Companies shun, hide IPv6 rollouts due to security fears

Hundreds of Aussie companies have trialled or introduced IPv6 technology internally but are keeping mum due to concerns of appearing to take unnecessary security risks
David Braue (CSO Online (Australia)), 25 October, 2011 11:31
Narelle Clark, a consultant with Pavonis Consulting and member of the board of trustees of the Internet Society (ISOC)

Hundreds of Australian companies have trialled or introduced new IPv6 technology internally but are keeping silent out of concern that they’ll be seen to be taking unnecessary risks with the security of their networks, the Australian organiser of World IPv6 Day has revealed.

Speaking to an audience at the recent IPv6 Summit, Narelle Clark, a consultant with Pavonis Consulting and member of the board of trustees of the Internet Society (ISOC), said she had been "astounded" by the number of people that wanted to participate in World IPv6 Day, on June 8.

That event, organised globally by ISOC, saw more than 1000 major Web site operators switch over to IPv6-compatible main pages in the most extensive live run of the next-generation addressing protocol so far. The day was a massive technological success although the Internet's limited IPv6 usage was evident: Just 0.16% of Facebook users were IPv6 natives and 0.04% were using 6to4 tunnelling capabilities, delivering around 1 million IPv6 visitors over the course of the day.

Around two-thirds of the participants were so happy with the results they left IPv6 enabled to this date, but most were reluctant to let it be known publicly that they had participated, Clark said.

"I had one conversation, for example, with people who were happy to talk me through their project in complete confidentiality," she explained, "but when I asked 'can I make this public?' they were horrified and said 'no, what if something goes wrong?' It was happening behind the scenes, but they were concerned that someone would find out. In the end, I had many participants sign up that would not and could not go public."

Many organisations had legitimate restrictions due to their obligations under industry codes of practice or regulatory controls, while others were still wary of IPv6 accoutrements such as 6to4 tunnelling: "Tunnelling causes security people to get real upset if they don't know where the tunnelling end points are and how to control them," said Tony Hain, director of Hain Global Consulting.

Indeed, security was the only area to see an increase in concerns from 2010 to 2011, as reported in GNKS Consult's Global IPv6 Deployment Monitoring (GIDM) Survey 2011 (PDF) at the recent Internet Governance Forum in Kenya.

While 70 percent of the 1656 ISPs and companies surveyed will adopt IPv6 by the end of next year, the proportion naming security as a significant concern increased over 2010. Fully 10 percent – double the proportion in 2010 – expect security will be the biggest hurdle in deploying IPv6.

These findings run against what Clark described as an unremarkable security experience on World IPv6 Day, when concerns that hackers would use the event to test new distributed denial of service (DDoS) attacks proved unfounded. "Security did not break on the Internet," she said. "There were no large-scale hacks that we found out about, and the Internet did not fall apart on the day because of IPv6."

Nonetheless, with perceived security risks rising and IPv6 seen by many as yet another Chicken Little proclamation from IT security types, it's tough to convince companies to move any faster. Many executives remain unwilling to shoulder the security and governance risks of a migration for which they still see no need, with numerous IPv6 Summit attendees saying executives had ignored repeated proposals for IPv6 migrations.

GIDM figures suggest around 43% of companies still see cost as a major obstacle to IPv6 deployment, and the lack of a perceived security imperative makes the protocol hard to push. "We have been waving the apocalypse fear story around as part of our armoury, but people haven't gone for it," Clark admitted. "We need to look for other motivations to do it other than a big stick, because we don't have a big stick."

Speaking during a subsequent panel session, IPv6 experts agreed that businesses needed to stop letting their fears about the protocol put them off. "Study and preparation are necessary to a point, but to keep studying and not do anything is worse than denial," Hain said.

Yet that is unlikely to happen soon, Tony Hain, CEO of Hain Global Consulting, offered during a discussion that likened the business community to a pack of penguins – all of which would jump into the water once one or two brave souls took the first plunge.

"The Y2K thing really would have been a fiasco if a lot of people had never gone in," he offered. "But because it wasn't, everybody's saying it was a waste of time – and they're not going to jump into IPv6 first because the independent thinker has been devalued. The guy who comes along at the last moment and saves the day will win this score. We're fundamentally all looking for the crisis to save the day, so we can be the hero."

Tags: IPv6, narelle clark, network security, security, World IPv6 Day
