Almost two years after ‘IPv6 day’ in 2011, security professionals cannot confidently manage security threats posed by the replacement for IPv4, according to the SANS Institute's Internet Storm Center.
For a quick refresher, IPv6, which “launched” in June last year, is the proposed replacement for IPv4. IPv4, with its 4 billion addresses, has already reached exhaustion in many regions across the world, and IPv6 promises to solve this by offering 340 trillion trillion trillion addresses.
Despite a successful launch in June 2012 and an ultimate need to move to something bigger, hands-on experience with the new internet protocol remains limited. That’s having a detrimental impact on the people charged with securing today’s networks, SANS Institute Internet Storm Center trainer Johannes Ullrich tells CSO Australia.
“In class, the one part that I find is missing the most - and causing the most angst - is the limited operational experience people have when it comes to IPv6,” Ullrich told CSO.com.au.
From a security equipment perspective, the transition to IPv6 poses a number of challenges to the way security practitioners protect networks under IPv4. Many of them stem from how manufacturers navigate the transitional phase, which is akin to introducing a new material to an industry: it impacts the entire supply chain.
Metasploit founder and Rapid7 CTO HD Moore told me at IPv6 Launch last June that devices in the DMZ -- firewalls, web servers, IDS and IPS -- may function as expected in IPv4 but are often poorly supported in IPv6.
On the other side, PC operating systems mostly do support IPv6 internet and tunneling, while equipment such as routers doesn’t properly support IPv6 firewall and packet filter functions. IPv6 therefore opens new risks to the network, and security pros need hands-on experience dealing with these.
“If you think about IPv4, most practitioners got good doing it not by attending classes, but by making mistakes in the field. Network outages due to badly configured routers are the kind of operational experience we are missing when it comes to IPv6,” said Ullrich.
“I think we need to share more of these experiences to avoid having to make the same mistakes twice.”
To improve the situation, Ullrich has put a call out to security professionals to submit tales of success and defeat during IPv6 transitions, such as:
- a security problem you ran into with IPv6
- a solution to a security problem (even better)
- found a tool that works really well (or not at all) with IPv6
- figured out a way to solve an IPv4 security problem by switching to IPv6
Ullrich is also looking for experiences with log analysis tools that were used to debug network problems or detect security breaches.
“It’s really about information sharing, which is what we do at the Internet Storm Center,” said Ullrich.
The lack of hands-on experience would come as no surprise to the engineers responsible for managing and allocating regional internet address space.
At a recent conference in Canberra, Geoff Huston, the chief scientist for APAC’s regional registry APNIC, lamented the lack of IPv6 uptake by fixed and mobile carriers, Lifehacker.com.au reported this week.
Fixed line operators, which hoarded IPv4 addresses, prefer to sweat existing network infrastructure with network address translation (NAT) equipment rather than migrate to IPv6.
“NAT is right now the preferred solution because people know how to do it, and people also know its limitations, so it is ‘understood’,” said Ullrich.