Version 6 of the Internet Protocol (IPv6) became the internet standard five years ago, serving as the basis for digitalisation since its official launch. An important topic for IT operators and security managers.
Five years ago, in July 2017, the international Internet Engineering Task Force (IETF) declared the “new” Internet Protocol IPv6 in RFC 8200 as the internet standard. But the story stretches back much further: the draft standard of IPv6 (RFC 2460) dates back to 1998. The main motivation, even back then, was to solve the problem of the predecessor protocol, known as IPv4, namely that of limited address space.
The approximately 4 billion IP addresses of IPv4 stood no chance of coping with the rapid increase in the number of internet-capable devices, something which was already foreseeable at that time – nine years before the launch of the first iPhone. Today – almost a quarter of a century later – the migration to IPv6 is far from complete as large parts of the internet still run on IPv4 – and the problem of insufficient address space still hasn’t been rectified. A remedy is provided in the form of a mechanism (Network Address Translation, NAT) – initially conceived as a temporary workaround – which enables an IP address to be divided among many devices. It works pretty well as long as you only use these devices to surf the net. Problems arise, however, when it comes to decentralised communication between devices, something which is quite common in the “Internet of Things” or in general in a “digitalised” world.
In the “NAT-based” IPv4 network, complex workarounds must be created to meet these requirements. Digitalisation applications need to be designed around the existing restrictions, instead of emerging on the basis of a modern end-to-end-capable network. At the same time, however, IPv6 is also running in the networks. According to Google, around 36% of internet users around the globe have IPv6 connectivity (Switzerland: 32%); five years ago, this figure stood at 17%. Nevertheless, many IT managers are still clinging to IPv4 – and are now paying around 50 USD for every IP address (15 USD 5 years ago). There are various reasons for this. But what about IT security at this present time?
Where the topic of IPv6 is not addressed systematically, many people often assume that there is no need to worry about IPv6 in terms of security either. That’s the wrong conclusion to draw for many reasons. Because many organisations are running IPv6 in their networks, latent and unmanaged – and are vulnerable to attacks as a result. The operating systems have long been equipped with IPv6 and can be activated externally via auto-configuration (SLAAC). Devices without IPv6 connectivity in the network can establish this themselves via tunnel mechanisms and as a result, potentially bypass firewalls and security monitoring, e.g. to exfiltrate data or establish back-door access to company networks.
New services may be provided, consciously or unconsciously, via both protocols – for example, in the cloud – but without having the same security features installed for both: access control lists and blacklists that have been properly maintained for IPv4 may potentially be bypassed via IPv6. In some cases, security features, e.g. DDoS protection, are only installed for IPv4. Scanning one’s own resources only takes place via IPv4 and vulnerabilities via IPv6 are often overlooked. For example, the Shadowserver Foundation recently found 1.4 million open SQL servers via IPv6.
These examples highlight the challenges of a multi-protocol environment facing IT operators today. An IPv4 mindset from the past will only make things worse going forward. With the steady rise in IPv6 users, current and future digitalisation requirements and imminent security problems on the horizon, companies will be increasingly exposed to risks if they continue to ignore IPv6. What are the alternatives?
As we have seen, IPv6 is much more than just a simple network topic; rather, it is up to IT as a whole and IT security in particular to ensure future-oriented, secure and efficient IT management. It might be a good idea, therefore, to appoint an “IPv6 officer”, someone with an overview of IPv6 aspects within all IT projects, regardless of whether we are talking about the new data centre, cloud provider, SOC outsourcing, firewall project or tool requirements.
Which individuals require which level of IPv6 knowledge within your organisation? There’s no simple answer. Training plans are useful, but you only really learn the ropes during manageable implementation projects. It’s also a very good idea to network with others and compare notes. Get active! For example, you could reach out to the Swiss IPv6 Council for advice.
Taking into account the various IPv6-specific security risks, you should analyse whether and in which locations potential targets for attack, which have thus far stayed under the radar, have arisen – and work to mitigate these vulnerabilities.
Use the life cycle of new applications and products to make these IPv6-ready. Otherwise, you will be importing new legacy issues into your organisation, which will then accompany you over the years and only get worse over time, making business operations much more expensive.
All of the above points need the support of management. Here it is vital to create understanding – see point 1 – and to sit down together with all the stakeholders and take firm fundamental decisions. These can then create the basis for all of the detailed decisions, for example, in the form of a company policy.
1. NIST: Guidelines for the Secure Deployment of IPv6
2. RFC 9099: Operational Security Considerations for IPv6 Networks
3. FIRST Education: IPv6 Security Training Material