March 07, 2012, 6:47 AM — Hackers seeking to breach security are ahead of most would-be business implementers when it comes to figuring out the detail of IPv6 and are more motivated, a Wellington seminar has heard.
If a government agency does not intend to use IPv6 in the near term, and has IPv6-capable devices communicating with its network, then IPv6 capability will have to be consciously turned off, Jonathan Berry of the Government Communications Security Bureau warns. "That's prudent behaviour. Any sort of network hardening will push you down a path of turning off services and functionality you don't need," he told the seminar, on "Practical IPv6 for Government".
It's all too easy, several speakers at the event testified, to acquire IPv6 devices and addresses on a network, effectively providing a backdoor for security breaches if the network is not hardened against such traffic. And once you turn on IPv6, traffic on the network should, of course, be carefully monitored, to make sure only known activity is going on. "Whether you want to use IPv6 or not, you will have to know about it to keep your network secure," said Graeme Neilson of security specialist AuraInfosec.
It would be wrong to suppose IPv6 will fix problems that were previously well known in IPv4, said members of a security panel at the seminar. Email's SMTP protocol, for example, is not secure and IPv6 has not improved that situation, said AuraInfosec's Mike Haworth. Fragmentation of Layer 4 headers, a known problem in IPv4, has also not been fixed in the new protocol. Fragmented headers can get past protection mechanisms that are expecting them in one piece. White papers about IPv6 security discuss fragmentation exhaustively.
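A small audit of the kind these warnings call for, added here as an illustration and not code from the seminar or from any of the speakers' organisations: it walks constructed tcpdump-style summary lines and flags IPv6 traffic on a segment where IPv6 was meant to be off, router advertisements from anything other than a sanctioned router (the assumed `KNOWN_ROUTERS` set), and fragmented IPv6 packets that inspection expecting whole headers might miss.

```python
import re

# Constructed tcpdump-style summary lines (assumption: not captured from any real network).
SAMPLE_CAPTURE = """\
IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64
IP6 2001:db8::10.53 > 2001:db8::20.22: Flags [S], seq 1, length 0
IP 10.0.0.5.51234 > 10.0.0.9.443: Flags [S], seq 1, length 0
IP6 2001:db8::10 > 2001:db8::20: frag (0|1232) TCP 80 > 1024
IP6 fe80::abcd > ff02::1: ICMP6, router advertisement, length 64
IP 10.0.0.5 > 10.0.0.9: ICMP echo request, id 1, seq 1, length 64
"""

# Assumption: fe80::1 is the only device sanctioned to advertise itself as an IPv6 router.
KNOWN_ROUTERS = {"fe80::1"}

LINE_RE = re.compile(r"^(IP6?) (\S+) > (\S+): (.*)$")

def strip_port(token):
    """tcpdump appends '.port' to addresses; drop it for both IPv4 and IPv6 hosts."""
    host, sep, port = token.rpartition(".")
    if sep and port.isdigit() and (":" in host or host.count(".") == 3):
        return host
    return token

def audit_capture(text, ipv6_sanctioned=False, known_routers=KNOWN_ROUTERS):
    """Report the three conditions the speakers warn about: IPv6 present where it was
    never turned on, router advertisements from unexpected sources (how hosts quietly
    acquire IPv6 addresses), and fragmented packets that may slip past inspection."""
    findings = {"unexpected_ipv6": [], "rogue_ra": [], "fragments": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, src, dst, rest = m.groups()
        src, dst = strip_port(src), strip_port(dst)
        if proto != "IP6":
            continue  # IPv4 traffic is outside the scope of this check
        if not ipv6_sanctioned:
            findings["unexpected_ipv6"].append((src, dst))
        if "router advertisement" in rest and src not in known_routers:
            findings["rogue_ra"].append(src)
        if rest.startswith("frag ("):
            findings["fragments"].append((src, dst))
    return findings

if __name__ == "__main__":
    for kind, hits in audit_capture(SAMPLE_CAPTURE).items():
        print(f"{kind}: {hits}")
```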
In a plan for IPv6 implementation, GCSB recommends starting with less business-critical parts of the system. "Use that as an experience and a learning opportunity. Once you're experienced and comfortable with that, you may consider implementing IPv6 on more critical services."
The way vendors have implemented IPv6 in their products "could be considered relatively immature," Berry warned. "You will see vulnerabilities in the protocol and in devices. There are many RFCs [notices of potential problems and workarounds] out there already," and organisations should check how their vendors are responding to those RFCs.
With a dual communications stack supporting IPv6 and IPv4, warned TelstraClear's Steve Martin, "you are creating a second inroad into your organisation that will find all those old boxes you thought you'd turned off but hadn't. Make sure you know your lifecycle and are turning off systems when they go out-of-cycle," not just accepting someone's word that this has been done.