In the technological and legal scramble to make the Internet more secure and reliable, we offer a simple suggestion: Try IPv6. The basic protocol of the Internet, the long-in-the-tooth IPv4, mocks attempts to guarantee availability, integrity or privacy of data. IPv4 is intrinsically vulnerable to all manner of mischief: an unacceptable crack in our crucial network foundation.
It's almost regrettable that IPv4's hard limits, such as 32-bit addresses, are being successfully finessed by technologies such as dynamic address assignment. This postpones the day when network operators will face a technical imperative to adopt the long-defined but slow-to-spread IPv6, with its more deeply integrated security as well as its more capacious 128-bit address space.
Like putting seat belts in cars, the rollout of IPv6 is taking too long because site-by-site decisions are based on individual benefit versus cost. The picture would be different if there were a common mandate to make the needed investment across the board.
A legal mandate would follow the pattern of other crucial infrastructures such as trucking, air transport and even HDTV. The government's nose is already well into the tent of defining acceptable IT practice: HIPAA mandates personal data confidentiality, the USA Patriot Act mandates auditability and disclosure to government agencies on demand, and California's July 1 law mandates disclosure of unauthorized data leaks.
These rules have avoided unduly prescriptive detail, which would be a recipe for almost-immediate obsolescence. For example, the California law merely requires “encrypted” data storage, rather than specifying protocol and implementation.
This leaves us in need, however, of accepted standards of due care and faces us with the gloomy prospect of waiting for case law to provide them. It's time for industry participants to take, instead, a leadership role in developing codes of secure IT practice.
When legislators use loose labels like “encrypted,” IT vendors and service providers must come forward and speak with one voice, whether through existing trade organizations or through new bodies formed for this purpose, rather than waiting for judges to rule. Meanwhile, enterprise users should likewise define and promote multitier standards of security with branding programs. The public may not understand IPv6, but it can understand a logo that says “Built for Secure Computing.”
Simply deploying IPv6 everywhere would give the Internet a jump toward vaulting over every legislative mandate yet proposed.
The improvement in network reliability would build the confidence of both enterprise and individual users in the integrity of network transactions. That would certainly yield high returns.