Assuring the Security of IPv6
Though Architected for Security, Safeguards Must Be Addressed
IPv4 is quickly running out of addresses, and organizations need to begin preparing for IPv6 implementation. What steps should they take, and what do they need to consider?
John Curran, chief executive officer at the American Registry for Internet Numbers, says that addresses for IPv4 - the protocol the Internet was originally built on - are short, with the North American region lasting about one more year.
So what does this mean for organizations looking at IPv6? "You need to look at your public-facing Internet, the things outside your firewall, the things like your websites and e-mail servers, and look at IPv6," Curran says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
"Because some new users will be trying to access you with IPv6, you need to add that number - an IPv6 address - to your existing servers," Curran says.
He also stresses that organizations don't need new equipment in order to facilitate IPv6 implementation. "You just need to get your public-facing equipment numbered with both IPv4 and IPv6," he says.
In moving to IPv6, security capabilities are built in from the beginning, whereas IPv4 had add-ons to address security issues. But that doesn't mean organizations are safer after implementation. It will take some time to address any issues in security, and "[organizations] don't get the benefits until [IPv6] gets widely deployed," Curran says.
Organizations also shouldn't look at it as addressing security bugs in IPv6, but more of "you're turning on something new," Curran emphasizes. "You have to make sure you take the effort to secure it by setting up an appropriate firewall configuration for it," he says. "Otherwise, you might find you're passing all the appropriate IPv4 traffic, but, at the same traffic when it arrives on IPv6, is given a free pass into your network."
In the interview, Curran:
- Explains why the Internet using IPv4 is quickly running out of addresses and how IPv6 will resolve that problem;
- Discusses the responsibilities of user organizations' and Internet service providers' responsibilities to assure the safety of firewalls and other security measures tied to IPv6;
- Reviews steps organizations should take to securely implement IPv6.
Curran, who founded ARIN in 1997, ran several early Internet companies including BBN Planet, XO Communications and Servervault. He has authored the paper An Internet Transition Plan, which calls for moving the global Internet from its existing IPv4 protocol the newer IPv6 protocol. He also wrote Market Viability as a IPng Criteria, which summarizes some of the challenges IPv6 will have competing against IPv4 and the inevitable arrival of network address translation devices.
American Registry for Internet Numbers
ERIC CHABROW: Before we get into IPv6, take a few moments to tell us about ARIN.
JOHN CURRAN: ARIN is the American Registry for Internet Numbers. Our job is to manage the allocation distribution of Internet addresses throughout our service region. Our service region is Canada, the U.S. and 25 economies in the Caribbean. There are five regional Internet registries, all not-for-profit industry-led bodies that coordinate the assignment of Internet addresses. Every computer on the Internet has an internet address, what we call an IP address. It's an essential component of connecting to the Internet. The regional Internet registries make sure that those numbers are unique and that they're distributed throughout the globe to service providers of all types - telecommunication companies, hosting companies and cloud providers - to make sure everyone has enough numbers to get their job done.
IPv4 and IPv6
CHABROW: What are the main differences between IPv4 and IPv6?
CURRAN: IPv4 is the protocol that we built the Internet predominantly on. It's the one that was the original protocol of the Internet, and it's how packets move through the wire. Every packet that goes through the Internet has an IPv4 header and it has a destination, and there's a 32-bit field that identifies that destination. That 32-bit field means we have 4.3 billion approximate destinations that we can have on the Internet, which sounds like a big number. But as it turns out, 4.3 billion actually is relatively small compared to the world today. We have some 7 billion people spread throughout the world. People have smart phones, home Internet connections; they have Internet connections at work. You can imagine each person needing four or five IP addresses and that doesn't count servers that are generally used for business. If you've got seven billion people and you need four or five IP addresses for everyone of them, that's 30 or 40 billion IP addresses, and with IPv4, we only have 4.3 billion. So the Internet is constrained by IPv4 with how many devices we can connect to it.
With IPv6, we realized this constraint nearly 20 years ago - in 1992 - and the Internet Engineering Task Force - the IETF - spent some time to work on a successor protocol. This protocol is called IPv6 and it allows for many more destinations. Once we get the Internet switched over to IPv6, we'll never have to worry about running out again.
Preparing for IPv6
CHABROW: Basically, all the IPv4 addresses have been allocated. What does that mean to end-user organizations and the way they use the Internet? What should end-user organizations do to prepare for IPv6?
CURRAN: There are actually a few left in some regions of the globe. ARIN is one of them. But in the Asia-Pacific region, they have actually effectively run out. There's a small number that organizations can get a company or a service provider that might have hooked up 10,000 new customers every year. Now instead of getting enough addresses for them, they're only getting a small allocation, like 256 addresses, that have to be shared among 10,000 users.
Effectively we're out in Asia Pacific, shortly to be out in Europe, and in the North American region - U.S., Canada and parts of the Caribbean - we'll be out probably in about a year. What that means for organizations is, if you're already connected to the Internet, you might say, "I have my numbers. I'm connected. I don't need to do anything." But the Internet is an end-to-end network and so if the other end is running IPv6 and you're running IPv4, you might not be able to talk to them. What does this mean? You need to look at your public-facing Internet, the things outside your firewall, the things like your websites and e-mail servers, and look at IPv6 because some new users will be trying to access you with IPv6, and you need to add that number - an IPv6 address - to your existing servers. You don't need new equipment. You just need to get your public-facing equipment numbered with both IPv4 and IPv6.
CHABROW: Now is this something that organizations do themselves, or do they go to their ISPs to do this? How does that work?
CURRAN: Because the ISP has to route the traffic to you, you get your IPv6 address from your ISP. You call them up and say, "I need a block of IPv6 addresses," and they'll do the assignment. Organizations can also come directly to ARIN and that will give them a set of addresses that's independent of their service provider, but that's not necessarily something that people have to do. It's perfectly acceptable to get your addresses directly from your service provider.
CHABROW: Are most service providers doing this for their customers, or is this something where the end user has to be proactive?
CURRAN: You have to be proactive because you're already connected to the Internet. Service providers are focusing on connecting up new customers. I myself have run several service providers - two nationwide Internet backbones as well as a hosting company - before taking the CEO role at ARIN. Customers who want to use IPv6 need to contact their service provider and say they want to have an Internet connection that's both speaking IPv4 and IPv6.
CHABROW: Is this costly, or not really?
CURRAN: It depends on the service provider. It's not another piece of equipment. It's not a new router. It's not a new circuit. You don't need new fiber or copper. It's configuration over your existing connection. I do not know. You would you have to ask each service provider whether they charge a fee to do that configuration either one time or on an ongoing basis. That's really up to the service providers to handle.
Security of IPv6
CHABROW: IPv6 is said to be more secure than IPv4.How so?
CURRAN: Saying IPv6 is more secure than IPv4 is sort of like saying cars are more secure than trucks, or vice versa. It's really in the implementation. In theory, IPv6 has the capabilities of security built in. So what we use today - IPSec - to do encrypted connections is an add-on to IPv4. In IPv6, it's inherently part of the protocol, so all devices that speak IPv6 are capable of authenticated and encrypted connections. That from a viewpoint makes IPv6 more secure because the capabilities that you would have to add on to IPv4 are built in to IPv6.
Of course, you don't get the benefits until that gets widely deployed. In aiming for an Internet that will have better security because of IPv6, we have to get there first. In the process, we're employing new equipment or new software that supports IPv6, that's using IPv6 code that was written relatively recently. One of the advantages of IPv4 is it's had 20 years for us to find and fix any security issues. Well, IPv6 theoretically will provide us a long-term more secure environment. Short-term people have to realize IPv6 is subject to potentially having things discovered in it, simply because it's new and being deployed now much earlier than IPv4, which has 20 years of experience in looking for security holes.
Vulnerabilities in IPv6
CHABROW: Can you identify any kinds of vulnerabilities that have surfaced with IPv6 that need to be addressed?
CURRAN: That's really vendor-specific. The reality is that there were vendors that have shipped IPv6 code that didn't properly check security options or wasn't appropriately stopped by a firewall. It's possible that everything is working exactly as designed, but that your firewall hasn't been configured for IPv6. So it's not really a security bug as much as you're turning on something new. You have to make sure you take the effort to secure it by setting up an appropriate firewall configuration for it. Otherwise, you might find you're passing all the appropriate IPv4 traffic, but, at the same traffic when it arrives on IPv6, is given a free pass into your network.
CHABROW: I guess the ultimate responsibility would be to the end user, but is this something that an ISP can provide to their customers, or is this something that the end user always has to do?
CURRAN: If someone is buying a managed service, whether that be a security or a firewall service, then obviously that's something that the ISP has to provide as part of it, but this really is just like any other security issue. End-user organizations need to pay attention to their security and when they turn on v6 they have to remember to replicate their firewall security just as they did in IPv4.
CHABROW: Is there a way to quantify how many organizations have already moved to IPv6?
CURRAN: You have to understand, we've been working on IPv6 for 20 years. It became a standardized protocol with the IETF - the Internet Engineering Task Force - in 1999. It's been pushed out. It's sitting right now in the laptop you're using. It might be on the smart phone you're using, so this has been a very long process to make sure that this software is actually already deployed everywhere, but just hasn't been turned on.
In terms of deployment, IPv6 has remarkable deployment. It's very hard to find an operating system that doesn't have IPv6 support in it right now today for any modern operating system. In terms of the number of organizations that have turned it on, people turn it on when they have the need, i.e., when we have people connecting up with IPv6, and that need really just started in Asia Pacific a few months ago. People are beginning to enable their websites as the first step. It's because the Internet is now running publicly IPv4 and IPv6. Somewhere around one or two percent of the internet is IPv6 enabled, but that's going to change very rapidly. On June 6 of this year, there's now the World IPv6 Launch day where some of the top content providers, such as Google and Facebook, are going to turn on IPv6 and leave it on. When you ask how much of the Internet right now is IPv6 enabled, it might be a very small number, but it's due to increase significantly over the course of this year.
CHABROW: As organizations move to IPv6, are there other security implications they should be thinking of?
CURRAN: Certainly the question that comes up is, if you've got a website and you're trying to offer content to the Internet, there are going to be people trying to access it with IPv4 and IPv6. The ones who access it with IPv6, if you're not enabled with IPv6, they're going toward a gateway. That gateway is going to be run by their broadband provider. If they're a cell phone, it will be their mobile provider. If they're at home and they're using IPv6 and a broadband connection, it will be their broadband home provider. All of these six users come looking at you like a handful of IPv4 addresses. You won't know who's accessing your website. All you will see is a set of IP addresses associated with northern Virginia or southern California. So if you actually want to have security logs that reflect who's accessing you, if you want to actually have IP addresses that are unique for a user and not for an Internet service provider, you won't have visibility into any of that unless you enable your website with IPv6.
CHABROW: Anything else you would like to add?
CURRAN: It's not that hard to do. As the Internet moves over, people have to realize the growth will be on v6. If they don't make the change, people will still talk to them but eventually you will find yourself in the back water of the Internet, running only IPv4.