Network Computing is part of the Informa Tech Division of Informa PLC


Will IPv6 Make Us Unsafe?: Page 4 of 4

Beyond Black Hats

Security goes beyond deflecting attacks. You must also guard against unintended side effects that can bring down portions of your network as effectively as any denial-of-service exploit. In the case of IPv6, there are two key nonmalicious threats to watch for.

First, don't assume that because you achieve a given performance level from a network system running IPv4 you will realize the same performance when you add IPv6. A router that processes and forwards IPv4 packets in hardware might process IPv6 packets in software. A firewall's CPU might slow significantly when it processes IPv6, particularly if extension headers are involved.

The other major nonmalicious threat to your IPv6 network is lack of training. From the very different address format to the key protocol differences between IPv4 and IPv6, your network operators and engineers need to be prepared.

Watch For Bugs

IPv6 implementations almost always mean running code that hasn't yet undergone production vetting. A router vendor might have supported OSPFv2 for almost 20 years, but OSPFv3 for IPv6? It's new--and very likely buggy. Did your firewall vendor release IPv6 support only within the past couple of years--or even months? Then there are surprises awaiting you. This isn't an indictment of sloppy development work; we all depend on extensive production deployments to reveal problems. Yet worldwide, IPv6 is still in its early stages of use, meaning even IPv6 implementations that were written years ago may just be getting their first large-scale field tests.

Even standards bodies are occasionally guilty of overlooking security risks. Two infamous examples of early oversights in IETF specifications were an IPv6 source routing vulnerability that opened the possibility of amplification attacks and firewall bypasses, and an ICMPv6 vulnerability that allowed ping-pong attacks on point-to-point links. Both vulnerabilities were well known in IPv4 and had long been corrected in earlier standards, but were simply overlooked in initial IPv6 specifications. And while these mistakes have been corrected in newer versions of the protocol, you need to assume that some operating systems in your network incorporate the older, problematic standards--which brings us right back to awareness, communication, and testing.
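The source routing oversight described above is the one associated with the type 0 routing header, which RFC 5095 deprecated. As an added example (not code from the original article), this Python sketch walks the extension-header chain of a raw IPv6 packet and reports a type 0 routing header, the kind of check you can run over captured traffic when testing older stacks; the sample packet, its 2001:db8:: documentation addresses, and the function names are constructed for illustration, and ESP, AH, and No Next Header are treated as the end of the chain.

```python
import struct

# IANA protocol numbers for the IPv6 extension headers handled here.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def walk_extension_headers(packet: bytes):
    """Walk the extension-header chain of a raw IPv6 packet.

    Returns (chain, findings): the next-header values in order, ending with
    the upper-layer protocol when it is reachable, plus policy findings.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset = packet[6], 40
    chain, findings = [], []
    while next_hdr in EXT_HEADERS:
        chain.append(next_hdr)
        # The fragment header is fixed at 8 bytes; the others carry a length
        # field counted in 8-byte units, excluding the first 8 bytes.
        length = 8
        if next_hdr != FRAGMENT and offset + 2 <= len(packet):
            length = (packet[offset + 1] + 1) * 8
        if offset + length > len(packet):
            findings.append("truncated extension header")
            return chain, findings
        if next_hdr == ROUTING and packet[offset + 2] == 0:
            findings.append(
                f"routing header type 0, segments left {packet[offset + 3]}")
        if next_hdr == FRAGMENT:
            frag_offset = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_offset:
                findings.append("non-first fragment: no upper-layer header")
                return chain, findings
        next_hdr, offset = packet[offset], offset + length
    chain.append(next_hdr)
    return chain, findings

def build_sample(routing_type: int) -> bytes:
    """Constructed test packet: IPv6 + routing header + ICMPv6 echo request."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    # next header 58 (ICMPv6), length 2 units, type, segments left 1, one address
    routing = bytes([58, 2, routing_type, 1]) + bytes(4) + dst
    payload = routing + bytes([128, 0, 0, 0, 0, 1, 0, 1])
    return struct.pack("!IHBB", 6 << 28, len(payload), ROUTING, 64) + src + dst + payload

if __name__ == "__main__":
    print(walk_extension_headers(build_sample(0)))
```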

New Opportunities

5 Key Policy Changes in IPv6

Extension headers

Neighbor Discovery Protocol

Heavier dependency on ICMP

Flow labels

No NAT66--get over it

The transition from IPv4 to IPv6 is a major evolution. It's also unavoidable, unless retirement is in your near-term plans. And although IPv6 presents some new security challenges, none of them are insurmountable given the right preparation. In fact, smart CIOs are looking at the transition as an opportunity. Are your security practices and systems all that you want them to be? If not, an IPv6 deployment can be the perfect time to assess your situation and improve or replace your current security architecture and practices.

The transition to IPv6 is also an opportunity for us as a community to reconsider the way security is practiced. Are firewalls and intrusion detection systems sufficient protection? All of the 1,000-plus respondents to our latest InformationWeek Analytics Strategic Security Survey use firewalls, and 93% have intrusion detection/prevention systems in place. But walls have never truly protected us--maybe it's time to consider a new outlook, like moving to a model of end-to-end authentication and encryption, creating "zones of protection" around individual hosts and servers, and adding improved algorithms for threat analysis and interdiction. And maybe IPv6 can help us get there.

Jeff Doyle is president of Jeff Doyle and Associates. He specializes in IP routing protocols, MPLS, and IPv6 and has worked globally with large IP service provider networks.