by Jose Bejar, M.S. Telecommunications and Network Management ‘14
What is IPv6?
IPv6 appeared as a protocol designed to overcome some of the inherent issues in IPv4. Since the protocol was developed taking into account improvements needed for IPv4, such as security, one could think that IPv6 and its new set of features are a glass of water for someone in the middle of the desert. IPv6 includes several security improvements over IPv4. IPsec, for example, is a gold star that creates expectations regarding embedded privacy, authentication, and authorization. The possibility of having encrypted communications over almost any network is as promising as the idea of having enough IP addresses available not to have to worry about VLSM anymore.
IPv4 and IPv6
IPv6 is an incredible protocol, and I am not saying it just because I have become a fan of it, but because it has been created with the idea of supporting a new and bigger worldwide network in mind. Nonetheless, it was created when people could still be trusted. IPsec solves several security problems associated with the old and still useful IPv4. Some popular attacks in IPv4 take advantage of an unsecured connection. The implementation of IPsec is mandatory in IPv6; however, its configuration is not. This means that even though the protocol has the feature embedded, administrators have to choose to activate it to take advantage of it. Unsecured IPv6 networks bring us back to common IPv4 issues and lose the whole point of integrating IPsec in the protocol.
The coexistence of IPv4 and IPv6 and the supposed security consequences of not having NAT are other concerns. Coexistence of IPv4 and IPv6 requires some devices to run dual stack. Firewalls and routers should have correct configurations, and tunnels should be properly controlled. A tunnel where a message from one protocol is tunneled using the other may hide a message from firewall inspection. The other issue, the absence of NAT, has also been wrongly mentioned as a possible source of security issues. NAT in IPv4 does not really provide security features itself; the protection comes from the firewall or router that controls NAT. Although the absence of NAT might make IT administrators feel naked, other real security issues are more relevant. DNS poisoning, for example, is an inherited security problem that has adopted new flavors on IPv6. The same can be said of man-in-the-middle, smurfing, local IP address DoS, and router impersonation, among others. At the CCENT lab, we are working on testing issues related to IPv6. In previous analyses we have tested MIM attacks spoofing ND messages, IPv6 router impersonation, and DoS against interfaces verifying the uniqueness of their IP address, among some others.
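The tunnel inspection gap described above can be checked for at a dual-stack boundary. The following Python is an added example, not code from the original article or the CCENT lab: it flags IPv4 packets that carry IPv6 (protocol 41, or UDP port 3544 as used by Teredo) and extracts the inner IPv6 header so that filtering policy can be applied to it. The function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number: IPv6 encapsulated in IPv4
PROTO_UDP = 17
TEREDO_PORT = 3544       # UDP port used by Teredo tunnelling

def inspect_ipv4(packet: bytes):
    """Describe any IPv6 tunnel found in a raw IPv4 packet, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes (options included)
    if ihl < 20 or len(packet) < ihl:
        return None
    payload = packet[ihl:]
    if packet[9] == PROTO_IPV6_IN_IPV4:
        kind, inner = "proto-41", payload
    elif packet[9] == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        kind, inner = "teredo", payload[8:]
    else:
        return None
    result = {
        "tunnel": kind,
        "outer_src": str(ipaddress.IPv4Address(packet[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(packet[16:20])),
        "inner": None,  # stays None when no plain IPv6 header follows (e.g. Teredo extra headers)
    }
    if len(inner) >= 40 and inner[0] >> 4 == 6:   # fixed IPv6 header is 40 bytes
        result["inner"] = {
            "src": str(ipaddress.IPv6Address(inner[8:24])),
            "dst": str(ipaddress.IPv6Address(inner[24:40])),
            "next_header": inner[6],
        }
    return result

def sample_6in4() -> bytes:
    """Constructed sample: ICMPv6 (next header 58) inside IPv4 protocol 41."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 58, 64)
    inner += ipaddress.IPv6Address("2001:db8::1").packed
    inner += ipaddress.IPv6Address("2001:db8::2").packed
    # Checksum left as 0: this example does not validate it.
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_IPV6_IN_IPV4, 0)
    outer += ipaddress.IPv4Address("192.0.2.1").packed
    outer += ipaddress.IPv4Address("198.51.100.7").packed
    return outer + inner
```

A firewall that only evaluates the outer IPv4 header would see traffic between 192.0.2.1 and 198.51.100.7; the inner ICMPv6 exchange becomes visible only once the encapsulated header is parsed.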
Policy and Security Considerations
Finally, policies and the human factor cannot be overlooked when we talk about security. From bits and low-level code to management and policies, security must be practiced at all levels if we want to go to bed peacefully, at least for one night. Good and strong policies are required, especially in environments where IPv4 and IPv6 coexist. Management should also spend resources training their IT employees to handle both protocols. Well-defined policies and practices complement IT efforts to keep networks and systems secure. Security is like politics: it depends entirely on people, even if they are not aware.