Tag Archive for World IPv6 Day

Security Considerations for IPv6

For those who missed the announcement from the Internet Society (ISOC), World IPv6 Launch day arrived on June 6. (I blogged about World IPv6 day back in March.) Carl Herberger, VP Security at Radware (RDWR), recently wrote at Help Net Security that he sees World IPv6 Launch day as much more hype than an operational change.

Many high-profile organizations like Google (GOOG), Facebook (FB), Microsoft (MSFT) Bing, Yahoo (YHOO) and Akamai (AKAM) have hooked their changeover plans to the ISOC launch date, but Mr. Herberger points out that many companies have already leveraged IPv6 WAN connectivity. Most mobile providers who have adopted LTE 4G infrastructures have built for mobile devices, which connect to the Internet with IPv6 addresses by default. He argues that since a 4G phone must also be 3G and IPv4 compatible, all the 5G providers have done, much to the chagrin of the initial designers, is weave IPv6 into the existing IPv4 Internet.

Bottom line: Because IPv4 is not going away any time soon, we will essentially live in perpetuity with both designs. A new dawn? Or the beginning of the end? The Radware VP thinks it’s neither; he calls the interoperability issues between IPv4 and IPv6 a Pandora’s Box of opportunity for those of the nefarious persuasion.

So, what are the three main takeaways from World IPv6 Launch day?

Take away #1: IPv6 will first be implemented on the WAN, IPv4 will continue to remain in the LAN for years to come – Google, Facebook, DNS, CDN providers and many, if not most, ISPs are all moving to default IPv6 WAN connectivity. However, nearly no one has made the transition to IPv6 on the LAN. Mr. Herberger adds that rapid IPv6 deployment on the Internet WAN operations side and the very slow rollout of IPv6 on the LAN side will wreak havoc on perimeter security. He believes that there are huge problems associated with IPv4 and IPv6 cohabitating.

Take away #2: IPv6 & IPv4 don’t cohabitate well – IPv6 and IPv4 make insecure bedfellows. There are no predefined standards for handling the cohabitation of IPv4 with IPv6. The transition mechanisms meant to move the Internet from its original IPv4 infrastructure to IPv6 have not been standardized yet. The Internet Engineering Task Force (IETF) has working groups and discussions, through the IETF Internet Drafts and Requests for Comments processes, to develop these methods. Some basic IPv6 transition mechanisms have been defined; however, nothing has yet emerged as a proposed uniform standard. As such, the article states, the world is awash with a plethora of IPv4 to IPv6 (and vice versa) transition mechanisms such as:

  • Encapsulating IPv4 in IPv6 (or 4in6)
  • Encapsulating IPv6 in IPv4 (or 6in4)
  • IPv6 over IPv4 (6over4)
  • DS-Lite
  • 6rd
  • 6to4
  • ISATAP
  • NAT64 / DNS64
  • Teredo
  • SIIT.

If you are familiar with network perimeter security devices, one of the things they do well is deep packet inspection and stateful analysis. However, one of the dirty little secrets is that nearly none of today’s technologies can inspect encrypted traffic such as SSL or tunneling protocols such as L2TP, PPTP, etc. What the IPv4 and IPv6 transition does is effectively exacerbate these “Achilles heels” in security detection capabilities by introducing a whole new class of nearly undetectable transmissions. The author warns: don’t be fooled by a vendor’s claim that they inspect a v4 packet in v6 or vice versa, because even if true for one or two methodologies, the ways to carry out this task are almost immeasurable today. This is truly a community-wide problem and one that must be addressed.

Take away #3: Meet your old vulnerability – Same as the new vulnerability! Much of our defense is single threaded, and should an adversary be able to pass through your perimeter defenses, many of the ‘older’ vulnerabilities would find a receptive home having passed through the ‘corporate scrubbers.’ Moreover, just think of the new opportunities available to more nefarious organizations that don’t have your interests in mind. This ‘transition mechanism’ essentially becomes an effective ‘unscrubbed’ gateway or tunnel for all newly developed organized crime-designed, state-sponsored, and Hacktivist-motivated attacks.

Moreover, most of us will be largely blind to these realities unless we act now to make certain that our gateways are designed to detect and mitigate all encapsulated traffic. Anomaly detection takes center stage here and signature tools will leave you wanting.
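
As an added illustration (not code from Mr. Herberger's article or from this blog), the Python sketch below shows how several of the transition mechanisms listed above can be recognised from packet headers alone, so that tunnelled traffic can at least be counted and flagged at the gateway. The helper names (`classify`, `survey`, `ipv4`, `ipv6`) and the sample packets are constructed for this example.

```python
import ipaddress
import struct
from collections import Counter

TEREDO_PORT = 3544  # UDP port assigned to Teredo servers (RFC 4380)

def classify(pkt: bytes) -> str:
    """Label a raw IP packet with the transition tunnel it carries, if any."""
    if len(pkt) < 20:
        return "truncated"
    version = pkt[0] >> 4
    if version == 6:
        if len(pkt) < 40:
            return "truncated"
        # Next Header 4: a whole IPv4 packet inside IPv6 (4in6, the DS-Lite softwire)
        return "4in6" if pkt[6] == 4 else "native-ipv6"
    if version != 4:
        return "unknown"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "truncated"
    proto, payload = pkt[9], pkt[ihl:]
    if proto == 41:  # IPv6-in-IPv4: shared by 6in4, 6to4, 6rd and ISATAP
        if len(payload) < 40 or payload[0] >> 4 != 6:
            return "proto41-malformed"
        inner_src = payload[8:24]
        if inner_src[:2] == b"\x20\x02":  # 2002::/16 is the 6to4 prefix
            return "6to4"
        if inner_src[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
            return "isatap"  # ISATAP interface identifier ::[02]00:5efe:a.b.c.d
        return "6in4"  # also covers 6rd, whose prefix is operator-specific
    if proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):  # port heuristic only
            return "teredo"
    return "native-ipv4"

# Constructed sample packets (documentation addresses, checksums left at zero).
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.1").packed,
                       ipaddress.IPv4Address("198.51.100.7").packed) + payload

def ipv6(next_header, payload=b"", src="2001:db8::1"):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address("2001:db8::2").packed) + payload

def survey(packets):
    """Count tunnel types seen, the way a perimeter sensor would summarise a capture."""
    return Counter(classify(p) for p in packets)
```

Recognising the outer wrapper is only the first step: the inner packet still has to be handed to the same inspection policy as native traffic, and mechanisms such as NAT64 or SIIT translate headers rather than encapsulate, so they leave no wrapper to match.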

The Radware VP concludes that this problem requires action on the part of security professionals to solve; you HAVE to do something differently because the inertia path will leave you vulnerable.

Flip the Switch on IPv6

World IPv6 day (which I reported on here) took place in June 2011. Google (GOOG), Facebook, Yahoo (YHOO) and Akamai (AKAM) were among the participants in last year’s dress rehearsal. Apparently everything went well last June.

Nathan Ingraham at The Verge recently noted that IPv6 is now ready for prime-time. The Internet Society announced that the IPv6 switch will be permanently flipped on June 6th, 2012.

The article says a number of major ISPs, networking hardware manufacturers, and web companies pledged support from day one. For starters, four of the biggest web properties will all enable IPv6 permanently:

From a hardware perspective, Cisco (CSCO) and D-Link (DLINK) both committed to enabling IPv6 across their range of home products by June.

GigaOM reports that Akamai (AKAM) and Limelight (LLWN) will also recruit other websites to join the initiative, by implementing IPv6 throughout their content delivery networks.

Several leading ISPs will enable IPv6 to enough of their customer base that at least one percent of their residential subscribers who visit IPv6-enabled websites;

rb-

The internet is quickly running out of IP addresses; the last addresses in Internet Protocol version 4 were officially distributed early in 2011 (which I wrote about here).

Google, Facebook and Yahoo to Test IPv6

A global trial of IPv6 is scheduled for June 8th 2011. Google (GOOG), Facebook, Yahoo (YHOO) and Akamai (AKAM) will reportedly take part in the IPv6 “test flight.” The Internet Society, a non-profit group which educates people and companies about net issues, is coordinating World IPv6 Day. Those who sign up for the test will make their pages available via IPv6 for 24 hours to help iron out problems created by the switch to the new addressing scheme.

“By providing an opportunity for the internet industry to collaborate to test IPv6 readiness we expect to lay the groundwork for large-scale IPv6 adoption and help make IPv6 ready for prime time,” said Leslie Daigle, chief internet technology officer at the Internet Society in a statement.

“The good news is that internet users don’t need to do anything special to prepare for World IPv6 Day,” said Lorenzo Colitti, a network engineer at Google in a blog post. “Our current measurements suggest that the vast majority (99.95%) of users will be unaffected. However, in rare cases, users may experience connectivity problems, often due to misconfigured or misbehaving home network devices.”

According to Google, Vint Cerf, the program manager for the ARPA Internet research project, chose a 32-bit address format for an experiment in packet network interconnection in 1977. For more than 30 years, 32-bit addresses have served us well, but now the Internet is running out of space. IPv6 is the only long-term solution, but it has not yet been widely deployed. In November 2010 Mr. Cerf, one of the driving forces behind Google’s IPv6 efforts, warned that the net faced “turbulent times” if it did not move quickly to adopt IPv6.

 

rb-

It will be interesting to see the number of participants. This all may just blow over the top because not enough of the right people in organizations see the need. I spoke to my boss about this a while ago and I think one phone call has been made to our upstream ISP to see what they are doing. We probably won’t deal with it until there is a need for a point-to-point IP video conference with China or something, and when it won’t work, then it will be a crisis that gets addressed.

What do you think?

Is your organization participating in World IPv6 day?

Does World IPv6 day even matter?

Does your organization have a plan for IPv6 migration?
