Tuesday, October 25, 2011
Security issues slowing IPv6 adoption
On a theoretical level, IPv6 is more secure than IPv4. It gives network operators the ability to improve security in meaningful ways, and offers major advantages over its predecessor. However, some of the design elements that make the protocol more secure also leave it vulnerable at present, as few organizations are equipped to handle the specific nuances created by IPv6.
Geoff Huston, chief scientist with the Asia Pacific Network Information Center, recently spoke at the IPv6 Summit in Melbourne, Australia, and told audiences to keep working to prepare for IPv6, but not to turn it on yet, CSO reported. The problem is that IPv6 introduces a completely new set of networking rules, and many traditional security options do not work with the new protocol.
Chief among these is plus-one scanning. Plus-one scanning is a process in which attackers poll each address in an IPv4 subnet until they find a vulnerable address. Huston explained such practices will be impossible in IPv6, as the sheer number of addresses is too large to make scans of this nature achievable. While this will make it more difficult for hackers to identify vulnerable devices, the high quantity of IPv6 addresses may make it somewhat easier for cyber criminals to accidentally access a hackable system.
To overcome this, Huston said organizations should imbue their address deployments with some randomness, making it harder for hackers to stumble upon a vulnerable address within the network. However, he explained many administrators will still follow the same policies that worked in IPv4, which may actually make it easier for criminals to find vulnerable devices, even though IPv6 inherently makes it more difficult.
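An address inventory can be audited for the IPv4-style habits described above by classifying the bottom 64 bits (the interface identifier) of each address. The following Python is an added example, not from the original article or from Huston's talk; the three pattern heuristics, the function names and the sample addresses (documentation prefix 2001:db8::/32) are assumptions made for illustration.

```python
import ipaddress
import secrets
from collections import Counter

IID_MASK = (1 << 64) - 1  # bottom 64 bits = interface identifier

def classify_iid(addr):
    """Label the interface identifier of one IPv6 address (heuristic)."""
    iid = int(ipaddress.IPv6Address(addr)) & IID_MASK
    raw = iid.to_bytes(8, "big")
    if iid < 0x10000:
        return "sequential"     # ::1, ::2, ::10 - numbered like an IPv4 subnet
    if raw[3:5] == b"\xff\xfe":
        return "eui-64"         # built from the interface MAC address
    if raw[:4] == b"\x00" * 4:
        return "embedded-ipv4"  # low 32 bits look like a copied IPv4 address
    return "opaque"             # no obvious structure; not proof of randomness

def audit(addresses):
    """Count identifier patterns per /64 so predictable subnets stand out."""
    report = {}
    for addr in addresses:
        net = ipaddress.IPv6Network(f"{addr}/64", strict=False)
        report.setdefault(str(net), Counter())[classify_iid(addr)] += 1
    return report

def random_address(prefix):
    """Pick an address in a /64 using 64 random bits as the identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return net[secrets.randbits(64)]

# Constructed sample inventory (not real hosts).
SAMPLE = [
    "2001:db8:0:1::1",
    "2001:db8:0:1::2",
    "2001:db8:0:1::c0a8:10a",
    "2001:db8:0:1:21a:2bff:fe3c:4d5e",
    "2001:db8:0:2:8d3f:71c2:4be:a96b",
]

if __name__ == "__main__":
    for subnet, counts in audit(SAMPLE).items():
        print(subnet, dict(counts))
    print("randomized replacement:", random_address("2001:db8:0:1::/64"))
```
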
"But if you actually do the privacy addressing fields and leave it on, and as long as you build in decent randomness in the bottom 64 bits, you won't be discovered by accident. You will only be discovered because of something on the other side, and that makes the entire environment of accidental infection totally different in IPv6. I don't mean it will be totally virus-free, but the vector of infection will change," said Huston.
Dealing with the security issues surrounding IPv6 may need to happen fast, as a recent Technorati report said IPv6 migration needs to happen now. Even though IPv4 addresses are not completely exhausted, the new protocol's benefits and the challenges associated with migration make it essential that organizations begin the transition as soon as possible.