Report outlines IPv6 security challenges
The first draft of NIST Guidelines for Secure Deployment of IPv6 compares and contrasts the new Internet Protocols with IPv4 and identifies security risks likely to be faced in deploying the new protocols on the network.
Ready or not, the next generation of Internet Protocols is likely to be making their appearance on government networks in the not-too-distant future, and the National Institute of Standards and Technology is advising network engineers and administrators to familiarize themselves with the security challenges of IPv6.
“The migration to IPv6 services is inevitable as the IPv4 address space is almost exhausted,” a new NIST draft publication states. “IPv6 is not backwards-compatible with IPv4, which means organizations will have to change their network infrastructure and systems to deploy IPv6.”
NIST Special Publication 800-119, “Guidelines for the Secure Deployment of IPv6,” describes IPv6's protocols, services and capabilities, including addressing, DNS, routing, mobility, quality of service (QoS), multihoming and IPsec. For each there is an analysis of the differences between IPv4 and IPv6 and the security ramifications of these differences. It characterizes new security threats that the transition to IPv6 poses and gives guidelines on IPv6 deployment, including transition, integration, configuration, and testing.
“IPv6 can be deployed just as securely as IPv4, although it should be expected that vulnerabilities within the protocol, as well as with implementation errors, will lead to an initial increase in IPv6-based vulnerabilities,” the report cautions. “As a successor to IPv4, IPv6 does incorporate many of the lessons learned by the Internet Engineering Task Force for IPv4.”
The Internet Protocols are the set of rules governing the way devices communicate with each other over packet-switched IP networks. The Internet has been operating on version 4 of those protocols since its public adoption, but a limited address space forced the development of a new version with a greatly expanded address space and other features. IPv4 continues to work and will remain on networks for the foreseeable future, but the imminent exhaustion of address space is now forcing the adoption of the new protocols. Government networks already are capable of carrying packets using IPv6, but it has not been actively implemented on those networks. That is expected to change before long.
“Since the majority of organizations will most likely run both IPv6 and IPv4 on their networks for the foreseeable future, this document speaks about the deployment of IPv6 rather than the transition to IPv6,” the publication says.
The community of attackers is likely to have more experience with IPv6 than the organizations that are just now deploying it, according to the report. The organizations also may have IPv6 assets on their existing IPv4 networks that are unknown or unauthorized. Operating both protocols in parallel during the transition phase adds complexity to network management. And the security products made for IPv6 are less mature than their IPv4 counterparts. All of these factors pose risks, according to the NIST report.
The publication includes an introduction to IPv6, including its history, features and comparisons with IPv4, and discusses details of IPv6 addressing, allocation and packet organization. It also examines some of the more advanced features of IPv6, such as multihoming, multicast, QoS, Mobile IPv6, jumbograms and address selection, and their security implications. Advanced security features such as privacy addresses and IPsec are discussed, along with the process for securely moving from IPv4 to IPv6.
NIST recommends that engineers and administrators bring their knowledge of IPv6 up to the level of IPv4, and phase in the new protocols while planning for a long period of coexistence of the two. If the new protocols are not being deployed on a network, all IPv6 traffic should be blocked within the network, and IPv6-accessible Web servers placed outside of the firewall.
Comments on the draft should be sent by April 23 to draft-sp800-119-comments@nist.gov with "Comments SP 800-119" in the subject line.