Companies should only deploy IPv6 for services they provide over the internet, as the protocol is still riddled with security flaws, an expert has urged.
The German researcher Marc Heuse, who has been analysing IPv6 security for almost a decade, said on Wednesday that there is no business case for deploying IPv6 on internal systems.
"If some network engineer says 'let's make a global company all IPv6', I would fire that guy, because it costs millions and the benefit is zero," Heuse told ZDNet at Telefonica's Campus Party event in Berlin. "Let's say you're Daimler: in what way does it make your network better?"
Heuse said outstanding vulnerabilities in IPv6 provide vectors for man-in-the-middle attacks, password sniffing and packet tampering. However, the protocol's uptake by users — particularly in Asia — mean there is no alternative to rolling it out for many outward-facing services.
"Companies should start with internet connectivity this year, but only the internet connectivity for the service they are offering," he said.
IPv6 is the new version of the internet protocol, and is being keenly pushed by governments and vendors worldwide. Its chief benefit is that IPv6 address strings are about four times as long as those for IPv4, providing trillions of possible addresses, versus IPv4's four billion possible permutations.
This is very useful for devices that are directly connected to the internet, but less so for companies' internal networks. The new protocol officially went live around the world in June, and is by all accounts now seeing tremendous growth.
'It was a political thing'
Heuse believes "the sun is coming up" for IPv6 security, in that vendors have been trying hard to fix the problems with it, particularly in the last year. However, he said fundamental flaws remain — the overall problem being the protocol's sheer complexity.
In a talk he gave earlier at the event, Heuse noted that IPv6 was designed in the mid-'90s, "when the world was still a very safe place".
"That's why they said back then that you don't need to have security locally, because everyone on the local network is trusted, and that if you encrypt everything, nothing can be hacked — yeah sure," he said. "Back then having a firewall filter was considered safe."
Heuse, who said he is finding more flaws with IPv6 each year, highlighted the problem of router advertisement spoofing. He blamed this problem on the keenness of the protocol's designers to move away from DHCP (Dynamic Host Configuration Protocol), which is used to assign IP address information to computers on a network.
"The protocol designers wanted to get the power of the network back to the network teams — it was a political thing," he said. "The routers [keep saying] to the network, 'I am a router'. This is similar to DHCP, but in DHCP the server says 'this is your IPv4 address'."
"In IPv6, the router says: 'this is a network space; choose what [address] you want.' Everybody can pretend they are a router, and every system on the network will think you are a router. This can allow man-in-the-middle attacks, password sniffing, changing data on the fly and so on."
Heuse criticised Microsoft for not fixing an IPv6-related router advertising flooding vulnerability in Windows, but still requiring customers not to deactivate IPv6 in order to let tools such as Exchange work. He said he had disclosed this vulnerability to Microsoft as much as two years ago.
He also pointed out that IPv4 benefited from 20 years of security research, whereas IPv6 was only now being deployed on a scale large enough for flaws to become more readily apparent.