Fortinet Blog | News and Threat Research

IPv6 Sets Stage For New Security Issues, Part II

by Stefanie Hoffman  |  June 13, 2012  |  Category: Industry Trends & News

Thank goodness for IPv6. The comprehensive kickoff on June 6 of the updated Internet Protocol version 6 (IPv6) will no doubt open up an almost infinite number of Internet addresses, ensuring that we all remain online for generations to come.

However, as one might expect with any significant undertaking, the impending transition will likely expose networks to a slew of security issues, both anticipated and unforeseen.

What kind of threats can we expect to see targeting IPv6 down the road? Thus far, the comprehensive launch of the new Internet protocol is just days old, and no one has a crystal ball. However, there are a few security issues that we can expect to tackle in the not-too-distant future, according to Patrick Bedwell, Fortinet vice president of products.

Attacks Targeting IPv6: So far, there have been only limited reports of malicious attacks targeting the IPv6 protocol. But the reason has more to do with the number of users than capability or intent. With the worldwide launch of the IPv6 protocol barely a week old, there are few attack targets, meaning a very small number of networks are fully running and operating IPv6. As such, cybercriminals have had relatively little time to discover vulnerabilities in the protocol and then create attacks exploiting those flaws, Bedwell says.

But just wait. As more users adopt the new protocol, it will only be a matter of time before malware authors will follow suit with their arsenal of attacks.

Attacks Targeting Systems Protected By Legacy IPv4: It’s fair to assume that inherent weak links in IPv4 will inevitably start to emerge as the protocol usage slowly starts to atrophy. And cybercriminals will be standing by with their weapons.

One of those weak links in the IPv6 protocol chain occurs because of an egregious gap in visibility. Specifically, while there are work-arounds that allow IPv4 network and security devices to forward IPv6 packets, IPv4 devices themselves are not equipped to inspect those packets for malicious content, Bedwell maintains. That disparity then facilitates a giant security loophole that enables malicious content to evade legacy security devices when sent via IPv6. As such, threats traveling via the IPv6 protocol will essentially be invisible to security policies that may have been in place for years. And as long as the system can process IPv6, the attack is sure to reach its intended destination.
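The visibility gap described above can be measured on captured traffic. The following is an added example, not code from the original article or from Fortinet. It goes beyond the text by assuming three common IPv6 carriers that the article does not name (native IPv6, IPv4 protocol 41 encapsulation, and Teredo on UDP port 3544), and its frames are constructed samples.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_UDP, PROTO_6IN4 = 17, 41   # 41 = IPv6 encapsulated in IPv4 (assumed carrier)
TEREDO_PORT = 3544               # Teredo, IPv6 over UDP (assumed carrier)
IPV6_CARRIERS = ("native-ipv6", "6in4-tunnel", "teredo-candidate")

def classify(frame: bytes) -> str:
    """Say how an untagged Ethernet frame carries IPv6, if it does."""
    if len(frame) < 14:
        return "malformed"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    if ethertype != ETH_IPV4:
        return "other"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if len(ip) < 20 or ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return "malformed"
    proto, payload = ip[9], ip[ihl:]
    if proto == PROTO_6IN4:
        # The inner packet must itself start with IP version 6.
        return "6in4-tunnel" if payload[:1] and payload[0] >> 4 == 6 else "malformed"
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo-candidate"   # port match only, not proof of Teredo
    return "ipv4-only"

def uninspected(frames) -> dict:
    """Count frames an IPv4-only policy forwards without inspecting."""
    counts = Counter(classify(f) for f in frames)
    return {k: counts[k] for k in IPV6_CARRIERS if counts[k]}

# Constructed sample frames (documentation addresses, zeroed checksums).
def eth(ethertype, payload):
    return b"\x02" * 12 + struct.pack("!H", ethertype) + payload
def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload
IPV6_HDR = b"\x60" + b"\x00" * 39
SAMPLES = [
    eth(ETH_IPV6, IPV6_HDR),
    eth(ETH_IPV4, ipv4(PROTO_6IN4, IPV6_HDR)),
    eth(ETH_IPV4, ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 48, 0) + IPV6_HDR)),
    eth(ETH_IPV4, ipv4(6, b"\x00" * 20)),
]
```

Any non-empty result from `uninspected()` on a segment guarded only by IPv4-aware devices marks traffic that those devices pass without applying policy. VLAN-tagged frames and IPv4 fragments are not handled here.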

Misconfiguration: You’ve got to expect that this comes with the territory. Any “new” technology or protocol will require a steep learning curve that sets the stage for a slew of human errors, often in the form of misconfiguration, blind spots and unintended vulnerabilities, Bedwell maintains. While IPv6 is not exactly new, few organizations have launched comprehensive deployments. Consequently, that lack of old-fashioned trial-and-error experience leaves a wide knowledge gap in its wake, especially when compared to the solid build-up of IPv4 expertise acquired from decades of use. As such, it’s merely a statistical inevitability that teams delving into IPv6 will make their share of mistakes before fully understanding the nuanced ins and outs of the protocol. Along those lines, it will also require a bit of “on the job training” for IT staff to fully understand the “dual stack” environment—another element that is likely to provide ample opportunities for misconfiguration.

To Support Or Not To Support?: That is the question. Until the new protocol gains solid momentum, both devices that enable IPv6 support and devices that lack it will be vulnerable.

Increasingly, more devices and systems, such as Windows 7, will ship with IPv6 support enabled. Unless that support is actively disabled, these devices will be vulnerable to threats that are transported via IPv6 and are therefore invisible to IPv4 inspection.

Conversely, some legacy security devices will never support IPv6 and, as a result, will fail to see threats traveling over the new protocol. Increasingly, more network security devices will require the latest released versions of their operating systems to support IPv6. However, not all devices are equipped to support the most recent releases, whether due to memory issues or other limitations, and will even require a full forklift upgrade to the latest hardware device to functionally support IPv6. Barring an all-out hardware replacement, legacy systems will become increasingly blind to security threats hidden within IPv6 traffic.

Performance Anxiety: At least for now, the greatly enhanced capabilities provided by IPv6 support often come at a price: much slower performance. The implementation of IPv6 support in a network security device is no trivial undertaking, requiring significant investment in time, resources, research and, like any other technology, several product releases before achieving stable and mature functionality. So in an effort to leap over those hurdles a bit (i.e. reduce the amount of engineering effort and accelerate the time required to bring the functionality to market), vendors will release IPv6 support in software only. However, while IPv6 support may be available, the drawback is that the software-only approach is significantly slower than a hardware-accelerated approach.
