Are you ready to launch IPv6 securely?
Davey Winder says that despite the unnecessary scare stories, businesses need to think about migrating to IPv6 securely now.
Did you know that 6 June 2012 is IPv6 launch day?
Nope, me neither, but according to the Internet Society it is, and everyone, it says, should be thinking about making the permanent move from their current IPv4 network to the new whizz-bang IPv6 one.
So will you be one of them? More to the point, are there any pressing security reasons why you shouldn't?
Arbor Networks has published the results of some research into the first wave of Distributed Denial of Service (DDoS) attacks on IPv6 networks, and the good news is that the figure is pretty damn low with just four per cent of those operating such networks reporting DDoS activity.
In fact, the chances are high that these are not actually the first DDoS attacks against IPv6 networks at all, but rather the first ones that have been detected and reported. Which is also good news. It means that, at long last, we are starting to see discussions on this kind of threat in relation to IPv6.
But in less good news, the reports of DDoS attacks targeting IPv6 networks do suggest that as adoption amongst organisations picks up pace, so does the value to the bad guys.
Indeed, the fact that these attacks are happening at all suggests that the bad guys are also adopting IPv6 as they need a platform from which to launch them, and that platform has to be an IPv6 endpoint. That they have managed to compromise enough of these to launch DDoS attacks at all is worrying, and raises questions about how well those networks are being secured against such an eventuality.
"More than six years ago, one of the frequent rallying points for IPv6 was that it was more secure than IPv4... Time and research has shown that IPv6 is not more secure than IPv4," said Arbor Networks engineer Bill Cerveny.
Many security experts with an engineering bent seem to readily agree, with the consensus of opinion being that the notion of greater security was based around the time at which IPv6 was being developed (mid-nineties) when the internet had not yet experienced the growth we have seen since. That growth had a knock-on effect of creating masses of fresh security threats.
While IPv6 may well have been 'more secure' in terms of the earliest threats, there is really no great body of evidence to suggest it has any real advantage over IPv4 when it comes to the current threatscape. The truth is that it's just as exposed, and possibly more so. We have already seen evidence of old IPv4 threats surfacing on IPv6, and there will be IPv6-specific vulnerabilities to throw into the risk assessment mix as well.
So is that reason enough to think that the Internet Society has jumped too soon with the IPv6 launch day idea? Certainly not. IPv6 has been around for what seems like forever (especially given the never-ending media obsession with reporting how many IP addresses it can support) and DNS use within IPv6 was given the go-ahead in 2008 to coincide with the Olympic Games of that year, which made good use of it. Today some three per cent of domain names and 12 per cent of internet connected networks support IPv6 according to the Global IPv6 Deployment Progress Report.