Biggest risks in IPv6 security today

Although IPv6 packets have started to flow, network engineers still tread lightly because of lingering security concerns. Here are the top six security risks in IPv6 network security today as voted by gogoNET members, a community of 95,000 network professionals.

Lack of IPv6 security training/education. The No.1 risk today is the lack of IPv6 security knowledge. Enterprises must invest time and money in IPv6 security training upfront, before deploying. Otherwise they risk compromise and will spend more time and more money on security later to plug the holes. Network security is more effective as part of the planning stage than after deployment. This is not an area to skimp on. According to Scott Hogg, IPv6 Security author and CTO of GTRI, "All security practitioners should learn about IPv6 now because all organizations have IPv6-capable and enabled operating systems in their environments. Failure to secure the IPv6 systems is like allowing a huge back-door to exist."

Security device bypass via unfiltered IPv6 and tunneled traffic. Only a lack of knowledge is considered a bigger risk than the security products themselves. Conceptually it's simple: security products need to do two things, recognize suspicious IPv6 packets and apply controls when they do. In practice, however, this is hardly possible in v4, let alone in an environment that may have rogue or unknown tunnel traffic. "There are 16 different tunnels and transition methods not to mention upper layer tunnels like: SSH, IPv4-IPSec, SSL/TLS and even DNS," says Joe Klein, Cyber Security Subject Matter Expert for the IPv6 Forum and Expert Cyber Architect at SRA International. "The first step is knowing what you're looking for." The current crop of security products, especially those converted from v4 to v6, hasn't necessarily matured enough to match the threats it is protecting against.
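As an added illustration of "knowing what you're looking for" (not code from the article or its sources), the sketch below flags flow records that carry common IPv6 transition traffic. It covers only a few of the tunnel types mentioned above; the markers (IPv4 protocol 41, Teredo's UDP port 3544, the 6to4 and Teredo prefixes, the 6to4 relay anycast range) come from the relevant RFCs, and the flow-record layout and sample flows are constructed for this example.

```python
import ipaddress

# Transition-traffic markers from the relevant RFCs (not listed in the article).
PROTO_IPV6_IN_IPV4 = 41   # 6in4, 6to4 and ISATAP carry IPv6 as IPv4 protocol 41
PROTO_TCP, PROTO_UDP = 6, 17
TEREDO_UDP_PORT = 3544    # Teredo wraps IPv6 in IPv4 UDP
SIXTOFOUR_RELAY = ipaddress.ip_network("192.88.99.0/24")  # 6to4 relay anycast

def classify(flow):
    """Return the tunnel indicators present in one flow record (a dict)."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    hits = []
    if src.version == 4:
        if flow["proto"] == PROTO_IPV6_IN_IPV4:
            hits.append("ipv6-in-ipv4 (protocol 41)")
        ports = (flow.get("sport"), flow.get("dport"))
        if flow["proto"] == PROTO_UDP and TEREDO_UDP_PORT in ports:
            hits.append("teredo (udp/3544)")
        if dst in SIXTOFOUR_RELAY:
            hits.append("6to4 relay anycast")
    else:
        # An IPv6 address inside a transition prefix means a tunnelled endpoint.
        for role, addr in (("src", src), ("dst", dst)):
            if addr.sixtofour is not None:        # 2002::/16
                hits.append(f"6to4 address ({role} embeds {addr.sixtofour})")
            if addr.teredo is not None:           # 2001::/32
                hits.append(f"teredo address ({role} client {addr.teredo[1]})")
    return hits

def scan(flows):
    """Return (index, indicators) for every flow that shows tunnel traffic."""
    return [(i, h) for i, f in enumerate(flows) if (h := classify(f))]

# Constructed sample flows using documentation address ranges only.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": PROTO_TCP, "sport": 40000, "dport": 443},
    {"src": "192.0.2.11", "dst": "203.0.113.5", "proto": PROTO_IPV6_IN_IPV4},
    {"src": "192.0.2.12", "dst": "198.51.100.1", "proto": PROTO_UDP, "sport": 51000, "dport": 3544},
    {"src": "2001:db8::20", "dst": "2002:c000:204::1", "proto": PROTO_TCP, "sport": 40001, "dport": 80},
    {"src": "2001:db8::21", "dst": "2001:0:c633:6401:8000:63bf:3fff:fdd2", "proto": PROTO_TCP},
]

if __name__ == "__main__":
    for index, indicators in scan(SAMPLE_FLOWS):
        print(index, SAMPLE_FLOWS[index]["src"], "->", SAMPLE_FLOWS[index]["dst"], indicators)
```

Upper-layer tunnels such as SSH, TLS or DNS are not visible at this level and need separate inspection.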

Lack of IPv6 support at ISPs and vendors. Thorough testing is critical until IPv6 security functionality and stability are on par with that of IPv4. A test network and a test plan for all protocols involved must be devised to test all equipment, especially new security tech from vendors. Every network is unique and requires a unique test plan; however, help can be found on Joe Klein's and Scott Hogg's blogs. Further complicating the issue is not having a native IPv6 connection from your provider. A tunnel connected to your interface further increases security complexity and provides an opening for man-in-the-middle and denial-of-service attacks. Demand native IPv6 from your upstream provider.

Congruence of security policies in v4 & v6. Weak v6 security policies are a direct result of the current deficit in IPv6 security knowledge. Not only does the depth of the IPv6 security policies need to equal that of their IPv4 counterparts, but their breadth must be wider to encompass new vulnerabilities that didn't need to be considered in a homogeneous IPv4 environment.

Bugs in new code. Any new code comes with bugs. In this case they can be found in the code around NICs, TCP/UDP and networking software libraries that don't fully support IPv6 yet. Technologies such as SIP, VoIP and virtualization can also be vulnerable. At best bugs are an annoyance; at worst they can introduce new vulnerabilities in your network. The remedy, as before, is testing. A test network and a comprehensive test plan will expose defects well enough to isolate them, so that workarounds can be found or a deployment shut down altogether until they're repaired.

Absence of NAT. The misconception of NAT is so widespread that its absence in IPv6 is misinterpreted to be a top security risk. It may be comforting to have NATs in v6 environments but in reality they don't provide any added security. The statefulness of the firewall provides security, not the translation of network addresses.
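To make the point about statefulness concrete, here is an added sketch (not from the article) of a connection-tracking filter that never rewrites an address. The site prefix, host addresses and the `StatefulFilter` class are constructed for illustration, and real firewalls also track protocol state and timeouts, which this model omits.

```python
import ipaddress

INSIDE = ipaddress.ip_network("2001:db8:1::/48")  # constructed site prefix

class StatefulFilter:
    """Connection-tracking filter that forwards addresses untranslated."""

    def __init__(self, inside):
        self.inside = inside
        self.flows = set()   # 5-tuples of flows opened from the inside

    def check(self, proto, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.inside:
            # Outbound: allowed, and the flow is recorded for its replies.
            self.flows.add((proto, src, sport, dst, dport))
            return "accept"
        # Inbound: accepted only as the mirror image of a recorded flow.
        if (proto, dst, dport, src, sport) in self.flows:
            return "accept"
        return "drop"

def demo():
    """Run constructed packets through the filter and return the verdicts."""
    fw = StatefulFilter(INSIDE)
    host, peer = "2001:db8:1::10", "2001:db8:ffff::80"
    return [
        fw.check("tcp", peer, 55000, host, 22),    # unsolicited, before any state
        fw.check("tcp", host, 40000, peer, 443),   # inside host opens a flow
        fw.check("tcp", peer, 443, host, 40000),   # reply to that flow
        fw.check("tcp", peer, 443, host, 22),      # same peer, different port
    ]

if __name__ == "__main__":
    print(demo())
```

The inside host keeps its globally routable address throughout, yet unsolicited inbound packets are dropped, including those from a peer it is already talking to on another port.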

IPv6 security cannot be a simple clone of what's in place for IPv4; that kind of thinking is dangerous. Training must occur, policies must be extended and new tech must be introduced into networks to ward off new threats. The transition from a homogeneous v4 network and network of networks to a heterogeneous v4/v6 reality brings with it new types of traffic and equipment that must be taken into account.

Furthermore, since v6 is relatively new and the market for it is just beginning, IPv6 security products cannot be expected to be as robust. This makes for interesting and dangerous times between now and when the security around v6 matures and its operators have gained the same level of experience as they currently have with IPv4.

To dig deeper into IPv6 security, listen to The IPv6 Show podcast, episodes 3 and 4, on iTunes, or attend the gogoNET LIVE! IPv6 conference on Nov. 14, 2013, online or onsite in San Jose, for the discussion panel "Top 6 Security Risks in IPv6 Today."

Sinclair has been a part of the IPv6 market since 2006 and is CEO of gogo6, a provider of IPv6 products, community and services. Original market insights for his blogs are gathered from the gogoNET social network, consisting of over 95,000 registered network professionals. Bruce hosts "The IPv6 Show" podcast on iTunes and writes an IPv6 Market Intelligence newsletter for networking vendors.
