IPv6 is Coming and Bringing Security Challenges Too
As Y2K fades into a distant memory we have a new technological problem on our hands – we are running out of Internet Protocol (IP) addresses. IPv4 protocol addresses that is.
It is estimated that by 2012 we will have exhausted all the available IPv4 addresses. In fact, TMCnet predicts that “by the beginning of August 2010, there were only 6 percent of IPv4 addresses remaining.” IPv4 gave us 35 good years of addresses, but now we must look to a new protocol to keep up with the Internet's substantial growth.
The expected solution is the new IPv6 protocol, which will allow for substantially more IP addresses -- trillions upon trillions of new addresses. IPv6, however, is still in its infancy and is not yet widely deployed.
According to Cisco, there has been much security testing and development of mechanisms to secure the protocol. Many commercial security testing tools have been updated to support the IPv6 protocol; many others have it on their road maps. Various security concerns around IPv6 have already been identified, such as insecure neighbor discovery, tunneling, and auto-configuration.
RFC 3971 Secure Neighbor Discovery Protocol (SEND) and RFC 3972 Cryptographically Generated Addresses (CGAs) are two outcomes of early security research. It is possible that they may help mitigate the weaknesses with the default neighbor discovery process. A key challenge, however, is that not all devices support these new standards.
One potentially straight-forward way to combat the threat posed by IPv6 is to educate your IT staff that the process of switching to the standard should not be done without thorough testing and researching of potential vulnerabilities. No firm should assume that because the new standard is solving one problem, it isn’t creating others.
Risk Alert: Cisco’s Take
In Cisco’s 2010 Midyear Security Report they predicted a “Perfect Storm” technological change. The following paragraphs outline Cisco’s risk alert for today’s firms.
IPv4 address exhaustion and the move to IPv6, the need to implement DNSSEC, and the switch from 2-byte to 4-byte Autonomous System Numbers (ASNs), which marks a change to the Internet’s inter-domain routing structure, will ultimately change the way the Internet functions. Any one of these changes represents a significant architectural and operational challenge for network operators. Together, they create a “perfect storm”— described as “the greatest and potentially most disruptive set of circumstances in the history of the Internet, given its growth in importance to worldwide communications and commerce.”
Of course, this means that enterprises are at risk as well. The question: Is your enterprise prepared for the arrival of these “multiple, simultaneous, and large-scale changes”? The storm is approaching fast—but organizations have known for years that it was coming. Therefore, your security team already should be carefully planning for these changes and making necessary updates so they can help minimize the organization’s security exposure and ensure the network infrastructure, from routers to firewalls to switches to software, is protected as the transition to each new service occurs.
Expect to see many businesses preparing for the storm in the coming year. They will likely need to expend a great deal of time, money, and resources on adapting to these significant changes, which are inconveniently culminating post-recession, when IT resources are already limited at many organizations.
U.S. government organizations are likely to be particularly preoccupied with getting up to speed, as many failed to comply with the December 31, 2009, deadline set by the U.S. Office of Management and Budget to deploy new authentication mechanisms (for example, digital signatures for DNSSEC) on their websites that would help prevent hackers from hijacking web traffic and redirecting it to bogus sites.
Download the complete Cisco 2010 Midyear Security Report here.
Or, contact us to learn more about how we’re helping clients prepare for IPv6.