6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

IPv6 Transition and Information Assurance - Going Forward without Stepping Back
by Ken Renard, Chief Scientist, WareOnEarth Communications

Today's business and government operations are increasingly net-centric and face mounting difficulties in defending and improving vital networks. To meet the challenge, network leaders are laying a sound, future-proof foundation with the move to IPv6.

IPv6 delivers many improvements, but from a security standpoint IPv4 and IPv6 may be nearly identical - mandated IPsec being the only obvious difference. So if these two versions of IP are nearly identical security-wise, there shouldn't be any problems, right? Well, some insidious "gotchas" can ambush your network if you don't target them when considering IPv6 and your existing security tools, policies, and infrastructure.

Here are just a few of the many IPv6 security "gotchas" that demand attention during transition.

Sneaking Over the Border - The Ubiquitous IPsec Threat

With IPv6 come the advantages and risks of ubiquitous IPsec. Most of today's networks with typical "border defense" postures risk encrypted, host-to-host IPsec traffic bypassing those defenses. Without changes, firewall, IDS, and proxy systems will not be able to analyze encrypted traffic, rendering much of their policy enforcement useless. A combined deployment of border-type policies at IPsec endpoints and careful management of IPsec traffic at the border will maintain and strengthen network security. This shift from "border defense" to "end-to-end" security is a fundamental change driven by IPv6.

Watching for New Signs - Transition and Feature Abuse

Keeping a close eye on network traffic is fundamental to maintaining network security. IPv6 transition mechanisms and new IPv6 features just add to the watch list.

As an example, IPv4-mapped and IPv4-compatible addresses should be internal to end hosts only and not seen on the "wire". An IPv6 packet with this type of addressing on the "wire" could bypass certain IPv4 filtering mechanisms.

Similarly, the very loosely defined payload specification for IPv6 Option Headers can serve as a covert channel. A field even directs the action a host takes when it does not recognize a header option. Tools already exist that exploit IPv6 option headers to transfer arbitrary data between machines. IDS upgrades for this new risk of network manipulation are essential. The addition of separate tools just for parsing and analyzing option headers may even be required.
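The two checks described above (IPv4-mapped or IPv4-compatible addresses on the wire, and unexpected content in option headers) can be sketched as a small packet inspector. This is an added example, not code from the article or from WareOnEarth; the `inspect` function, the `KNOWN_OPTS` allow-list and the sample packet are assumptions made for illustration.

```python
import ipaddress

MAPPED = ipaddress.ip_network("::ffff:0:0/96")      # IPv4-mapped
COMPAT = ipaddress.ip_network("::/96")              # IPv4-compatible
HOST_ONLY = {ipaddress.ip_address("::"), ipaddress.ip_address("::1")}  # in ::/96, not IPv4-derived
OPT_HEADERS = {0: "hop-by-hop", 60: "destination"}  # extension headers that carry TLV options
KNOWN_OPTS = {0x00, 0x01, 0x05, 0xC2}               # assumed allow-list: Pad1, PadN, Router Alert, Jumbo
ACTIONS = ("skip", "discard", "discard + ICMP", "discard + ICMP unless multicast")

def inspect(pkt: bytes) -> list:
    """Return findings for one raw packet that starts at the IPv6 header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not a complete IPv6 header"]
    findings = []
    for name, raw in (("src", pkt[8:24]), ("dst", pkt[24:40])):
        addr = ipaddress.IPv6Address(raw)
        if addr in MAPPED:
            findings.append(f"{name} {addr} is IPv4-mapped")
        elif addr in COMPAT and addr not in HOST_ONLY:
            findings.append(f"{name} {addr} is IPv4-compatible")
    nh, off = pkt[6], 40
    while nh in OPT_HEADERS:                        # stops at the first non-options header
        end = off + (pkt[off + 1] + 1) * 8 if off + 2 <= len(pkt) else len(pkt) + 1
        if end > len(pkt):
            findings.append("truncated extension header")
            break
        kind, i = OPT_HEADERS[nh], off + 2
        while i < end:
            otype = pkt[i]
            if otype == 0x00:                       # Pad1 is a single byte, no length field
                i += 1
                continue
            olen = pkt[i + 1] if i + 1 < end else end   # missing length byte: force the overrun check
            if i + 2 + olen > end:
                findings.append(f"{kind}: option 0x{otype:02x} overruns its header")
                break
            if otype == 0x01 and any(pkt[i + 2:i + 2 + olen]):
                findings.append(f"{kind}: PadN carries non-zero bytes")
            elif otype not in KNOWN_OPTS:           # top two bits tell the receiver what to do
                findings.append(f"{kind}: unknown option 0x{otype:02x}, action={ACTIONS[otype >> 6]}")
            i += 2 + olen
        nh, off = pkt[off], end
    return findings

# Constructed sample: IPv4-mapped source plus a destination option whose type is not in KNOWN_OPTS.
SAMPLE = (bytes([0x60, 0, 0, 0, 0, 8, 60, 64])
          + ipaddress.IPv6Address("::ffff:192.0.2.1").packed
          + ipaddress.IPv6Address("2001:db8::1").packed
          + bytes([59, 0, 0x1E, 4]) + b"data")
```

Running `inspect(SAMPLE)` reports both the mapped source address and the unknown destination option. Options that follow a routing or fragment header are not examined, since the walk stops at the first header that is not an options header.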

New IPv6 features and transition methods introduce these and many other new network vulnerabilities. However, proper enhancement of filtering, authentication and proxy services can maintain network security in the face of these risks.

Biting the PKI Bullet - The Time Has Come

Many networks have not yet tackled the challenging integration of Public Key Infrastructure (PKI). Pervasive IPsec practically requires biting this bullet, because under IPv6, PKI virtually becomes a network necessity, not unlike DNS. Those networks that do not support automatic key exchange or X.509 authentication will require manual keying, which can be prone to error and neglect. Effective key management will determine how secure the IPv6-driven IPsec deployment will be.

Information assurance and net-centricity will both benefit from the IPv6 transition. New IPv6-enabled capabilities promise to make the vital networks, which government and commerce depend on, stronger and more capable. However, making this promise a reality depends greatly on proper knowledge and preparedness to eliminate these and other "gotchas," along with their security risks.

To learn more about how to venture forward with IPv6 without stepping back, contact WareOnEarth Communications. Since 1997, WareOnEarth has had extensive involvement in the leading U.S. Department of Defense IPv6 networks. As a leader in information assurance and with its industry-leading IPv6 experience, WareOnEarth has the critical knowledge and experience required to smoothly and securely transition your networks and to derive the full advantages of IPv6. Contact us at 843-529-0678 or www.wareonearth.com.