The rate at which technology advances is sometimes frustrating. Of course, it’s nice to have new things that work better and faster, but it seems like the moment we finally understand one technology, it’s replaced by something else. We’re constantly having to learn and further our understanding.
IPv6 is the latest Internet Protocol (IP). Replacing v4, it is now faster, more reliable and comes with better security. However, just because it’s new and improved doesn’t mean it’s invulnerable.
There is a risk that IPv6 implementation will lack coordination and therefore go without the collective thinking that is required to make sure the protocol is as secure as it can be. For example, security suppliers will have to rewrite firewalls for the new protocol, but without any single organization to set the direction of the deployment of IPv6, approaches will be in constant flux. That directly correlates to the inability of security suppliers to anticipate how IPv6 will work in practice, creating exploitable opportunities for criminals.
Despite the advantages in speed and efficiency that come with IPv6, the lack of leadership and ownership is driving the slow adoption of the technology. And so, while organizations play the waiting game, cyber criminals are already hard at work, taking advantage of the fact that few people are filtering IPv6 traffic.
With that in mind, here are the top threats facing IPv6 that professionals should be aware of:
A Need for IPv6 Security Training
By far, the biggest risk facing IPv6 today is a lack of security knowledge. Because the technology is new, many IT professionals are unfamiliar with it and need upfront training and education before any deployment. Enterprises must invest resources into network security training. If not, they risk compromising their network and spending even more money down the road should there be a need to fix problems and plug holes. As always, being proactive is far better than being reactive. Security is far more effective during the planning stage than after deployment.
Addressing Bugs in New Code
New code means new bugs. As with almost anything, it’s next to impossible to get it right the first time, and later patches and upgrades will bring streams of improvements. In the case of IPv6, these bugs are likely to be found in the code around NICs, TCP/UDP and networking software libraries that aren’t yet able to fully support IPv6. In addition, technologies like VoIP and virtualization may also be vulnerable. Not only are bugs annoying, they can present a real danger to your network by introducing new vulnerabilities. The best way to handle this situation is through testing. A proper test network and plan will help your organization discover any problems early, and provide time to isolate them and come up with workarounds until they’re repaired.
Cisco just announced at the end of February that their NCS 6000 and Carrier Routing System have software bugs that need patching. The bug itself affects the way Cisco IOS XR units parse IPv6 packets. An attack that exploits the vulnerability could result in a forced restart of the line card that processes traffic. According to a statement by the company:
“An attacker could exploit this vulnerability by sending a malformed IPv6 packet, carrying extension headers, through an affected Cisco IOS XR device line card. This vulnerability could be exploited repeatedly to cause an extended DoS condition.”
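As an added illustration (not code from this article or from Cisco, and not a reproduction of the Cisco bug), here is a bounds-checked walk of the IPv6 extension header chain of the kind a test plan could run over captured traffic. The function names, the `MAX_EXT_HEADERS` limit and the sample packets are assumptions made for the example.

```python
import struct

# Headers sized (Hdr Ext Len + 1) * 8 bytes; ESP and others end the walk here.
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "dest-opts"}
FRAGMENT, AH = 44, 51
MAX_EXT_HEADERS = 8  # assumed local policy limit, not a value from the article


def build_ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed test packet using documentation-prefix addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + src + dst + payload


def walk_ext_headers(packet: bytes):
    """Return (upper_layer_proto, chain, findings); never raises on bad input."""
    findings, chain = [], []
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None, chain, ["not a complete IPv6 fixed header"]
    payload_len = struct.unpack_from("!H", packet, 4)[0]
    end = min(len(packet), 40 + payload_len)
    if 40 + payload_len > len(packet):
        findings.append("payload length exceeds captured bytes")
    nxt, off = packet[6], 40
    while nxt in GENERIC_EXT or nxt in (FRAGMENT, AH):
        if len(chain) >= MAX_EXT_HEADERS:
            findings.append("extension header chain too long")
            return None, chain, findings
        if off + 8 > end:  # every extension header is at least 8 bytes
            findings.append(f"truncated extension header (type {nxt})")
            return None, chain, findings
        hlen = packet[off + 1]
        size = {FRAGMENT: 8, AH: (hlen + 2) * 4}.get(nxt, (hlen + 1) * 8)
        if off + size > end:  # length field claims more bytes than exist
            findings.append(f"extension header overruns packet (type {nxt})")
            return None, chain, findings
        if nxt == 0 and chain:
            findings.append("hop-by-hop header not first in chain")
        if nxt != 60 and nxt in chain:  # only dest-opts may legitimately repeat
            findings.append(f"duplicate extension header (type {nxt})")
        chain.append(nxt)
        nxt, off = packet[off], off + size
    return nxt, chain, findings


# Constructed samples: hop-by-hop (PadN option) before TCP, and one cut short.
GOOD = build_ipv6(0, bytes([6, 0, 1, 4, 0, 0, 0, 0]) + b"\x00" * 20)
TRUNCATED = build_ipv6(0, bytes([6, 0]))
```

Packets that return findings are candidates for logging or dropping at the filter, and for inclusion in the regression set used to test new IPv6-capable devices.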
Lack of IPv6 Support at ISPs and Vendors
As mentioned, testing is imperative until IPv6 security and stability equal those of IPv4. Every network is different, and will require a personalized test plan. In addition, make sure to demand native IPv6 from your upstream provider. Without one, a tunnel connected to your interface could increase the security complexities and expose an opening for DoS attacks. Vendors and ISPs are still racing to catch up with the technology, rolling out services and IPv6 routers over the coming months. It’ll be a while before they themselves will be able to manage it all. In the meantime be wary, as these weaknesses are likely to be prime targets for cybercriminals.