The IPv6 networking protocol appears to be poised for prime time in 2019, with worldwide adoption already at 28 percent in mid-May according to Google, and with U.S. adoption at 46 percent, according to Akamai.
The protocol fixes a serious problem with the Internet’s underlying plumbing — there simply aren’t enough IP addresses to go around, and IPv6 greatly expands the number available. The previous protocol, IPv4, was designed in the early part of the 1980s, when no one imagined the Internet would grow so explosively. Enterprises and others have relied on workarounds to cope with the shortage, but those are no longer good enough because the Internet is hungry for far more IP addresses due to the massive growth in IoT and mobile devices.
IPv6 also has the potential to make the Internet a safer place when it’s fully adopted worldwide. But there are plenty of security bumps between today and full adoption. Merely moving your network from IPv4 to IPv6 won’t make your enterprise any safer, experts say. In fact, they warn, if done improperly, it could leave open gaping security holes. In this blog post, we’ll go over what you need to know about IPv6 and security, and how you can best deploy it.
IPv6 Urban Myths
IPv6 on its own won’t increase Internet security, contends well-known IPv6 expert Charles Sun, who has worked as a senior network engineer and principal network consultant at the University of Maryland, Northrop Grumman Mission Systems, U.S. National Library of Medicine, AOL Time Warner, and other organizations.
“It’s not necessarily true that IPv6 is inherently more secure than IPv4,” he says. “That’s a myth that was started because the initial specs for it included end-to-end encryption using IPsec.”
However, the IPsec requirement was dropped from the spec to make IPv6 easier to deploy. IPsec still works with IPv6, but it’s no longer mandatory.
Sun says that IPv6 is vital for the future of the Internet, because the deluge of new devices, including not just IoT, but also self-driving cars, will require it. There may be as many as 30 billion devices on the Internet in the next several years, he adds, which will require IPv6’s dramatic increase in IP address space.
Bruce Beam, CIO of the (ISC)² IT security professional non-profit group, believes that IPv6, if used properly, will allow enterprises to adopt more secure practices than they now have.
Notably, he says, when enterprises have the larger address space available for every Internet-connected device, they can better segregate IP addresses on their networks. Doing that, he says, will keep enterprises safer because if an attacker gets into their networks, they can only attack one part of it, and can’t hop onto other sections.
How to Deploy IPv6 Safely
Experts agree that unless enterprises deploy IPv6 properly, they can put themselves at risk. Particularly important, Sun says, is that companies check with their security and hardware vendors to find out whether their software and hardware are compatible with IPv6 — and if so, what changes need to be made in the way the hardware and software are deployed. That includes not just networking software, but desktop PCs and other company hardware. All new hardware and software should be IPv6 compliant as well, he says. And any existing hardware and software that won’t work with IPv6 will need to be replaced.
“It’s especially important to check with firewall vendors, to make sure they work with IPv6 and are configured properly,” he says. “Otherwise, you may leave yourself open to intrusions.”
Some vendors may not support the full IPv6 feature set, he warns, so it’s vital that enterprises know which security features are supported and which aren’t. At a minimum, he adds, vendors should support a company’s current IPv4 security feature set. He says that when negotiating security contracts, enterprises should require that their vendors support the entire IPv6 spec.
“Look for vendors way ahead of the IPv6 curve,” he recommends.
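One way to check that an IPv6 firewall policy is at least as strict as the existing IPv4 one, as discussed above. This is an added example, not code from the article or from anyone quoted in it; it assumes a Linux host whose rules are exported with iptables-save and ip6tables-save, the two rule dumps are constructed samples, and the helper names parse and parity_findings are illustrative.

```python
import re
import shlex

# Constructed sample dumps in iptables-save / ip6tables-save format (assumed Linux host).
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return (default policy per chain, set of (chain, proto, dport) ACCEPT rules)."""
    policies, accepts = {}, set()
    for line in dump.splitlines():
        m = re.match(r":(\S+) (\S+)", line)
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
            if opt.get("-j") == "ACCEPT" and "--dport" in opt:
                accepts.add((opt["-A"], opt.get("-p", "all"), opt["--dport"]))
    return policies, accepts

def parity_findings(v4_dump, v6_dump):
    """List places where the IPv6 policy is weaker than the IPv4 one."""
    p4, a4 = parse(v4_dump)
    p6, a6 = parse(v6_dump)
    findings = []
    for chain, pol in sorted(p4.items()):
        if pol == "DROP" and p6.get(chain) != "DROP":
            findings.append(f"{chain}: default {pol} on IPv4 but {p6.get(chain)} on IPv6")
    for chain, proto, port in sorted(a6 - a4):
        findings.append(f"{chain}: {proto}/{port} accepted on IPv6 only")
    return findings
```

The comparison looks only at default chain policies and destination ports; source-address restrictions and negated matches are not compared, so an empty result is a starting point for review rather than proof of parity.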
He adds that many enterprises may be tempted, during the transition from IPv4 to IPv6, to use tunneling technologies so that IPv4 and IPv6 sections of a network can talk to one another. But that can be extremely difficult to configure properly, he says, and may lead to sizable security holes. So he recommends changing over all at once to IPv6, if at all possible, eliminating the need for tunneling.
Beam adds that enterprises need to go into a potential IPv6 deployment with eyes wide open, and only make the move if it offers significant benefits, including for security.
“Moving from IPv4 to IPv6 is going to be a very difficult implementation, especially in large organizations, so enterprises should closely examine the benefits they expect to get from the move, and any potential security risks they might face during and after changeover,” he says.
“So, for example, if you don’t expect to get benefits such as with network segregation, it doesn’t make sense to do a large-scale move just in order to say, ‘I’m on IPv6.’”