There was an error performing the search

The domain is available. Register domain

Registration verified by ISNIC

Signed Not signed
Registration verified by ISNIC


Jun 5, 2012

The IPv6 digital dilemma

We are now entering the time of permanent IPv6 presence. 6th june is ‘IPv6 Launch Day‘ and following this, we’ll expect quite a large number of companies enabling IPv6 on their services, lots of ISP’s will make IPv6 available to their customers and you need to ask now, are you ready to accept the new and improved, the unknown and available, secure and open network standard now, later or never?
My first impression of IPv6 after reading some material was, ‘yes and no’, and it still is. I’ve made steps to improving my setup, I’ve tested and tested and still remain hesitant because I cannot suggest to anyone, neither home users or companies that they implement IPv6 now… But if your decision is to try and test, I can make some suggestions…
Whatever they say about stuff included with IPv6, IPsec, protocol differences etc., remember it’s only as secure as your least secure item on the network – so find your lowest common denominator and figure out how you’ll apply security and some will find easy ways of doing monitoring and auditing, while others will quickly notice that they’ve got none at all.
Lots of users will have hands on experience with their loggers, Event Viewer, syslog, console log etc. But there will be new issues with IPv6. My immediate realization and my experience:
Several accidental issues popped up after IPv6 enabled services where introduced, i.e. the service is implemented and tested and the AAAA record is added to the DNS and the service starts to popup *and failing*, why?
If you think you’re part of a network which is *too large to scan* – because your smallest network is 64 bits large, and your machine or server is hidden somewhere – remember many devices are servers, and will present AAAA records and PTR records may give away some information. A local machine will be able to discover the neighbours, so your immediate danger of ‘scanning’ is already a part of your neighbourhood. Also, this is all about discovery and when you start accessing services, you’ll start to leave your footprints and your digital fingerprint will be all over the internet and a port scanning device, sniffer or data mining tools will start collecting IPv6 addresses and information. Remember that the default setup for router advertisments will use your network cards MAC address (ethernet address) and when you move to a new network, you’ll already carry a identifier which can be datamined. IPv6 does have some methods of randomizing your IPv6 address for security. This will of course make it more difficult to maintain AAAA and PTR records and some services will refuse connection from addresses missing the PTR records or have a mismatch between AAAA and PTR (RFC931).
One contingency plan was to make the address space enourmously large, but it will be filled. Several vendors, users and companies will simply make lots and lots of networks, spend their CPU cycles in routing and ACL’s for a simpler setup, but it’s not a good solution. It’s an situation where a secure webserver may be hosted in a dedicated /64 network because we can’t as yet break it down to /120 and then manage that by ACL on the routing level BUT we can do it on a local level – if you implement strict policies, know your devices and have trustworthy management and auditing, but it’s a management nightmare which needs solutions. There will be many views on how to implement security and they are all important because security will be required.


My suggestions?
Björn R. (My opinions are my own)