IPv6 security: Plan now and quiz vendors

Surely IPv6, a protocol designed for the internet age, will herald a new era free of many of the old security problems? Not quite, says Rik Ferguson.

Remember the Ping of Death, source routing, stateless firewalling, IP spoofing and the myriad other "features" of TCP/IP that network admins have been learning to correct, compensate for, or reconfigure over the years?

I started working with TCP/IP in 1994, at the dawn of the commercial public internet. In the same year that I got involved with TCP/IP, the concept of Classless Inter-Domain Routing (CIDR) was introduced as a means of conserving the already conceptually limited address space offered by IPv4, the version of TCP/IP still most prevalent across networks and the internet today.

IPv4 was initially formalised in 1980 in RFC 760 and later refined in 1981 by RFC 791, which is essentially the specification that we still use today. To say that IPv4 suffers from two major issues would be simplifying things to the point of absurdity.

Root of all current IPv4 issues

Even so there are two issues that stand head and shoulders above the others. In fact in some ways they are the root of all the current issues with IPv4.

• TCP/IP was conceived, along with most of the other core internet protocols, for use in a friendly environment.
• The growth of the internet was not anticipated during the design phase of the protocol.

Leading us to the situation we face today — and have been facing for the past 15 years at least, where security mechanisms have been largely an afterthought, a bolt-on or a workaround in internet communication in general. Not only that, we've used up all the address space. The last IPv4 blocks were allocated on 3 February 2011.

Enter IPv6, a protocol designed for the internet age with security designed in from the conception phase. As well as exponentially expanding the available address space, one single /64 allocation — the standard user allocation block — is enough to contain four billion times more addresses than the entire IPv4 address space.

IPv6 also mandates IPsec, encryption and integrity for TCP/IP, which was so sorely needed that it was already back-ported to IPv4 and has been in widespread use, particularly in VPNs, for many years. Surely these measures are all to the good, right?

Failing to learn from past security lessons

Not so. As far back as four years ago, researchers Philippe Biondi and Arnaud Ebalard demonstrated that the IPv6 routing header was uncannily similar to source routing in IPv4, a feature that caused so many security headaches it was universally disabled, first by admins and later by vendors in their IP stacks. It seems that even those designing the standards failed to learn all the lessons of the past.

It seems that even those designing the standards failed to learn all the lessons of the past.

Add to that the many and varied implementations that will be built into firmware by the thousands of hardware manufacturers and the uncountable custom software stacks that will feature in applications as they move toward IPv6 compatibility.

Millions of new lines of code with the potential for thousands of vulnerabilities. I can't count the number of TCP/IP stack revisions I saw, even by the single vendor I worked for in 1994 as we learned to correct and follow the IPv4 standards as best we could.

The message to enterprise is clear: plan now, ask the right questions of your vendors and make sure your IT and security teams have a migration plan in place. Although IPv4 and IPv6 will run in parallel for some time, entrenched concepts such as perimeter firewalls, VPNs, intrusion-prevention systems and pen testing will have to be rethought and, as usual, the criminals will be leading the way.

Rik Ferguson is director of security research and communications, EMEA, at Trend Micro. He has over 15 years' experience in the IT industry with companies such as EDS, McAfee and Xerox.