Let's get this IPv6 party started...securely

Google, Facebook, and Yahoo are just some of the companies sponsoring World IPv6 Day, which is a 24-hour test flight of the new Internet addressing system that will provide an almost limitless supply of IP addresses. The current IPv4 addresses are expected to be exhausted in the near future.

But this plethora of IP addresses poses some information security challenges, according to security experts.

Jay Bavisi, president of the EC-Council, identifies five main security concerns posed by the IPv6 transition: translating from IPv4 to IPv6 could result in poor, faulty implementations, or present an opportunity for hackers to exploit potential vulnerabilities; flooding is a potential concern for IPv6, due to smurf-style broadcast amplification (distributed denial-of-service) attacks on multicast traffic; IPv6-IPv4 dual stacks will exist during the transition, which increases the potential for attacks by introducing the specific security issues of both protocols; header manipulation and spoofing are still possible, allowing hackers to evade intrusion detection and prevention systems and firewalls; and, because of the configuration process that comes with IPv4-to-IPv6 migration, misconfigured systems will likely be the root cause of many security failures.

Asaf Greiner, vice president of products at Commtouch, a provider of anti-spam and anti-virus products, agrees that the transition to IPv6 will pose security risks, particularly from the perspective of spam protection. Greiner noted that the increased address space available in IPv6 significantly reduces the effectiveness of traditional blacklisting methods, making it harder to associate a rogue computer with its source address.

“There are some significant security issues related to disguising your identity, things like distributed denial of service or spam from botnets, or fraud, such as hiding behind compromised machines or hiding behind a proxy. These are things for which IPv6 is going to be a game changer”, Greiner told Infosecurity.

“For example, today in spam, it is efficient to block malicious computers through lists of IP addresses…. In an IPv6 environment, where each machine is going to get a huge amount of IP addresses, working with the same mechanism is not feasible. These are the types of challenges that security devices are going to have to face”, he added.

Greiner estimates that the transition to IPv6 is probably going to take a decade or more. Both IP address systems are going to work in tandem for a considerable time period, he noted. “The IPv4 and IPv6 will coexist and work side by side with a lot of connection points, a lot of machines working with both networks, with interconnectivity between the two networks, exposing them to the complexity of managing this transition.”

Patrick Bedwell, vice president of product marketing at network security appliance provider Fortinet, warned that there is confusion over which network security companies will support IPv6 and when that support will be available.

“The challenge that companies face is that IPv6 is a separate protocol and requires significant R&D to bring products up to IPv6 capability. There hasn’t been a uniform effort in the security industry to do that”, Bedwell said in an April interview with Infosecurity.

“When security vendors talk about compliance with IPv6, there is a wide range of support. We are recommending that our customers look under the hood and verify that the products that claim to be IPv6 compatible” are in fact compatible, he added.
