With the exhaustion of the public pool of available IPv4 addresses in 2011, the need for networks to move to the next-generation IPv6 system of Internet addresses is becoming increasingly important. Moving to IPv6 comes with a host of challenges, not the least of which are security related.
While IPv6 provides vastly more address space as well as additional protocol enhancements over IPv4, according to Check Point Fellow Robert Hinden, IPv6 security isn’t all that different from IPv4 security. Hinden is no newcomer to IPv6: he’s a contributor to the IPv6 protocol specification and has helped lead standardization efforts at the Internet Engineering Task Force (IETF).
“You will want to create an IPv6 security policy that sort of mirrors your IPv4 security policy,” Hinden told InternetNews.com. “If you decide to block some set of protocols in or out with IPv4, you will probably want to do that in IPv6.”
While many organizations may think that they haven’t yet moved to IPv6, Hinden warned that IPv6 capabilities are already available in more places than many users think. Windows 7, for example, supports IPv6 and could enable a user to tunnel IPv6 traffic over a network even if the enterprise as a whole is not officially running IPv6.
“You need to have security tools that look for IPv6 packets and you need to have a policy for what you want to do,” Hinden said. “IPv6 tunneling could be happening without the knowledge of the IT group in an enterprise.”
Unmonitored IPv6 traffic is likely the greatest risk that IPv6 represents to enterprises today. Since IPv6 support is well deployed in software products today, it could be possible for malware to use it as a back channel for transmission.
“If you don’t have security tools that know how to look at IPv6 packets, you won’t be aware of the threats,” Hinden added.
Visibility in IPv6, however, can be somewhat different than it is in IPv4 due to the use of extension headers in the packet. Hinden noted that where you go to look for information in an IPv4 packet may be different than where it resides in IPv6.
“Security devices need to learn about the different combination of headers so they can implement the same policy in different places,” Hinden said. “This is an area where IPv6 is more challenging than IPv4.”
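The two visibility points above can be shown in code. This is an added example, not from the article or from Check Point: it recognises IPv6 carried inside IPv4 (protocol 41) and walks the extension header chain to reach the TCP destination port that a policy would match on. The function names and sample packets are constructed for illustration, and UDP-based tunnels such as Teredo are not covered.

```python
import struct

# Extension headers that carry a Next Header field (RFC 8200; AH is RFC 4302).
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "auth", 60: "dest-opts"}

def walk_ipv6(pkt):
    """Return (extension header names, upper-layer protocol, its offset)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == 44:
            size = 8                          # fragment header has a fixed size
        elif nxt == 51:
            size = (pkt[off + 1] + 2) * 4     # AH counts 4-byte units
        else:
            size = (pkt[off + 1] + 1) * 8     # others count 8-byte units
        chain.append(EXT[nxt])
        later_fragment = nxt == 44 and struct.unpack_from("!H", pkt, off + 2)[0] >> 3
        nxt, off = pkt[off], off + size
        if later_fragment:                    # payload is mid-stream, stop here
            break
    return chain, nxt, off

def inspect(pkt):
    """Classify a raw IP packet and locate the TCP destination port, if any."""
    kind = "native-ipv6"
    if pkt[0] >> 4 == 4:
        if len(pkt) < 20 or pkt[9] != 41:     # protocol 41 = IPv6 inside IPv4
            return {"kind": "ipv4"}
        kind, pkt = "ipv6-in-ipv4", pkt[(pkt[0] & 0x0F) * 4:]
    chain, proto, off = walk_ipv6(pkt)
    port = None                               # fragments are left to reassembly
    if proto == 6 and off + 4 <= len(pkt) and "fragment" not in chain:
        port = struct.unpack_from("!H", pkt, off + 2)[0]
    return {"kind": kind, "headers": chain, "proto": proto, "tcp_dport": port}

def sample_packets():
    """Constructed samples: TCP to port 23 behind two extension headers."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 23, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    payload = bytes([60, 0, 1, 4, 0, 0, 0, 0]) + bytes([6, 0, 1, 4, 0, 0, 0, 0]) + tcp
    addrs = bytes.fromhex("20010db8" + "00" * 11 + "01") + bytes.fromhex("20010db8" + "00" * 11 + "02")
    v6 = struct.pack("!IHBB", 0x60000000, len(payload), 0, 64) + addrs + payload
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, 41, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return v6, v4 + v6

if __name__ == "__main__":
    for p in sample_packets():
        print(inspect(p))
```

In the native sample the TCP header starts at byte 56 rather than byte 40, so a filter that only reads the fixed IPv6 header's Next Header field sees hop-by-hop options and never reaches the port.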