Currently a Check Point Fellow at Check Point Software and co-chair of the IPv6 working group at the Internet Engineering Task Force, Hinden is also chair of the IETF Administrative Support Activity, which is responsible for the fiscal and administrative support of the IETF standards process. He was previously at Nokia, Ipsilon Networks, Sun Microsystems and Bolt, Beranek and Newman, where he worked on a variety of Internet-related projects, including the first operational Internet router.
Network Computing: What role did you play in the development of IPv6, and when?
Hinden: I've been involved in the Internet from very early on, with Vint Cerf and the people who invented the Internet. When I was at Bolt, Beranek and Newman in the early '70s I did one of the early TCP/IP implementations.
We realized in 1991-92 that the use of IPv4 addresses was accelerating and knew we had to have a version with a larger address space. I and Steve Deering led the proposal that evolved to become IPv6.
I've been very fortunate to be at the place and time where this really began. Many people have been involved and made many contributions.
Converting to the 128-bit IPv6 standard is necessary because we have almost run out of 32-bit IPv4 addresses. Where IPv4 created a supply of 4 billion addresses, IPv6 provides more than 340 undecillion address combinations--34 followed by 34 zeros [340,000,000,000,000,000,000,000,000,000,000,000], a virtually unlimited supply.
Besides capacity, what were the key objectives of IPv6?
Hinden: The key design objective was the larger address space. The other IPv6 changes were incremental, things we could do better like autoconfigure for homes and small businesses, an attempt to make it more secure and things like that.
What about IPv6 security? How might it be exploited by attackers?
Hinden: IPv6 is about as secure as IPv4: It is not perfect, but it is more secure. The vulnerability in IPv6 is its now supported in most common operating systems ... the things people use every day. In many of these things it's turned on by default, or it's easy to create automatic tunnels to get out to the Internet.
Enterprises need to have security devices deployed now that can look at IPv6 traffic ... even if they don't have a current plan to deploy a lot of these devices. You can't stop what you can't see. There are good solutions from a range of security vendors.
What must security professionals do to secure their networks in preparation for the IPv6 transition?
Hinden: I run IPv6 at home... and just bought an Apple TV. I was trying to see how many connections were using Ipv6 and noticed that Apple TV was IPv6-enabled, and was using it. Because it's built into lots of devices, they'll use it, so enterprises need to understand that.
Are there other ways to proactively address IPv6 security vulnerabilities?
Hinden: Most of the uses of IPv6 are just a user wanting to try something out, and are not malignant. As a policy matter, it's better to block by default. There is a set of transition mechanisms that come with IPv6. I recommend that enterprise customers create default transmission protocols in their firewall to turn them off, requiring the creation of specific rules to turn those devices on.
What are some IPv6 transition concerns?
Hinden: If you were looking for malware before, you should be looking in IPv6. Whatever you were doing before with IPv4, you should be doing with IPv6.
Have there been any surprises along the way for you?
Hinden: I don't think I could have imagined the way people use the Internet today. The Internet of Things was easier to see; we've been talking about that for some time. I'm not surprised, but very pleased that we've changed the world.