Wednesday, October 1, 2008

Are you ready for IPv6?

Vint Cerf, one of the core developers of IPv4 and now an evangelist for Google, says time is running out for 32-bit IP addresses...

Article from timeonline.co.uk

So the question I pose is: are you ready? To truly know, you have to ask yourself a few questions...

1. Does your ISP provide IPv6 connectivity (raw or tunneled)?

2. Most networking equipment and operating systems support IPv6, but does your security equipment? If you use an IDS/IPS, it is highly probable that IPv6 is not yet supported or requires a software update to get there. This is based on Snort, the industry-standard IDS, gaining IPv6 support in the recent 2.6+ releases.

3. Do you understand the security architecture changes required for IPv6? Every node will have a public IP; no more NAT means privacy and security will have to be re-evaluated, as every host will be addressable.

For example, if Sally goes to website xyz.com from work, only the common WAN IP of the office is saved in xyz.com's access logs when a standard IPv4 NAT gateway is used. Under IPv6, the website would log the public IP designated specifically for Sally's computer and route directly back to her without NAT translation. So not only could an attacker potentially tie the website visit to Sally, he could also know the direct address at which to attack her computer.

4. DNS will become more important: while there are ways to simplify IPv6 notation so you don't have to remember a lengthy hex string, you will be more likely to rely heavily on DNS to address your LAN machines.

5. Dual-mode IP stack: most current operating systems, like Vista, OS X and Linux, ship with support for both IPv4 and IPv6 enabled by default. Think of the two as different layers, since you could be attacked over either IP protocol. You will have to remember this when designing your architecture for IPv6 so that you do not turn a blind eye to IPv4 traffic.
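
A dual-stack audit in the spirit of point 5, as an added example (not code from the original post): it reads a host's listening sockets and reports ports exposed over one IP family that the filter rules for that family do not cover. The `ss`-style sample input, the `COVERED` policy and the function names are constructed for illustration, and it assumes IPv4 and IPv6 are filtered by separate rule sets.

```python
import ipaddress

# Constructed sample in the style of Linux `ss -tlnH` output (not from the post).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::]:8080 [::]:*
LISTEN 0 128 192.0.2.10:443 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
"""

# Hypothetical policy: ports that each family's packet-filter rule set covers.
# Assumption: IPv4 and IPv6 traffic is filtered by two separate rule sets.
COVERED = {4: {22, 443, 8080}, 6: {22}}


def parse_listeners(ss_output):
    """Yield (address, port) for every LISTEN line.

    Raises ValueError on an address form it cannot parse, so an
    unrecognised listener is never silently skipped.
    """
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop brackets and scope id
        yield ipaddress.ip_address(host), int(port)


def blind_spots(ss_output, covered):
    """Return sorted (ip_version, port) pairs that listen on a non-loopback
    address but have no rule in that address family's rule set."""
    gaps = set()
    for addr, port in parse_listeners(ss_output):
        if addr.is_loopback:
            continue  # not reachable from the network
        if port not in covered.get(addr.version, set()):
            gaps.add((addr.version, port))
    return sorted(gaps)


if __name__ == "__main__":
    for version, port in blind_spots(SAMPLE_SS, COVERED):
        print(f"IPv{version}: port {port} is listening with no filter rule")
```

In the sample, port 8080 has an IPv4 rule but is also bound on `[::]`, so it is reported as uncovered over IPv6, while port 3306 is reported as uncovered over IPv4.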
