Security concerns of IPv6 should be treated equally as those of IPv4, shared various experts at the IPv6 Conference, organised by Infocomm Development Authority of Singapore at Hotel Fort Canning on 1st August.
Many enterprises are aware of IPv6 and why it needs to be deployed, with some expressing interest in its potential benefits. However, efforts to make the switch from IPv4 to IPv6 remain conservative as security concerns linger.
Mr Dick Bussiere, a network security expert, rates IPv6 as "neutral" from a security perspective. Mr Bussiere is a Solutions Architect at Arbor Network with over 20 years of industry experience.
"It is no better, no worse than IPv4," said Mr Bussiere who assured the audience that there is no cause for panic as long as there is proper planning for the transition.
The security concerns between IPv4 and IPv6 are largely the same, as most attacks are not targeted at the protocol layers, leaving applications at risk.
However, he acknowledged that the industry does not have as much experience dealing with the risks in IPv6 as the technology has only gained traction in the past few years.
Just like how the industry took decades to experiment with and strengthen IPv4, IPv6 faces bugs, attack tools, and risks that might have never been experienced before.
With these pre-existing risks, he encouraged businesses to begin by examining their systems and assessing if they are ready to adopt IPv6 securely.
Dr Lyne, Director of Technology Strategy of Sophos, also shared with the audience a list of his quick tips on IPv6 readiness, the most pertinent one being: "Go back to school, develop the right skills."
However, he acknowledged the resistance to transition, likening it to "convincing a child to eat vegetables instead of chocolate."
"You already use it, so embrace it."
Before a full-fledged transition, businesses must first find out if they are already using IPv6.
"You might not have consciously adopted IPv6 but you might have been using it a lot more that you think," warned Dr Lyne.
In anticipation of IPv6 deployment, many operating systems now enable IPv6 by default and latest network, and server equipment often runs in dual-stack mode, which supports IPv4 and IPv6 traffic. This means that IPv6 traffic might be unknowingly routed within the network and bypassing firewalls.
One of Dr Lyne's key messages was: "You already use it, so embrace it."
He also advised to start understanding IPv6 as soon as possible to mitigate the associated risks.
Privacy versus Security
Nevertheless, as IPv6 allows addresses to be unique to individual devices, users can be identified with relative precision, hence raising some privacy concerns.
At the same time, the sheer number of IPv6 addresses - 18 quintillion, instead of 256 addresses per subnet in IPv4 - makes it harder for cyber criminals to accurately trace their targets.
Dr Lyne pointed out that if users tried to use encryption on IP addresses to protect their privacy, it would complicate network security management in terms of intrusion prevention system (IPS), leaving network inspection and protection systems vulnerable to attack.
"There is no right answer; it's a constant calibration," he noted.
"Individuals and organizations must choose where they want to be on the scale of security and privacy, consider the technologies available to them, and how they can configure it."
Start planning for transition today
Mr Bussiere warned against configuring an IPv6 system wrongly, a problem he says could stem from a lack of training. To minimise risks, he suggested the following:
-
Upgrade IPv6 capable security devices over the next upgrade cycle
-
Conduct a penetration testing exercise that includes IPv6 testing.
However, history has shown that hackers tend to go where the money is. As IPv6 skyrockets into prominence over the next few years, companies must ensure they are well protected from hackers.
Another security expert, Mr Eric Vyncke, Distinguished Engineer from Cisco Systems, highlighted the key differences between the two protocols and explained in greater detail where the vulnerabilities could lie. However, his conclusion was similar to the other experts, saying that there is "nothing really new in IPv6".
"Control your IPv6 traffic as you do for IPv4," Mr Vyncke encouraged.
To handle these issues as well as build up a strong defence against IPv6 security risks, the experts encouraged businesses to start planning for the transition as soon as today.
"Everyone is learning v6. Go step by step, slow, but now," advised Mr Vyncke.