Best Practices for Implementing IPv6 and Avoiding Traffic Exposures

There has been a lot of discussion lately about the potential for IPv6 to create security issues. While there are definitely some security risks in IPv6 deployment, a carefully considered implementation plan can help mitigate them.

As we approach World IPv6 Launch tomorrow, I thought it prudent to share an incident, described below, that iDefense recently observed. This incident illustrates the disruptive capability of IPv6 in action and also prompted me to think about what IT professionals need to do to help make sure their network infrastructure is ready for the impending launch of IPv6.

During a recent incident, attackers compromised an organization’s network and were able to activate the IPv6 protocol on the organization’s routers. In this case, as in many enterprises, network and security engineers were not fully monitoring IPv6 traffic within their networks. By using IPv6, the attackers who caused this incident flew completely under the radar and were able to transmit their stolen data unnoticed.

Cases such as these present one of the greatest risks to organizations, but have gone mostly unreported. They also bring to light how important it is for administrators to actively monitor IPv6 traffic in their networks just as robustly as IPv4 traffic to better understand specific IPv6 attack vectors and traffic characteristics.

Even if an organization is not planning to implement IPv6, it is in their best interest to deal with IPv6 traffic exposures as soon as possible, as they may already have devices, operating systems and transitional configurations in place on their networks that can make them susceptible to cyber criminals.

The following are some best practices for handling the transition to IPv6 no matter what your migration plan is:

  1. Begin monitoring networks for IPv6 traffic now.
  2. If you’re not monitoring for IPv6, turn off IPv6 everywhere to ensure that there are not any unknown paths through an organization’s network. This includes turning off IPv6 interfaces and tunneling protocols.
  3. Begin thinking about what is required to build the security that organizations need to use IPv6 within the application layer.
  4. Do an IPv6 pilot on a small portion of the network, potentially using a transitional technology.
  5. Develop a plan to transition an entire network to IPv6 incrementally.
  6. Execute the plan once it’s ready, but execute quickly once committed to avoid vulnerabilities.
  7. Acquire and test IPv6-aware monitoring and assessment tools.
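
As an added illustration of items 1 and 2 (not code from the original post or from iDefense), the sketch below labels captured Ethernet frames as native IPv6, IPv6 tunneled in IPv4 (IP protocol 41), or likely Teredo, so that IPv6 paths on a network believed to be IPv4-only become visible. The sample frames are constructed, and matching UDP port 3544 is a heuristic that only catches Teredo traffic to or from a Teredo server.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_UDP, PROTO_41 = 17, 41   # IP protocol 41 = IPv6 in IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544             # Teredo server port; client-to-client flows use other ports

def classify_frame(frame: bytes) -> str:
    """Label one Ethernet frame: native-ipv6, proto41-tunnel, teredo, ipv4 or other."""
    if len(frame) < 14:
        return "other"
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    while ethertype == ETH_VLAN and len(frame) >= off + 4:   # skip 802.1Q tags
        ethertype, off = struct.unpack("!H", frame[off + 2:off + 4])[0], off + 4
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    if ethertype != ETH_IPV4 or len(frame) < off + 20:
        return "other"
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    if proto == PROTO_41:
        return "proto41-tunnel"
    first_fragment = (struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF) == 0
    if proto == PROTO_UDP and first_fragment and ihl >= 20 and len(frame) >= off + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "ipv4"

def summarize(frames):
    # Count frames per class so unexpected IPv6 paths stand out.
    return Counter(classify_frame(f) for f in frames)

# Constructed sample frames (documentation addresses, checksums left at zero).
def _eth(ethertype, payload, vlan=None):
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return b"\x02" * 6 + b"\x02" * 6 + tag + struct.pack("!H", ethertype) + payload
def _ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + payload
def _udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)
IPV6_HDR = b"\x60" + b"\x00" * 39
SAMPLES = [
    _eth(ETH_IPV6, IPV6_HDR),                                    # native IPv6
    _eth(ETH_IPV6, IPV6_HDR, vlan=100),                          # native IPv6, VLAN-tagged
    _eth(ETH_IPV4, _ipv4(PROTO_41, IPV6_HDR)),                   # IPv6 inside IPv4
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, _udp(50000, TEREDO_PORT))),  # Teredo server traffic
    _eth(ETH_IPV4, _ipv4(PROTO_UDP, _udp(50000, 53))),           # ordinary IPv4 DNS
]
print(dict(summarize(SAMPLES)))
```

On a segment where IPv6 is supposed to be turned off, any count other than `ipv4` or `other` points to an interface or tunnel that still needs disabling.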

Has your organization started actively planning for the launch of IPv6?

Written by Rick Howard, General Manager, iDefense at Verisign

Nominum Survey of World’s Leading ISPs Shows Nearly 60% of ISPs Plan to Roll-Out IPv6 by End of 2012

Most ISPs Are Undervaluing the Business Benefits Associated with IPv6

In anticipation of World IPv6 Day — June 6, 2012 — Nominum, the worldwide leader in integrated DNS-based applications and solutions for service providers, today released results of a survey of the world’s leading ISPs about their plans and concerns regarding the transition from IPv4 to IPv6.

Nominum surveyed 67 top ISPs throughout North America, Japan, Europe and Latin America with a combined reach of 110 million households. The survey found that 97 percent of these ISPs have either already implemented or plan to implement IPv6. From that group:

  • 23 percent have already done so
  • 35 percent say they plan to do so in 2012
  • 39 percent say they plan to implement IPv6 in 2013 or later

The survey revealed major regional differences in IPv6 deployment plans:

  • Every Japanese ISP surveyed has deployed IPv6
  • Only 25% of North American respondents have deployed IPv6, but 100% plan to by year-end
  • Just 48% of European respondents plan to deploy IPv6 by year-end
  • Only 20% of Latin American ISPs plan to deploy IPv6 by year-end

European ISPs appear to have the greatest risk of not making the transition in time since under current policies the Regional Internet Registry for Europe (RIPE NCC) is projected to run out of IPv4 addresses later this year.

Not surprisingly, accommodating new subscriber growth was the number one business reason given for making the change to IPv6. However, most ISPs are not looking beyond software support and interoperability testing to uncover key business benefits associated with IPv6, such as:

  • Revenue Growth: IPv6 accommodates dramatic growth in IP-enabled devices, i.e. the Connected Home, M2M, etc. It also supports growth into new or expanding markets.
  • Customer Loyalty: IPv6 provides for a better experience accessing popular connection-intensive contents, such as Facebook and Google Maps, as well as better peer-to-peer gaming and personal cloud applications.
  • Network Efficiency: Protocol improvements such as better multi-cast support and larger packet sizes enable high performance applications and lower overhead for high performance data transfers for video and cloud access.

“IPv6 represents the biggest change in IP Networking since the start of the Internet. Most people know it is a necessity to keep the Internet moving and growing, but don’t realize how it can be used to improve our favorite applications. It also presents a huge opportunity for operators, content providers and enterprises to harness powerful business benefits associated with the ‘new’ Internet,” said Craig Sprosts, leader of Fixed Broadband Solutions for Nominum. “Things like increased customer loyalty, higher network efficiency and reduced costs are all powerful reasons to make the IPv6 transition. IPv6 presents a viable solution for continued Internet growth, sustainable provider success, and positive user experience.”

The survey also revealed surprising results regarding the transition mechanisms planned for IPv6. Despite the extra expense associated with customer premise equipment, 80 percent of ISPs surveyed say they plan to use a native dual-stack transition mechanism for their roll outs as opposed to carrier-grade NAT and other such technologies. Dual-stack technology helps ISPs to make smarter use of their existing address space while moving the Internet forward by supporting native IPv6 and the benefits it provides.

To help optimize broadband service quality and launch new applications, fixed broadband and mobile service providers rely on Nominum’s three-tiered architecture: the engines, which make networks faster and more efficient; platforms, which increase business agility; and applications, which increase competitive differentiation. More than 500 million Internet users depend on Nominum-powered networks around the world every day.

To learn more visit: www.nominum.com/ipv6survey

London2012 needs IPv6 at the starting gun

China made its mark with its implementation of IPv6 for the Beijing 2008 Olympics. London needs to follow suit — for the good of its games and to help create an IPv6-ready infrastructure in the capital, says Axel Pawlik.

Earlier this summer, the Wimbledon quarter-finals triggered a 70-percent surge in UK internet traffic as the public watched matches online. The online viewing figures in August 2012 are expected to dwarf that Wimbledon surge, as millions around the world log on to watch the London Olympics.

More from ZDNetUK…

The Four Horsemen of the Apocalypse, Class of 2011: IPv6

The previous two columns in this series—The Four Horsemen of the Apocalypse, Class of 2011—discussed the Cloud and Recreational Hacking and what they mean for corporate counsel. This column looks at the third of the Horsemen: IPv6, the new protocol for the Internet that is rolling out over the next few months.

The Internet—originally known as ARPANET, among other configurations—was developed by geniuses like Jon Postel, Vint Cerf, Lawrence Roberts, and others who made the technology advances that laid the groundwork and the backbone for the worldwide web as we know it today. I was honored to have met Postel and Cerf in the 1990s when I participated in hearings before the World Intellectual Property Organization in Geneva. The debates then centered on access and growth. One topic that was never discussed (or if it was, only in passing) was whether the Internet would ever run out of numbers – the unique identifiers known as Internet Protocol (IP) addresses. After all, the key to the Internet’s design was that it was scalable and could grow without foreseeable limitations. At least that was the plan.

More from Corporate Counsel…

ZTE Upgrades T8000 Router to IPv6 using NetLogic Microsystems’ NLA11k Knowledge-based Processors

NetLogic Microsystems, Inc., a worldwide leader in high-performance intelligent semiconductor solutions for next-generation Internet networks, today announced that ZTE Corporation, a leading global provider of telecommunications equipment and network solutions, has selected NetLogic Microsystems’ industry-leading NLA11k knowledge-based processors, optimized for Internet Protocol Version 6 (IPv6) processing, for ZTE’s multi-terabit T8000 Cluster Router. ZTE’s T8000 Router is ideal for operators and service providers building sophisticated IP/Multiprotocol Label Switching (MPLS) infrastructure for next-generation network backbones.

Complete info at TradersHuddle.

ISI Snapshot Provides Cisco Readiness Monitoring for IPv6

IPv6 is here and most companies are expected to deploy it in the next 12 to 24 months. Not all networking equipment supports or can be upgraded to use IPv6. ISI Snapshot 7.4 can inventory and tell you if your current configuration currently supports or can be upgraded to support IPv6 and helps avoid major outages caused by undetected incompatibilities.

Complete info at SFGate.