It all started in 1993. That’s when the Internet Engineering Task Force launched a call for white papers (via Request For Comments 1550) on “IP: Next Generation”, which would later become IPv6.
At the time, many of us were still just discovering the Internet, the IPv4 protocol, and related security issues.
the imminent arrival of IPv6
Almost 20 years later, IPv4 address exhaustion is a reality. IPv6 has officially been launched, and setting up IPv6 networks and services has therefore become a top priority for operators, equipment providers and companies.
But don’t hold your breath: IPv6 is no revolution in terms of security. A cursory reading of the Requests for Comments does make it seem like Internet Protocol Security will be the cornerstone of IPv6 security, but we can’t jump to that conclusion quite yet.
assessing risk with IPv6
If we assume that total security risk equals the sum of “probability x criticality” for each threat, how does IPv6 measure up?
For now, the threats identified for IPv6 do not seem to be evolving very much, so probability is not changing greatly. At the same time, because security products have not fully integrated IPv6 (battery management by the central processing unit as opposed to an Application-Specific Integrated Circuit or ASIC, for example), threats tend to be much more critical.
This all means that IPv6 threats are riskier than IPv4 threats—at least during this transition phase. So just managing a simple Transmission Control Protocol flood can become a total nightmare for network and security admins.
primary IPv6 threats
Take all the IPv4 threats we already know about (spoofing, flooding, denial of service, etc.), get rid of a couple (network address translation, Address Resolution Protocol, etc.), add a bit of IPv6 (Type 0 Routing Header, IPv4-IPv6 tunneling), and your new technical playing field is up and running.
And don’t forget to train security teams, office teams and users if they will be using IPv6 addresses:
- "Can you confirm that your IP address is 2001:db8:0:85a3::ac1f:8001?"
- "No, it’s 2001:0db8:0000:85a3:0000:0000:ac1f:8001!"
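Both speakers in that exchange are reading out the same address, once compressed and once fully expanded, and the same ambiguity affects any log search or blocklist that compares addresses as text. The Python code below is an added example, not part of the original article: it parses every IPv6-looking token in a log line and compares by value, and it goes a little beyond the two forms above by also covering uppercase, uncompressed and dotted-IPv4-tail spellings. The log lines, the watchlist and the function names are constructed for illustration.

```python
import ipaddress
import re

# Any run of hex digits, ':' and '.' that contains a colon, plus an optional %zone.
TOKEN = re.compile(r"[0-9A-Fa-f:.]*:[0-9A-Fa-f:.]*(?:%[\w.-]+)?")

# Constructed sample data: lines 1-4 are the page's address in four spellings,
# line 5 is a different host that differs only in the last group.
WATCHLIST = ["2001:db8:0:85a3::ac1f:8001"]
SAMPLE_LOG = [
    "10:00:01 fw accept src=2001:db8:0:85a3::ac1f:8001 dport=443",
    "10:00:02 httpd client=[2001:0DB8:0000:85A3:0000:0000:AC1F:8001]:51514 GET /",
    "10:00:03 sshd login from 2001:db8:0:85a3:0:0:ac1f:8001",
    "10:00:04 dns query from 2001:db8:0:85a3::172.31.128.1",
    "10:00:05 fw accept src=2001:db8:0:85a3::ac1f:8010 dport=443",
]

def parse_ipv6(token):
    """Return an IPv6Address for any valid text form, or None (e.g. a timestamp)."""
    token = token.split("%", 1)[0].rstrip(".")  # drop zone id and trailing full stop
    try:
        return ipaddress.IPv6Address(token)
    except ValueError:
        return None

def find_watched(log_lines, watchlist):
    """Return (line_no, text_as_logged, compressed_form) for each watched address."""
    watched = {ipaddress.IPv6Address(a) for a in watchlist}
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for token in TOKEN.findall(line):
            addr = parse_ipv6(token)
            if addr is not None and addr in watched:  # compares the 128-bit value
                hits.append((line_no, token, addr.compressed))
    return hits

def naive_hits(log_lines, watchlist):
    """Plain substring search, as a grep for the watchlist entry would do."""
    return [n for n, line in enumerate(log_lines, 1)
            if any(a in line for a in watchlist)]

if __name__ == "__main__":
    print("substring search finds lines:", naive_hits(SAMPLE_LOG, WATCHLIST))
    for line_no, logged, short in find_watched(SAMPLE_LOG, WATCHLIST):
        print(f"line {line_no}: logged as {logged} -> {short}")
```

Storing the parsed value (or its compressed form) at ingestion time lets later searches and correlation rules rely on a single spelling.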
a little more reading
While we wait for more articles to be published on IPv6 security, here is a list of links (the most informative in my opinion) for further reading. I know it’s short, but if you search you’ll see that writing on the topic is pretty repetitive.
essential:
- IPv6 Security Considerations and Recommendations (Microsoft)
- IPv6 Security (Cisco)
- IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation (Sean Convery)
- About IPv6 Security (STIndustries)
open call to seasoned experts
Obviously, the above list is anything but exhaustive and should only be used as a starting point for researching the topic.
Any of you who have already done additional reading or research can tell us more and share links in the “comments” section.
I work for Orange Business as a security leader within Products and Services Development. My previous jobs as a technical "worker bee" lead me to pay specific attention to the difficulties of implementing companies' security strategies and policies. Security, efficiency and pragmatism are my main pillars.