Companies shun, hide IPv6 rollouts due to security fears

Hundreds of Aussie companies have trialled or introduced IPv6 technology internally but are keeping mum due to concerns of appearing to take unnecessary security risks

Narelle Clark, a consultant with Pavonis Consulting and member of the board of trustees of the Internet Society (ISOC)

Hundreds of Australian companies have trialled or introduced new IPv6 technology internally but are keeping silent out of concern that they’ll be seen to be taking unnecessary risks with the security of their networks, the Australian organiser of World IPv6 Day has revealed.

Speaking to an audience at the recent IPv6 Summit, Narelle Clark, a consultant with Pavonis Consulting and member of the board of trustees of the Internet Society (ISOC), said she had been "astounded" by the number of people that wanted to participate in World IPv6 Day, on June 8.

That event, organised globally by ISOC, saw more than 1000 major Web site operators switch over to IPv6-compatible main pages in the most extensive live run of the next-generation addressing protocol so far. The day was a massive technological success although the Internet's limited IPv6 usage was evident: Just 0.16% of Facebook users were IPv6 natives and 0.04% were using 6to4 tunnelling capabilities, delivering around 1 million IPv6 visitors over the course of the day.

Around two-thirds of the participants were so happy with the results they left IPv6 enabled to this date, but most were reluctant to let it be known publicly that they had participated, Clark said.

"I had one conversation, for example, with people who were happy to talk me through their project in complete confidentiality," she explained, "but when I asked 'can I make this public?' they were horrified and said 'no, what if something goes wrong?' It was happening behind the scenes, but they were concerned that someone would find out. In the end, I had many participants sign up that would not and could not go public."

Many organisations had legitimate restrictions due to their obligations under industry codes of practice or regulatory controls, while others were still wary of IPv6 accoutrements such as 6to4 tunnelling: "Tunnelling causes security people to get real upset if they don't know where the tunnelling end points are and how to control them," said Tony Hain, director of Hain Global Consulting.

Indeed, security was the only area to see an increase in concerns from 2010 to 2011, as reported in GNKS Consult's Global IPv6 Deployment Monitoring (GIDM) Survey 2011 (PDF) at the recent Internet Governance Forum in Kenya.

While 70 percent of the 1656 ISPs and companies surveyed will adopt IPv6 by the end of next year, the proportion naming security as a significant concern increased over 2010. Fully 10 percent – double the proportion in 2010 – expect security will be the biggest hurdle in deploying IPv6.

These findings run against what Clark described as an unremarkable security experience on World IPv6 Day, when concerns that hackers would use the event to test new distributed denial of service (DDoS) attacks proved unfounded. "Security did not break on the Internet," she said. "There were no large-scale hacks that we found out about, and the Internet did not fall apart on the day because of IPv6."

Nonetheless, with perceived security risks rising and IPv6 seen by many as yet another Chicken Little proclamation from IT security types, it's tough to convince companies to move any faster. Many executives remain unwilling to shoulder the security and governance risks of a migration for which they still see no need, with numerous IPv6 Summit attendees saying executives had ignored repeated proposals for IPv6 migrations.

GIDM figures suggest around 43% of companies still see cost as a major obstacle to IPv6 deployment, and the lack of a perceived security imperative makes the protocol hard to push. "We have been waving the apocalypse fear story around as part of our armoury, but people haven't gone for it," Clark admitted. "We need to look for other motivations to do it other than a big stick, because we don't have a big stick."

Speaking during a subsequent panel session, IPv6 experts agreed that businesses needed to stop letting their fears about the protocol put them off. "Study and preparation are necessary to a point, but to keep studying and not do anything is worse than denial," Hain said.

Yet that is unlikely to happen soon, Tony Hain, CEO of Hain Global Consulting, offered during a discussion that likened the business community to a pack of penguins – all of which would jump into the water once one or two brave souls took the first plunge.

"The Y2K thing really would have been a fiasco if a lot of people had never gone in," he offered. "But because it wasn't, everybody's saying it was a waste of time – and they're not going to jump into IPv6 first because the independent thinker has been devalued. The guy who comes along at the last moment and saves the day will win this score. We're fundamentally all looking for the crisis to save the day, so we can be the hero."
