Tuesday, May 22, 2012

IPv6 and Security: The Threat From Version 4

By Ken Presti, CRN

The official launch date for IPv6 is right around the corner, making June 6 famous for even more than the historic WW II invasion of Normandy. It might make the invasion of your customers’ networks more possible than ever before.

The higher threat level, according to Carl Herberger, vice president of security at Radware, lies in the fact that while IPv6 will be the new standard in the wide area network, the local area network will remain almost exclusively IPv4. And since the two versions were not designed to co-exist, there are some gaping holes in security.

“You basically need to translate Version 6 to Version 4 and we can do that by encapsulation,” Herberger explained to CRN. “And the encapsulation standards are all over the map. This situation causes problems with security inspections because if I can send an attack that exploits Version 4 vulnerabilities through a Version 6 inspection module, I’ve got a pretty high chance of success because the Version 6 inspection module will not be able to read it. And we haven’t been able to resolve this problem yet.”

To put it another way, the Version 4 exploits would effectively ride as a passenger through a security screen geared towards IPv6: the inspection module sees an IPv6 packet whose payload it does not decapsulate, and the IPv4 packet inside it is never examined.

To further complicate matters, Herberger says Version 4 could easily remain widely deployed in local area networks for 10 years or beyond, due to the absence of compelling business drivers to force local migrations anytime soon. “This opens up pretty much the full range of exploits because once you pass through the physical inspection module, you are through the perimeter and you have a new opportunity to deliver any payloads the malware producer wants.”
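The gap described in the two passages above is that an IPv6-only inspection module stops at the outer header. The following Python example is added here to show what a tunnel-aware inspector has to do instead; it is not code from the article, from CRN or from Radware. It assumes plain IP-in-IP encapsulation (IANA protocol number 4 for IPv4 carried inside another IP header, 41 for IPv6 carried inside IPv4), walks the encapsulation layers until it reaches a non-tunnel protocol, and hands the innermost header and payload to whatever IPv4 signature logic the site already runs. IPv6 extension headers and UDP-based tunnels such as Teredo are deliberately out of scope, and all packets are constructed samples.

```python
import struct
import ipaddress

# IANA protocol numbers involved in IP-in-IP tunneling
IPPROTO_TCP = 6
IPPROTO_IPIP = 4    # IPv4 carried inside another IP header (RFC 2003)
IPPROTO_IPV6 = 41   # IPv6 carried inside another IP header (6in4, RFC 4213)
TUNNEL_PROTOS = {IPPROTO_IPIP, IPPROTO_IPV6}
MAX_DEPTH = 4       # refuse absurdly nested packets instead of looping forever


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum of an IPv4 header; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) plus payload; used only to construct samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src: str, dst: str, next_hdr: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header plus payload; used only to construct samples."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(buf: bytes):
    """Validate an IPv4 header and return (header fields, payload)."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or total_len < ihl or len(buf) < total_len:
        raise ValueError("truncated IPv4 packet")
    if ipv4_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = {"version": 4, "proto": buf[9],
           "src": str(ipaddress.IPv4Address(buf[12:16])),
           "dst": str(ipaddress.IPv4Address(buf[16:20]))}
    return hdr, buf[ihl:total_len]


def parse_ipv6(buf: bytes):
    """Validate the fixed IPv6 header and return (header fields, payload).
    Extension headers are not walked (assumption: a production inspector must)."""
    if len(buf) < 40 or buf[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    payload_len, next_hdr = struct.unpack("!HB", buf[4:7])
    if len(buf) < 40 + payload_len:
        raise ValueError("truncated IPv6 packet")
    hdr = {"version": 6, "proto": next_hdr,
           "src": str(ipaddress.IPv6Address(buf[8:24])),
           "dst": str(ipaddress.IPv6Address(buf[24:40]))}
    return hdr, buf[40:40 + payload_len]


def unwrap(packet: bytes):
    """Follow IP-in-IP encapsulation outermost to innermost.
    Returns (list of IP headers, innermost transport payload)."""
    layers, buf = [], packet
    for _ in range(MAX_DEPTH):
        if not buf:
            raise ValueError("empty packet")
        hdr, payload = parse_ipv6(buf) if buf[0] >> 4 == 6 else parse_ipv4(buf)
        layers.append(hdr)
        if hdr["proto"] not in TUNNEL_PROTOS:
            return layers, payload      # reached a real transport protocol
        buf = payload                   # tunnel: inspect what is carried inside
    raise ValueError("encapsulation deeper than MAX_DEPTH")


def classify(packet: bytes) -> str:
    """Label like 'ipv4-in-ipv6', innermost first, for logging or policy decisions."""
    layers, _ = unwrap(packet)
    return "-in-".join("ipv%d" % h["version"] for h in reversed(layers))


# Constructed sample: a TCP SYN (20-byte header) to an IPv4 host, wrapped in IPv4,
# then carried across an IPv6 WAN with next header 4 (the case the article describes).
SAMPLE_TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
SAMPLE_INNER_V4 = build_ipv4("10.0.0.1", "192.0.2.10", IPPROTO_TCP, SAMPLE_TCP)
SAMPLE_4IN6 = build_ipv6("2001:db8::1", "2001:db8::2", IPPROTO_IPIP, SAMPLE_INNER_V4)

if __name__ == "__main__":
    layers, payload = unwrap(SAMPLE_4IN6)
    print(classify(SAMPLE_4IN6), layers[-1], len(payload), "bytes of transport payload")
```

An IPv6-only module would record the outer header (`proto` 4) and pass the packet along; `unwrap` instead surfaces the inner IPv4 header and its TCP segment so the existing IPv4 rules can be applied to them. Failing closed on a bad inner checksum or on nesting beyond `MAX_DEPTH` is intentional: a packet the inspector cannot fully decode should not be treated as clean.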

Despite these obvious threats, Herberger still sees IPv6 as a practical necessity given the shortage of IP addresses, as well as the new version’s more granular capabilities around queries, enhanced security in non-hybrid environments such as encrypted headers, and additional DNS capabilities.

He sees several key opportunities for the channel. The first involves the migrations themselves. Another involves consulting services around security, interoperability and similar challenges. “They also need to really push the vendors towards building solutions around these encapsulation issues,” he added. “There are some partial solutions out there, but nobody has really figured out how to solve the security risks overall.”

Herberger also believes that, before the problem is resolved, the industry will come to the realization that full-scale migration to IPv6, at all levels of the network, should have been mandated.

“I believe that history will show that we should have basically migrated over a short period of time entirely to one standard. In that case, you would not allow Version 4 to even be routable in the future.”

The June 6 deadline set by the Internet Society (ISOC) is also a bit of a formality. A number of the large-scale service providers, DNS and CDN providers, and other key players have already made the switch. Most mobile providers that have adopted LTE 4G infrastructure have already built around this networking principle, with mobile devices connecting to the Internet via IPv6 assignments by default.
