Are We IPv6 Ready? No, We Are Not

Monday, January 24, 2011

Antonio Ierano


The time is here, it’s the beginning of the IPv6 era. June 8, 2011 will be the World IPv6 day, and the world is not yet ready!

As we all should know, IPv4 addresses are almost depleted, and so in order to continue to support internet growth, we must make some changes.

The addressing space is the most evident change we need to pursue - if we run out of IPv4 addresses we cannot add more nodes to reach the internet.

But there are a lot of new and needed nodes that want to be part of the game - think about all new browsing devices like smartphones, tablets, consoles, etc...

[Image: an illustration of an example IPv6 address, via Wikipedia]

While NAT and PAT have extended the life of IPv4 beyond its natural limits (adding some security as a side benefit), the growth rate of recent years cannot be sustained anymore.

So welcome IPv6, we were waiting for you.

But IPv6 brings some caveats: a new addressing space that needs to be understood and correctly implemented; a lack of IPv6 services ready to be used (think of DNS name resolution as an example: we do not have native root IPv6 servers at the moment, and only a few IPv6-ready public DNS servers); and most of all, a TCP/IP network infrastructure that is not IPv6 compliant at the moment.

Want proof? I suggest you test your environment here: http://test-ipv6.com/

Just to be sure you are able to communicate with the new protocol, at least check that you have the IPv6 stack enabled and an address ready.

Devices and Security Policy

While most operating systems are already able to talk IPv6, there are concerns about network devices. Most of the routers, switches and security appliances are not ready to make the jump or manage the transition. Some are too old, and others have never been updated to the new OS release.

In the consumer space the situation is quite critical: just a few home routers are able to support IPv6, and most ISPs are not even ready to provide support for it. We should have expected new IPv6-ready offerings coming from providers, but I haven’t seen anything of the sort. The result is that the transition will take a long (and I fear painful) time to implement.

The problem is, as I also wrote in a previous article of mine, that IPv6 will allow developers to implement a whole new set of applications and services that will not be available on IPv4 networks. This will shut a lot of users out of the new browsing experience for a while.

I confess that this could increase the Digital Divide issue in some countries (mine included).

But concerns are also coming from the enterprise environment. It is not only that most of the devices are still not ready to use the new protocols, it is the lack of knowledge and the poor implementation of the existing IPv4 addressing scheme in most of the enterprises that concerns me.

For some time we will run a dual stack, and some transition and tunneling mechanisms will be needed. This will require careful planning to manage security policies correctly.

Alas, most of our security procedures are IPv4 based: for example, the usual rules you have on your firewall and the rules you use to provide IP addresses to your clients.

The new address space will require a bit more work, as NAT would not be “necessary”, and this could expose you to more errors while deploying the infrastructure. I know that some security people will bark, but with IPv6 the most logical solution is to plan a deployment using a Global addressing scheme (ULA, Unique Local Addressing, RFC 4193, or ULA+Global would bring more pain, believe me).
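One way to audit the IPv4-centric firewall policy described above on a dual-stack network, shown as an added example that is not part of the original article: it reports ports covered by only one address family and classifies each IPv6 source prefix as ULA (RFC 4193) or global. The rule format, the sample rules and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample policy (not from the article): (action, source CIDR, dest port).
RULES = [
    ("allow", "10.0.0.0/8", 22),             # SSH restricted on IPv4 only
    ("allow", "0.0.0.0/0", 443),
    ("allow", "::/0", 443),
    ("allow", "192.168.10.0/24", 3389),
    ("allow", "fd12:3456:789a::/48", 3389),  # ULA source prefix (RFC 4193)
    ("allow", "2001:db8:100::/48", 25),      # documentation prefix standing in for a global one
]

ULA = ipaddress.ip_network("fc00::/7")            # RFC 4193 unique local range
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # currently allocated global unicast

def ipv6_scope(cidr):
    """Classify an IPv6 prefix as 'any', 'ula', 'global' or 'other'."""
    net = ipaddress.ip_network(cidr)
    if net.version != 6:
        raise ValueError("not an IPv6 prefix: " + cidr)
    if net.prefixlen == 0:
        return "any"
    if net.subnet_of(ULA):
        return "ula"
    if net.subnet_of(GLOBAL_UNICAST):
        return "global"
    return "other"

def family_gaps(rules):
    """Return ports that have rules for only one address family."""
    families = defaultdict(set)
    for _action, cidr, port in rules:
        families[port].add(ipaddress.ip_network(cidr).version)
    return {
        "ipv4_only": sorted(p for p, f in families.items() if f == {4}),
        "ipv6_only": sorted(p for p, f in families.items() if f == {6}),
    }

def ipv6_scopes(rules):
    """Map the port of each IPv6 rule to the scope of its source prefix."""
    return {port: ipv6_scope(cidr) for _action, cidr, port in rules
            if ipaddress.ip_network(cidr).version == 6}

if __name__ == "__main__":
    print(family_gaps(RULES))   # ports whose policy exists in one family only
    print(ipv6_scopes(RULES))   # which IPv6 rules rely on ULA vs global prefixes
```

A port listed under `ipv4_only` has no matching IPv6 rule, so on a dual-stack host its exposure depends entirely on the IPv6 default policy.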

Damn!!! Hiding IP topology will not be a good security strategy anymore. Sorry security guys, but we have to think in a different fashion - there will be no more network borders and no more hidden IP topology in our futures.

Building security policies based on identity instead of IP addresses would be a good step to create a consistent implementation of security rules in the enterprise.

Tunneling and VPNs should be rethought, taking into account the new devices and capabilities the enterprise brings into the game, like smartphones, tablets, video conferencing and video/audio streaming.

IPv6 will also require a whole new rethink on how we plan to manage and address security in routers and switches.

Alas, the time has come: if we don’t start to think about this now, it will be late (if it is not already late). The fun is just starting.

A few resources and articles:

Some info on IPv6 can be found here:

Want to test IPv6 and need a resolver? Here you are: http://censurfridns.dk/

Cross-posted from PostOffice
