Two days agoIndia, along with the rest of the world, saw the launch of IPv6 -- the new internet protocol which aims at replacing current IPv4 in its way. According to the Department of Telecom, 27 Indian websites have already stepped on to the IPv6 platform. Indian ISPs and government agencies have also hinted at following suite soon.
But many security experts have since begun talking on new security concerns the protocol brings along, which, in effect, are threatening to slow down the enterprise adoption of IPv6 further. The question remains: is it all just empty talk?Indian enterprises are already on their way making inventory checks of their IT resources that are now for dual IPv4/IPv6 support and rollout migration projects. "Enterprises will have to consider third-party partners, resources and links for the process. Now is the time to go beyond planning and get going," says Deepak Rout, Director at ISACA Delhi chapter.
Most disagree. "To most developers, security comes as a distant afterthought and so is the case with IPv6. IPv6 is not a security fix, and if we're not careful, it might be the opposite as the global attack surface will grow with people having a false sense of security over IPv4," says Steve Santorelli. Steve left the US Scotland Yard's Computer Crime Unit to join Microsoft's Internet Crimes Investigation Team and is now with Team Cymru, an Internet security research company.
IPv6 is talked about as the replacement to IPv4 pretty much like the phone numbering system for machines on the Internet. "It's unlikely that security of the IPv6-enabled devices will take precedence over usability, and miscreants will find ways to monetize compromised devices in ways we can't even imagine yet. The security problem still exists, with just a lot more complexity and many more exploited machines," warns Santorelli.
Essentially, the hype that IPv6 is more secure compared to IPv4 is not correct. "Security was not the core thought behind the creation of IPv6. It basically addresses the business necessity, which required more IPs for the internet to grow," says Rout.
If anything, it brings in more configuration complexity. "The essential element of key management which makes security possible over Internet i.e., end to end encryption for data security still remains a challenge (as it partially was in IPv4)," says Rout
One of the key factors is that the IPv6 protocol does not support Internet Protocol security (IPsec), a protocol suite for securing IP communications required for end-to-end security. End-to-end security between IPs can be organized in two ways: a) by accessing internet over a secure protocol called https, secure socket layers, etc. b) through IPsec, which is more prevalent in enterprises.
Ideally, IPsec integration was supposed to have been thought of in the conceptual stages of IPv6 creation. "But that didn't happen because of the rapidity of the rollout. So, today IPv6 will be deployed largely without cryptographic capabilities. CIOs will have to deploy encryption technologies over the protocol to make point to point security possible," says Rout.
TheUS, which has been deploying IPv6 for two years now, has seen network engineers express concerns on trying to encourage people to deploy IPv6 in a sustainable and more secure manner through best practices. "Yes, there are some unknowns and some other challenges with the migration towards dual stack and eventually the replacement of IPv4. The concerns include translation/transition/tunneling mechanism for attacks, new types of reconnaissance attacks and some new twists on header manipulation and fragmentation attacks," says Owen Delong, director of professional services for global Internet backbone Hurricane Electric.
But that shouldn't stop most organizations from the migration. With fewer IP address ranges, enterprises will soon feel the pain in the form of higher ISP costs both for simple connections and for web hosting. "You can use the old technology all you want, but in the end you'll be paying more. The days of IPv4 are numbered," Delong says.