While many large organizations have hooked their plans on change over to the ISOC launch date, legions of companies have already been leveraging IPv6 WAN connectivity. Most mobile providers who have adopted LTE 4G infrastructures have built around this networking principle already with mobile devices, by default, connecting to the Internet via IPv6 assignments.
It’s well known, however, that a 4G phone must also be 3G compatible and must also be able to regress to IPv4 published websites as not to upset the end-user community. Thus all we really have done, and much to the chagrin of the initial designers, is somehow weave IPv6 into the existing IPv4 Internet.
Bottom line: Because IPv4 is not going away and many estimate that it will take 10 years (or longer) for the natural death of IPv4 to occur, we will essentially live in perpetuity with both designs.
A new dawn? Or the beginning of the end? To be honest, it’s neither. The interoperability issues between IPv4 and IPv6, however, opens a Pandora’s Box of opportunity for those of the nefarious persuasion. Much has been written about this including from my colleague Ron Meyran who addresses specific IPv6 vulnerabilities that will remain and are likely to be with us indefinitely.
So, what are the three main takeaways from this event?
Take away #1: IPv6 will first be implemented on the WAN, IPv4 will continue to remain in the LAN for years to come
OK, so the ‘big boys’ – Google, Facebook, DNS and CDN providers – are all moving to IPv6 default systems via WAN connectivity. And many, if not most ISP’s are following fast or already there. However, nearly no one has made the transition to IPv6 for LAN. There are many reasons for this, but probably the most notable is that there really is no concept for IPv6 NATing, which would mean that most companies would need to go back to the drawing board for their LAN to transition to IPv6.
Realizing that IPv6 will be adopted at an ever-increasing rate on the Internet WAN operations, and it will be very slow to take hold for LAN operations, that means this will wreak havoc on perimeter security!
If we go back to Ron’s blog post we find out that there really is a huge problem associated with IPv4 and IPv6 cohabitating. The problem is twofold:
Problem #1 – There is no good security detection or mitigation for encapsulated traffic.
Problem #2 – All of yesterday’s exploits, in theory, can be tunneled through the perimeter if someone knows how to properly package the exploit in today’s new transmission transition packaging.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.