IPv6 and Security: The Threat From Version 4


The official launch date for IPv6 is right around the corner, making June 6 famous for even more than the historic WW II invasion of Normandy. It might make the invasion of your customers’ networks more possible than ever before.

The higher threat level, according to Carl Herberger, vice president of security at Radware, lies in the fact that while IPv6 will be the new standard in the wide area, the local area will remain the near-exclusive domain of IPv4. And since the two versions were not designed to co-exist, there are some gaping holes in security.

“You basically need to translate Version 6 to Version 4 and we can do that by encapsulation,” Herberger explained to CRN. “And the encapsulation standards are all over the map. This situation causes problems with security inspections because if I can send an attack that exploits Version 4 vulnerabilities through a Version 6 inspection module, I’ve got a pretty high chance of success because the Version 6 inspection module will not be able to read it. And we haven't been able to resolve this problem yet.”

To put it another way, the Version 4 exploits would be effectively carried as a passenger through a security screen geared towards IPv6.
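
An added example, not from the article: a minimal Python check that walks an IPv6 header chain and surfaces an encapsulated IPv4 packet (Next Header 4) so that IPv4 inspection rules can be applied to the passenger. It covers only IPv4-in-IPv6 encapsulation, one of several tunnelling schemes; the function names and sample packets (documentation address ranges) are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV4 = 4            # IANA: IPv4 encapsulated in another IP header
EXT_HEADERS = {0, 43, 60}   # hop-by-hop, routing, destination options
FRAGMENT = 44

def find_inner_ipv4(packet: bytes):
    """Return (src, dst, protocol) of an IPv4 packet carried in IPv6, else None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    next_header, offset = packet[6], 40
    # Each extension header starts with the next-header value; all but the
    # fragment header follow it with a length in 8-byte units, minus one.
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if offset + 8 > len(packet):
            return None
        if next_header == FRAGMENT:
            if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                return None  # later fragment: inner header is not in this packet
            hdr_len = 8
        else:
            hdr_len = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + hdr_len
    inner = packet[offset:]
    if next_header != IPPROTO_IPV4 or len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    src, dst = ipaddress.IPv4Address(inner[12:16]), ipaddress.IPv4Address(inner[16:20])
    return (str(src), str(dst), inner[9])

# Constructed sample packets (documentation address ranges, zero checksums).
def build_ipv4(proto: int) -> bytes:
    header = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, proto, 0)
    return header + ipaddress.IPv4Address("192.0.2.10").packed \
                  + ipaddress.IPv4Address("198.51.100.20").packed

def build_ipv6(next_header: int, payload: bytes) -> bytes:
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + ipaddress.IPv6Address("2001:db8::1").packed \
                 + ipaddress.IPv6Address("2001:db8::2").packed + payload

TUNNELLED = build_ipv6(4, build_ipv4(6))                 # IPv4/TCP inside IPv6
DEST_OPTS = bytes([4, 0, 1, 4, 0, 0, 0, 0])              # next header 4, PadN padding
BEHIND_EXT = build_ipv6(60, DEST_OPTS + build_ipv4(17))  # IPv4/UDP after an options header
NATIVE = build_ipv6(6, bytes(20))                        # plain IPv6/TCP, no tunnel

if __name__ == "__main__":
    for name in ("TUNNELLED", "BEHIND_EXT", "NATIVE"):
        print(name, find_inner_ipv4(globals()[name]))
```

An inspection point that only evaluates the outer IPv6 addresses sees 2001:db8::1 and 2001:db8::2 in all three packets; the inner tuple is what the IPv4 rule set needs to see.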

To further complicate matters, Herberger says Version 4 could easily remain widely deployed at the local area for 10 years or beyond, due to the absence of compelling business drivers to force local migrations anytime soon. “This opens up pretty much the full range of exploits because once you pass through the physical inspection module, you are through the perimeter and you have a new opportunity to deliver any payloads the malware producer wants.”

Despite these obvious threats, Herberger still sees IPv6 as a practical necessity given the shortage of IP addresses, as well as the new version's more granular capabilities around queries, enhanced security in non-hybrid environments, such as encrypted headers, and additional DNS capabilities.