Of late we have all been hearing that IPv6 is going to be the future and is designed to succeed IPv4, as IPv4 addresses are being exhausted at a rapid pace.
A few months back we also saw the Internet Society mark June 8th 2011 as "IPv6 Day", and many companies including Google, Facebook and Akamai participated in the event, essentially to test the readiness of the Internet for the latest protocol.
All said and done, security is always one of the major concerns when it comes to implementing or deploying any new protocol or design, and IPv6 is no exception.
Some of the major changes in IPv6 vs IPv4 are:
• Larger address (128 bits vs 32 bits)
• IPv6 allows for multiple addresses per host
• ARP is replaced by NDP (Neighbor Discovery Protocol)
IPv6 also has a feature called Stateless Address Auto Configuration, which allows IPv6 hosts to configure themselves automatically when connected to a routed IPv6 network using ICMP router discovery messages.
Coming to the security aspect of IPv6, it is often said that IPv6 is better because IPsec, the protocol for encryption and security, is mandatory in IPv6. However, there could still be some security issues, like the ones mentioned below, to look into:
1. There are attackers who have used IPv6 technology for quite some time and are aware of the possible misuse.
2. Lack of visibility into unknown or unauthorized IPv6 vulnerabilities.
3. Added complexity of running both IPv6 and IPv4 at the same time.
4. Lack of IPv6-focused security products.
Apart from the issues mentioned above, organizations could also come across some of the threats mentioned below:
1. Malicious IPv6 traffic: As of now, not many organizations are running IPv6, but once the migration takes place and the IPv6 protocol is adopted, they could see more IPv6-based attacks or rogue IPv6 traffic.
2. IPv6 Tunneling: This allows IPv6 packets to be encapsulated within IPv4 packets that can be sent through IPv4-enabled firewalls. This is a security concern because tunneled IPv6 packets might look like normal IPv4 packets.
3. IPv6 device: As mentioned above, IPv6 has a feature called auto-configuration, which allows an attacker to define a rogue device. This device can assign IP addresses to other devices on the network. Once that is done, the device may be able to sniff the network traffic or modify it.
4. Type 0 routing header: This appears to be a well-known vulnerability that was published by Cisco. According to Cisco, this vulnerability can be triggered only when Cisco IOS processes specifically crafted IPv6 type 0 routing headers, which are used for source routing. Repeated exploitation of a type 0 routing header could result in a DoS attack.
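To regain visibility into the tunneling case in item 2, a monitoring point can classify raw IPv4 packets by what they carry. The sketch below is an added example, not code from the original post; it assumes the two most common encapsulations, IPv4 protocol number 41 (6in4/6to4/ISATAP) and Teredo on UDP port 3544, neither of which the post names, and the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6 = 41     # IANA protocol number: IPv6 carried directly in IPv4 (6in4, 6to4, ISATAP)
PROTO_UDP = 17
TEREDO_PORT = 3544  # well-known UDP port used by Teredo


def classify_ipv4_packet(pkt: bytes):
    """Return (kind, inner_src, inner_dst); kind is not-ipv4, plain, 6in4 or teredo."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("not-ipv4", None, None)
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes, IPv4 options included
    if ihl < 20 or len(pkt) < ihl:
        return ("not-ipv4", None, None)
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6:
        kind, inner = "6in4", payload
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return ("plain", None, None)
        kind, inner = "teredo", payload[8:]
    else:
        return ("plain", None, None)
    # Report inner addresses only when a full 40-byte IPv6 header follows.
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return (kind, None, None)
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    return (kind, str(src), str(dst))


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed sample packet with documentation addresses; checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed) + payload


# Constructed inner IPv6 header: version 6, next header 59 (no next header).
INNER = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
         + ipaddress.IPv6Address("2001:db8::1").packed
         + ipaddress.IPv6Address("2001:db8::2").packed)
SAMPLES = {
    "6in4": build_ipv4(PROTO_IPV6, INNER),
    "teredo": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 48, 0) + INNER),
    "tcp": build_ipv4(6, bytes(20)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_ipv4_packet(pkt))
```

The inner addresses come back as `None` when the tunnel payload does not start with an IPv6 header, which happens for Teredo packets that carry extra Teredo headers first; the packet is still flagged by kind.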
Some of the mitigation steps which can be taken to ensure that IPv6 deployment is secure are:
1. The organization should increase the level of IPv6 knowledge among the people concerned, e.g. network administrators and network managers.
2. Plan the deployment in a phased manner.
3. Plan a transition period with dual IPv6-IPv4 co-existence.
At present only a few companies are implementing IPv6, and as organizations begin adopting it, more loopholes or vulnerabilities will be explored. For some time in the near future, we will definitely see IPv4 and IPv6 co-existing successfully. Implementing an IPv6 network securely lies in the hands of the network administrator or manager.
The real success of IPv6 can only be gauged once IPv6 is implemented globally, and if we do not see many attacks from the bad guys.