As IPv6 Launches, It's Time to Worry About Security

Providers and large content sites turn on their IPv6 infrastructure on June 6. Experts urge companies to be cautious as they look to follow suit.

By: Robert Lemos

Providers, large Web content providers and home router makers teamed together on Wednesday to launch their services on the next-generation Internet Protocol version 6, or IPv6.

The effort, known as IPv6 World Launch Day, should change little for enterprise users and consumers, but IT groups at companies should take notice. Like any technology transition, the change to IPv6 can cause problems, including issues that can affect companies' security. Security researchers and some attackers have already started looking at IPv6 security, and most enterprise security teams will be behind the curve, said John Spence, vice president of IP services for consulting firm Nephos6.

"One of the significant risks is that the hacker community is ahead, on exploiting V6, of the security professionals who are securing V6," he said. "So there is a temporary advantage [for the] attacker, because of the V6 transition that, hopefully, will get corrected."

On Wednesday, Facebook, Google, Microsoft's Bing and Yahoo all permanently enabled their presence on the IPv6 Internet. In addition, at least 65 Internet providers have committed to transitioning at least 1 percent of their subscribers to IPv6. Large home router manufacturers have also made IPv6 the default communications protocol for their hardware.

The Internet Society claimed that this new support for the protocol meant that adoption is taking off.

"IPv6 is not just a 'nice to have'; it is ready for business today and will very soon be a 'must have,'" Leslie Daigle, chief Internet Technology officer for the Internet Society, said in a statement on June 6.

Yet companies thinking of moving their infrastructure to IPv6 should beware of two major issues, said Nephos6's Spence.

Companies need to be mindful of the gap between their IT teams' knowledge of IPv4 and their lack of expertise with IPv6. The technology and corporate IT staff will not be ready to completely handle IPv6, and that could leave security lacking, he said. Companies should do their research and only deploy IPv6 technology when their staff is properly trained and the security software and appliances on which they rely are mature enough to provide protection similar to the level on IPv4.

"It is important not to deploy V6 in advance of having the security tools at V6 at parity of the security tools for V4," he said.

Also, companies should beware of networking hardware and computing systems that are configured to be IPv6-friendly. In many cases, routers and operating systems will attempt to connect to any IPv6 devices first, which is user-friendly for consumers but a potential pitfall for enterprises. Many companies may have systems that have created inadvertent tunnels to the IPv6 Internet, effectively a backdoor that could be exploited by hackers, Spence said.

Making devices easy to set up on home networks "is probably a good thing in an unmanaged environment," he said. "But you don't want PCs in the enterprise to build back doors to the IPv6 Internet [just] because they're trying to be helpful."
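
One way a security team could look for the inadvertent tunnels described above is to search IPv4 perimeter flow records for IPv6 transition traffic. The following is an added example, not part of the original article: the tunnel mechanisms it checks (IPv6-in-IPv4 on IP protocol 41, 6to4 anycast relays, Teredo on UDP 3544) are not named in the article, and the CSV column names, RFC 1918 internal ranges and sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed internal address space for this example (RFC 1918).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIX_TO_FOUR_RELAYS = ipaddress.ip_network("192.88.99.0/24")  # 6to4 anycast relays (RFC 3068)
PROTO_IPV6_IN_IPV4 = 41  # IP protocol number used by 6in4, 6to4 and ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544       # UDP port used by Teredo servers

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def classify(flow):
    """Return the tunnel type an egress IPv4 flow suggests, or None."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if not is_internal(src) or is_internal(dst):
        return None  # only internal-to-external flows reach the IPv6 Internet
    proto = int(flow["proto"])
    if proto == PROTO_IPV6_IN_IPV4:
        return "6to4" if dst in SIX_TO_FOUR_RELAYS else "ipv6-in-ipv4"
    if proto == PROTO_UDP and int(flow["dport"]) == TEREDO_PORT:
        return "teredo"
    return None

def find_tunnel_hosts(csv_text):
    """Map each internal host to the set of tunnel types seen leaving it."""
    hits = defaultdict(set)
    for flow in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(flow)
        if kind:
            hits[flow["src"]].add(kind)
    return dict(hits)

# Constructed sample flow records (documentation addresses, not real traffic).
SAMPLE_FLOWS = """src,dst,proto,sport,dport
10.1.4.22,203.0.113.10,6,51514,443
10.1.4.22,198.51.100.7,17,49152,3544
10.1.9.3,192.88.99.1,41,0,0
10.1.9.3,10.1.0.1,41,0,0
172.16.5.8,198.51.100.99,41,0,0
192.168.1.50,198.51.100.53,17,53000,53
"""

if __name__ == "__main__":
    for host, kinds in sorted(find_tunnel_hosts(SAMPLE_FLOWS).items()):
        print(host, sorted(kinds))
```

Hosts that appear in the output are candidates for having tunneling disabled or for egress filtering of protocol 41 and UDP 3544 at the perimeter.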