IPv6 Structure Will Require New Security Policies and Tactics

IPv6 has a number of benefits built into its far-larger address space. But security managers will also encounter issues with securing the network from attackers as well as migrating existing security policies.

With the transition to IPv6 network addresses gaining momentum, organizations are checking their infrastructure to ensure they are ready.

The last blocks of IP addresses were allocated to Regional Internet Registries (RIR) in a public ceremony on Feb. 3. While each RIR has its own policies and rules for how these remaining addresses will be assigned, they are not expected to last out the year. In fact, the counter widget on IPv4 Address Report estimates the last address will be assigned sometime on Sept. 23.

The network switchover from the current IPv4 addresses to the newer 128-bit IPv6 addresses has security implications as well, according to several industry experts. The IPv6 namespace seems almost infinite in the possible number of addresses, with 340 undecillion possible addresses.

There's a lot of room for spammers to stretch out in, Qing Li, Chief Scientist at Blue Coat Systems, told eWEEK. There won't be any "new spam problem" with the move to IPv6, it will just be a more "emphasized problem" because of the sheer amount of available addresses, he said.

In fact, spammers, just like many other organizations, have already started migrating operations to IPv6. A weeklong study in March by RIPE Labs, the security arm of Europe's RIR, found that 3.5 percent of total e-mail received over IPv6 networks was spam. It's a trifling amount compared to the 31 percent received during the same period over IPv4, but it indicates the spammers have already started the transition. The amount of spam on IPv6 remains minuscule in terms of total volume, at 1.89 percent, RIPE Labs said. However, the RIPE study didn't include all the spam that never made it on to the network because the firewall blocked it based on blacklisted DNS hosts and greylist settings.

Blacklists and greylists are another area of concern, as there is only one maintained list at this time. Until reputation systems and blacklists become more common on IPv6, it will be difficult to filter out spam messages. Even so, the way reputation systems and blacklists are generated may need to be rethought, according to Li. An IPv6 address has two parts, the prefix assigned by the individual network, and the access assignment value dynamically generated by each device. As a result, a device can have its IPv6 address refreshed as often as every 24 to 48 hours, Li said. It's not the same as just blocking out a specific set of numbers, he said.

Reputation based mechanisms will need to be tweaked to rely more on e-mail content scanning methods and less on reputation.

The dynamically changing IP addresses also mean IT managers won't be able to just mechanically map existing security policies to apply to IPv6 networks, Li said. The IT manager has to rethink the way security policies within the organization was designed to fit with IPv6's new packet structure and how the addresses are generated.

Organizations have to test the firewall to ensure the new policies handle IPv6 correctly. Internet service providers can't treat IPv6 like it's the same as IPv4 with just more addresses, Asaf Greiner, vice-president of Commtouch, told eWEEK. IPv6 offers hierarchical addressing, where the addresses can be assigned to a single device, as well as to multiple devices within a group, he said.

The addresses also contain fields for quality-of-service support. IPv6 also allows mobile devices to dynamically change addresses as their locations change without losing existing connections to the network, he said. All these things need to be considered when developing firewall rules and network policies, he said.

IPv6 packets also have extension headers developed to improve performance by simplifying the overall structure. Since these headers are optional and can be used in different ways, security protocols on firewalls and other network devices need to be able to understand the variations, according to Greiner. Attackers can also manipulate the optional headers for their own uses, as well.

The dual stack being rolled out by various telecommunications carriers, where customers have both a IPv4 and IPv6 address, also pose security challenges, as network administrators have to remember to create firewall rules and security policies protecting both networks, said Li. Otherwise, attackers can just stroll right through the hole on the IPv6 side.