IPv6 security guru fields questions

Security guru Scott Hogg says that IT executives can't ignore the security problems that the next-generation Internet protocol can present

Although he acknowledges that businesses have yet to embrace IPv6, security guru Scott Hogg says that doesn't mean IT executives can ignore the security problems that the next-generation Internet protocol can present. After all, he notes, operating systems such as Microsoft Vista and Linux are already IPv6-capable, and thus any networks that use them might be handling IPv6 traffic without their operators' knowledge. In this question and answer session, Hogg, who is also the coauthor of the Cisco-approved IPv6 Security guidebook and who writes regularly for Network World's Cisco Subnet blog, talks about steps that network operators can take to ensure that they don't inadvertently let their network get compromised by stealth IPv6 packets.

You say that a lot of organizations may already have IPv6 running over their networks and not realize it. Can you give me an example of how this happens?

Well, it might happen if they have IPv6-capable hosts, meaning that maybe their own network doesn't run IPv6 per se but that traffic can be tunneled over IPv4 systems. If you have machines on your network that run Vista, then that would run both protocols at the same time. And even if your network isn't using the IPv6 stack, there are ways to awaken the IPv6 stack. For instance, Windows XP systems can be configured to run IPv6, so a hacker can turn it on by infecting your machine with some worm that changes your settings.

Can you explain in greater detail what you mean by IPv6 traffic being "tunneled" through IPv4 systems?

Sure. So right now there aren't nearly as many IPv6 addresses as there are IPv4 addresses. And the problem comes in when you need to get two IPv6 islands to talk to each other in an ocean of IPv4 networks. So the solution is that we encapsulate the IPv6 traffic inside what looks on the outside like IPv4 traffic so it can be sent over IPv4 networks. The security implications of this come in if I have a simple firewall that just sees an IPv4 box and doesn't parse it enough to see that there's something else in there. The firewalls don't look closely enough at encapsulated packets because the typical firewall today has nothing capable of opening up the capsule. Some vendors are starting to work together on this problem but they aren't there yet.

What are some of the unique challenges in securing a dual-stack network that supports both IPv4 and IPv6?

You're twice as vulnerable because if you had a certain application that had security issues, then hackers could attack it with either IPv4 or IPv6. So if a hacker went after a system that was running two protocols they could get to either one. For instance, they could leverage one protocol for another by finding hosts that run IPv4 and then using IPv6 as a covert channel.

How do the security challenges of IPv6 networks differ from those of IPv4 networks?

One key difference that I've already mentioned is in the way that IPv6 requires that we use migration techniques that can create tunnels that hackers can exploit. The other area where IPv6 is different from IPv4 is that IPv6 packets use extension headers that were developed to improve performance by simplifying the packet header structure. Essentially IPv6 extension headers are optional headers that let you specify certain ways that you want the packet to behave. You may want to route the packet through a certain path on the network, for example, or you might have a fragmentation header that breaks up the packet and then reassembles it. In IPv4 we had to have all those headers included in one single header but they're optional in IPv6. And because they're optional, security protocols need to parse a variable set of headers.
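The two inspection gaps raised in the answers above, tunneled IPv6 hidden in IPv4 and a variable chain of extension headers, can be shown with a small parser. This is an added example, not part of the interview or the IPv6 Security guidebook; it assumes protocol-41 (IPv6-in-IPv4) encapsulation only, and the function names and sample packet are constructed for illustration.

```python
# Next Header values for extension headers that share the layout
# (next header, length in 8-octet units not counting the first 8 octets).
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT = 44             # fragment header: always 8 octets
PROTO_IPV6_IN_IPV4 = 41   # IPv4 protocol number for encapsulated IPv6


def walk_ipv6(pkt, max_headers=8):
    """Return (extension header names, upper-layer protocol number)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen = pkt[6], 40, []
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        # Bound the walk: an inspector that gives up or loops here is
        # exactly the weakness a variable header chain creates.
        if len(seen) >= max_headers or off + 8 > len(pkt):
            raise ValueError("extension header chain too long or truncated")
        seen.append(EXT_HEADERS.get(nxt, "fragment"))
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    return seen, nxt


def inspect_ipv4(pkt):
    """Classify an IPv4 packet and open the capsule when it carries IPv6."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != PROTO_IPV6_IN_IPV4:
        return {"tunneled_ipv6": False, "proto": pkt[9]}
    ext, upper = walk_ipv6(pkt[ihl:])
    return {"tunneled_ipv6": True, "ext_headers": ext, "upper_proto": upper}


def sample_packet():
    """Constructed sample: IPv4/41 > IPv6 > hop-by-hop > fragment > TCP."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")   # 2001:db8::1
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")   # 2001:db8::2
    ipv4 = bytes([0x45, 0, 0, 96, 0, 0, 0, 0, 64, 41, 0, 0,
                  192, 0, 2, 1, 198, 51, 100, 1])        # checksum left zero
    ipv6 = bytes([0x60, 0, 0, 0, 0, 36, 0, 64]) + src + dst
    hbh = bytes([44, 0, 1, 4, 0, 0, 0, 0])    # next=fragment, PadN option
    frag = bytes([6, 0, 0, 1, 0, 0, 0, 1])    # next=TCP, offset 0, M=1
    return ipv4 + ipv6 + hbh + frag + bytes(20)          # zeroed TCP header


if __name__ == "__main__":
    print(inspect_ipv4(sample_packet()))
```

A filter that stops at the outer header sees only "IPv4, protocol 41" for this packet; the TCP segment is reachable only after unwrapping the tunnel and stepping over two optional headers.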

Finally, if a company came to you and asked you to help them make a checklist of things they would need to do before changing over to IPv6, what would you tell them?

In a lot of ways it's very similar to what they did to secure their IPv4 networks. They'll want to secure the perimeter first. Then they'll need to harden their network devices and make sure their routers and switches running IPv6 are hardened before turning on specific areas of their network. In general their migration strategy should be going from the core on out. Use that same practice as securing IPv4 networks where you go from the core to the edges.


Brad Reed

Network World