Friday, 2 August 2013

IPv6 Insecurity

Vint Cerf - one of the founders of the Internet - quipped last year that the current IPv4 Internet is the experimental version, and that IPv6 is the production version.  If this is true, then approximately 100% of businesses are still on the beta release and have no plans to move to production.  How can this be, in a world of 36 month IT replacement cycles, when IPv6 has been deployment ready since 1999?

There are a number of reasons, some technical, some psychological, but all to do with security.

Reason #1: Making unnecessary changes breaks things.  There is no compelling reason even today to move to IPv6.  The total number of IPv6 *only* services is approximately none, so not migrating does not limit anything.  Sure we will eventually run out of IPv4 address space, but I predict we will make do at least until 2020.

Reason #2: Complexity reduces security.  Not everything supports IPv6, so deployment requires a dual-stack approach, which significantly increases complexity, and therefore decreases security.  While this is true today, given a 36 month IT replacement cycle, everything will eventually support it by 2016.

Reason #3: We don't understand it.  This is the real reason for the lack of adoption.  IPv6 is not just IPv4 with longer addresses.  It does some things very differently than IPv4, and breaks the well-understood IPv4 security model.  There is no NAT.  There is no ARP.  Multicast matters.  ICMP matters.  We could fix this today, but it will take a generational change of CIOs to really embrace it.  Maybe it won't be scary by the Unix timestamp rollover in 2038.

Interestingly for those of us with a few grey hairs, we've been here before.  We made this same transition from IPX to IP in our Novell networks 20 years ago, but with one very significant difference.  We didn't dual-stack.  On a flag day we just changed all the configurations and got on with it.  But we can't do that this time, because now everything is interconnected, and the risk of cutting ourselves off today is much higher than the risk of running out of addresses at some point in the future.

IPv6 is definitely the future.  While the future is already here, and not very evenly distributed, for most of us the time is just not right.

Phil Kernick Chief Technology Officer

No comments:

Post a Comment