More secure IPv6 won't stop vulnerability bugbear

Next-generation Internet addressing promises more IP addresses and better security, but moving to IPv6 won’t cure today’s vulnerabilities and could even introduce some new threats.

This month the IT industry witnessed the last allocation of IPv4 network addresses to the Asia Pacific Network Information Centre (APNIC) and, by some estimates, full depletion could happen within a year.

The transition to IPv6 will require changes to networking infrastructure and software, which will result in a lot of newer code being pushed into production environments, potentially resulting in new vulnerabilities.

President of the IPv6 Forum in Australia, Michael Biber, said the basic problem is that the industry has had 30 years of fine-tuning the IPv4 Internet “but we’ve only had a year with the IPv6 Internet”.

“So some of the things that are well-protected in IPv4 are only becoming available in IPv6,” he said.

“There are definitely vulnerabilities, but it’s not really any different to the existing protocol.”

Mark Wallis, network administrator with Westpac-owned payment processing company Qvalent, recommends the first thing to do is to look at IPv6 out to the Internet from the internal network.

“There is a lot of fear mongering with IPv6 and a lot of people are rushing to IPv6 without understanding it so there will be a lot of broken implementations,” Wallis said.

Part of Wallis’ role is to secure Qvalent’s database of payment card details, which are stored encrypted and only transferred through encrypted connections.

“We use F5 equipment which gives us a nice way to segregate for IPv4 and IPv6.”

IPv6 offers native IPsec for encryption, and each packet has authentication built in, properties that give it a reputation for a higher level of security than IPv4.

F5 Networks’ senior director of product management, Jason Needham, said app security won’t go away with IPv6, nor will it solve denial-of-service type attacks.

“IPv6 could even make application security problems worse as the end-to-end encryption gives an attacker the ability to mask what they are doing,” Needham said.

Biber said such tunnelling problems will be a concern with both protocol versions, and there are tools and techniques to work around these problems.

“One issue that comes up is operating systems that have IPv6 turned on by default,” he said. “Anyone who has Windows 7, a Mac, or some versions of Linux is running IPv6 without knowing. And tunnels may circumvent the control people have in place.”

“Tunnels could be created by people or by malware. The only way to combat that is to become IPv6 aware and make sure the security tools are IPv6 aware.”
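An added example, not part of the original article: one way a flow-log check can be made IPv6 aware in the sense Biber describes, flagging records that match common IPv6 transition tunnels. The record layout, function names and sample flows are assumptions; the protocol number, port and prefixes come from the tunnelling RFCs rather than from the article.

```python
import ipaddress

# Well-known transition-mechanism identifiers (from the RFCs, not the article).
PROTO_IPV6_IN_IPV4 = 41   # 6in4 / 6to4 / ISATAP encapsulation (RFC 4213)
TEREDO_UDP_PORT = 3544    # Teredo server port (RFC 4380)
TUNNEL_PREFIXES = {
    "6to4": ipaddress.ip_network("2002::/16"),    # RFC 3056
    "teredo": ipaddress.ip_network("2001::/32"),  # RFC 4380
}

def classify_flow(flow):
    """Return a tunnel label for one flow record, or None if nothing matches.

    flow is a dict with keys src, dst, proto (IP protocol number) and
    dport (destination port or None); this layout is hypothetical.
    """
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src.version == 4:
        # IPv6 carried inside IPv4: invisible to tools that only parse IPv4.
        if flow["proto"] == PROTO_IPV6_IN_IPV4:
            return "ipv6-in-ipv4 (protocol 41)"
        if flow["proto"] == 17 and flow.get("dport") == TEREDO_UDP_PORT:
            return "teredo (udp/3544)"
        return None
    # Native IPv6 record: the address itself reveals the tunnel mechanism.
    for name, net in TUNNEL_PREFIXES.items():
        if src in net or dst in net:
            return f"{name} address"
    return None

def find_tunnels(flows):
    """Return (flow, label) pairs for every flow that looks like a tunnel."""
    labelled = ((flow, classify_flow(flow)) for flow in flows)
    return [(flow, label) for flow, label in labelled if label]

# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": 6, "dport": 443},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "proto": 41, "dport": None},
    {"src": "192.0.2.12", "dst": "203.0.113.5", "proto": 17, "dport": 3544},
    {"src": "2002:c000:20a::1", "dst": "2001:db8::1", "proto": 6, "dport": 80},
    {"src": "2001:db8::5", "dst": "2001:db8::1", "proto": 6, "dport": 22},
]

if __name__ == "__main__":
    for flow, label in find_tunnels(SAMPLE_FLOWS):
        print(flow["src"], "->", flow["dst"], label)
```

A match is a prompt to check whether the tunnel is sanctioned, since the same mechanisms are used legitimately during IPv6 transition.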

Regarding the wave of new “IPv6-enabled” products and services that will flood the market, Biber says security concerns are “not a non-issue”, but in recent years developers have become better at abstracting the network layer.

“IPv6 is part of the arsenal that makes it harder for attackers to find vulnerabilities,” he said.

“We’re never going to win against the black hats in a definitive way, but we can keep the impact to a minimum. It’s a continuous battle as there will always be an attraction to vandalism. IPv6 is by no means a solution, but part of the arsenal.”

The annual IPv6 Summit is scheduled for Melbourne in October and a proposal to run a security workshop has been submitted to the organisers.

Follow Rodney Gedda on Twitter: @rodneygedda

Follow TechWorld Australia on Twitter: @Techworld_AU

Copyright © 2011 IDG Communications, Inc.
