IPV6 ar­rives, but not every­where

Last month marked a ma­jor milestone as IPV6 went live on the In­ter­net — a look at some po­ten­tial se­cu­rity hur­dles for en­ter­prises

InformationWeek - - Contents - By Kelly Jack­son Hig­gins

Last month marked a ma­jor milestone as IPv6 went live on the In­ter­net — a look at some po­ten­tial se­cu­rity hur­dles for en­ter­prises

June 6 may have been the first of­fi­cial day of IPV6 op­er­a­tion on the in­ter­net, but not ev­ery­one is ready yet to adop the new pro­to­col. Only about 1 per­cent for so of the In­ter­net is now run­ning on IPV6 the day af­ter the switch to the new pro­to­col was flipped per­ma­nently. But that's ac­tu­aly a big jump, with 150 per­cent growth in IPV6 over the past year, ac­cord­ing to Google, which es­ti­mates that half of all In­ter­net users will be on­line via IPV6 in the next six years.

Gart­ner pre­dicts that by 2015, 17 per­cent of users world­wide will use IPV6, and 28 per­cent of new In­ter­net con­nec­tions will be IPV6.

Vint Cerf, con­sid­ered the fa­ther of the In­ter­net, says he ex­pects faster adop­tion rates now for IPV6, which has been in the mak­ing for more than two decades. “I an­tic­i­pate rapid growth now that it is turned on and we left it on,” says Cerf, who is chief In­ter­net evan­ge­list at Google.

“There are no more ex­cuses. You have to be able to run IPV4 and IPV6 all the time, any time. For any ISP or edge provider or clients or servers, if you’re not ca­pable of run­ning IPV6, you are on no­tice,” Cerf said in an IPV6 Day post­mortem press brief­ing that was con­ducted via an IPV6- con­nected We­bex. “You have to get go­ing and get IPV6 run­ning.”

For most en­ter­prises, IPV6 adop­tion is not a done deal yet if they al­ready have plenty of IP ad­dresses and aren’t un­der any pres­sure to de­ploy it. And if it’s not de­ployed prop­erly, it can in­cur se­cu­rity risks — an­other rea­son for tak­ing it slowly, se­cu­rity ex­perts ad­vise.

ISPs and net­work equip­ment providers, es­pe­cially those in the con­sumer mar­ket, have led the charge to IPv6. Among the or­ga­ni­za­tions that of­fi­cially adopted IPv6 on IPv6 Day were Akamai, AT&T, Bing for Mi­crosoft, Cisco, Com­cast, Face­book, Google, In­tern­ode, and Ya­hoo.

So what should en­ter­prises watch out for se­cu­rity-wise when mak­ing the switch? Fail­ing to re- con­fig­ure or up­grade fire­walls and perime­ter de­fenses to sup­port the new pro­to­col is one big no-no, ac­cord­ing to James Lyne, Direc­tor of Tech­nol­ogy Strat­egy at Sophos. He ad­vises or­ga­ni­za­tions to dis­able IPv6 al­to­gether un­less they are truly ready to go there so that at­tack­ers don’t ex­ploit de­vices that run IPv6 by de­fault.

And there’s also the in­evitable

Or­ga­ni­za­tions should dis­able IPv6 al­to­gether un­less they are truly ready to go there to pre­vent any at­tacks on de­vices that run IPv6 by de­fault

dis­cov­ery of new vul­ner­a­bil­i­ties in IPv6, as well as or­ga­ni­za­tions mis­con­fig­ur­ing their IPv6 sys­tems and leav­ing the door open for vul­ner­a­bil­i­ties and at­tacks. One ex­am­ple of a dan­ger­ous mis­con­fig­u­ra­tion is when set­ting up tun­nel­ing be­tween IPv4 and IPv6: It’s pos­si­ble to inad­ver­tently al­low ex­ter­nal traf­fic to flow through the tun­nel freely, for in­stance.

There are some other gotchas that IPv6 pioneers are ex­pe­ri­enc­ing. Ryan Laus, Net­work Man­ager at Cen­tral Michigan Univer­sity (CMU), is work­ing on an IPv6 roll­out at CMU that will of­fi­cially launch this sum­mer. Like many univer­si­ties, the cat­a­lyst for go­ing IPv6 has been the ex­plo­sion in mo­bile de­vices join­ing the cam­pus net­work. “The last three years, we have seen such a huge growth in wire­less de­vices that it was start­ing to re­ally stretch [our IP ad­dress] al­lo­ca­tion to the breaking point,” Laus says.

CMU al­ready has IPv6 en­abled on its edge routers, and is work­ing on en­sur­ing its in­fra­struc­ture can han­dle IPv6 both on the router and fire­wall end. Its in­tru­sion de­tec­tion sys­tem (IDS) is also IPv6- ca­pable. “We want to make sure we have vis­i­bil­ity into the IPv6 net­work as we’re build­ing it out” for se­cu­rity and per­for­mance rea­sons, Laus says.

One big con­cern is pre­vent­ing traf­fic from tun­nel­ing IPv6 traf­fic through the univer­sity’s net­work. “The big­gest thing is vis­i­bil­ity,” he says. “We need to see what peo­ple might and might not be us­ing and make sure IPv6 is han­dled in hard­ware. We can see that with [Lan­cope] StealthWatch, and can clas­sify traf­fic on the IPv6 tun­nel.”

Laus says some or­ga­ni­za­tions ac­tu­ally block IPv4/IPv6 tun­nel­ing al­to­gether, but that wouldn’t work for CMU be­cause many Asian coun­tries use only IPv6, and the univer­sity needs to al­low that traf­fic for re­search and op­er­a­tions rea­sons with users there. “[ When] I feel con­fi­dent that we have the se­cu­rity and mon­i­tor­ing things han­dled, [we will] roll out IPv6” fully, he says. For now, the in­ter­nal net­work is hy­brid IPv4/IPv6, and by the end of the sum­mer CMU’s web­site and ex­ter­nal traf­fic will be IPv6- en­abled.The univer­sity has ex­pe­ri­enced a few se­cu­rity hic­cups with IPv6, in­clud­ing an odd in­ci­dent where a user’s home Win­dows Vista lap­top with the In­ter­net Con­nec­tion Shar­ing (ICS) fea­ture en­abled con­nected to the cam­pus net­work via both the wired net­work and via wire­less adapters. In­ter­net Con­nec­tion Shar­ing lets users share out their ma­chines like a home router, and can an­swer DNS queries.

The ma­chine’s wired adapter had been reg­is­tered on the cam­pus net­work, but the wire­less one was not. Be­cause Win­dows Vista and Win­dows 7 by de­fault se­lect wire­less over wired and IPv6 over IPv4, things got in­ter­est­ing.

“[Shar­ing] does funny things to DNS re­quests,” he says. “It was shar­ing out its con­nec­tion, and other ma­chines on the same lo­cal net­work” with IPv6 en­abled were di­rected to the lap­top, which re­ceived their DNS re­quests, he says.

Be­cause wire­less takes prece­dence over wired in IPv6 here, the ma­chine re­turned the DNS re­sponse pro­vided by the wire­less card, which was the URL for CMU’s net­work de­vice reg­is­tra­tion page. “Es­sen­tially, all wired ma­chines on that lo­cal sub­net with IPv6 en­abled were only able to view the reg­is­tra­tion page, no mat­ter what URL was typed into the browser. Ma­chines with IPv6 dis­abled were not af­fected,” Laus says.

But ex­perts say se­cu­rity and other bumps like th­ese come with the new ter­ri­tory. Chris Smithee, net­work se­cu­rity man­ager at Lan­cope, says it’s hard to say whether IPv6 will bring more se­cu­rity over­all to the In­ter­net. It seems to be a toss-up: “From a high level, it does ap­pear to be more se­cure in the way hosts com­mu­ni­cate,” Smithee says. “But there are not enough peo­ple try­ing to ex­ploit it” right now to be sure, he says.

“I feel any­time you make an ad­vance­ment with some­thing, it is a lit­tle more se­cure,” he says.

If or­ga­ni­za­tions mis­con­fig­ure their IPv6 sys­tems, they leave the door open for vul­ner­a­bil­i­ties and at­tacks

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.