Last Updated: 2006-12-06 14:07:42 UTC
by Mark Hofman (Version: 1)
The first hurdle is to remember that it is just another protocol. Think of it like IPX, SNA, AppleTalk, DECnet, take your pick. It is a convenient way of getting traffic from point A to point B. The main reason for changing to IPv6 is the increase in the number of available addresses. IPv4 addresses, according to the presentations, will run out in the next 6 years or so.
A second hurdle is to remember the difference between end-to-end addressability and end-to-end connectivity. A number of the presentations saw IPv6 as a way of providing the latter, which tends to scare security people. Peer-to-peer processing across firewalls, networks, etc. (I can hear the squeals of protest: "not over my network you don't"). As far as I understand it, IPv6 will provide end-to-end addressing, which is different. Knowing how to get to a device is one thing. Being allowed to do so is another. It will also make the need to NAT obsolete.
Now for the security side of things: IPsec is mandatory. So if you wish, you can secure communications from end to end, between two addressable (and reachable) devices. If you have ever set up a VPN between two different vendor products, you know that it can be a challenge. The second part of the problem is this: are you comfortable allowing IPsec tunnels through your perimeter? BTW, I'm not saying the IPsec features are bad, I just think there will be some challenges to overcome.
One of the presenters today mentioned that reconnaissance and malware propagation will be more difficult in the IPv6 world. The address space that needs to be checked is so large that scanning the address range would take too long to be worthwhile (think several thousand years). However, IPv6 does rely heavily on two things, DHCP and DNS: DHCP to allocate addresses and DNS to find things in the network. That in itself is interesting, as it provides two convenient targets on an IPv6 network. Randomly scanning for available hosts may not be required, as you may be able to get all the information you need from one of these devices. I think malware will just take advantage of what is available.
As for other threats, there are many that will not change much, if at all. You can still sniff the network. Application layer attacks don't change, and rogue devices can still be inserted into the network and may even be more difficult to detect. Man-in-the-middle attacks still work. Flooding, spoofing and a whole host of other attacks are all still possible.
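To put numbers on the contrast between blind scanning and what DNS already publishes, here is an added example (not part of the original diary) that audits a zone you own for AAAA exposure per /64. The zone data is constructed from the 2001:db8::/32 documentation prefix, and the one-million-probes-per-second sweep rate is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample zone data (documentation prefixes), not from the diary.
SAMPLE_ZONE = """\
www      IN AAAA 2001:db8:10:1::80
mail     IN AAAA 2001:db8:10:1::25
ns1      IN AAAA 2001:db8:10:1::53
fileserv IN AAAA 2001:db8:10:2:20c:29ff:fe3a:1b2c
hr-db    IN AAAA 2001:db8:10:2:20c:29ff:fe3a:1b2d
www      IN A    192.0.2.80
; comment line
"""

def aaaa_records(zone_text):
    """Yield (name, IPv6Address) for each AAAA line; skip everything else."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "AAAA" not in fields:
            continue
        idx = fields.index("AAAA")
        if idx == 0 or idx + 1 >= len(fields):
            continue  # no owner name or no address on the line
        try:
            yield fields[0], ipaddress.IPv6Address(fields[idx + 1])
        except ipaddress.AddressValueError:
            continue  # malformed address, ignore

def exposure_by_subnet(zone_text, prefix_len=64):
    """Group the host names published in DNS by the subnet they live in."""
    subnets = defaultdict(list)
    for name, addr in aaaa_records(zone_text):
        net = ipaddress.IPv6Network((addr, prefix_len), strict=False)
        subnets[net].append(name)
    return dict(subnets)

def sweep_years(prefix_len=64, probes_per_second=1_000_000):
    """Years needed to probe every address in one subnet at an assumed rate."""
    return 2 ** (128 - prefix_len) / probes_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for net, names in exposure_by_subnet(SAMPLE_ZONE).items():
        print(f"{net}: {len(names)} hosts named in DNS: {', '.join(names)}")
    print(f"Blind sweep of one /64 at 1M probes/s: {sweep_years():,.0f} years")
```

Run against your own zone export, the per-subnet list is what anyone able to read the zone learns without sending a single probe, which is why zone transfer restrictions and DHCP server hardening matter more on IPv6 than scan resistance does.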
IPv6 networks are already being, and will continue to be, deployed within organisations. Connectivity via the internet will slowly start to appear over the next few years as ISPs and telcos change their infrastructure (no real business driver as yet). In the meantime, not many firewalls deal with this protocol sensibly, nor do a number of other security devices such as IDS/IPS. So there is a fair way to go before the protocol can be securely used.
As a final thought, one of the presentations mentioned that
There is much more to IPv6 than the above, but I'll leave that for another time; I'm still digesting all the information.
ISC Handler on Duty