Improving security knowledge while deploying IPv6

It’s safe to say that the move to IPv6 has been a major focus for the Internet community for some time now. The supply of IPv4 addresses was exhausted in 2019, so that milestone is now a matter for the history books. With the rates of IPv6 deployment increasing across the world, it looks as though real headway is finally being made – in fact, IPv6 is even said to be growing faster than IPv4 did, driven in great part by the growth of IoT enabled devices and smart homes.

About the author

Alvaro Vives is Assistant Manager for the RIPE NCC.

There are challenges that come alongside this transition that must be acknowledged – including the crucial role of IPv6 security. The gap is currently not in the protocol, but in the skills – and this skillset gap can be filled. Technology moves faster than both security and knowledge, so learning where and how to find the right technical information required to protect networks is key.

New protocol, new challenges

Since its launch, there has been talk within the Internet community that IPv6 would provide a solution to some network cybersecurity challenges – a claim now proven to be false. The truth of the matter is that IPv6 is no more or less secure than its predecessor, but is a different protocol entirely with its own opportunities and challenges – and should be considered as such.

Even if you have not actively deployed IPv6, your networks still have the combined vulnerability surface of IPv4 and IPv6. This gives clear urgency for IT teams to take measures to protect their network from both angles. Teams that do not understand the fundamentals of the IPv6 protocol might be equipped to deal with known IPv4 attacks – but aren’t necessarily prepared for future IPv6 developments. Without a clear grasp of how both IPv4 and IPv6 protocols work, teams cannot stay ahead of potential attacks and vulnerabilities – and we need only look at recent outages to confirm that having your network go down can have serious consequences.

For those currently running an IPv6 network and for those who are implementing IPv6, making certain that the right security measures are in place for implementation is essential to guarantee the process runs as smoothly as possible. Recent developments, such as US officials urging agencies to develop their IPv6 and zero-trust architecture implementation plans simultaneously in order to improve network cybersecurity, show that the security of IPv6 will be of growing importance as the protocol is increasingly adopted.

Recent statistics also show that the community is calling for more practical information on IPv6 deployment, while also citing network security as the biggest challenge faced by their organizations. It’s therefore essential that networking engineers are equipped with the necessary skills and knowledge to deploy IPv6 safely for both their businesses and the internet itself. Many network engineers are still warming up to IPv6, let alone IPv6 security, so for them, the all-important question is: where do I begin?

Getting started with IPv6 security

Firstly, teams need to know the basics of the IPv6 protocol. For example, an understanding of what extension headers (which are new to IPv6) do, and what kinds of attacks they are vulnerable to, is important. Knowing and understanding how these can be used to bypass security filters means engineers can choose tools that can properly deal with all combinations of extension headers.
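To make the extension header point concrete, the following added example (not part of the original article) walks the Next Header chain of a raw IPv6 packet the way a filter must before it can see the upper-layer protocol, and records the cases where it cannot. The function names, the sample packets and the `MAX_EXT_HEADERS` policy limit are assumptions made for illustration.

```python
import struct

# IANA protocol numbers of the IPv6 extension headers handled here.
# ESP (50) is returned as the upper layer: what follows it is encrypted.
EXT = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "ah", 60: "dest-opts"}
MAX_EXT_HEADERS = 8  # assumed local policy limit, not a protocol constant

def walk_chain(packet: bytes):
    """Return (extension header names, upper-layer protocol or None, findings)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, findings = packet[6], 40, [], []
    while nxt in EXT:
        name = EXT[nxt]
        if len(chain) >= MAX_EXT_HEADERS:
            return chain, None, findings + ["chain exceeds policy limit"]
        if off + 8 > len(packet):
            return chain, None, findings + ["truncated extension header"]
        if name == "hop-by-hop" and chain:
            findings.append("hop-by-hop is not the first header")
        if name in chain and name != "dest-opts":  # RFC 8200 allows dest-opts twice
            findings.append("repeated " + name)
        chain.append(name)
        if name == "fragment":
            hdr_len = 8
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
                # Later fragments carry no upper-layer header to filter on
                return chain, None, findings + ["non-first fragment"]
        elif name == "ah":
            hdr_len = (packet[off + 1] + 2) * 4  # AH length is in 32-bit words
        else:
            hdr_len = (packet[off + 1] + 1) * 8  # other headers: 8-octet units
        nxt, off = packet[off], off + hdr_len
    if nxt != 59 and off >= len(packet):  # 59 = No Next Header
        findings.append("upper-layer header missing from packet")
    return chain, nxt, findings

def build(first_nh: int, body: bytes) -> bytes:
    """Constructed test packet: fixed 40-byte IPv6 header followed by body."""
    src, dst = bytes(15) + b"\x01", bytes(15) + b"\x02"
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), first_nh, 64, src, dst) + body

# Constructed samples (not captured traffic)
DEST_OPTS = bytes([44, 0, 1, 4, 0, 0, 0, 0])   # next=fragment, PadN option
FIRST_FRAG = bytes([6, 0, 0, 1, 0, 0, 0, 1])   # next=TCP, offset 0, M=1
LATER_FRAG = bytes([6, 0, 0, 8, 0, 0, 0, 1])   # next=TCP, offset 1
SAMPLES = {
    "tcp behind two headers": build(60, DEST_OPTS + FIRST_FRAG + bytes(20)),
    "later fragment": build(44, LATER_FRAG + bytes(8)),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, walk_chain(pkt))
```

A result with `None` as the upper-layer protocol is the case a filtering tool has to decide on explicitly, since it has no port or protocol to match.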

Once they have the basics in place, they can learn about other challenges. For example, IPv6 has a new addressing architecture. Each IPv6 address is 128 bits (compared to 32 bits for an IPv4 address), which means there are 36 undecillion IPv6 addresses – a number so high it’s difficult to imagine. On the plus side, it means that encryption can be added to IPv6 addresses; on the downside, the sheer number of addresses available means that tracking which addresses are in use and where is essential.

IPv6’s addressing architecture also brings back the use of Global Unicast Addresses (GUAs), equivalent to IPv4 public addresses. This tends to raise concerns for IPv4-minded engineers that use more and more private IPv4 addresses and NAT. This means IPv6 brings back the end-to-end paradigm, which has implications for security design. You get to decide which addresses are reachable, and you need to filter traffic accordingly.

Furthermore, any IPv6 enabled interface will have – in addition to a link-local address, which allows for communications within the LAN/VLAN – a GUA. Having several GUAs is not an issue with IPv6 and is considered a feature of the protocol (for example, to make it easy to renumber a network). However, this has security implications, as it’s not easy to control or monitor the network activity of an IPv6 host.

There are also security considerations and measures specific to the protocols used in IPv6 networks, new ones like Neighbour Discovery Protocol (NDP) or Multicast Listener Discovery (MLD), and updated ones like ICMPv6. For example, NDP and MLD work on a link and can be used for different attacks, ranging from scanning for hosts to Man-in-the-Middle (MITM) attacks. As you would expect, there are solutions and measures against these threats that are specific to IPv6, such as a set of techniques called First Hop Security (FHS) which are implemented on the switch.

Arm yourself with real knowledge

There’s a lot of information to take in, which is why it’s so important for IT teams to get started as soon as possible. It’s not difficult to close the IPv6 skills gap, but it does require managers to invest in training their teams. After all, knowledge is the best security tool!

It also doesn’t need to be an overwhelming hill to climb – network engineers can access IPv6 security training courses to aid them in this mission, enabling them to put the relevant ideas into a practical context and experiment with tools that they’ll later use to secure their own networks. They can even work towards achieving IPv6 security certifications to substantiate their learnings.

These steps are of growing importance as businesses increasingly seek out the deployment of IPv6 for sustainable growth. The businesses that equip themselves with the right knowledge and learn how to keep that knowledge updated will see their IPv6 networks run as securely as possible.

Alvaro Vives is Assistant Manager for the RIPE NCC’s Learning & Development department.