Patrick Lambert warns that when the IPv6 launch date officially arrives this June 6, it will be prudent to watch out for some security gaps in the initial days. Here are some issues to think about.
Last year, many may remember that the Internet Society, along with some major ISPs and content companies, set to run a breakthrough 24-hour test during what was then called World IPv6 Day. It was fairly short, and aimed to test whether or not the world was ready to move beyond version 4, and onto version 6 of the Internet Protocol. Overall, it was a success, and there were very few issues. All the major providers like Google and Facebook reported users could access their sites fine with an IPv6 address, and the major providers who participated were also running smoothly. Now, this year is the real deal. On June 6, the IPv6 switch gets turned on again, but this time it will stay on. But what does this mean for organizations and companies? Is everyone ready, and if not, will things break? Worse, are there security concerns that may arise from such a major event?
The basic reason to move to IPv6 is well known: we're running out of addresses. As soon as IPv4 addresses are all allocated, then that's it, no one else can get online. That's obviously a major problem, and while there are solutions, like using NAT filtering, the better way to go is to add a lot of new addresses, which is what IPv6 brings to the table. Also, the new protocol includes some added benefits, like the ability to do IPsec much more easily. In a world of only IPv6, we would see a much better infrastructure, and things would run much smoother, with no need for NAT routers, everyone using high security, and addresses aplenty. Of course, that's not what will happen. IPv4 will remain for years, probably decades, to support older systems, so what we really will end up with is a hybrid, with many complex translation processes.
And that's where the first problem may appear. There are currently a lot of different technologies in use to implement IPv6 and do the translation: 4to6, 6to4, ISATAP, Teredo, IPv6 brokers, and so on. It can be fairly complex to setup an entire network to run over IPv6 when these diverging technologies are used, and that in turn may bring mistakes, and security problems. While there's no evidence that anything more than "things not working" has occurred so far from misconfigured systems, it would be foolish to ignore the possibility. Right now, most ISPs are looking at allocating new customers with IPv6 addresses in the coming years, while keeping the majority of their network on IPv4. While I have all confidence that Comcast and AT&T will get their transition systems working, when some small provider finds out that they can't get another batch of IPv4 addresses from their upstream link, and instead get IPv6 addresses, and they need to rush to adapt, that may be a different story.
Another potential problem with IPv6 is the perceived security of having an endless list of addresses. One common attitude that's been shown is that because you end up with so many addresses, and NAT isn't needed anymore, administrators should assign public IPs to all systems. But NAT is useful for more than just a lack of Ips; it's also a big help with security to have private addresses on internal systems. In an IPv6 world, link-local addresses are provided in its place, but how many organizations will simply use their billion public addresses instead? If everyone has a public address, that means it's much easier for people on the Internet to access them, and exploit any vulnerability. The common retort to this is that it would be impossible to find which address has an active system, since you would have to scan billions of possible addresses, until you realize that many administrators end up simply assigning computers to addresses like 2001:470:1f10:deb::1, 2001:470:1f10:deb::2, 2001:470:1f10:deb::3, and so on, which is the equivalent of doing 10.0.0.1, 10.0.0.2, 10.0.0.3, etc. That's really easy to find out and exploit as long as you know at least one address, such as the corporate web server.
Then, there's all the local exploits that can be done on a stack that's new and not mature, and as such may have holes and security exploits unknown yet. Already it's been shown that it's fairly trivial to impersonate an IPv6 router, and because the recommended way to assign IPv6 addresses is with auto-configuration, which means the router gives out the information rather than having static IPs, then you end up compromising the whole network. Right now, the IPv6 targets are ridiculously small, and not worth bothering for hackers and script kiddies, but I fully expect we'll have a lot of growing pain down the road once version 6 becomes the dominant platform.
Overall, all of these issues shouldn't dissuade anyone from moving on with their IPv6 implementations, but it's good to remember that as World IPv6 Day approaches, and the big players like Comcast, AT&T, Facebook, Google, and so on are all on board, it's always the small players that are going to be playing catch up, and may get things wrong. And that's where a particular attention should be paid to implementation security, and making sure things are done right.
Have you thought of any other possible snags as we transition into IPv6?