Wednesday is World IPv6 Launch Day, when major internet service providers, home networking equipment makers, and web companies are permanently enabling IPv6 for their products and services.
The transition to IPv6 is designed to open up the internet to a seemingly unlimited number of IP addresses – 340 trillion, trillion, trillion addresses, according to the Internet Society. “Today we launch the 21st century internet: You ain’t seen nothin’ yet”, enthused Vint Cerf, Google’s chief internet evangelist.
But the transition from IPv4 to IPv6 will take a while, perhaps a decade. And during the transition, new vulnerabilities will open up as both IPv4 and IPv6 are supported.
According to a recent paper by researcher Fernando Gont with the UK Centre for the Protection of National Infrastructure, the transition will be bumpy from an information security perspective.
"Most general-purpose operating systems implement and enable by default native IPv6 support and a number of transition-co-existence technologies. In those cases in which such devices are deployed on networks that are assumed to be IPv4-only, the aforementioned technologies could be leveraged by local or remote attackers for a number of (illegitimate) purposes", Gont explained in the paper he submitted to the Internet Engineering Task Force, which developed both protocols.
Gont cited as an example a network intrusion detection system, designed for IPv4 traffic, which might be unable to detect attack patterns when transition technology is used. Also, a firewall might enforce a specific security policy in IPv4, but be unable to enforce that same policy in IPv6.
Also, “some transition/co-existence mechanisms (notably Teredo) are designed to traverse network address translators (NATs), which in many deployments provide a minimum level of protection by only allowing those instances of communication that have been initiated from the internal network. Thus, these mechanisms might cause an internal host with otherwise limited IPv4 connectivity to become globally reachable over IPv6, therefore resulting in increased (and possibly unexpected) host exposure”, he warned.
To mitigate these vulnerabilities, Gont recommended that organizations enforce security controls on native IPv6 traffic and on IPv4-tunneled traffic. Such controls would include enforcement of filtering policies to block malicious traffic.