IPv6 has a number of benefits built into its far-larger address space. But security managers will also encounter issues with securing the network from attackers as well as migrating existing security policies.
With the transition to IPv6 network addresses gaining momentum, organizations are checking their infrastructure to ensure they are ready.
The last blocks of IPv4 addresses were allocated to the Regional Internet Registries (RIRs) in a public ceremony on Feb. 3. While each RIR has its own policies and rules for how these remaining addresses will be assigned, they are not expected to last out the year. In fact, the counter widget on the IPv4 Address Report estimates the last address will be assigned sometime on Sept. 23.
The network switchover from the current IPv4 addresses to the newer 128-bit IPv6 addresses has security implications as well, according to several industry experts. The IPv6 address space seems almost infinite, with 340 undecillion possible addresses.
There's a lot of room for spammers to stretch out in, Qing Li, chief scientist at Blue Coat Systems, told eWEEK. There won't be any "new spam problem" with the move to IPv6; it will just be a more "emphasized problem" because of the sheer number of available addresses, he said.
In fact, spammers, just like many other organizations, have already started migrating operations to IPv6. A weeklong study in March by RIPE Labs, the security arm of Europe's RIR, found that 3.5 percent of total e-mail received over IPv6 networks was spam. It's a trifling amount compared to the 31 percent received during the same period over IPv4, but it indicates the spammers have already started the transition. The amount of spam on IPv6 remains minuscule in terms of total volume, at 1.89 percent, RIPE Labs said. However, the RIPE study didn't include the spam that never made it onto the network because the firewall blocked it using DNS-based blacklists and greylisting.
Blacklists and greylists are another area of concern, as there is only one maintained IPv6 blacklist at this time. Until reputation systems and blacklists become more common on IPv6, it will be difficult to filter out spam messages. Even so, the way reputation systems and blacklists are generated may need to be rethought, according to Li.
An IPv6 address has two parts: the prefix assigned by the individual network, and the host portion, which each device generates dynamically. As a result, a device can have its IPv6 address refreshed as often as every 24 to 48 hours, Li said. Blocking such addresses is not the same as just blocking a specific set of numbers, he said.
Reputation-based mechanisms will need to be tweaked to rely more on e-mail content scanning and less on address reputation.
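One way to rebuild address reputation along the lines Li describes, as an added example that is not from the article or from any vendor it quotes: key spam reports on the operator-assigned /64 prefix instead of the full 128-bit address, so that a sender whose host part rotates every day or two still accumulates reputation. The sample addresses, the /64 prefix length and the threshold of three reports are constructed assumptions.

```python
# Added example (not from the article): a reputation store that keys IPv6
# spam reports on the network prefix (/64 here) rather than the full address.
# Because the device-generated half of the address can change every day or
# two, per-address blocking never sees the same sender twice; keying on the
# operator-assigned prefix keeps the reputation attached to the network that
# sent the spam. All addresses below are constructed samples from the
# 2001:db8::/32 documentation range.
import ipaddress
from collections import Counter

SPAM_REPORTS = [
    "2001:db8:1:2:3a5f:9c1e:7b20:11ad",
    "2001:db8:1:2:9e44:0d2c:ff31:6b01",     # same /64, rotated host part
    "2001:db8:1:2:c0de:cafe:beef:f00d",     # same /64, rotated again
    "2001:db8:ffff:9:1111:2222:3333:4444",  # an unrelated network
]


def reputation_key(addr: str, prefix_len: int = 64) -> str:
    """Key a report is recorded under: the /prefix_len network for IPv6,
    the exact address for IPv4 (where per-host keying still works)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def prefix_spam_counts(reports, prefix_len=64, threshold=3):
    """Aggregate reports by prefix; return (counts, set of listed prefixes)."""
    counts = Counter(reputation_key(a, prefix_len) for a in reports)
    listed = {net for net, n in counts.items() if n >= threshold}
    return counts, listed


def is_listed(addr: str, listed, prefix_len: int = 64) -> bool:
    """A never-before-seen address is caught if its network is listed."""
    return reputation_key(addr, prefix_len) in listed


if __name__ == "__main__":
    # Per-address keying (prefix_len=128) sees each sender once: no signal.
    exact, _ = prefix_spam_counts(SPAM_REPORTS, prefix_len=128)
    print("per-address max count:", max(exact.values()))   # 1
    counts, listed = prefix_spam_counts(SPAM_REPORTS)
    print("per-prefix counts:", dict(counts))
    print("listed prefixes:", listed)   # {'2001:db8:1:2::/64'}
    print(is_listed("2001:db8:1:2:dead:beef:0:1", listed))   # True
```

Choosing the prefix length is a trade-off: /64 matches the usual per-network assignment, but listing a shorter prefix can block unrelated customers of the same provider.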
The dynamically changing IP addresses also mean IT managers won't be able to mechanically map existing security policies onto IPv6 networks, Li said. IT managers have to rethink how the organization's security policies were designed, to fit IPv6's new packet structure and the way its addresses are generated.
Organizations have to test the firewall to ensure the new policies handle IPv6 correctly. Internet service providers can't treat IPv6 as if it were IPv4 with just more addresses, Asaf Greiner, vice president of Commtouch, told eWEEK. IPv6 offers hierarchical addressing, where the addresses can be assigned to a single device, as well as to multiple devices within a group, he said.
The addresses also contain fields for quality-of-service support. IPv6 also allows mobile devices to dynamically change addresses as their locations change without losing existing connections to the network, he said. All these things need to be considered when developing firewall rules and network policies, he said.
IPv6 packets also have extension headers, developed to improve performance by simplifying the overall packet structure. Since these headers are optional and can be used in different ways, security protocols on firewalls and other network devices need to be able to understand the variations, according to Greiner. Attackers can also manipulate the optional headers for their own ends.
The dual stack being rolled out by various telecommunications carriers, where customers have both an IPv4 and an IPv6 address, also poses security challenges, as network administrators have to remember to create firewall rules and security policies protecting both networks, said Li. Otherwise, attackers can just stroll right through the hole on the IPv6 side.