What’s the Future of IPv6? Risks & Concerns
In reviewing the IPv6 threat concerns identified in the 13th Annual Worldwide Infrastructure Security Report (WISR), I am struck by how today’s perceived threats are similar to what was observed and expected by early adopters 10 (or even 15) years ago.
It is expected that the existence of Distributed Denial of Service (DDoS) attacks and botnet activity across IPv6 will become more commonplace as IPv6 becomes more broadly deployed. It is reasonable to expect that attackers are developing IPv6-enabled tools to take advantage of the other threats listed in the WISR.
What Are Some Common IPv6 Mistakes?
Misconfiguration is still considered a major concern for enterprise organizations and service providers. As IPv6 support has become more ingrained into network hardware and software, progress has been made to make IPv6 configuration as easy as, or even the same as, IPv4 configuration. However, it remains easy in many cases to either overlook IPv6 or incorrectly configure IPv6. More comprehensive IPv6 training for network engineers will help reduce misconfiguration errors.
The “stack implementation flaws” and “inadequate IPv4/IPv6 feature parity” concerns speak to the maturity of the IPv6 software code in network equipment as well as server and client software. Stack implementation flaws are becoming less of an issue as the number of network hosts running and using IPv6 continues to increase. Network and software developers have become more familiar with the potential and observed challenges unique to how IPv6 has been designed.
IPv4/IPv6 feature parity is still a work in progress. The gaps in IPv4/IPv6 features are rapidly closing as more customers are using and relying on IPv6. In most cases, it is still safe and practical to deploy IPv6 on a network. Workarounds for missing IPv6 functionality may be necessary or the gap in functionality may simply be accepted for minor issues. It is likely that less IPv6 functionality testing occurs than with equivalent IPv4 functionality. This reflects the correctly held perception that for many of today’s networks, it is more important to test IPv4 functionality, which essentially all users rely on, and to test IPv6 functionality with less time and less emphasis.
How Should IPv6 Be Implemented?
In my opinion, software designers should strive to support using the same IP feature configuration commands for both IP versions. For example, the software should allow configuration of IPv6 addresses using the same CLI command that one would use for an IPv4 address. Where IPv4 and IPv6 protocols and design are different, only then should the IP version need to be used as a differentiator. Many network hardware and software vendors have yet to make their devices this intuitive and simple.
What Are the Security Concerns of IPv6?
Looking at IPv6 security concerns, lack of visibility is likely related to older (or even “end-of-life”) network monitoring and reporting software in routers and standalone network monitoring devices that don’t support IPv6. Visibility is very important. In some cases, workarounds may be possible by monitoring the traffic via neighboring devices which do have the required IPv6 functionality.
The host scanning concern is more complex than it would appear. The equivalent of an IPv4 address network “host scanning” sweep is infeasible with IPv6 since there are typically 2^64 (1.8446744e+19) possible addresses on a single end-user network, and as many as 2^96 (7.9228163e+28) addresses allocated to large enterprises and service provider networks. Such a host scan across the entire IPv6 address range of the sub-network would be impractically slow.
Having said this, there are ways a network intruder can reduce the number of addresses that need to be scanned, as documented in IETF RFC 7707 “Network Reconnaissance in IPv6 Networks”. Additionally, IETF RFC 6583, “Operational Neighbor Discovery Problems”, discusses how a host scan can impact the functionality of a router’s neighbor table.
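To make the two points above concrete, here is an added example (not part of the original article or the WISR) that computes how long a full sweep of a prefix would take and audits an address inventory for interface identifiers that fall into the predictable patterns RFC 7707 describes. The function names, the heuristics and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

SECONDS_PER_YEAR = 365 * 24 * 3600

def sweep_years(prefix_len, probes_per_second):
    """Years needed to probe every address in one prefix at a fixed rate."""
    return 2 ** (128 - prefix_len) / probes_per_second / SECONDS_PER_YEAR

def classify_iid(addr):
    """Label the interface identifier (low 64 bits) with an RFC 7707 pattern.

    These are heuristics: a randomized identifier can match one by chance.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    groups = [format((iid >> s) & 0xFFFF, "x") for s in (48, 32, 16, 0)]
    if iid >> 16 == 0:
        return "low-byte"        # ::1, ::53 (manual numbering)
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "ieee-derived"    # modified EUI-64, built from the MAC address
    if all(g.isdigit() and int(g) <= 255 for g in groups):
        return "embedded-ipv4"   # IPv4 octets written as groups: 192:0:2:10
    if iid >> 32 == 0:
        return "embedded-ipv4"   # IPv4 address stored in the low 32 bits
    return "no-pattern"          # e.g. randomized or privacy identifiers

def audit(inventory):
    """Return (pattern counts, addresses that sit in a reduced search space)."""
    labels = {a: classify_iid(a) for a in inventory}
    predictable = [a for a, label in labels.items() if label != "no-pattern"]
    return Counter(labels.values()), predictable

# Constructed sample inventory in the 2001:db8::/32 documentation prefix.
SAMPLE = [
    "2001:db8:0:1::1",
    "2001:db8:0:1::53",
    "2001:db8:0:1:211:22ff:fe33:4455",
    "2001:db8:0:1:192:0:2:10",
    "2001:db8:0:1::c000:20a",
    "2001:db8:0:1:8d3a:71c2:e09b:45f6",
]

if __name__ == "__main__":
    print(f"Full /64 sweep at 1M probes/s: {sweep_years(64, 1e6):,.0f} years")
    counts, predictable = audit(SAMPLE)
    print(dict(counts))
    print("Predictable identifiers:", predictable)
```

Hosts reported as predictable are the ones for which the size of a /64 offers little protection against discovery, so they are the ones that most need filtering and monitoring that does not rely on being hard to find.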
Concern regarding subscribers using IPv6 to bypass application rate limiting is perhaps a more specific part of the IPv4/IPv6 feature parity threat.
Is IPv6 Viable?
In this year’s report, we continue to see a maturing of IPv6 as a production-ready IP version. None of the challenges with IPv6 are show stoppers; in fact, some of the largest service providers and enterprises are running IPv6 across their entire network. Several 4G wireless carriers have enabled IPv6 across their network. As with IPv4, challenges will continue to be observed with IPv6, and network designers and architects will find that IPv6 requires careful consideration and mitigation of the issues observed.