On World IPv6 Day, I am doing something that makes my security-obsessed self cringe: I am surfing the Web without any kind of security software on my laptop.
More than 400 organizations, including Internet service providers, businesses, educational institutions and government agencies, will enable the next-generation IPv6 standard on their main Websites for 24 hours on June 8. The goal of the June 8 experiment, organized by the Internet Society, is to educate businesses about IPv6 and the need to migrate over to the new protocol.
The Internet runs on IP addresses, the 32-bit numbers assigned to every computer online. There aren’t many of those left, since the available pool of 4.3 million addresses ran out back in February when each region was assigned the last of the addresses. In April, the Asia Pacific region ran out of its allocation, and the organization that handles IP address distribution in North America expects to do so this fall. IPv6, with its obscenely large number of addresses, will fix that problem.
To check out how the global experiment was going, I surfed various sites, such as Facebook and Google, to see if IPv6 was turned on. But oddly enough, it seemed my laptop wasn’t actually broadcasting its IPv6 address despite having one assigned and being on an IPv6 network.
Some troubleshooting and Google searches later, I turned off the company-required Symantec Endpoint Protection on the laptop. And voila! IPv6!
What’s going on? Well, it turns out Symantec thought it was doing me a favor by disabling IPv6 and forcing me to use IPv4. Here’s Symantec’s statement, in its entirety:
“The default policy in Symantec Endpoint Protection (SEP) 11 blocks IPv6 traffic. This is intentional because in SEP 11 we can’t filter IPv6 traffic, so allowing it is a potential security risk. In SEP 12.1 we can filter IPv6 traffic, so there is no risk in allowing it. Thus, in SEP 12.1 we allow IPv6 by default. Please note that even with SEP 11, however, IPv6 traffic can be allowed by disabling the firewall rule that blocks IPv6. In short, both SEP 11 and SEP 12.1 can be configured to allow or block IPv6 traffic.”
On one hand, that’s smart security, since it’s true that malware and attackers can sneak onto IPv6 networks if the traffic is not properly filtered. On the other hand, it’s a very obscure policy: even after some digging in the Settings panel, I am having trouble figuring out which rule to disable. Considering that IPv6 traffic is going to increase (someday?), it shouldn’t be this difficult to block or unblock the traffic.
So here’s a lesson to take away from World IPv6 Day: It’s not just the networking folks who need to pay attention. The security professionals need to step up and make sure users aren’t getting blocked from reaching sites or using IPv6 because of a security policy.
Just hope I don’t stumble upon a rogue site today.