The many challenges of IPv6 migration
We spoke with Qing Li, chief scientist and senior architect at Blue Coat Systems, about what firms need to do to prepare for IPv6 migration.


At the application and user level, many of the security challenges are common between IPv4 and IPv6. The difference is that many of the existing security appliances that are deployed in the field do not understand IPv6 and would bypass IPv6 traffic by default, allowing in any web threats in that traffic.
For example, if the user application is capable of IPv6, but the security appliance is incapable of processing IPv6 traffic, then the user application and machine may be at risk. For instance, if the user requests a URL that resolves to an IPv6 address, and this website is a source of malware, the user is vulnerable to malware infection unless a secure web gateway has the ability to request the IPv6 content, rate it, categorise the URL and examine the actual payload in the page.
Unless new IPv6-based web threats and malware sites can be detected in this manner and blocked, more web users will become vulnerable to these targeted attacks.
A secondary challenge exists around secure tunnels to the outside world. With IPv6, an organisation would have a bigger address space to assign each employee one unique global address. With this unique address, each user can create a secure tunnel, for example, using internet protocol security (IPsec) to the outside world.
Without visibility into these secure tunnels, there is a potential security risk and it would compromise the organisation's ability to manage bandwidth and prioritise traffic or prevent the leakage of sensitive corporate data. I don't believe anyone can accurately predict the worst-case scenario. However, based on our past experience, I can only guess there would be more zero-day attacks, more phishing sites and broader, faster penetration of malware.

What are the other technical challenges the migration poses?
Although similarities exist, the migration challenges are different among ISPs, enterprises, government and the consumer sectors. If we look just at enterprises, there are three problems that stand out. First, in an enterprise, managing and assigning a large pool of public IPv6 addresses for individual employees is a significant problem.
Some IPv6 capabilities such as address privacy extensions can be a good technique for individual consumer users, but not for enterprise environments where visibility and control of employee traffic are required by the corporate usage policy. Many existing address-based security policies may need to be redesigned to operate with the same semantics in IPv6 environments. Second, some existing networking protocols, like WCCP (the protocol that addresses communication between routers and web caches for load balancing purposes) for example, may be designed to operate in IPv4 only.
Even when both the routers and web caches are IPv6 capable, some traffic may not be redirected due to the WCCP limitation. These types of problems are much more difficult during migration towards IPv6. Third, large organisations may have developed proprietary applications that run over proprietary protocols, further complicating the migration between IPv4 and IPv6 environments and the co-existence of mixed-mode users.
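The two policy problems raised in the interview (an appliance that passes IPv6 traffic uninspected, and address-based rules that lose their meaning under IPv6 privacy extensions) can be sketched as follows. This is an added example, not part of the interview and not any vendor's code; the policy entries use documentation prefixes, and the function names and the one-/64-per-user assumption are illustrative.

```python
import ipaddress

# Constructed sample policy using documentation prefixes (RFC 5737 / RFC 3849).
POLICY = [
    ("deny",  "198.51.100.0/24"),    # constructed "known-bad" IPv4 range
    ("deny",  "2001:db8:bad::/48"),  # constructed "known-bad" IPv6 range
    ("allow", "0.0.0.0/0"),
    ("allow", "::/0"),
]

def normalise(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so that
    the existing IPv4 rules keep the same semantics for it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def decide(addr, policy=POLICY, ipv6_aware=True):
    """First-match decision. ipv6_aware=False models the legacy appliance
    from the interview, which lets IPv6 traffic through uninspected."""
    try:
        ip = normalise(addr)
    except ValueError:
        return "deny"                # unparseable input fails closed
    if ip.version == 6 and not ipv6_aware:
        return "bypass"
    for action, cidr in policy:
        net = ipaddress.ip_network(cidr)
        if net.version == ip.version and ip in net:
            return action
    return "deny"                    # no rule matched: fail closed

def user_key(addr):
    """Stable key for per-user policy and logging. Privacy extensions rotate
    the low 64 bits, so IPv6 clients are keyed on their /64 prefix
    (assumption: one /64 per user or segment)."""
    ip = normalise(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/64", strict=False))
```
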
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.