IPv6 - The devil you don't know...

This is the first in a four-part series of articles on IPv6 security issues.

“Better the devil you know than the devil you don't”. No matter how bad something is, knowing about it is half the battle won. So when something new comes along, like IPv6, its very newness is an issue.

Where IPv6 works the same as IPv4, our knowledge translates quite directly. But there are fundamental differences; it will take time and operational experience to understand their subtleties.

The basic problem is that you don't yet know what those differences are. Nor do your suppliers, staff, or service providers. Even where differences are known about, there is no feel yet for how they will play out operationally. Ignorance means risk that cannot be managed, but equally importantly for IPv6, opportunity that cannot be grasped.

The fact that IPv6 has more addresses seems simple enough, but it has game-changing effects. IPv4 address planning always starts with “how many hosts?” In IPv6 we work with subnets and can forget the addresses. This is a hugely liberating thing, but it takes real effort to get over the assumption, born of many years of IPv4 address scarcity, that we must conserve addresses.

Another game-changer is that there is no longer any need for NAT (network address translation). NAT too was born of address scarcity, which with IPv6 is a thing of the past. NAT does stateful packet inspection as a side-effect, but that can be had independently of NAT – global addressability is not the same as global reachability! What are the risks and opportunities where end-to-end transparency is ubiquitous?

If we model our IPv6 networks on our IPv4 networks we may end up with something that works, but we will be tying ourselves to old topologies and blocking our ability to innovate.
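To make the "addressability is not reachability" point concrete, here is a small added example (not code from the original article or its author): a toy stateful packet filter placed in front of a site prefix. Outbound packets create flow state, inbound packets are accepted only as replies to a tracked flow or when they hit a deliberately published service, and no address is ever rewritten. The prefix, hosts, ports and the allow-list are all constructed sample values (2001:db8::/32 is the documentation prefix).

```python
"""Added example, not from the original article: a toy stateful packet
filter for a globally addressed IPv6 site. It shows that the stateful
inspection people associate with NAT works just as well without any
address translation: hosts stay globally addressable but are not globally
reachable. Addresses, ports and the allow-list are constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv6 address
    sport: int
    dst: str     # destination IPv6 address
    dport: int


class StatefulFilter:
    """Outbound packets from the site prefix create flow state. Inbound
    packets are accepted only as replies to a tracked flow or when they
    match a service the site has deliberately published."""

    def __init__(self, site_prefix: str, published=()):
        self.site = ipaddress.IPv6Network(site_prefix)
        self.published = set(published)      # (proto, dst_address, dst_port)
        self.flows = set()                   # (proto, src, sport, dst, dport)

    def _inside(self, address: str) -> bool:
        return ipaddress.IPv6Address(address) in self.site

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._inside(pkt.src):
            self.flows.add(key)              # outbound: remember the flow
            return "ACCEPT outbound"
        if self._inside(pkt.dst):
            if reverse in self.flows:
                return "ACCEPT reply"        # answer to a flow we started
            if (pkt.proto, pkt.dst, pkt.dport) in self.published:
                return "ACCEPT published service"
            return "DROP unsolicited inbound"
        return "DROP transit"                # neither end is ours


def run_demo() -> list:
    """Replays a constructed packet sequence and returns the verdicts."""
    fw = StatefulFilter("2001:db8:1::/48",
                        published={("tcp", "2001:db8:1:3::80", 443)})
    host = "2001:db8:1:2:21b:63ff:fe84:45e6"   # SLAAC laptop with a global address
    web = "2001:db8:ffff::80"                 # some external web server
    outsider = "2001:db8:bad::1"              # unsolicited external source
    sequence = [
        Packet("tcp", host, 51000, web, 443),        # laptop opens HTTPS
        Packet("tcp", web, 443, host, 51000),        # server replies
        Packet("tcp", outsider, 4444, host, 22),     # unsolicited attempt at the laptop
        Packet("tcp", outsider, 4444, "2001:db8:1:3::80", 443),  # published web site
        Packet("udp", outsider, 5000, "2001:db8:1:3::80", 53),   # port not published
    ]
    return [fw.process(p) for p in sequence]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

In a real deployment this is the job of the connection-tracking firewall (for example an nftables forward chain with `ct state established,related accept` followed by a default drop); the point of the toy is that every decision above is made on the untranslated global addresses, so the laptop keeps end-to-end transparency for the sessions it opens while remaining unreachable for everything else.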

Another new aspect of IPv6 is stateless address autoconfiguration (SLAAC). In the presence of an IPv6 router, an IPv6 interface will give itself a globally-routable IPv6 address, completely automatically. It builds the address from a prefix supplied by the router and locally held information – by default, the hardware identifier of the interface.

This means that the hardware identifier of the interface (typically a MAC address) is visible to any host that receives a packet from you. And as long as you don't change the hardware, the last part of your address will stay the same, even as you move from network to network.

Whether this is a security issue is debatable. My own opinion is that information about host network hardware is rarely of significant advantage to an attacker; and in any case only if the host is reachable, which most enterprise hosts will not be. From a privacy point of view, however, an autoconfigured address is a sort of super-cookie. It allows a particular host to be tracked wherever it goes.

IPv6 allows you to avoid this by using “privacy addresses”. With privacy addressing, a host builds its address using a random sequence of bits instead of a hardware identifier. It changes the random sequence every so often, making it very hard to track the host.
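The following added example (not code from the original article or its author) works through the two address-building schemes just described: the modified EUI-64 interface identifier that SLAAC derives from a MAC address, which stays the same under every prefix the host visits, and an RFC 4941 privacy address built from random bits instead. It also includes the check a defender would run over an address table or log to see which hosts are still exposing their hardware identifier. The MAC and the prefixes are constructed sample values (2001:db8::/32 is the documentation prefix).

```python
"""Added example (not from the original article): how SLAAC derives an
interface identifier from a MAC address using modified EUI-64 (RFC 4291),
why that identifier follows the host from network to network, what an
RFC 4941 privacy (temporary) address does differently, and how to spot
EUI-64 addresses in logs or address tables. The MAC and prefixes below
are constructed sample values."""
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1          # low 64 bits of an address: the interface ID
UL_BIT = 1 << 57                  # universal/local bit (0x02 of the first IID octet)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe in the middle,
    and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def _prefix64(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return net


def slaac_address(prefix: str, mac: str) -> str:
    """The address a host gives itself from a router-advertised /64 and its MAC."""
    net = _prefix64(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def privacy_address(prefix: str) -> str:
    """Temporary address: random 64-bit interface ID with the universal/local
    bit cleared (RFC 4941); a host regenerates it every so often."""
    net = _prefix64(prefix)
    iid = secrets.randbits(64) & ~UL_BIT
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def interface_id(address: str) -> int:
    return int(ipaddress.IPv6Address(address)) & IID_MASK


def same_interface(a: str, b: str) -> bool:
    """True when two addresses share an interface ID: the 'super-cookie'
    that lets an EUI-64 host be recognised across networks."""
    return interface_id(a) == interface_id(b)


def mac_from_address(address: str):
    """If the interface ID has the EUI-64 shape (ff:fe in the middle and the
    universal/local bit set), return the MAC it exposes; otherwise None."""
    b = interface_id(address).to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe" or not b[0] & 0x02:
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"                       # constructed sample MAC
    office = slaac_address("2001:db8:1:2::/64", mac)
    cafe = slaac_address("2001:db8:ffff:1::/64", mac)
    print("office:", office)
    print("cafe:  ", cafe)
    print("same host?", same_interface(office, cafe))
    print("MAC recovered:", mac_from_address(office))
    temp = privacy_address("2001:db8:1:2::/64")
    print("privacy:", temp, "-> MAC recoverable:", mac_from_address(temp))
```

Running `mac_from_address` over an address inventory is a cheap way to audit how many hosts are still using EUI-64 identifiers after a decision to prefer privacy addresses or DHCPv6; note that the check keys on the ff:fe pattern and the universal/local bit, so a random identifier that happens to contain ff:fe is still reported as not EUI-64.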

Autoconfiguration takes place without any policy hooks and without any logging. For these and other reasons (including privacy concerns), DHCP is likely to retain a place in most enterprises, either as an adjunct to or instead of SLAAC.

Stateless address autoconfiguration is a good example of something new in IPv6 that needs to be thought about and considered as you deploy IPv6.

©Copyright 2011 Karl Auer

About the author: Karl is technical manager at IPv6Now, a company specialising in helping organisations get into and get the most out of IPv6.
