As I ask the question I can hear the thud of exasperation from overworked network administrators. Surely not another awareness day or preparatory day for the masses; haven’t network administrators enough work to handle?
Well, I suspect they have; however, World IPv6 Day does have a serious intent. World IPv6 Day is scheduled for June 8th, and a number of notable sites such as Google, Facebook and the like will be enabling their web services to be served over IPv6 for a test period of 24 hours.
Why? Well, the internet is running out of network addresses (in fact it pretty well has) and IPv6 is the solution. When IP was first developed, 4.3 billion addresses seemed sufficient; but with the number and diversity of devices looking to connect ever increasing (think of the proverbial internet-enabled fridge or power smart meter) this is far too small. IPv6 provides far more addresses, 3.4 x 10 to the power of 38 to be exact. However, IPv6 is far more than simply a greater address range; it is the next generation of IP and has significant changes from the current IPv4 protocol stack.
So why do I raise this event on a security blog – surely it’s a network issue? Well, World IPv6 Day is an indication of what will be coming downstream with regard to new technology and implementations. As has been learnt from the past, these tend to lead to new vulnerabilities and weaknesses which hackers are quick to exploit.
Operating systems and network devices are already IPv6 enabled and have been for some time, so they are capable of working with the new protocols. As the switchover gains momentum, issues will start to arise and a security manager will have to be on their toes, and not just rely on updated standards.
Looking at the new PCI DSS v2.0 you will search in vain for a direct reference to IPv6, and why should there be one? PCI DSS requires that a merchant or service provider builds a secure network (irrespective of the protocol stack in use) and that an annual risk assessment is carried out. For those people who look deeply at the standard, the wording for control 1.3.8 did subtly change from an explicit usage of Network Address Translation (NAT) to the requirement that private IP addresses and routing information should be prevented from being disclosed to unauthorised external bodies. This, I would suggest, was partly brought about by an awareness of the design of an IPv6-based network.
If I were performing a PCI DSS audit I would expect IPv6 to appear, for an organisation, within this year’s list of potential threats and risks. I include that even if there are no plans for IPv6 internally, as it could still potentially impact the traffic at the firewalls, both ingress and egress. Are you sure, for example, that no internal servers are running IPv6 protocol stacks which are reached by tunnelling over IPv4? Is it explicitly excluded within your configuration guides for hardening of servers and network devices?
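One way to answer the tunnelling question above, as an added example that is not part of the original post: the Python below inspects raw IPv4 packets, such as those captured at a firewall, and flags the two common ways IPv6 rides over IPv4, namely IP protocol 41 (6in4, 6to4, ISATAP) and Teredo on UDP port 3544. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_ENCAP = 41  # IPv6-in-IPv4: 6in4, 6to4, ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544     # Teredo server port (UDP)

def classify(packet: bytes):
    """Return (kind, outer_src, outer_dst, inner_src) for tunnelled IPv6, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    payload = packet[ihl:]
    if packet[9] == PROTO_IPV6_ENCAP:
        kind, inner = "proto41", payload
    elif packet[9] == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        kind, inner = "teredo", payload[8:]
    else:
        return None
    # Inner IPv6 source is bytes 8..23; stays None if Teredo prepends its own headers.
    inner_src = None
    if len(inner) >= 40 and inner[0] >> 4 == 6:
        inner_src = str(ipaddress.IPv6Address(inner[8:24]))
    return kind, src, dst, inner_src

def find_tunnels(packets):
    return [hit for hit in map(classify, packets) if hit]

def _v4(proto, src, dst, payload):  # constructed sample builder, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def _v6(src, dst):                  # bare 40-byte IPv6 header, no payload
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

SAMPLES = [  # constructed packets using private and documentation address ranges
    _v4(41, "10.0.5.20", "192.0.2.1", _v6("2001:db8::20", "2001:db8::1")),
    _v4(17, "10.0.5.21", "198.51.100.7",
        struct.pack("!HHHH", 50000, 3544, 48, 0) + _v6("2001:0:c633:6407::1", "2001:db8::1")),
    _v4(6, "10.0.5.22", "203.0.113.9", b"\x00" * 20),
]
```

Calling `find_tunnels(SAMPLES)` returns the two tunnelled packets with their internal IPv4 source, which identifies the host whose IPv6 stack needs to be reviewed against the hardening guide.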
So what are the likely issues, and where will we see vulnerabilities? My own guess is it will be based around zero-day vulnerabilities as new systems are used in anger, immaturity of security products, the complexity of supporting a mixed environment for a period of time and the development by the hacker community of specific IPv6 tools to take advantage of the new features.
In the longer term the benefits of IPv6 are that security was included within the design, rather than a later add-on as per IPv4, but of course that will only be a benefit if people use it and configure it properly. Let’s hope this is the case.