The wind of change is blowing. Network providers are preparing to migrate their networks from IPv4 to IPv6. It is still a chicken-and-egg situation: providers are waiting for a response from their customers, and customers are waiting for a signal from their providers before migrating their networks to the new technology. It is true that IPv6 will be the next generation of networking technology, especially for the Internet. Internet giants like Google Inc. and Yahoo! are already offering their services over IPv6.
Big OS vendors such as Microsoft, along with other professional OS vendors including Red Hat's Linux and Sun's Solaris, are shipping their operating systems with IPv6 enabled by default. But at this moment IPv4 is still the mainstream protocol for data transfer on the Internet.
Before saying that an IPv6-enabled OS is a security risk nowadays, we need to know what IPv6 and IPv4 are. In the 60s or 70s, when Internet technology was made available to the public, TCP/IP (v4) was the protocol used to communicate over the Internet. At that time it was expected that the IP addresses available in that technology would be enough to run the entire Internet for a long time. But that was wrong. In the early 80s, Internet scientists found that the growth of the Internet was too heavy and that resources like IP addresses were going to run out soon. So they created a new protocol, called IPv6, which has a virtually unlimited number of IP addresses for the individual systems connected to the Internet.
Currently there are two protocols running on the Internet: IPv4 is in production and IPv6 is in development. Though IPv6 is now mature enough to migrate 80% of Internet services to it, providers and end users are still waiting for each other to take the first step and start the migration process. On the Internet, IPv6 runs in parallel with IPv4, and there is no direct connection between the two protocols. But to give a taste of IPv6, another technology called tunneling exists to transfer data between the two protocols.
What are we talking about and what is the size of risk?
The number of computers running IPv6 is staggering. Carolyn Duffy Marsan, in a NetworkWorld article, quoted Joe Klein as saying:
“We’re probably talking about 300 million systems that have IPv6 enabled by default. We see this as a big risk.”
What I’m wondering is how many of the people using the 300 million computers realize IPv6 is enabled or know what it means?
What’s being exploited
In a concurrent article, Marsan asked experts what they considered the most serious issues of running a dual stack comprised of IPv6 and IPv4. Here’s what they said:
Rogue IPv6 traffic: Attackers realize that most network administrators either aren’t monitoring IPv6 traffic or can’t, because existing firewalls, IDS, or network management tools aren’t IPv6-aware. Therefore, an attacker can send malicious traffic to any computer running IPv6 and it will get through.
IPv6 tunneling: Protocols such as Teredo and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) encapsulate IPv6 packets inside IPv4 packets. The morphed packets can easily pass through IPv4 firewalls and network address translation (NAT) equipment, defeating perimeter defenses purposed to sense and drop IPv6 packets.
Rogue IPv6 equipment: Because IPv6 uses auto-configuration, an attacker can gain considerable control over computers running IPv6 simply by placing a rogue device capable of issuing IPv6 addresses on the network under attack. To make matters worse, the device could have router attributes, forcing all traffic to transit through it and allowing attackers to snoop, modify, or drop traffic at their whim.
Built-in ICMP and multicast: Unlike IPv4, IPv6 requires ICMP and multicast traffic. That fact will significantly change how administrators approach network security. Right now, blocking ICMP and multicast traffic on IPv4 networks is the accepted practice. That will no longer work and complicated filtering of ICMP and multicast packets will be required to maintain some semblance of security.
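The tunneling item above is something an auditor can look for on the IPv4 side of the network. The following added example (not from the original article) classifies raw IPv4 packets as ISATAP/6in4 (IP protocol 41) or Teredo (UDP port 3544, matched as a heuristic) and lists which hosts send them; the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

PROTO_UDP, PROTO_41 = 17, 41   # 41 = IPv6 carried directly in IPv4 (ISATAP, 6in4)
TEREDO_PORT = 3544             # UDP port of Teredo servers; a heuristic, not proof

def classify(packet: bytes):
    """Return (outer_src, kind, inner_src) for one raw IPv4 packet; kind is 'proto41',
    'teredo' or 'plain', inner_src the tunnelled IPv6 source if a header follows."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    # Only the first fragment carries the UDP header or the inner IPv6 header.
    first_fragment = (struct.unpack("!H", packet[6:8])[0] & 0x1FFF) == 0
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    proto, payload = packet[9], packet[ihl:]
    kind, inner = "plain", b""
    if proto == PROTO_41:
        kind, inner = "proto41", payload
    elif proto == PROTO_UDP and first_fragment and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            kind, inner = "teredo", payload[8:]
    inner_src = None
    if first_fragment and len(inner) >= 40 and inner[0] >> 4 == 6:
        inner_src = str(ipaddress.IPv6Address(inner[8:24]))
    return outer_src, kind, inner_src

def tunnel_hosts(packets):
    """Map each IPv4 source to the set of tunnel kinds it was seen sending."""
    hosts = defaultdict(set)
    for pkt in packets:
        src, kind, _ = classify(pkt)
        if kind != "plain":
            hosts[src].add(kind)
    return dict(hosts)

# Constructed sample packets: documentation addresses, checksums left at zero.
def ipv4_pkt(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + payload

INNER = struct.pack("!IHBB", 6 << 28, 0, 59, 64) + b"".join(   # bare IPv6 header
    ipaddress.IPv6Address(a).packed for a in ("2001:db8::10", "2001:db8::20"))
SAMPLES = [
    ipv4_pkt("192.0.2.10", "198.51.100.1", 41, INNER),
    ipv4_pkt("192.0.2.11", "198.51.100.2", 17, struct.pack("!HHHH", 50000, 3544, 48, 0) + INNER),
    ipv4_pkt("192.0.2.12", "198.51.100.3", 17, struct.pack("!HHHH", 50001, 53, 11, 0) + b"dns"),
]
```

A port match only catches traffic to or from Teredo servers, so a host that appears in the result warrants a closer look at its interface configuration rather than a verdict on its own.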
Leave IPv6 enabled or not
Whether to leave IPv6 “enabled or not” is about as clear as mud. There’s the yes camp and there’s the no camp with the whole gray area in between littered with other opinions. I thought I’d let the experts introduced in Marsan’s article present their views:
Tim LeMaster: Director of systems engineering for Juniper’s federal group mentions:
“If you’re not prepared for IPv6, then the prudent thing to do is not to allow it into your network,” LeMaster says. “But you shouldn’t be blocking all IPv6 traffic for the next five years. You should only block it until you have a policy and understand the threats.”
Lisa Donnan: Vice president of advanced technology solutions at Command Information has a different viewpoint:
“We don’t recommend that you block IPv6 traffic. We are recommending that you do an audit and find out how many IPv6 devices and applications are on your network. If you have IPv6 traffic on your network, then you’ve got to plan, train, and implement IPv6.”
Sheila Frankel: Computer scientist in the Computer Security Division of the National Institute of Standards and Technology (NIST) expresses a middle-ground viewpoint:
“Companies need to acquire a minimal level of expertise in IPv6, which will help protect them against threats. The other thing they should do is to take their outward-facing servers, those that are external to the corporation’s firewalls, and enable IPv6 on them. That way, customers from Asia with IPv6 addresses will be able to reach these servers and their own people will acquire expertise in IPv6. This will be a first step in the process.”
Frankel continues:
“IPv6 is coming. The best way is to face it head on and to decide you’re going to do it in the most secure manner possible.”
As soon as I started receiving computers with IPv6 enabled, I turned the protocol off. My rationale was why take a chance when it’s not necessary. Apparently, my choice is paying off, as my clients’ computers aren’t vulnerable to these new exploit vectors.
That works for me for the time being at least. I don’t pretend to think my choice will work for everyone. From the above opinions, the only thing I do know for sure is that getting up-to-speed on IPv6 is important, as that knowledge will help you determine what’s in your network’s and computer systems’ best interest.
Final thoughts
This is definitely a thorny subject and full of surprises, just like every new and untested technological change. I can accept that. What’s hard to accept is that security once again appears not to be a main consideration. I hope it’s just a temporary oversight.
Ref: Part of this article is taken directly from articles by Mr. Michael Kassner, published at URL: IPv6: Oops, it's on by default
