IPv6 Security Risks and Business Benefits
31 July 2014

It is nearly 20 years (1995) since the standard for IPv6 was proposed in RFC1883. Even back in 1995 it was obvious that the 32-bit IPv4 address space would become exhausted due to the exponential growth of the internet. The problem was exacerbated as enterprises began to use TCP/IP technology internally within their businesses without connecting to the internet or any external entity. This internal use of TCP/IP meant that IPv4 address space exhaustion would quickly become a significant problem. A solution was needed and IPv6 was devised. The 128-bit IPv6 address provides an astronomical number of IP addresses. To put the number in perspective, IPv6 can provide every person on the planet with billions of addresses. Around the same time IPv6 was proposed, another standard was proposed in RFC1631. This RFC, entitled 'The IP Network Address Translator' (NAT), aimed to provide a short-term fix for the problems with IPv4, pending the development and maturity of IPv6.

Unfortunately IPv4 NAT, along with 'Address Allocation for Private Internets' (RFC1918), has become a primary factor inhibiting the transition to IPv6. As time moved on, network security slowly became an area of increasing concern for network administrators. A side-effect of NAT was perceived to provide a certain amount of network protection by hiding the addresses of network devices within the perimeter boundary of an organisation. This helped prevent external attacks directly targeting endpoint IP addresses. To this day this side-effect of IPv4 NAT is incorrectly considered by some to be a primary benefit of NAT, so much so that a common question about IPv6 is, "Does IPv6 support NAT?". A fundamental principle of IPv6 is to reinstate the original concept of end-to-end TCP/IP connectivity that NAT broke.

There has never been a significant business driver to move to IPv6 since NAT solved many of the problems associated with IPv4 from a business perspective. Even with the complete exhaustion of IPv4 address block allocation in 2011, the adoption of IPv6 does not appear to have gained significant traction within business and enterprise. In addition to the lack of a key business driver, moving from IPv4 to IPv6 is not trivial. There is no backwards compatibility between IPv6 and IPv4 and the migration options available are not clean or easy to implement. One other area of technology currently gaining traction may change the aversion to IPv6 adoption. That technology is the Internet of Things (IoT). If the true potential of the IoT is to be realised IPv6 will need to become widely adopted. The success of the IoT will depend on IPv6, its massive address space and the end-to-end TCP/IP connectivity it reinstates. The global appetite for consumer electronics and the giant corporations behind their development appear to influence the direction of technology more than the technology requirements of business. This influence and growing consumer appetite for always-connected domestic and consumer devices may ultimately drive businesses to adopt and migrate to IPv6.

The difficult transition path from IPv4 to IPv6 can be made significantly easier and more secure if businesses prepare now. The main high-level transition options are tunnelling, translation and dual stack. Beneath these options there exist many mechanisms, including 6to4, 4in6, 6in4, ISATAP, Teredo and more. Unfortunately the difficulties do not stop at the point a transition mechanism is selected. There are also many security risks associated with the transition process. While understanding the IPv6 protocol format and its attributes may be straightforward for a network engineer to grasp, the inherent problems that will impact businesses and security should not be underestimated. The key factors that need to be considered include:

- Scarce availability of skilled IPv6 network resource.
- Scarce availability of IPv6 skilled security resource.
- Different connectivity model, i.e. no NAT.
- Traditional IPv4-style troubleshooting using IP addresses is probably infeasible.
- Poor legacy device IPv6 support.
- High likelihood of misconfiguration.
- Existing network tool-set and utilities may not be suitable or support IPv6.
- Unknown legacy component behaviour leading to security control bypass.
- Immature IPv6 stack implementations will lead to a high rate of bugs and vulnerabilities.
- Cyber criminals already prepared and skilled to exploit IPv6 vulnerabilities.
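Several of the factors above (an IPv4-only tool-set, legacy components bypassing security controls) show up first as transition-mechanism traffic that nobody is looking for. The following is an added example, not code from the original post: it classifies constructed flow records and IPv6 addresses to flag 6in4/6to4 (IP protocol 41), Teredo (UDP/3544, prefix 2001::/32) and ISATAP (interface identifier ::[02]00:5efe:w.x.y.z) and recovers the IPv4 address each one embeds. The sample records and the `audit` helper are constructed for illustration; the protocol numbers, ports and prefixes are the published IANA/RFC values.

```python
import ipaddress

PROTO_IPV6_ENCAP = 41                         # IANA protocol 41: IPv6 in IPv4
TEREDO_UDP_PORT = 3544                        # RFC 4380 Teredo service port
SIXTO4 = ipaddress.ip_network("2002::/16")    # RFC 3056 6to4 prefix
TEREDO = ipaddress.ip_network("2001::/32")    # RFC 4380 Teredo prefix

def classify_v4_flow(proto, dst_port):
    """Label an IPv4 flow (protocol number, destination port) that carries IPv6."""
    if proto == PROTO_IPV6_ENCAP:
        return "ipv6-in-ipv4 (6in4/6to4/ISATAP)"
    if proto == 17 and dst_port == TEREDO_UDP_PORT:
        return "teredo"
    return None

def classify_v6_addr(addr):
    """Label a transition-mechanism IPv6 address and recover the IPv4 it embeds."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in SIXTO4:                               # 2002:wwxx:yyzz::/48
        return ("6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)))
    if a in TEREDO:                               # client IPv4 is XORed into low 32 bits
        return ("teredo", str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)))
    iid = n & ((1 << 64) - 1)                     # 64-bit interface identifier
    if ((iid >> 32) & 0xFDFFFFFF) == 0x00005EFE:  # [02]00:5efe:w.x.y.z, u/l bit masked
        return ("isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF)))
    return None

# Constructed sample records using documentation ranges, not real traffic
SAMPLE_V4_FLOWS = [
    ("192.0.2.10", "198.51.100.1", 6, 443),    # ordinary HTTPS
    ("192.0.2.11", "192.88.99.1", 41, 0),      # protocol 41 to the 6to4 anycast relay
    ("192.0.2.12", "203.0.113.7", 17, 3544),   # UDP/3544 Teredo
]
SAMPLE_V6_ADDRS = [
    "2001:db8::1",                         # plain IPv6, nothing to flag
    "2002:c000:20a::1",                    # 6to4, embeds 192.0.2.10
    "2001:0:cb00:7107:0:63bf:3fff:fdf3",   # Teredo, obfuscated client 192.0.2.12
    "fe80::5efe:c000:20c",                 # ISATAP link-local, embeds 192.0.2.12
]

def audit(v4_flows=SAMPLE_V4_FLOWS, v6_addrs=SAMPLE_V6_ADDRS):
    """Return the records a reviewer should triage: tunnelled IPv4 flows first,
    then IPv6 addresses that reveal a transition mechanism."""
    hits = [(src, dst, classify_v4_flow(proto, port))
            for src, dst, proto, port in v4_flows if classify_v4_flow(proto, port)]
    hits += [(addr, classify_v6_addr(addr))
             for addr in v6_addrs if classify_v6_addr(addr)]
    return hits
```

Feeding real flow exports through `audit` gives a quick inventory of hosts already speaking IPv6 through tunnels, which is a useful starting point for the compatibility review described below.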

Businesses need to raise IPv6 awareness and nurture talent now in readiness. Once the IoT gains consumer traction and carrier support for domestic IPv6 internet access emerges, we will see an industry frenzy to leverage the marketing benefits and revenue-generating opportunities associated with the IoT. This leverage will depend on IPv6 and the skill base available. It is imperative that businesses now consider the impact IPv6 may have on their business in the near and medium term. Activities to raise awareness of IPv6 across all internal technology areas should start now. More focused training should be provided to key stakeholders, i.e. network architects, network designers and all security personnel. An IPv6 compatibility review should be conducted for all infrastructure, systems and applications. Preparing for IPv6 migration will be a significant undertaking, but much of the preparatory work can begin now.

The IoT will change the dynamics of how consumers interact with businesses. These changes will be more rapid than we have seen in recent years with the shift from PC to laptop to tablet and mobile. The opportunities for business will be equally fluid, and preparation for IPv4 to IPv6 migration will be paramount to capitalise on what the IoT will bring. Historically there appears to have been a 'head-in-the-sand' attitude to IPv6, and that attitude is still common across industry today. Unfortunately the dependency on IPv6 to support the IoT will open up a Pandora's box of threats, vulnerabilities and risks, but industry cannot afford to ignore IPv6 any longer.

varlogsecurity blog
The place where I share my personal opinion and observations on the world of IT security.