Prepare security networks for IPv6: Internode

IT managers should be working on new security policies now, urges Internode's Mark Newton

With the death rattle of internet protocol version 4 (IPv4) getting louder, a key proponent of the protocol's successor has warned IT managers not to take a "lock down" approach to migration.

The global internet registry, Internet Assigned Numbers Authority, has warned that the last global allocation of IPv4 addresses ran out in February. Regional internet registries are likely to follow suit with Australia's provider, APNIC, set to run out first.

Its successor, IPv6, is already widely supported by both networking hardware and software but is yet to receive adoption en masse by many companies.

With a migration to the new protocol ultimately inevitable, Mark Newton, network engineer at Internode, has warned managers not to take the "lock down" approach to the protocl.

"It is going to be a core critical part of the internet infrastructure," he said. "It’s not in the same class as some of the other things that corporate IT managers might lock down such as banning Facebook. IT managers really need to start getting their teeth into it and work out ways to allow it, rather than just blocking it."

From his experience, local enterprises are starting to deploy IPv6 due to increased publicity.

“It’s being stymied in the past by lack of hardware or software support but that’s largely a solved problem now. The iApocalypse publicity earlier this year focused attention on it and we’ve seen a big upsurge since then."

Internode currently has 500 customers currently involved in an IPv6 trial first opened in 2008, up 150 per cent since February 2011. It is currently in the process of migrating to a production-ready dual stack environment for the protocol which will be offered as standard to users along with its remaining stock of IPv4 addresses.

"It’s still geeks and techies who are upgrading but these are the same guys who thought three months ago it would be on their to-do list and are now actually getting into it," Newtown said.

However, for companies still looking to change, Newtown warned of new threat models that enterprises needed to be aware of.

“What an organisation needs to do is make sure their security policy isn’t specific to IPv4," he said. "While IPv6 doesn’t bring in new threats as such, it does provide new ways of exploiting old threats. When an organisation writes a security policy, it’s best to write it so that the network protocol is agnostic. Then you can use the same policy to control a service regardless of whether it’s implemented or comes on in IPv4 or IPv6."

Newton warned exploitation vectors could be lurking in the network under lax security policies; security managers might have closed off avenues of attack on IPv4 or IPv6 but not both.

The first step for security managers to get IPv6 running on the network was to ensure the firewall supports the protocol as well as using a local ISP that supports IPv6 too.

"You should also install IPv6 on your internal routers and switches. Some enterprises may already be running IPv6 and not knowing about it because it is turned by default in most operating systems these days."

While he acknowledged that only four per cent of end user client devices use IPv6 at present, this was not to say more devices support it.

“We’re getting close to 100 per cent of devices supporting IPv6 if it is capable of running in the environment that the device is placed into. Windows, Mac OS, Unix and Linux supports it. Even the iPhone will use IPv6 if it is available," he said.

In addition to security measures, Newton said the incoming IPv6 was an opportunity for security managers and vendors to think about ways they approach networks as this was a reset point where, to an extent, the internet had started over.

"A lot of the decisions that we might have been living with over the last 20 years, we get to look at them and say `do we want to keep doing things this way or do we want to make policy changes to make sure that things will be done the right way rather than the wrong way in future'."

The National Broadband Network (NBN) rollout could also offer an advantage for Australia to be more IPv6 ready than some other countries.

"As the NBN comes along it’s going to force every single household that is connected to the internet to buy a new modem," he said. "That's because your Asymmetric Digital Subscriber Line (ADSL) modem won’t work on the new network and as long as we can make sure the device vendors support IPv6 out of the box, then we'll be well prepared."

Newton is scheduled to present at the upcoming security conference AusCERTin May.

IDG Communications is an official media partner for AusCERT 2011.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the CSO newsletter!

Error: Please check your email address.

Tags securityinternodeipv6Mark Newton

More about CERT Australiaf2FacebookIDGIDG CommunicationsIDG CommunicationsIDG CommunicationsInternodeLinuxNIC

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Hamish Barwick

Latest Videos

More videos

Blog Posts