Internet Protocol version 6 (IPv6) was developed with the intention of remedying the address space limitations of Internet Protocol version 4 (IPv4). Techniques such as the use of Network Address Translation (NAT) allowed the extension of IPv4 addresses and hence delayed the transition to IPv6. However, even with the use of NAT, the IPv4 addresses cannot sustain the exponential growth of the Internet. The next option left for organizations is to migrate to IPv6. The process of migrating from IPv4 to IPv6 is poised to present various hurdles to enterprise managers and their network administrators. The challenges include protocol and application modification, hardware modifications and upgrades, network security issues, added costs, and lack of policy. This paper focuses on the various challenges likely to be encountered during the process of transitioning from IPv4 to IPv6. Some of the possible problems to be encountered during the time of coexistence of the two protocols are mentioned and some solutions to help alleviate some of these challenges are also stated.
When IPv4 was first designed and implemented, its 32-bit address space (4,294,967,296 addresses) was considered to be more than sufficient for the limited number of nodes on the Internet at the time. However, the subsequent exponential growth of the Internet and networked devices meant that more and more hosts needed IP addresses. Thus, it soon became clear that the depletion of IPv4 addresses was imminent; this led to the conception of IPv6. The IPv6 protocol was first presented in 1995 in the form of RFC 1883. The IPv6 standard was drafted by the Internet Engineering Task Force (IETF) as a remedy to the anticipated shortage of IPv4 Internet addresses. IPv6 has a 128-bit address space (2^128 addresses) and is capable of producing a vastly greater number of addresses than IPv4, which has only a 32-bit address space (2^32 addresses).
For a considerable amount of time, the expected depletion of IPv4 address space has somehow been postponed, thanks to Dynamic Host Configuration Protocol (DHCP) and NAT protocol. With NAT, users are able to share public IP addresses. Yet, even with the use of NAT, the explosive growth of the global Internet cannot be sustained by the available IPv4 addresses. As IPv4-based Internet addresses near their depletion, IT leaders will have to face the reality of transitioning their network infrastructure to IPv6. IPv6 is poised to play a key role in Internet communication as a multitude of machines (including household appliances) get allotted IP addresses and join the Internet. IPv6 protocol is gradually being introduced to the Internet as various organizations are already transitioning to IPv6. Nonetheless, the vast majority of organizations still use IPv4-based addresses. Indeed, it will be a while before IPv4 gets phased out; therefore, for the time being, the two protocols will have to coexist.
IPv6 will present IT leaders and network administrators with several challenges, both foreseen and unforeseen. One of the challenges likely to be faced by organizations as they transition from IPv4 to IPv6 is compatibility issues. Consequently, a need arises to develop a mechanism that will allow communication between devices configured with the two protocols. Different approaches for tackling this matter have been suggested. Bigger companies that have large complex networks with hundreds or even thousands of networked systems will be faced with an even steeper challenge when upgrading to IPv6. This will require extensive planning to account for aspects such as cost and recovery procedures in case of a failure while in the transition process. A company will have to take the necessary precautions and devise backup plans to be implemented in case mistakes are made.
Another implication of the transition is security threats against IPv6. Some of these threats might be similar to those that affect IPv4, while others may only be specific to IPv6. Also, given that IPv6 is still new to the majority of network administrators and users, training in this topic will be needed in order to facilitate better implementation and management of the protocol. The rapid growth of the Internet also brought about other unanticipated demands that IPv4 could not handle effectively. Some of these demands included: a reduction of the routing tables (to increase routing speed), easier configurations, real-time data transmissions, and enhanced security mechanisms. When compared with IPv4, IPv6 introduces various improvements in areas of routing, quality of service, and security. Unfortunately, IPv6 was not designed to be backward compatible with IPv4 and requires end-to-end implementation whereby hardware vendors and providers have to enable it.
The changes incorporated in IPv6 were intended to fix some of the shortcomings that had become apparent in IPv4. For instance, IPv6 features a header that differs greatly from that of IPv4. This change was adopted after observing that most of the fields in the IPv4 header do not always get used with every packet. Consequently, IPv6 eliminates some of the header fields in favor of reduced processing needs. However, although the IPv6 header changes were intended to provide efficient routing, they may make it harder to program certain applications.
Furthermore, the IPv6 header is larger than the IPv4 header (the IPv6 header has 20 bytes more than IPv4) resulting in some overhead when transmitting traffic. Thus, applications that use the IPv6 protocol are likely to consume more bandwidth compared to those that use IPv4. It is those networks with lower transmission rates that will experience noticeable congestion. Also, those networks that have high bandwidth utilization may be impacted by this behavior. Despite the different mechanisms that have been employed by organizations to expand existing IPv4 addresses, it is only a matter of time before the address space gets exhausted. The American Registry of Internet Numbers (ARIN) predicts that the remaining IPv4 addresses will be given out before the end of 2014. Notwithstanding, operators are not likely to experience shortage simultaneously; rather it is the bigger and faster-growing networks that will be affected first.
As most organizations come to terms with the looming depletion of IPv4 addresses, many are gradually deploying IPv6 in their networks. For instance, Comcast supports native IPv6 and offers its customers IPv6 broadband Internet services. The same, though, cannot be said of many other Internet service providers (ISPs). For instance, Verizon has yet to implement IPv6. ISPs have contributed to the slow adoption of IPv6 as they have not fully implemented IPv6 in their networks. One could say that no ISP wanted to be the first one to switch to IPv6 and not be able to offer its customers IPv4. Instead, Internet service providers are looking to extend the use of their existing IPv4 pool of addresses. ISPs are able to achieve this through techniques such as sharing IP addresses between customers, and through Large Scale NAT (LSN) to provide shared public addresses to their customers.
The slow adoption of IPv6 has been attributed to the lack of economic incentives. This has contributed to the reluctance of a large number of service providers and hardware suppliers to initiate the process of upgrading to the IPv6 protocol. Indeed, since ISPs continued to run IPv4, the implementation of IPv6 had been curtailed as most enterprises did not see the need to upgrade to IPv6. Another factor that has led to minimal IPv6 implementation can be pointed towards IT management, who are responsible for prioritizing IT projects. Up to this point, IPv6 has not been considered a priority by many organizations; hence their reluctance to deploy this new protocol in their networks. Instead, other aspects of IT (such as adopting cloud services) have been the focus of IT departments.
The lack of IPv6 support by end-user home devices (PCs and gaming consoles) has also been a setback to the adoption of IPv6. Moreover, not all content providers are able to deliver content to customers via IPv6. In many cases, this can be attributed to customer-premises equipment (CPE) that is not being configured to support IPv6. A key issue that has led to the slow transition from IPv4 to IPv6 is the fact that there is still a lack of an understanding of IPv6 in the IT industry.
American companies have been lagging behind in the implementation of IPv6 compared to other nations. Consequently, American businesses might find themselves isolated as IPv6 gets implemented all over the globe. This could result in strategic and connectivity issues as businesses located in other continents – in particular, Asia, and Europe – deploy more and more IPv6 networks. Eventually, this could have a negative impact on eCommerce when American businesses and users have difficulty accessing essential markets and sites that are only IPv6 accessible.
Although a majority of the latest operating systems for personal computers and servers offer support for IPv6, not all of the older versions offer support. Also, Windows operating systems default to tunneling IPv6 over IPv4; so, the Windows system has to link directly to an ISP and it has to receive a valid IPv4 address in order for IPv6 to function. An additional step needed is the installation of supporting modules in the research directory. This is something that system administrators will have to configure and also be able to troubleshoot.
Given that IPv6 is still relatively new, there has not been extensive literature covering specific aspects of networking. For instance, the topic of Quality-of-Service techniques in relation to the IPv6 protocol has not been thoroughly investigated. Nonetheless, recent trends show that more effort is being put into researching this topic as well as other aspects of IPv6 using various localized networks. While there are some operating systems that offer IPv6 support, most business applications are likely to be incompatible with IPv6 by virtue of their design. Moreover, although most operating systems may be IPv6 capable, not all of them have this feature enabled by default. Since IPv6 is still new, most products and appliances have not had sufficient testing on it.
In order for applications (e.g., network monitoring, and logging applications) and network devices (e.g. routers, web servers, and hosts) to fully support the IPv6 protocol, new lines of code will have to be introduced into the Internet. This new code could be targeted by hackers since relevant security measures may not yet be in place. While some web browsers have IPv6 built-in capabilities that enable users to request web pages using IPv6 addresses, others do not. An example would be Internet Explorer version 6 which does not offer support for IPv6. This demonstrates compatibility issues between IPv6 and legacy applications that are still in wide use today.
IPv6 offers support for some protocols (on some operating systems) such as telnet without the need for any configuration. However, this may not be the case for other protocols such as File Transfer Protocol (FTP) and Simple Mail Transfer Protocol (SMTP), mainly due to the incompatibility of reverse DNS lookup with IPv6. This particular hurdle can be tackled by installing third-party vendor software that resolves the incompatibility issues and allows communication using protocols such as FTP.
Domain Name System (DNS) is not independently able to use IPv6 (when using Windows-based operating systems), but instead requires the use of IPv4 for configuration. Thus, IPv6 capabilities cannot fully function without the use of IPv4 in the network. In some cases, DNS issues can be mitigated by configuring static routes on gateway routers. Another key protocol that is not supported by some mainstream Windows-based operating systems is the Network Time Protocol (NTP), which is essential for synchronizing device clocks within a network. Mass deployment of IPv6 is likely to present challenges mainly due to some technical considerations. For instance, not all IPv6 stacks accept DNS server allocations. DNS is particularly crucial in IPv6 given the length and complexity of IPv6 addresses. Moreover, since DNS security is not fully implemented, address configuration issues arise.
NAT presents certain limitations and complexities because it prevents end-to-end communication between end users. Many protocols (such as IPsec and Kerberos) that are based on bidirectional communications might be incompatible with NAT. Other applications that may not be compatible with NAT include those that are designed to use a globally unique address and those that require more than one port to be open on the same end host (e.g., Network File System (NFS)). Additionally, applications that rely on packets sourced from particular port numbers and those that are run on servers (for example, File Transfer Protocol (FTP), and games) may also not be compatible with NAT.
NAT presents drawbacks that limit the ability to leverage the benefits provided by the QoS concept. For instance, applications that are not able to make use of IPv6 are unable to reap the benefits offered by IPv6 such as larger address spaces and use of QoS. IPv6 removes the need to use NAT by providing a massive number of addresses. Furthermore, this also eliminates the problems that are linked to NAT. For example, some applications such as VoIP experience diminished performance when set up in environments that make use of NAT technology.
Since IPv6 offers a tremendous number of addresses that promises every node its own global IP address, it discourages the use of NAT technology which is used extensively in IPv4 to extend the address space. However, even though NAT has its shortcomings, one cannot deny the fact that it has been used extensively by network administrators as a security tool. Thus, it may be difficult to convince some IT administrators to abandon IPv4 and NAT so that they can switch to IPv6.
While IPv4 is the current standard that is used in most networks (if not all) and will continue to be this way for a while, it makes sense to find a mechanism that will enable interoperability between IPv4 and IPv6. IPv4 and IPv6 are likely to coexist for an extended period of time, during the transition phase from IPv4 to IPv6. The good news is that the designers of IPv6 foresaw this scenario and incorporated procedures that will allow the two protocols to run side by side.
Most of the applications that are used on IPv4 networks may not work in IPv6-enabled networks. Consequently, several techniques have been designed to help resolve this issue: Bump-in-the-Stack, Bump-in-the-API, transport translator, and translation algorithm. These techniques are essential, especially during the transitioning period as they facilitate interoperability between the two protocols. There are various methodologies that can be implemented when deploying IPv6 alongside IPv4. The dual-stack backbones method is whereby routers have both IPv6 and IPv4 configured and running in parallel. Both protocols are able to perform full routing operations using their respective routing protocols. A second method involves implementing IPv6 over IPv4 tunnels. In this method, IPv4 is used to encapsulate IPv6 packets.
There are various versions of tunneling that can be used (such as manual tunneling, automatic tunneling, and generic routing encapsulation tunnels). IPv6 can also be implemented via a data connection that is devoted just to IPv6. Alternatively, IPv6 can be deployed by using IPv4 multiprotocol label switching (MPLS) as the means to carry IPv6 packets. A third method uses translation to achieve interoperability between IPv6 and IPv4. This method has similarities to IPv4 NAT methodology in terms of implementations as well as problems.
Although IPv6 introduces new and improved security features, it still does not address all the security problems found in today’s IPv4 networks. Moreover, there are still different security threats and concerns that relate to IPv6 networks. Also, given that IPv6 and IPv4 will have to coexist for a long period of time during the transition phase, network security will be affected by security concerns that are specific to both protocols. Further, the transition mechanisms that are suggested to facilitate interoperability between the two protocols are also likely to introduce new security threats. Some of these threats could be easily mitigated by reconfiguring or upgrading existing network firewalls and intrusion detection systems.
When IPv4 was designed, security threats were not a major concern; therefore, minimum security features were included in the protocol. However, as the use of the Internet expanded and security problems started to mushroom, some protocols (e.g., Secure Socket Layer (SSL)) in the transport layer and some applications (e.g., secure HTTP) started implementing security mechanisms, including encryption, authentication, and digital signatures. This approach, however, was not the most effective as it left information for lower layers unencrypted.
Consequently, network layer security issues like denial of service, and spoofing attacks are left unhandled. Thus, to alleviate the layer three security threats, IPsec (IP security) was developed. IPsec describes the various security features that can be implemented in both IPv4 and IPv6. IPsec is integrated into IPv6 and allows for ways to provide authentication, integrity, and privacy. It is worth noting that the security features incorporated in IPv6 can also be achieved in IPv4 through the use of IPsec as well. The security mechanisms included in IPv6 do not eliminate all security threats affecting IPv6 networks. There are quite a few attacks that can target IPv6 networks. For instance, sniffing attacks can be employed to capture and view packets as they are transmitted via the network. This attack is often aimed at data that is sent in plaintext whereby IPsec is not properly configured.
Other security threats target the application layer (e.g., web application attacks, and viruses). These attacks can be mitigated by neither IPv6 nor IPv4 (both of layer three of the OSI network model) as they occur at layer seven (or application layer) of the OSI model. Another type of attack that cannot be addressed by the IPv6 security mechanism is a flooding attack. Flooding attacks send large amounts of data to a network device (e.g., a router) with the goal of overwhelming the device and making it unable to perform its basic functions. In fact, some of the new extension header fields in IPv6 may be used to employ flooding attacks.
Security implications associated with IPv6 include: ICMP issues, multiple protocol stack weaknesses, insufficient tools for countering hacker threats, and IPv6 header content insecurities. In particular, ICMPv6, which is utilized for neighbor discovery, can be deceived by a rogue device in the network. This can happen during the bootup process of a device attached to an IPv6 network. The device will first attempt to find out which network it is connected to by sending a Router Solicitation packet. IPv6-capable routers in that network then send a Router Advertisement (RA) packet. However, a rogue router in the network can respond with an RA indicating a phony subnet for the requesting device. Many devices are able to run multiple protocols, that is, both IPv4 and IPv6. This, however, may result in security risks whereby Internet access is enabled by accident on a client’s machine prior to the configuration of IPv6 security features. Regardless of whether IPv4 security measures are already in place, attackers can circumvent IPv4 security by employing IPv6 as the means of transport.
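The rogue Router Advertisement scenario above is the kind of event a network monitor should flag. The following is an added example, not part of the original paper: it parses an ICMPv6 RA from raw packet bytes and checks it against the validation rules of RFC 4861 (link-local source, hop limit 255) and against a site policy that is purely hypothetical here (the trusted router `fe80::1` and the expected prefix `2001:db8:1::/64`). The `build_ra` helper only constructs test packets; checksums are left at zero.

```python
import ipaddress
import struct

# Hypothetical site policy (constructed for this example): the only router
# allowed to send RAs on this link, and the only prefix it may advertise.
TRUSTED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
EXPECTED_PREFIXES = {ipaddress.IPv6Network("2001:db8:1::/64")}

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
PREFIX_INFO_OPTION = 3


def parse_ipv6(packet: bytes):
    """Split an IPv6 packet into (next_header, hop_limit, src, dst, payload)."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    return next_header, hop_limit, src, dst, packet[40:40 + payload_len]


def parse_ra_prefixes(icmp: bytes):
    """Return the prefixes carried in a Router Advertisement's option list."""
    if len(icmp) < 16 or icmp[0] != ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    off = 16  # fixed RA body: type, code, checksum, hop limit, flags, lifetimes
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed neighbor discovery option")
        if opt_type == PREFIX_INFO_OPTION and opt_len == 32:
            prefix_len = icmp[off + 2]
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((prefix, prefix_len), strict=False))
        off += opt_len
    return prefixes


def check_router_advertisement(packet: bytes):
    """Return a list of policy violations; an empty list means the RA looks legitimate."""
    next_header, hop_limit, src, dst, payload = parse_ipv6(packet)
    if next_header != ICMPV6:
        return ["not ICMPv6"]
    problems = []
    # RFC 4861: a valid RA has a link-local source and an IP hop limit of 255
    if not src.is_link_local:
        problems.append(f"non-link-local source {src}")
    if hop_limit != 255:
        problems.append(f"hop limit {hop_limit} != 255 (forwarded or crafted)")
    if src not in TRUSTED_ROUTERS:
        problems.append(f"unexpected router source {src}")
    for prefix in parse_ra_prefixes(payload):
        if prefix not in EXPECTED_PREFIXES:
            problems.append(f"unexpected prefix {prefix}")
    return problems


def build_ra(src: str, prefix: str, hop_limit: int = 255) -> bytes:
    """Construct a minimal RA packet for testing (checksum left at zero)."""
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information option: type 3, length 4 (x8 bytes), L+A flags set
    option = struct.pack("!BBBBIII", PREFIX_INFO_OPTION, 4, net.prefixlen, 0xC0,
                         2592000, 604800, 0) + net.network_address.packed
    # RA body: type, code, checksum, cur hop limit, flags, lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + option
    header = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return header + icmp
```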
IPv6 header contains a Flow Label field that is intended to aid in the improvement of QoS aspects of the protocol; yet, this field also presents certain security risks when used by QoS services. These can be accomplished through the theft of services by malicious traffic that can spoof Flow Label value as well as the source and destination addresses. Unfortunately, IPsec does not include any specific defense mechanism targeting this particular security threat. The only effective way of addressing Flow Label threats is by implementing proper policies and authorization standards on the host’s devices.
IPv6 packets allow extension headers that point to the subsequent header; this feature presents a security vulnerability, in that destructive headers can be employed to exhaust router resources on a network path. Such headers may be designed to point to multiple headers with the intention of creating a denial of service by depleting resources on routers. In some instances, IPv6 routing headers are able to limit access to a specified destination address. This could result in malicious attacks that misrepresent the routing header based on a forbidden address and target a victim network. This can be achieved by first spoofing packet addresses and then initiating denial-of-service attacks.
Another security concern that is specific to IPv6 is that it affects networks that implement tunneling of IPv6 via IPv4. Tunneling of IPv6 packets inside IPv4 creates an additional layer that hides the original IPv6 initial information. This layer makes it harder for IPv4 network security tools as they might not have the capability to perform an in-depth inspection of the concealed IPv6 packets.
Various transition techniques have been suggested for easing the gradual process of transition from IPv4 to IPv6. These migration mechanisms, however, bring with them new and unanticipated security issues. Take for instance the tunneling technique used to facilitate connections to networks that are on IPv6 “islands”. This approach requires that both ends offer support for both protocols. The fact that receiving nodes have to decapsulate packets received from any source presents security risks. This is because headers can be spoofed and the information obtained can then be used to launch attacks targeting the nodes on the network.
The dual-stack approach, which involves the implementation of both IPv4 and IPv6 protocols simultaneously, presents certain security challenges. The dual-stack technique solves interoperability problems by having two separate stacks featuring IPv4 and IPv6. This network design can be targeted using either IPv4 or IPv6 attacks. The tunneling solution makes it difficult to determine who is involved in communications on the tunnels. This could result in security concerns as routers end up carrying communications with non-authenticated routers. Intruders can inject forged traffic destined for an endpoint inside the tunnel. Additionally, tunneling allows for the encapsulation of traffic that may not be inspected by firewalls, hence allowing malicious data to enter the network.
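The two concerns raised above, extension header chains that burn router resources and IPv6 hidden inside IPv4 tunnels that IPv4-only tools cannot see, can be addressed with one inspection routine. The following is an added example, not code from the paper: it takes an IPv4 packet, decapsulates 6in4 encapsulation (IPv4 protocol 41) and walks the inner IPv6 extension header chain, reporting Routing Header type 0 (deprecated by RFC 5095), a Hop-by-Hop header that is not first (RFC 8200), and chains longer than a policy limit; `MAX_CHAIN`, the addresses, and the `build_6in4` test-packet helper are constructed for the example.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv4 protocol number for IPv6-in-IPv4 (6in4) encapsulation
EXTENSION_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
                     51: "AH", 60: "Destination"}
MAX_CHAIN = 4      # hypothetical site policy: longer chains are reported


def walk_ipv6(packet: bytes):
    """Return (src, dst, [extension header names], upper-layer protocol number)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header = packet[6]
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    chain, off = [], 40
    while next_header in EXTENSION_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        name = EXTENSION_HEADERS[next_header]
        if next_header == 44:
            length = 8                          # Fragment header is fixed size
        elif next_header == 51:
            length = (packet[off + 1] + 2) * 4  # AH: 4-byte units, minus 2
        else:
            length = (packet[off + 1] + 1) * 8  # others: 8-byte units, not counting first
        if next_header == 43:
            name = f"Routing(type={packet[off + 2]})"
        chain.append(name)
        next_header = packet[off]
        off += length
    return src, dst, chain, next_header


def inspect(frame: bytes):
    """Inspect an IPv4 packet; decapsulate 6in4 and check the inner IPv6 header chain."""
    findings = []
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return ["not IPv4"]
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IPPROTO_IPV6:
        return findings  # not a tunnel: ordinary IPv4 policy applies
    outer_src = ipaddress.IPv4Address(frame[12:16])
    findings.append(f"6in4 tunnel from {outer_src}: inner IPv6 inspected")
    src, dst, chain, upper = walk_ipv6(frame[ihl:])
    if "Hop-by-Hop" in chain[1:]:
        findings.append("Hop-by-Hop header not first in chain (RFC 8200 violation)")
    if "Routing(type=0)" in chain:
        findings.append("Routing Header type 0 (deprecated by RFC 5095): drop")
    if len(chain) > MAX_CHAIN:
        findings.append(f"extension header chain of {len(chain)} exceeds policy of {MAX_CHAIN}")
    return findings


def build_6in4(chain, upper: int = 6) -> bytes:
    """Construct a test packet: IPv4 (proto 41) wrapping IPv6 whose extension
    headers are given as (header_number, routing_type) pairs, outermost first."""
    ext, next_header = b"", upper
    for number, rtype in reversed(chain):  # build back to front to fill Next Header
        if number == 43:
            hdr = struct.pack("!BBBB4x", next_header, 0, rtype, 1)
        elif number == 44:
            hdr = struct.pack("!BBHI", next_header, 0, 0, 1)
        else:
            hdr = struct.pack("!BB6x", next_header, 0)
        ext, next_header = hdr + ext, number
    payload = ext + bytes(20)  # placeholder upper-layer header
    v6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    v6 += ipaddress.IPv6Address("2001:db8::1").packed
    v6 += ipaddress.IPv6Address("2001:db8::2").packed + payload
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, IPPROTO_IPV6, 0,
                     ipaddress.IPv4Address("192.0.2.1").packed,
                     ipaddress.IPv4Address("198.51.100.2").packed)
    return v4 + v6
```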
Firewalls represent an essential security component of today’s networks as they are used to filter traffic into and out of the network. There is a wide variety of software firewalls that have been developed for IPv4, most of which include easy-to-use interfaces. These firewalls are quite advanced and also come with defined filtering rules. In contrast, there is a limited number of firewalls that offer IPv6 support, mainly because filtering rules for IPv6 will have to be different from those for IPv4. Not to mention that the process of translating IPv4 security policies to those based on IPv6 is going to be a challenge. Moreover, the differences in header formats for the two protocols require a different approach when designing firewall rules. Besides, some protocols associated with IPv6 (e.g., ICMPv6) need to be allowed in IPv6 firewalls.
Reconnaissance attacks that involve gathering network and end host information can be performed in IPv6 networks. An attacker can use various tools (e.g., Nmap) and other methods to collect information about the host and network devices. In particular, multicast addresses assigned to network nodes can be used to help identify resources on a network that can then be attacked. It is possible to avoid attacks by disabling access to internally used addresses.
IPv4 has been used in networks for many years, which has resulted in an understanding of its security aspects. A majority of network engineers as well as administrators have a wide collection of tools for countering network security concerns. On the contrary, there is yet to be an adequate set of tools that can be used to deal with security issues related to IPv6. It will take a considerable amount of time before vendors and network engineers fully understand the different IPv6 attacks and devise appropriate measures to address these concerns. Given that there are not many effective security scanning tools for IPv6, it becomes harder for the existing security features to detect malware-related security threats.
IPv6 increases available address space but at the same time, it introduces an addressing style that is end-user unfriendly. In addition, the increased scope of IPv6 could result in network outages caused by multicast misuse. What is more, improper anycast address configuration might affect availability.
Network administrators and users will have to receive some training in order to familiarize themselves with IPv6’s addressing structure. IPv6 addressing style differs in three main ways from that of IPv4. First, IPv6 consists of a 128-bit address scheme, which is unlike IPv4’s 32-bit address scheme. Second, the IPv6 address allocation makes use of hexadecimal notation whereas IPv4 uses decimal representation. Third, in IPv6, there are three main types of addresses: anycast, unicast, and multicast.
The unicast addresses are broken down into three subcategories, that is, site-local, link-local, and global addresses. Unicast addresses incorporate the local host’s MAC address to provide convenient and unique address allocation. Multicast addresses are intended for multiple nodes located on a single site and were designed to replace IPv4’s broadcast address type. Lastly, the anycast address type represents a unicast address that is allocated to more than one device. A packet that has an anycast address as its destination is forwarded to the nearest device holding that anycast address. Certainly, the IPv6 addressing scheme is one that a majority of network administrators, as well as users, are not quite familiar with.
The multitude of addresses that IPv6 provides is not only going to solve the issue of limited addresses in IPv4, but it will also have implications on how the network functions in general. For instance, there will be no particular motivation to use address translation through technologies such as NAT. In addition, the routing state will not have to be kept inside networks. IPv6 introduces a new challenge to a network administrator in terms of address assignment. With IPv4, devices on a network can be assigned addresses either manually or through the use of DHCP. Unlike IPv4, IPv6 employs two address assignment techniques: stateful and stateless address autoconfiguration. Stateful address autoconfiguration is similar to IPv4’s DHCP standard, whereby devices get their addresses from a router or server that is configured with a pool of addresses to hand out. On the other hand, stateless configuration does simplify address allocation by not requiring manual configuration or the use of a server. Instead, nodes are allowed to produce their own addresses by using information that is available within the local network. Still, these are all new concepts that network administrators will need to receive training on.
The stateless configuration uses the device’s Media Access Control (MAC) address that is “burnt” into the device’s network card when it is manufactured. However, this concept raises privacy issues, in that individual devices on the Internet will be configured with permanent unique addresses, hence making them easier to locate and track. It also creates security threats since it makes it easier to determine what addresses are located within a given network. IPv6 also provides features that facilitate better management of quality of service through datagram labeling; however, this could also result in privacy concerns as there is increased control of the content. Another privacy issue can be associated with the long-term addresses that are assigned to end-user devices.
One solution that has been suggested to deal with privacy issues is by varying network identifiers using extensions for stateless configurations that utilize MAC addresses. Still, this approach may not be entirely reliable since addresses obtained through the DHCP server may take a long time to change. Furthermore, changing addressing within the topology has the possibility of negatively affecting the routing configuration within a network.
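The privacy problem described in the two paragraphs above comes from the way stateless autoconfiguration derives the interface identifier from the MAC address, and the suggested remedy is to vary that identifier. The following is an added example, not from the paper: it builds the modified EUI-64 identifier of RFC 4291 from a MAC, shows that the MAC can be read straight back out of the resulting address (so the same host is recognisable on any network), and contrasts it with a randomly generated, RFC 4941-style temporary identifier that carries no such marker. The MAC `00:1b:63:84:45:e6` and the documentation prefixes are constructed sample values.

```python
import ipaddress
import secrets


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A):
    insert ff:fe between the OUI and the device part, then flip the u/l bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit is inverted in the modified form
    return bytes(eui)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfiguration address: advertised /64 prefix + EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))


def recover_mac(addr):
    """Inverse of mac_to_eui64, i.e. the tracking problem: anyone who sees the
    address learns the hardware address. Returns None when the identifier does
    not carry the ff:fe marker (for example, a temporary address)."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def temporary_address(prefix: str) -> ipaddress.IPv6Address:
    """RFC 4941-style temporary address: a random identifier with the universal
    bit cleared, unlinked to the hardware and meant to be rotated periodically."""
    net = ipaddress.IPv6Network(prefix)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD                 # clear the universal bit: locally generated
    if iid[3:5] == b"\xff\xfe":    # never let it look like an EUI-64 identifier
        iid[4] ^= 0x01
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


def same_device(addr_a, addr_b) -> bool:
    """Could an observer link two addresses seen on different networks to one host?"""
    mac_a, mac_b = recover_mac(addr_a), recover_mac(addr_b)
    return mac_a is not None and mac_a == mac_b
```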
Undeniably, the IPv6 addressing concept is a complex one that might take a while to be fully understood by end users as well as network administrators. IPv6 implementation will require an understanding of the different addressing and routing approaches it presents. Companies will need to train their support personnel on matters of IPv6. Besides, vendors will have to find solutions that will make it easier for them to adapt to a new and changing market.
There is no question that a vast number of providers will have to provide support for both IPv4 and IPv6 for a considerable period of time. This is likely to result in increased costs due to duplicated routing information on network infrastructure. Some companies may be compelled to implement IPv6 due to partner or market demands even when they are not ready or do not feel the need to migrate to IPv6. Transitioning to IPv6 may end up being a slow and expensive process for many organizations, adding unforeseen costs (including vulnerability patches). The added costs could be a result of software and hardware upgrades. Other costs could be related to the support and training needed for the new protocol. The added costs as well as the time needed may make it even harder to convince top management to allow for the switch to IPv6.
Before a company can migrate to IPv6, it is critical that it adopts a strategy that will aid in making the transition process a success. For instance, it will be crucial for companies to know when their ISPs are scheduled to offer support for IPv6. The company will also have to ensure that transitioning to IPv6 will not negatively impact communication with business partners. Another key requirement that has to be met prior to migration is ensuring that network devices are IPv6 capable. Also, DHCP and DNS servers will need to be upgraded to versions that are compatible with IPv6. Finally, the company will need to decide which technique to use in order to connect the IPv6 network to external networks.
Conclusion
IPv6 is projected to introduce a variety of improvements to different aspects of networking. However, the migration process from IPv4 to IPv6 is not going to be a smooth one as there are many stumbling blocks that IT departments will have to contend with. Some of the issues that organizations will have to face include: application and protocol incompatibility, software and hardware updates, security concerns, employee training, and added costs. Ultimately, IT management will be best served by planning the transition process well prior to implementation.