centuries, becoming a vicious slur in the post-modern lexicon.
How did you get my password??
I’m just good that way... :)
25 years ago, we had Ronald Reagan, Johnny Cash, and Bob Hope.
If you can't appreciate the pure beauty of the violin after hearing this, something's wrong with your ears.
Or you can get raw with these strings.
How about this gamechanger from America's Got Talent (which they SHOULD have won).
Either way, the violin is sweet yet lethal.