Version 6 of the Internet Protocol (IPv6) became the internet standard five years ago and has served as the basis for digitalisation since its official launch. That makes it an important topic for IT operators and security managers.
Five years ago, in July 2017, the international Internet Engineering Task Force (IETF) declared the “new” Internet Protocol IPv6 in RFC 8200 as the internet standard. But the story stretches back much further: the draft standard of IPv6 (RFC 2460) dates back to 1998. The main motivation, even back then, was to solve the problem of the predecessor protocol, known as IPv4, namely that of limited address space.
The approximately 4 billion IP addresses of IPv4 stood no chance of coping with the rapid increase in the number of internet-capable devices, something which was already foreseeable at that time – nine years before the launch of the first iPhone. Today – almost a quarter of a century later – the migration to IPv6 is far from complete: large parts of the internet still run on IPv4, and the problem of insufficient address space still hasn’t been rectified. A remedy is provided in the form of a mechanism (Network Address Translation, NAT) – initially conceived as a temporary workaround – which enables one IP address to be shared among many devices. It works pretty well as long as you only use these devices to surf the net. Problems arise, however, when it comes to decentralised communication between devices, something which is quite common in the “Internet of Things” or in general in a “digitalised” world.
In the “NAT-based” IPv4 network, complex workarounds must be created to meet these requirements. Digitalisation applications need to be designed around the existing restrictions, instead of emerging on the basis of a modern end-to-end-capable network. At the same time, however, IPv6 is also running in the networks. According to Google, around 36% of internet users around the globe have IPv6 connectivity (Switzerland: 32%); five years ago, this figure stood at 17%. Nevertheless, many IT managers are still clinging to IPv4 – and are now paying around 50 USD for every IP address (15 USD 5 years ago). There are various reasons for this. But what about IT security at this present time?
Where the topic of IPv6 is not addressed systematically, many people assume that there is no need to worry about IPv6 in terms of security either. That’s the wrong conclusion to draw, for many reasons: many organisations are running IPv6 in their networks, latent and unmanaged, and are vulnerable to attacks as a result. Operating systems have long shipped with IPv6, which can be activated externally via auto-configuration (SLAAC). Devices without IPv6 connectivity in the network can establish it themselves via tunnel mechanisms and, as a result, potentially bypass firewalls and security monitoring, e.g. to exfiltrate data or establish back-door access to company networks.
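One way to look for this latent IPv6 from the monitoring side, as an added example that is not part of the original article: the sketch below classifies flow records and flags IPv6-in-IPv4 encapsulation (IP protocol 41), Teredo (UDP port 3544), 6to4 and Teredo source prefixes, link-local-only hosts and IPv6 sources outside the deliberately deployed prefix. The flow records, the CSV layout and the `MANAGED_V6` prefix are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed flow records: source, destination, IP protocol number, dest port.
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.1.4.20,198.51.100.7,6,443
10.1.4.31,192.0.2.99,41,0
10.1.4.32,203.0.113.5,17,3544
2002:c000:204::1,2001:db8:5::10,6,22
fe80::1c2a:3bff:fe4d:5e6f,ff02::2,58,0
2001:db8:10::25,2001:db8:5::10,6,443
2001:db8:ffff::9,2001:db8:5::10,6,443
"""

TEREDO = ipaddress.ip_network("2001::/32")       # Teredo prefix (RFC 4380)
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)
# Assumption: the only IPv6 prefix this organisation has deployed on purpose.
MANAGED_V6 = ipaddress.ip_network("2001:db8:10::/48")

def classify(flow):
    """Return a reason string if the flow indicates unmanaged IPv6, else None."""
    src = ipaddress.ip_address(flow["src"])
    proto, dport = int(flow["proto"]), int(flow["dport"])
    if src.version == 4:
        if proto == 41:                      # IPv6 encapsulated in IPv4
            return "ipv6-in-ipv4 tunnel (protocol 41)"
        if proto == 17 and dport == 3544:    # Teredo server port
            return "teredo tunnel (udp/3544)"
        return None
    if src in SIX_TO_FOUR:
        return "6to4 source address"
    if src in TEREDO:
        return "teredo source address"
    if src.is_link_local:
        return "ipv6 stack active (link-local only)"
    if src not in MANAGED_V6:
        return "ipv6 source outside managed prefix"
    return None

def find_latent_ipv6(flow_csv):
    """List (source, reason) for every flow that needs a closer look."""
    findings = []
    for flow in csv.DictReader(io.StringIO(flow_csv)):
        reason = classify(flow)
        if reason:
            findings.append((flow["src"], reason))
    return findings

if __name__ == "__main__":
    for src, reason in find_latent_ipv6(SAMPLE_FLOWS):
        print(f"{src:28} {reason}")
```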
New services may be provided, consciously or unconsciously, via both protocols – for example, in the cloud – but without having the same security features installed for both: access control lists and blacklists that have been properly maintained for IPv4 may potentially be bypassed via IPv6. In some cases, security features, e.g. DDoS protection, are only installed for IPv4. Organisations scan their own resources only via IPv4, and vulnerabilities reachable via IPv6 are often overlooked. For example, the Shadowserver Foundation recently found 1.4 million open SQL servers via IPv6.
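The ACL gap described above can be checked on a single host by comparing the two rule sets against what is actually listening. This is an added example, not from the original article; the `iptables-save`/`ip6tables-save` excerpts and the `ss -Htln` output are constructed, and the rule evaluation is a deliberately simplified first-match model (INPUT chain, TCP destination ports, source-restricted rules ignored when asking "open to any source").

```python
import re

# Constructed iptables-save / ip6tables-save excerpts (filter table, INPUT only).
V4_RULES = """\
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
"""
V6_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""
# Constructed `ss -Htln` output: state, recv-q, send-q, local addr:port, peer.
LISTENERS = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 80 *:3306 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
"""

def open_to_any(rules, port):
    """True if tcp/<port> is accepted from any source address."""
    policy = re.search(r"^:INPUT (\w+)", rules, re.M).group(1)
    for line in rules.splitlines():
        m = re.search(r"--dport (\d+) .*-j (ACCEPT|DROP|REJECT)", line)
        # Source-restricted rules neither open nor close the port for everyone.
        if m and int(m.group(1)) == port and " -s " not in line:
            return m.group(2) == "ACCEPT"
    return policy == "ACCEPT"   # no matching rule: chain policy decides

def v6_ports(listeners):
    """Ports bound on an IPv6 wildcard ('[::]') or dual-stack ('*') socket."""
    ports = set()
    for line in listeners.splitlines():
        addr, _, port = line.split()[3].rpartition(":")
        if addr in ("*", "[::]"):
            ports.add(int(port))
    return ports

def parity_gaps(v4_rules, v6_rules, listeners):
    """Ports reachable by anyone over IPv6 but not over IPv4."""
    return sorted(p for p in v6_ports(listeners)
                  if open_to_any(v6_rules, p) and not open_to_any(v4_rules, p))

if __name__ == "__main__":
    print("IPv6-only exposure on tcp ports:", parity_gaps(V4_RULES, V6_RULES, LISTENERS))
```

Here the database port is limited to internal sources on IPv4 but falls through to the permissive IPv6 chain policy, which is the kind of exposure an IPv4-only scan never sees.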
These examples highlight the challenges of a multi-protocol environment facing IT operators today. An IPv4 mindset from the past will only make things worse going forward. With the steady rise in IPv6 users, current and future digitalisation requirements and imminent security problems on the horizon, companies will be increasingly exposed to risks if they continue to ignore IPv6. What are the alternatives?
As we have seen, IPv6 is much more than just a simple network topic; rather, it is up to IT as a whole and IT security in particular to ensure future-oriented, secure and efficient IT management. It might be a good idea, therefore, to appoint an “IPv6 officer”, someone with an overview of IPv6 aspects within all IT projects, regardless of whether we are talking about the new data centre, cloud provider, SOC outsourcing, firewall project or tool requirements.
Which individuals require which level of IPv6 knowledge within your organisation? There’s no simple answer. Training plans are useful, but you only really learn the ropes during manageable implementation projects. It’s also a very good idea to network with others and compare notes. Get active! For example, you could reach out to the Swiss IPv6 Council for advice.
Taking into account the various IPv6-specific security risks, you should analyse whether, and where, potential targets for attack have arisen that have so far stayed under the radar – and work to mitigate these vulnerabilities.
Use the life cycle of new applications and products to make these IPv6-ready. Otherwise, you will be importing new legacy issues into your organisation, which will then accompany you over the years and only get worse over time, making business operations much more expensive.
All of the above points need the support of management. Here it is vital to create understanding – see point 1 – and to sit down together with all the stakeholders and take firm fundamental decisions. These can then create the basis for all of the detailed decisions, for example, in the form of a company policy.
1. NIST: Guidelines for the Secure Deployment of IPv6
2. RFC 9099: Operational Security Considerations for IPv6 Networks
3. FIRST Education: IPv6 Security Training Material
https://datatracker.ietf.org/doc/html/rfc8200
https://www.google.com/intl/en/ipv6/statistics.html
https://www.shadowserver.org/news/over-3-6m-exposed-mysql-servers-on-ipv4-and-ipv6/