Liam Tung June 08, 2012
HD Moore, chief security officer at Rapid7 and chief architect of Metasploit.
World IPv6 launch day - when businesses, web hosts and equipment manufacturers were encouraged to switch from the old internet protocol version 4 to the new version 6 - came without any noticeable hitch this week, but device owners should disable the protocol until there's a compelling reason to activate it, according to two security experts.
IPv6 will eventually replace IPv4 as the communications protocol that enables internet traffic to move between addresses and past switches, routers and other networking equipment.
The new protocol will deliver a range of inbuilt security features, like IPSec, that should improve authentication and encryption on the web in a way that supports an expansion of web addresses to include things like fridges, toasters, toilets and lights.
But until that happens on a large scale, users are being advised to disable IPv6 in their device's networking options. The reason is simple but has nothing to do with any quality issues or deficiency of IPv6 itself.
"It's a basic security tenet. If you're not using a protocol, then you should disable it," explains systems engineer and Gartner research director, Lawrence Orans.
"Whether you're an enterprise or consumer, if you're running a protocol like IPv6, then it's a security risk because there may be a vulnerability in the implementation or on that particular device and the bad guy could take advantage of it," Orans told ITPro.
So far there hasn't been a compelling reason to enable it, according to Orans. And not enabling it will not stop users connecting to online sites and services because many will use both protocols for a while to ensure connectivity.
"Right now, I can't think of any killer apps that have any practical use."
Yet IPv6 is in many ways already in the hands of consumers and enterprises.
Besides Google, Facebook and Bing, businesses and governments are already activating IPv6 for externally facing web infrastructure in the interest of maintaining a connection to clients that will increasingly have IPv6 addresses.
On the user side, modern operating systems, including Windows Vista and 7, Apple's mobile iOS, Android, and Apple's OS X, enable IPv6 by default.
Meanwhile, dozens of internet service providers (ISPs) switched on IPv6 for good from June 6, and several router makers enabled it by default going forward. That covers fixed-line IPv6, leaving mobile network operators to open up IPv6 to the wireless world.
There's no hard switch for IPv6, but the very real shortage of IPv4 addresses means a mixed IPv4-IPv6 environment that requires 'tunneling' and 'translators' to ensure the separate 'internets' can cooperate.
For enterprises, depending on how sensitive they are to security, this means having to keep a sharp eye on how firewalls, intrusion prevention systems, web servers and SSL load balancers handle IPv6.
"Many of those devices either support IPv6 poorly or some of the features they have don't work properly through v6 as well," HD Moore, chief technology officer of vulnerability testing firm Rapid7, told ITPro.
"You may have an [intrusion prevention system] IPS or another device that does a great job of monitoring traffic in IPv4 mode, but many of these devices don't have the capabilities of running in v6 mode."
For both consumers and enterprises, the transition to a new protocol will pose challenges more akin to change management than a technical upgrade.
"The issue is what happens when you implement it in your network and because you have fewer tools available and less mature [monitoring] tools, then your network is at greater risk," Orans said.