
Preparing for the IPv6 Evolution and the Security Implications


In 2011, we saw the first IPv6 attacks on production networks. While IPv6 market penetration still lacks critical mass, the last of the IPv4 addresses were distributed last year, so it is not a stretch to predict that IPv6 deployment will start to ramp up. According to the recent 7th Annual Infrastructure Security Report by Arbor Networks, 70% of respondents have deployed IPv6 in their networks, with most using it for internal addressing of their network infrastructures. For mobile services, 50% of respondents plan to introduce IPv6 within the next 12 months, and 9.6% already have it. Cisco predicts (Visual Network Index Global Mobile Data Traffic Forecast) that by 2016, 71% of all smart phones and tablets and 39% of all mobile devices will be IPv6-capable.

As we all know, attackers go where the traffic is, so as more traffic is transported over IPv6 networks, it increasingly becomes a target for attackers. It is a mistake to think (perhaps because you haven’t started deploying IPv6 equipment) you are not at risk. The reality is most providers have enabled IPv6 in some capacity (often as a default option), and even if you haven’t started your transition, you likely have it in your network in some fashion. 

Today’s Very Real Risks

Let’s look at the IPv4-only routers and switches in your network. Currently, IPv6 traffic tends to be tunneled inside IPv4 traffic so that it can be transported across IPv4-only and hybrid networks. This means the IPv4 switch or router is “blind” to the traffic and is basically being used as a “hop” to pass it along. With no real visibility, it may pass both good and bad traffic through your network, making you vulnerable to attacks hidden in the IPv6 traffic coming through IPv4.

In addition, given the number of potential addresses available with IPv6, you need to start to think differently about how you conduct some of your security activities. For example, reverse traces to find the source of attacks will become significantly harder; sweeps to scan for vulnerabilities will also become much more difficult (if not impossible) to do.

To get a better understanding of the IPv6 activity going on in your network, you can identify any encapsulated packets and take a closer look at them, and you can deploy IPv6-enabled devices and see what kind of traffic they receive. The key is to start planning for the transition (if you haven’t already) so that you understand the impacts on your network, applications and services and can proactively reduce any risks.
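As an added example, not part of the original article: the Python below parses raw IPv4 packets, reports any IPv6 packet encapsulated inside them (IPv4 protocol 41, or Teredo over UDP port 3544), and lists tunnels whose outer addresses are not on a list of approved tunnel endpoints. The function names, the allowlist and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6, PROTO_UDP = 41, 17   # IANA protocol numbers: IPv6-in-IPv4 and UDP
TEREDO_PORT = 3544               # Teredo well-known UDP port (RFC 4380)

def inspect_ipv4(pkt: bytes):
    """Describe an IPv6 packet tunneled inside this raw IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # header length incl. options
    if ihl < 20 or len(pkt) < ihl:
        return None
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:  # later fragment: no inner header
        return None
    proto, payload, kind = pkt[9], pkt[ihl:], None
    if proto == PROTO_IPV6:
        kind = "6in4"
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            # Teredo authentication/origin-indication prefixes are not parsed here
            kind, payload = "teredo", payload[8:]
    if kind is None or len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    outer = [str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16)]
    inner = [str(ipaddress.IPv6Address(payload[i:i + 16])) for i in (8, 24)]
    return {"tunnel": kind, "outer": outer, "inner": inner, "next_header": payload[6]}

def unexpected_tunnels(packets, allowed_endpoints):
    """Tunneled packets where neither outer address is an approved tunnel endpoint."""
    found = [f for f in map(inspect_ipv4, packets) if f]
    return [f for f in found if not set(f["outer"]) & set(allowed_endpoints)]

# Constructed sample packets (documentation address ranges, not captured traffic)
def build_v4(proto, src, dst, body):
    head = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0)
    return head + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + body

def build_v6(src, dst, next_header):
    head = struct.pack("!IHBB", 0x60000000, 0, next_header, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed

UDP_TEREDO = struct.pack("!HHHH", 50000, TEREDO_PORT, 48, 0)
SAMPLES = [
    build_v4(41, "192.0.2.10", "198.51.100.20", build_v6("2001:db8::1", "2001:db8::2", 58)),
    build_v4(17, "203.0.113.5", "192.0.2.99", UDP_TEREDO + build_v6("2001:db8:a::1", "2001:db8:b::1", 6)),
    build_v4(6, "192.0.2.10", "198.51.100.20", bytes(20)),  # plain IPv4 TCP, no tunnel
]
```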

Top Three Transition Assumptions that Can Impact Security

As IPv6 adoption grows, it is important not to assume too much. To enable a smooth evolution, enterprises and operators must avoid the following top three common transition traps that can impact the security of the network:

1. Assuming your security posture will remain the same over IPv6 as it was over IPv4.

The same attack can present itself differently when running over IPv4 versus IPv6. As a result, a security device that detects an attack over IPv4 may miss that same attack when delivered over IPv6, leaving your network and information assets vulnerable. Understanding your security posture over IPv6 requires understanding how your network will respond to different attacks, as well as the scaling limits for attacks that arrive in bulk.

Operators: To prevent surprises, you should look for certified IPv6 network protection devices and ensure the configuration you use actually blocks what it is supposed to be blocking. Make sure your default policies permit only the tunnels you intend to support, and ensure all supported tunnels block attacks, regardless of the IP version that carries them.

2. Assuming your applications will immediately behave the same over IPv6 as they did over IPv4.

Given the criticality of the reliability and availability of all your applications and services, it is imperative they work over IPv6 just as well as they do over IPv4. Unfortunately, you cannot simply flip the switch and expect everything to behave the same. The change to a new underlying network protocol has far-reaching implications; many applications have IP addresses embedded within them, and there are no existing standards for how they should handle this. As a result, applications often vary widely in terms of function, security, and scalability when they go from one network protocol to the other.

Operators: Testing the applications over each network protocol is critical to understand and then address potential differences. You need to run the entire gamut of applications available on your network and ensure they behave as expected over IPv6, which can be very difficult when applications and services are being introduced daily. Real-time visibility into what is actually on your network will be crucial to ensure functionality is not compromised and to support a successful transition.

3. Assuming your regular development processes will be enough.

If you are developing new products, applications and services, you need to be mindful of how IPv6 will impact your functionality and security. For products, you probably follow the industry best practice of conducting conformance testing to understand what is going on at the unit level and during integration. However, when trying to determine what will happen at the system level, as you perform QA testing, it is critical to include security (sending abnormal and unexpected inputs) and scale tests to identify how the device will handle them.

This also applies to applications and services; when doing QA testing, make sure you understand how they will operate over IPv4 and IPv6 and how they handle a variety of interactions. This will ensure code is not only correct (for example, it can appropriately process expected inputs when they arrive one at a time), but is also capable of handling and protecting against the unexpected and scaling to support many concurrent inputs.

Operators: You should ensure products have been tested beyond conformance tests because many products that pass conformance still have serious bugs that can impact performance over IPv6. This is not because IPv6 performance is inherently inferior to IPv4, but rather it is probably a bug that impacts IPv6 implementations. With comprehensive testing, this bug can be isolated and fixed, so IPv6 can achieve performance levels equivalent to IPv4.

For more information about ACG Research's Security business and syndicated services, click here or contact sales@acgresearch.net.





