Security versus privacy with IPv6 deployment

SINGAPORE--IPv6 brings to light a new debate between privacy and security, as it allows more unique IP addresses which pinpoint users especially with the rise in mobile devices, but on the other hand ensures that it is difficult for cybercriminals to look for targets by scanning.

According to Dick Bussiere, solutions architect at Arbor Networks at the IPv6 Conference here Wednesday, the increase in number of IP addresses through the migration to IPv6 brings about a conflict between privacy and security.

With IPv6, IP addresses will now be "globally unique", being tied to specific people and devices, he explained. This means users can be tracked and is associated with privacy issues, and will no doubt make many "uncomfortable" because it raises their visibility on those devices, he noted.

However, greater security will also be ensured, as with IPv6, each subnet now has 18 quintrillion addresses, instead of 256 addresses per subnet, Bussiere pointed out. It will now take longer for cybercriminals to find the targets and it also eliminates one of the primary vectors of malware spread, he noted.

Another speaker, James Lyne, director of technology strategy at Sophos, agreed that IPv6 brings the issue of balancing security and privacy to the forefront. He pointed out that if users tried to use encryption on IP addresses to protect their privacy, it would complicate network security management in terms of intrusion prevention system (IPS) such that network inspection and protection is compromised, he said.

"There is no right answer, it's a constant calibration," Lyne noted. "Individuals and organizations must choose where they want to be on the scale of security and privacy, considering the technologies available to them and how they can configure it."

Threats similar to IPv4, but new security risks persistThe threats faced by IPv6 is similar to that of IPv4, since most cybercriminals attack applications instead of the protocol, Bussiere remarked. As such common cyberattacks such as social engineering, Trojans, worms, and viruses will continue to work on upper layers and not the protocols itself, he explained.

However, risks may arise from the transition from IPv4 to IPv6, he warned. The new "dual-stack" environment is preceded by an environment containing small "islands" of IPv6 which connects to the IPv4 network by "tunneling" one protocol over another, he explained. This requires deep packet inspection with the right authentication and access control mechanism, so that the attack traffic does not avoid security filters.

At the moment, many deployed network security tools also do not support IPv6, and most products that support IPv6 are relatively new and may have potential vulnerabilities and bugs, Bussiere pointed out.

While there are not many tools that work specifically on IPv6, they will continue to grow because cybercriminals "go where the money goes", Bussiere warned, adding that such tools will skyrocket as more people migrate to IPv6.

For instance, exploit tool Metasploit is now able to hide traffic over IPv6 and penetration testing toolkits traditionally used for network reconnaissance are now becoming more developed to work on IPv6, Lyne cited.

Don't activate IPv6 until readyWith dual-stack environments, companies must understand that host security controls should block and inspect traffic from both IP versions through host intrusion preventions, personal firewalls and virtual private network (VPN) clients, Eric Vyncke, distinguished engineer at Cisco Systems, who was also speaking at the event, advised.

Companies should take their time to understand the new risks IPv6 brings, and block IPv6 with a firewall if necessary until they are ready, he added. This is to ensure that they are able to procure IPv6 capable security devices over the next upgrade cycle and are able to conduct penetration testing exercises, he said.

"Companies should have a true concept of IPv6 readiness which includes network and endpoint security," Lyne said. "There is a difference between ready for business efficiency and being security-ready, and most companies only consider the former."