With IPv4 space running dry, why are so many organisations still not ready for IPv6?

Organisations must have a proper IPv6 strategy for transition

Sponsored We seem to have been talking about IPv6 forever. It was officially launched in 2012 but had already been in existence for a number of years and had been implemented on all major operating systems used by businesses and consumers by 2011. Even before that date, it had been widely acknowledged that we were running out of IPv4 addresses.

And yet many organisations across Europe are still not ready to implement IPv6, with the issue varying hugely between countries and from company to company. While some businesses have not officially adopted IPv6 or put in place a strategy around how to manage its implementation, by allowing some technology onto their network which is already using the protocol (either with or without the express knowledge and permission of the IT team), they have in effect unofficially adopted IPv6. This means they run the risk of endangering the security of the organisation if firewall rules are no longer working, or if AV and other security products are not optimised for IPv6 traffic.

The reason this is such a problem in Europe is that there is no overall body enforcing the migration to IPv6. In the US, government policy enforcing the transition to the new standard has driven some uptake, and in Asia use of the protocol has been accelerated simply by virtue of their extreme growth and need for addresses and the limited availability of more traditional IPv4 addresses.

What is stopping organisations from just transitioning?

In a perfect world, organisations would be able to build a new IPv6 ready IT architecture from scratch. Of course, very few organisations have the luxury of this but having to adapt legacy systems to be IPv6 ready poses a series of often very difficult challenges.

Manufacturing companies, for example, rely on robots and machines on the production line. Many of these use the Windows 95 OS and often haven’t been updated for a long time. In some cases, implementing IPv6 would mean shutting down the production of a whole factory while the transition takes place, which would be incredibly costly for the business.

Telcos have been working on the transition for years and will be slowly but steadily rolling out to consumers and businesses. It’s critically important to make sure that IT and security teams are prepared, since if the incident response and central monitoring team of a large enterprise is unprepared for IPv6 alerts, critical events could be allowed to go unnoticed.

An even bigger challenge is that IPv6 is more than ‘just a bigger IP address’. The protocol has changed significantly from IPv4 and networks require an element of redesign in order to architect them correctly for performance and security. There is a real risk in doing this, of making security mistakes, exposing unintended resources or relying on a previous safeguard (such as a gateway with a NAT boundary creating an island).

Software and training readiness

In many cases even software companies and vendors are not yet ready for IPv6 with their products. Some technology and security products are ready but others have still not fully invested in feature parity of IPv6 compared to IPv4. Aside from the risks of technology (such as a web filter or a firewall) not being ready, it is also really important to ensure that cyber security practitioners are fully trained in the new protocol. IPv6 has new concepts that need to be fully understood and it is not uncommon to find it casually being used in a network without the controls being correctly updated. It’s not unusual to see IPv6 self-configuring on a network, or being used in association with Microsoft applications or OS services and the security and incident team being oblivious to its deployment.

Another key aspect to take into account is the growing lack of qualified security professionals and the many daily tasks that need to be carried out. Security practitioners in general are in short supply globally, let alone those with experience in this specific area. In addition, large organisations usually have sizeable security teams and the ability to invest more heavily in IT projects such as transitioning to IPv6, but SMEs don’t have the same resources. Given that even big businesses are not yet ready, we begin to see the scale of the problem given that the whole supply chain process usually involves a lot of middle-sized companies that deliver critical components for those larger enterprises.

What’s next?

There’s no doubt that the transition to IPv6 is a painful process for many organisations but it is a path than everyone will have to follow in the end. It is important that businesses move forward with their IPv6 deployments since there is already a surprising volume of IPv6 traffic moving around our networks and on the Internet. Organisations also need to ensure that, because IPv6 is not perceived as a ‘here and now’ trend, that its use does not forge forward with less attention being paid to it than it merits.

Looking for IPv6 related training?

The SANS SEC546: IPv6 Essentials course covers various security technologies like firewalls and Intrusion Detection and Prevention Systems (IDS/IPS). It also addresses the challenges in adequately configuring these systems and makes suggestions as to how apply existing best practices to IPv6. Upcoming IPv6 attacks are discussed using tools like the THC IPv6 attack suite and others as an example.

For more information on this course and resources that cover IPV6 head to the SANS website.

Sponsored by SANS Institute.

Biting the hand that feeds IT © 1998–2021