Tag Archive for World IPv6 Day

Security Considerations for IPv6

For those who missed the Internet Society (ISOC) announcement, World IPv6 Launch day arrived on June 6. (I blogged about World IPv6 day back in March.) Carl Herberger, VP of Security at Radware (RDWR), recently wrote at Help Net Security that he sees World IPv6 Launch day as much more hype than an operational change.

Many high-profile organizations have hooked their changeover plans to the ISOC launch date. Supporters include Google (GOOG), Facebook (FB), Microsoft (MSFT) Bing, Yahoo (YHOO), and Akamai (AKAM). Mr. Herberger points out that many companies have already leveraged IPv6 WAN connectivity. Most mobile providers who have adopted LTE 4G infrastructures have built them for mobile devices. Mobile devices will connect to the Internet with IPv6 addresses by default. He argues that since a 4G phone must also be 3G and IPv4 compatible, the 5G providers have not done much. The service providers have woven IPv6 into the existing IPv4 Internet, much to the chagrin of the initial IPv6 designers.

IPv6 Pandora’s Box

Bottom line: Because IPv4 is not going away any time soon, we will essentially live in perpetuity with both designs. A new dawn? Or the beginning of the end? The Radware VP thinks it’s neither; he calls the interoperability issues between IPv4 and IPv6 a Pandora’s Box of opportunity for those of the nefarious persuasion.

So, what are the three main takeaways from World IPv6 Launch day?

Take away #1

IPv6 will first be implemented on the WAN, while IPv4 will stay in the LAN for years to come – Google, Facebook, DNS and CDN providers, and many, if not most, ISPs are all moving to default IPv6 WAN connectivity. However, nearly no one has made the transition to IPv6 on the LAN. Mr. Herberger adds that rapid IPv6 deployment on the Internet WAN operations side and the very slow rollout of IPv6 on the LAN side will wreak havoc on perimeter security. He believes that there are huge problems associated with IPv4 and IPv6 cohabitating.

Take away #2

IPv6 & IPv4 don’t cohabitate well – IPv6 and IPv4 make insecure bedfellows. There are no predefined standards for handling the cohabitation of IPv4 with IPv6. The transition mechanisms meant to ease the Internet's move from its first IPv4 infrastructure to IPv6 have not been standardized yet. The Internet Engineering Task Force (IETF) has working groups and discussions, through the IETF Internet-Drafts and Requests for Comments processes, to develop these methods. Some basic IPv6 transition mechanisms have been defined; however, nothing has yet emerged as a proposed uniform standard. As such, the article states, the world is awash with a plethora of IPv4-to-IPv6 (and vice versa) transition mechanisms such as:

  • Encapsulating IPv4 in IPv6 (or 4in6)
  • Encapsulating IPv6 in IPv4 (or 6in4)
  • IPv6 over IPv4 (6over4)
  • DS-Lite
  • 6rd
  • 6to4
  • ISATAP
  • NAT64 / DNS64
  • Teredo
  • SIIT.

If you are familiar with network perimeter security devices, one of the things they do well is deep packet inspection and stateful analysis. However, one of the dirty little secrets is that nearly none of today’s technologies can inspect encrypted traffic such as SSL, or inspect tunneling protocols such as L2TP, PPTP, etc. The IPv4 and IPv6 transition effectively exacerbates these “Achilles heels” in security detection capabilities by introducing a whole new class of nearly undetectable transmissions. The author warns: don’t be fooled by a vendor’s claim that they inspect a v4 packet in v6 or vice versa, because even if true for one or two methodologies, the ways to carry out this task are almost immeasurable today. This is a true community-wide problem and one that must be addressed.
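As an added example (not code from the article or from this blog), the sketch below shows how a perimeter sensor could label IPv4 packets that carry encapsulated IPv6 for a few of the mechanisms listed above: protocol 41 for 6in4, 6to4, 6rd and ISATAP, and UDP for Teredo. The function names and sample packets are constructed for illustration, and the Teredo match is a heuristic.

```python
import ipaddress
import struct

PROTO_IPV6, PROTO_UDP = 41, 17                    # IANA IP protocol numbers
TEREDO_PORT = 3544                                # Teredo server port (RFC 4380)
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix (RFC 3056)
TEREDO_NET = ipaddress.ip_network("2001::/32")    # Teredo prefix (RFC 4380)
ISATAP_IDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # RFC 5214 interface IDs

def inner_src(data):
    """Return the source address if data starts with an IPv6 header, else None."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(data[8:24])

def classify(pkt):
    """Label one raw IPv4 packet by the IPv6 tunnel it carries, if any."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        return "not-ipv4"
    payload = pkt[(pkt[0] & 0x0F) * 4:]           # skip header plus any options
    if pkt[9] == PROTO_IPV6:
        src = inner_src(payload)
        if src is None:
            return "proto41-unparsed"             # still worth an alert
        if src in SIX_TO_FOUR:
            return "6to4"
        if src.packed[8:12] in ISATAP_IDS:
            return "isatap"
        return "6in4"                             # configured tunnel or 6rd
    if pkt[9] == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        src = inner_src(payload[8:])
        # Heuristic: server port, or an inner header sourced from the Teredo prefix.
        if TEREDO_PORT in (sport, dport) or (src is not None and src in TEREDO_NET):
            return "teredo"
    return "plain-ipv4"

def ipv4(proto, payload):
    """Constructed sample: 20-byte IPv4 header (checksum left at 0) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def ipv6(src, dst="2001:db8::1"):
    """Constructed sample: bare 40-byte IPv6 header (next header 59 = none)."""
    head = struct.pack("!IHBB", 0x60000000, 0, 59, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed

if __name__ == "__main__":
    for src in ("2002:c000:201::1", "fe80::5efe:c000:201", "2001:db8:1::5"):
        print(src, "->", classify(ipv4(PROTO_IPV6, ipv6(src))))
```

Labels like these only tell a gateway that a tunnel is present; the inner IPv6 packet still has to be handed to the same policy and inspection path as native traffic.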

Take away #3

Meet your old vulnerability – same as the new vulnerability! Much of our defense is single-threaded, and should an adversary be able to pass through your perimeter defenses, many of the ‘older’ vulnerabilities would find a receptive home, having passed through the ‘corporate scrubbers.’ Moreover, just think of the new opportunities available to more nefarious organizations that don’t have your interests in mind. This ‘transition mechanism’ essentially becomes an effective ‘unscrubbed’ gateway or tunnel for all newly developed organized crime-designed, state-sponsored, and hacktivist-motivated attacks.

Moreover, most of us will be largely blind to these realities unless we are acting now to make certain that our gateways are designed with all encapsulated traffic being detected and mitigated. Anomaly detection takes center stage here and signature tools will leave you wanting.

The Radware VP concludes that this problem requires action on behalf of security professionals to solve; you HAVE to do something different because the inertia path will leave you vulnerable.

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Flip the Switch on IPv6

World IPv6 day (which I reported on here) took place in June 2011. Google (GOOG), Facebook, Yahoo (YHOO), and Akamai (AKAM) were among the participants in last year’s new networking dress rehearsal. Apparently, everything went well last June.

Nathan Ingraham at The Verge recently noted that IPv6 is now ready for prime-time. The Internet Society announced that the IPv6 switch will be permanently flipped on June 6th, 2012.

The article says a number of major ISPs, networking hardware manufacturers, and web companies pledged support from day one. For starters, four of the biggest web properties will all enable IPv6 permanently:

From a hardware perspective, Cisco (CSCO) and D-Link (2332) both committed to enabling IPv6 across their range of home products by June.

GigaOM reports that Akamai (AKAM) and Limelight (LLNW) will also recruit other websites to join the initiative, by implementing IPv6 throughout their content delivery networks.

Several leading ISPs will enable IPv6 to enough of their customer base that at least one percent of their residential subscribers who visit IPv6-enabled websites;

rb-

The internet is quickly running out of IP addresses; the last addresses in Internet Protocol version 4 were officially distributed early in 2011, which I wrote about here.


Google, Facebook and Yahoo Test IPv6

A global trial of IPv6 is scheduled for June 8th 2011. Google (GOOG), Facebook, Yahoo (YHOO), and Akamai (AKAM) will reportedly take part in the IPv6 “test flight.” The Internet Society, a non-profit group that educates people and companies about net issues, is coordinating World IPv6 Day. Those who sign up for the test will make their pages available via IPv6 for 24 hours to help iron out problems created by the switch to the new addressing scheme.

IPv6 good news

“By providing an opportunity for the internet industry to collaborate to test IPv6 readiness we expect to lay the groundwork for large-scale IPv6 adoption and help make IPv6 ready for prime time,” said Leslie Daigle, chief Internet technology officer at the Internet Society, in a statement.

“The good news is that internet users don’t need to do anything special to prepare for World IPv6 Day,” said Lorenzo Colitti, a network engineer at Google in a blog post. “Our current measurements suggest that the majority (99.95%) of users will be unaffected. However, in rare cases, users may experience connectivity problems, often due to misconfigured or misbehaving home network devices.”

According to Google, Vint Cerf, the program manager for the ARPA Internet research project, chose a 32-bit address format for an experiment in packet network interconnection in 1977. For more than 30 years, 32-bit addresses have served us well, but now the Internet is running out of space. IPv6 is the only long-term solution, but it has not yet been widely deployed. In November 2010 Mr. Cerf, one of the driving forces behind Google’s IPv6 efforts, warned that the net faced “turbulent times” if it did not move quickly to adopt IPv6.

rb-

It will be interesting to see the number of participants. This all may just blow over the top because not enough of the right people in organizations see the need. I spoke to my boss about this a while ago and I think one phone call has been made to our upstream ISP to see what they are doing. We probably won’t deal with it until there is a need for a point-to-point IP video conference with China or something and when it won’t work, then it is a crisis that gets addressed.

Does your organization have a plan for IPv6 migration?


The IPocalypse is Nigh

The IPocalypse will cause users with improperly configured computers to experience slowdowns, timeouts, or other connectivity issues when the Internet moves to the IPv6 protocol unless they are ready. To see if you are ready to endure the IPocalypse, ghacks points us to IPv6-Test.com. The site has an open source script that runs using JavaScript. Just visit the website, click, and wait until the test has finished. The IPv6 test runs a series of tests including the browser’s IPv4 and IPv6 capabilities, IPv4 and IPv6 connectivity with and without DNS records, and a test that checks if the ISP’s DNS server uses IPv6.

According to ghacks, the most important test for users to run is the dual-stack test. There will be a transition period where websites and services can be reached via IPv4 or IPv6. The user’s computer needs to pick one of the protocols and use it for the connection, which means that devices that only support IPv4 at this time can still connect to the websites. Connectivity issues occur if this is broken.

Major services and websites will switch to IPv6 for a 24-hour period on World IPv6 day on June 8. Among them are Google, Facebook, and Yahoo. That’s where the dual-stack DNS record support can be tested in a live environment.

 

This gadget was developed by Takashi Arano, Intec NetCore

What do you think?
  • Is this really the IPocalypse or just marketing hype?
  • Have you tested your connection?
