Hackers seeking to breach security are ahead of most would-be business implementers when it comes to figuring out the detail of IPv6 and are more motivated, a Wellington seminar has heard.
If a government agency does not intend to use IPv6 in the near term, but has IPv6-capable devices communicating with its network, then IPv6 capability will have to be consciously turned off, Jonathan Berry of the Government Communications Security Bureau warns. "That's prudent behaviour. Any sort of network hardening will push you down a path of turning off services and functionality you don't need," he told the seminar, on "Practical IPv6 for Government".
It's all too easy, several speakers at the event testified, to acquire IPv6 devices and addresses on a network, effectively providing a backdoor for security breaches if the network is not hardened against such traffic. And once you turn on IPv6, traffic on the network should, of course, be carefully monitored, to make sure only known activity is going on. "Whether you want to use IPv6 or not, you will have to know about it to keep your network secure," said Graeme Neilson of security specialist AuraInfosec.
It would be wrong to suppose IPv6 will fix problems that were previously well known in IPv4, said members of a security panel at the seminar. Email's SMTP protocol, for example, is not secure and IPv6 has not improved that situation, said AuraInfosec's Mike Haworth. Fragmentation of Layer 4 headers, a known problem in IPv4, has also not been fixed in the new protocol: a transport header split across fragments can get past protection mechanisms that expect to see it in one piece. White papers about IPv6 security discuss fragmentation exhaustively.
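The fragmentation evasion the panel describes can be checked for directly on the wire. The following is an added example (not code from the seminar or any speaker): it walks the IPv6 extension-header chain of a single packet and reports whether a first fragment actually contains its transport header, which is what a port-based filter needs to see. RFC 7112 requires the whole header chain to fit in the first fragment, so a first fragment that pushes the TCP or UDP header into a later fragment is exactly the packet a stateless filter cannot evaluate. The packets, addresses and identification values below are constructed for the demonstration.

```python
"""Does an IPv6 first fragment carry its upper-layer header?

Added example, not from the seminar. Sample packets are hand-built below.
"""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, DEST_OPTS}      # generic "next hdr, ext len" layout
MIN_TRANSPORT_LEN = {TCP: 20, UDP: 8, ICMPV6: 4}     # bytes a filter needs to read ports/type


def walk_header_chain(pkt: bytes) -> dict:
    """Follow the extension headers from the fixed 40-byte IPv6 header.

    Returns 'proto' (next-header value of the upper-layer header, or None if the
    chain runs off the end of the packet), 'offset' (where it starts) and
    'fragment' (None, or (fragment_offset, more_fragments) if a Fragment
    header was seen).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, frag = pkt[6], 40, None
    while True:
        if nh == FRAGMENT:
            if off + 8 > len(pkt):
                return {"proto": None, "offset": off, "fragment": frag}
            nxt, _res, fo_flags = struct.unpack_from("!BBH", pkt, off)
            frag = (fo_flags >> 3, bool(fo_flags & 1))   # offset in 8-octet units, M flag
            nh, off = nxt, off + 8
            if frag[0] != 0:
                # Non-first fragment: bytes after the Fragment header are a slice
                # of the original payload, not headers we can interpret here.
                return {"proto": nh, "offset": off, "fragment": frag}
        elif nh in EXT_HEADERS:
            if off + 2 > len(pkt):
                return {"proto": None, "offset": off, "fragment": frag}
            nxt, ext_len = pkt[off], pkt[off + 1]
            hdr_len = (ext_len + 1) * 8                    # RFC 8200 length encoding
            if off + hdr_len > len(pkt):
                return {"proto": None, "offset": off, "fragment": frag}
            nh, off = nxt, off + hdr_len
        else:
            return {"proto": nh, "offset": off, "fragment": frag}


def first_fragment_hides_transport(pkt: bytes) -> tuple:
    """(True, reason) if pkt is a first fragment whose transport header is missing."""
    info = walk_header_chain(pkt)
    frag = info["fragment"]
    if frag is None or frag[0] != 0 or not frag[1]:
        return False, "not the first fragment of a fragmented packet"
    proto, off = info["proto"], info["offset"]
    if proto is None:
        return True, "extension header chain runs past the end of the first fragment"
    if off + MIN_TRANSPORT_LEN.get(proto, 0) > len(pkt):
        return True, f"transport header (proto {proto}) is not in the first fragment"
    return False, f"transport header (proto {proto}) present at offset {off}"


# --- constructed sample packets (assumed addresses from the 2001:db8::/32 doc range) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload


def fragment_header(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


def dest_options(next_header: int, ext_len_units: int) -> bytes:
    """Destination Options header filled with one PadN option."""
    total = (ext_len_units + 1) * 8
    return bytes([next_header, ext_len_units, 1, total - 4]) + bytes(total - 4)


TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN to port 80

# Normal first fragment: Fragment header followed immediately by the TCP header.
NORMAL = ipv6(FRAGMENT, fragment_header(TCP, 0, True) + TCP_HDR + b"data")
# Evasive first fragment: a 32-byte Destination Options header fills the fragment,
# so the TCP header only appears in the second fragment (offset 4 = 32 bytes).
EVASIVE_FIRST = ipv6(FRAGMENT, fragment_header(DEST_OPTS, 0, True) + dest_options(TCP, 3))
EVASIVE_SECOND = ipv6(FRAGMENT, fragment_header(DEST_OPTS, 4, False) + TCP_HDR + b"data")
# Truncated: the options header claims 32 bytes but the fragment ends after 16.
TRUNCATED = ipv6(FRAGMENT, fragment_header(DEST_OPTS, 0, True) + dest_options(TCP, 3)[:16])

if __name__ == "__main__":
    for name, p in [("normal", NORMAL), ("evasive first", EVASIVE_FIRST),
                    ("evasive second", EVASIVE_SECOND), ("truncated", TRUNCATED)]:
        print(f"{name:15s} -> {first_fragment_hides_transport(p)}")
```

A filter that applies this check should drop or log a first fragment for which the function returns True; a later fragment on its own carries no headers to match, so it can only be judged after reassembly.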
In a plan for IPv6 implementation, GCSB recommends starting with less business-critical parts of the system. "Use that as an experience and a learning opportunity. Once you're experienced and comfortable with that, you may consider implementing IPv6 on more critical services."
The way vendors have implemented IPv6 in their products "could be considered relatively immature," Berry warned. "You will see vulnerabilities in the protocol and in devices. There are many RFCs [IETF Requests for Comments, which specify the protocol and document known problems and workarounds] out there already," and organisations should check how their vendors are responding to those RFCs.
With a dual communications stack supporting IPv6 and IPv4, warned TelstraClear's Steve Martin, "you are creating a second inroad into your organisation that will find all those old boxes you thought you'd turned off but hadn't. Make sure you know your lifecycle and are turning off systems when they go out-of-cycle," not just accepting someone's word that this has been done.
Financial considerations for the organisation are not limited to the cost of IPv6 itself, Martin says; a lot of security tools will need to be upgraded to handle IPv6 checks properly and this will cost the organisation.
Filtering of suspect email relies substantially on reputation servers, and most of these are not yet equipped to keep tabs on the vastly greater address space of IPv6, the panel agreed in response to a query from the audience. It is up to people who care about secure IPv6 implementation to start their own reputation lists, panel members suggested. These will blacklist wide ranges of address-space, since listing individual addresses will be too huge a task.
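One way to keep a reputation list that works at the scale the panel describes is to key it by prefix rather than by address, so that a host hopping through the 2^64 addresses of its /64 cannot shed its reputation, and to resolve a lookup by walking from the most specific covering prefix to the least. The following is an added example, not the panel's or any reputation provider's code; the prefixes, scores and the /64 customer-assignment assumption are constructed for the demonstration.

```python
"""Prefix-keyed IPv6 sender reputation (added example, constructed data)."""
import ipaddress
from typing import Dict, Optional, Tuple


class PrefixReputation:
    def __init__(self) -> None:
        # IPv6Network -> score; negative is bad, positive is vouched-for.
        self._entries: Dict[ipaddress.IPv6Network, int] = {}

    def add(self, prefix: str, score: int) -> None:
        net = ipaddress.ip_network(prefix, strict=False)
        if net.version != 6:
            raise ValueError("IPv6 prefixes only")
        self._entries[net] = score

    def record_bad_sender(self, address: str, assignment_len: int = 64) -> None:
        """Penalise the whole prefix the sender sits in (assumed /64 per customer),
        since listing the single address would be defeated by the next message."""
        net = ipaddress.ip_network((ipaddress.ip_address(address), assignment_len), strict=False)
        self._entries[net] = self._entries.get(net, 0) - 10

    def lookup(self, address: str) -> Tuple[Optional[str], int]:
        """Longest-prefix match: check /128 down to /0, first hit wins."""
        addr = ipaddress.ip_address(address)
        for plen in range(128, -1, -1):
            net = ipaddress.ip_network((addr, plen), strict=False)
            if net in self._entries:
                return str(net), self._entries[net]
        return None, 0

    def accept(self, address: str, threshold: int = -20) -> bool:
        """Reject connections from address space scored at or below threshold."""
        return self.lookup(address)[1] > threshold


def build_sample_list() -> PrefixReputation:
    rep = PrefixReputation()
    rep.add("2001:db8:bad::/48", -50)       # a whole allocation known for abuse
    rep.add("2001:db8:bad:1::/64", 5)       # one vouched-for customer inside it
    rep.record_bad_sender("2001:db8:feed::abcd")  # one spam source penalises its /64
    return rep


if __name__ == "__main__":
    rep = build_sample_list()
    for a in ["2001:db8:bad:1::beef", "2001:db8:bad:2::1", "2001:db8:feed::1", "2001:db8::1"]:
        print(a, rep.lookup(a), "accept" if rep.accept(a) else "reject")
```

The walk costs at most 129 dictionary probes per lookup regardless of list size, which is what makes wide-range listing cheap to query; the trade-off is that a legitimate sender sharing a penalised /64 is blocked until it is listed explicitly at a longer prefix, as the vouched-for /64 above shows.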
Hackers are busy looking at all the vulnerabilities in IPv4 and figuring out how they translate to IPv6. Using unobserved IPv6 traffic to covertly attack IPv4 networks is "attractive", said Neilson.
"It's prudent to assume the adversary is slightly ahead of us," Berry said. The hacker community's incentive to explore the capabilities of IPv6 is "perhaps stronger than some of us".
The Australian Federal government being ahead of New Zealand's in implementing IPv6 has value, Berry says. "We are in touch with our sister agency, the DSD, in Australia. As [Australian agencies] push IPv6 out, there'll be significant lessons learned. DSD will alter its ISM and we will plagiarise that and push it out as policy here."