The many challenges of IPv6 migration

At the application and user level, many of the security challenges are common between IPv4 and IPv6. The difference is that many of the existing security appliances that are deployed in the field do not understand IPv6 and would bypass IPv6 traffic by default, allowing in any web threats in that traffic.

For example, if the user application is capable of IPv6, but the security appliance is incapable of processing IPv6 traffic, then the user application and machine may be at risk. For instance, if the user requests a URL that resolves to an IPv6 address, and this website is a source of malware, the user is vulnerable to malware infection unless a secure web gateway has the ability to request the IPv6 content, rate it, categorise the URL and examine the actual payload in the page.

Unless new IPv6-based web threats and malware sites can be detected in this manner and blocked, more web users will become vulnerable to these targeted attacks.

A secondary challenge exists around secure tunnels to the outside world. With IPv6, an organisation would have a bigger address space to assign each employee one unique global address. With this unique address, each user can create a secure tunnel, for example, using internet protocol security (IPsec) to the outside world.

Without visibility into these secure tunnels, there is a potential security risk and it would compromise the organisation's ability to manage bandwidth and prioritise traffic or prevent the leakage of sensitive corporate data. I don't believe anyone can accurately predict the worst-case scenario. However, based on our past experience, I can only guess there would be more zero-day attacks, more phishing sites and broader, faster penetration of malware.

What are the other technical challenges the migration poses?

Although similarities exist, the migration challenges are different among ISPs, enterprises, government and the consumer sectors. If we look just at enterprises, there are three problems that stand out. First, in an enterprise, managing and assigning a large pool of public IPv6 addresses for individual employees is a significant problem.

Some IPv6 capabilities such as address privacy extensions can be a good technique for individual consumer users, but not for enterprise environments where visibility and control of employee traffic are required by the corporate usage policy. Many existing address-based security policies may need to be redesigned to operate with the same semantics in IPv6 environments. Second, some existing networking protocols, like WCCP (the protocol that addresses communication between routers and web caches for load balancing purposes) for example, may be designed to operate in IPv4 only.

Even when both the routers and web caches are IPv6 capable, some traffic may not be redirected due to the WCCP limitation. These types of problems are much more difficult during migration towards IPv6. Third, large organisations may have developed proprietary applications that run over proprietary protocols, further complicating the migration between IPv4 and IPv6 environments and the co-existence of mixed-mode users.
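The gap described in the interview, where an IPv4-only appliance bypasses IPv6 traffic and address-based policies need the same semantics in both families, can be shown with a small policy check. This is an added example, not code from the article or from any product it refers to; the function names, the blocked networks (documentation ranges) and the sample destinations are constructed for illustration.

```python
import ipaddress

# Constructed sample policy: networks the organisation blocks (documentation ranges).
BLOCKED_V4 = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_V6 = [ipaddress.ip_network("2001:db8:bad::/48")]


def legacy_verdict(dest: str) -> str:
    """IPv4-only filter: anything it cannot parse as IPv4 is passed through (fail open)."""
    try:
        addr = ipaddress.IPv4Address(dest)
    except ipaddress.AddressValueError:
        return "bypass"  # IPv6 traffic is never inspected
    return "block" if any(addr in net for net in BLOCKED_V4) else "allow"


def dual_stack_verdict(dest: str) -> str:
    """Same policy semantics for both families; unparseable input is denied."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return "block"  # fail closed
    # ::ffff:a.b.c.d is an IPv4 destination written as IPv6: apply the IPv4 rules.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    rules = BLOCKED_V4 if addr.version == 4 else BLOCKED_V6
    return "block" if any(addr in net for net in rules) else "allow"


def compare(destinations):
    """Return (destination, legacy verdict, dual-stack verdict) for each input."""
    return [(d, legacy_verdict(d), dual_stack_verdict(d)) for d in destinations]


# Constructed destinations a gateway might see after DNS resolution.
SAMPLE = ["203.0.113.7", "198.51.100.9", "2001:db8:bad::1",
          "::ffff:203.0.113.7", "2001:db8:1::10"]

if __name__ == "__main__":
    for dest, old, new in compare(SAMPLE):
        flag = "  <-- gap" if old == "bypass" and new == "block" else ""
        print(f"{dest:22} legacy={old:7} dual-stack={new}{flag}")
```

Running it marks the destinations that the IPv4-only filter passes uninspected but the dual-stack policy blocks, including the IPv4-mapped form of an already blocked IPv4 address.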

Tom Brewster
