Hacker's next attack target: IPV6

You can postpone the deployment of the IPV6 strategy as you wish, but you must immediately address the security implications of IPV6. If you plan to IPv6 and IPV4 on a dual stack configuration, then you can't take it lightly in terms of security. If you think about turning your whole IPv6, it doesn't mean you can sit still.

The biggest potential security threat is that a large number of IPV6-capable devices are already plugged into the corporate network, including all running Windows Vista, Windows 7, Mac os/x, Linux, and BSD devices.

Unlike previous IPv4 requiring DHCP, IPV6 does not require manual configuration. Eric Vyncke, co-author of Cisco's Outstanding Systems Engineer, IPV6 Security, said the stateless Autoconfiguration feature meant that "IPV6 devices can identify their identities on the web with only a single routing notice."

"Routers and switches that support only IPV4 cannot identify or respond to IPV6 device notifications, but a rogue IPv6 router can send and interpret this information," he cautioned. ”

Stateless autoconfiguration allows devices that support IPv6 to communicate with other IPV6 network devices and services on the same LAN. With this procedure, the device is able to advertise its location and can be positioned through the IPv6 Neighbor Discovery Protocol (NDP).

But without management, NDP may expose neighboring devices to hackers eager to gather information inside the network, even allowing them to be taken over and turned into "zombies."

Vyncke warned that the threat was real. "We have been observing around the world that these zombie machines are increasingly using IPV6 as a covert channel for communicating with zombie masters," he said. "In many guises, malicious software that supports IPV6 can encapsulate malicious load in one or more IPv4 messages." Without packet depth detection and other security measures conforming to the IPV6 specification, such loads pass through the IPV4 boundary while the DMZ defenses are not detectable.

The Secure Neighbor Discovery Protocol (SEND) is a solution developed by the IETF for Layer-2 layer IPv6 threats, such as Rogue Ra and NDP spoofing, that are equivalent to rogue DHCP and ARP spoofing in IPv4 threats. Although well-known manufacturers such as Microsoft and Apple do not support send, some operating system vendors have started to support send.

Cisco and IETF are developing security measures for the IPV6, similar to those currently in use to protect IPv4 from such threats.

This column more highlights: http://www.bianceng.cn/Network/Security/

The IETF has established a Savi (source address authentication) Working Group. Cisco's iOS upgrade program, which began in 2010, is now in its third phase, and is expected to be fully implemented in 2012.

Vyncke stresses that many of the common IPv6 security risks are caused by improper configuration of end-user devices on the network, and that proper configuration and IPV6 security measures can eliminate many of these risks. "The solution to this type of problem is to deploy native IPv6 to protect IPv6 information at the same level and to deal with similar threats that you have successfully defended on IPv4," he explains. ”

IPSec Security Myth

It is now widely believed that IPv6 is inherently safer than IPv4 because IPSec support is mandatory in IPv6. "This myth needs to be debunked," Vyncke said. ”

He noted that, in addition to the actual challenges faced by the widespread deployment of IPSec, the critical security features of the (Router/switch/firewall) devices were affected by the inability to see the content of the IPSec encapsulated information.

For this reason, Vyncke, who is an active member of the IETF and author of RFC 3585, says an IETF working group is considering the need to adjust IPSec support to "recommended" in IPV6 deployments.

Regarding the prohibition Ipv6,vyncke that this is a very bad idea, the reason has two. First, Microsoft says that IPV6 is banned in Windows 2008 because the configuration is not supported. Vyncke said the ban on IPV6 was an unwise strategy that would lead to inevitable delays in the deployment of IPV6. Second, whether it is willing or not, the devices that support IPv6 are starting to appear heavily on the network, which will lead to a deteriorating security situation.

Development power

Beyond the threat, IPV6 's commercial deployment cases are growing, and IPV6 has been unable to continue to be overlooked. As many international clients ' networks no longer support IPV4, banks and online brokerages are losing contact with these customers, and banks and online brokerages have begun to face up to the challenge.

Companies such as Telefónica and T-mobile have begun to deploy IPV6 on a large scale, particularly in the European region. The U.S. government has also begun a transition to IPv6, and they are also calling on suppliers and manufacturers to provide more IPV6 products and services.

"You never want to be in a situation where you can't interact with your clients," said Keith Stewart, director of product management at Brocade communications systems. "By sharing ideas with web vendors, Stewart found that the transition to IPV6 has become a big trend," he said.

"It is neither realistic nor feasible to upgrade the whole of the internet to IPV6," Stewart said. Customer needs a balanced, practical solution. He noted that as service providers consumed the fastest addresses, they were among the first to upgrade to IPV6, followed by content providers such as Google and Facebook, and end users, since 99% per cent of these end-user home routers were developed based on the IPV4 protocol.

While transitioning to IPV6, Boko is also deploying load balancers, providing IPV6 translations to public services and retaining IPV4 connections in the internal network.

So far, the majority of clients applying for IPV6 services are from education and government departments, especially university research laboratories and government agencies that need to comply with federal IPV6 orders, according to Juniper Networks.

Juniper Networks forecasts that the 2012 IPV6 will be more active, especially among service providers. Alain Durand, the company's software engineering director, said: "For our customers around the world, IPV4 address depletion is becoming a very serious problem." "Durand predicts that most IPv6 deployments will be small projects that use a dual-stack solution in the existing IPV4 public service to increase IPV6 functionality. "To address the problem of IPV4 address shortages, customers often choose to add a NAT layer," he said. ”

Although it is not yet possible to accurately predict when the IPV4 address will dry up, the APNIC chief scientist Geoff Huston, based on data analysis released by the IANA and regional Internet registries, will be fully depleted of the remaining IPv4 addresses in 2014.

However, it should be noted that Huston's analysis ignores addresses reserved by private companies that may be used or sold in the future. Microsoft, for example, has acquired more than 600,000 IPV4 addresses in its recent acquisition of Nortel assets. In recent evaluations, this part of the IPV4 address has not been taken into account, and many in the industry predict that the upgrade costs will rise as the IPV4 address is in short supply.

Many network managers are unwilling to take the initiative because of the lack of the best IPv6 transformation practices available for reference. While security concerns and concerns about the inability to communicate with customers who have been transitioning to support only IPV6 systems, it may not be a sensible idea to stay on the sidelines and wait for others to scout.

It is advisable to establish or re-establish contacts at the planning stage with trusted network vendors who can provide architecture and security guidance, and to work together to find a practical solution to the numerous IPV6 transition scenarios.