As of July 23 at noon EST, one online countdown clock predicts that internet address space, under the most commonly used protocol, will expire in 545 days, seven hours, 55 minutes and 24 seconds.
The Internet Protocol (IP) is one of the primary mechanisms for communicating data across networks. Each computer – or other device that is active on an IP network – is assigned a unique IP address, sort of like a Social Security number, to identify a device and its location on the internet.
The dominant IP standard in use today, Internet Protocol version 4, or IPv4, does not provide enough addresses to accommodate all the users and applications that will require a unique IP address in the future, according to experts. Estimates for when IPv4 space will actually start running out range from as little as one year to five, with most saying it will occur in two years or less. When address space under v4 does begin running out, enterprises that want to expand their networks or add more machines will increasingly have problems obtaining IP addresses, some say.
“It's not here today, but there's a growing danger that the growth of networks might be stalled in the future if people don't migrate to IPv6,” says Craig Labovitz (right), chief scientist at network security firm Arbor Networks.
But fear not, a new protocol deemed the “next generation” of the internet, was designed to alleviate the problem of IPv4 address exhaustion. Internet Protocol version 6 (IPv6) provides a dramatically larger address space than its predecessor – expanding the number of bits in an address field from 32 to 128. Because of this larger address field, IPv6 offers trillions more IP addresses.
Labovitz says that by now, many specifications and documents about how the system, under development for about 15 years, should work are mature. Moreover, a number of carriers are offering commercial IPv6 services.
“Like the transition to HDTV [high-definition television], part of the evolution was persuading people to buy a different TV, stations needed to be updated, the whole system had to change,” Labovitz says. “The same thing is true with IPv6. Things within enterprise networks, carrier networks, lots of different applications and many, many different things running in the background deep within the core of the internet, needed to change. It's a complex undertaking with many moving parts.”
But what does this mean for IT security professionals? For starters, IPv6 is more secure, says Michael Warfield (left), senior researcher and fellow at IBM Internet Security Systems (ISS). The massive size of the IP address space makes it nearly impossible for a malicious attacker to run a comprehensive scan for vulnerabilities, Warfield says. Consequently, the impact of worms and other malware that depend on network scanning techniques are limited in an IPv6 world.
“Now, you can scan v4 almost end to end – I see it every day,” Warfield says. “You can't do that with v6. It's too huge.”
Additionally, IPv6 eliminates a certain type of distributed denial-of-service (DDoS) attack. Because IPv6 does not implement a concept called “broadcast,” which is the ability to send information to all nodes on a network, the protocol eliminates a class of DDoS known as “smurf,” which uses broadcast addresses.
Also, Internet Protocol Security (IPsec), a model for securing IP communications with authentication and encryption, was developed for IPv6 and is required on all implementations. IPsec, which offers the capability of end-to-end encryption, is integrated into IPv6, but has to be built into IPv4 infrastructures.
But, some say that the inclusion of IPsec doesn't necessarily make IPv6 more secure than IPv4 because of heavy adoption of another security model called Domain Name System Security Extensions (DNSSEC). Also, IPsec itself has become more popular and widespread than the protocol it was designed for.
(Not) everyone's doing it
Despite the benefits of IPv6, it is not widely deployed, experts say. Within the United States, the most vocal early adopter of the protocol has been the federal government, which has maintained an active discussion about IPv6 since 2003. On June 30, 2008, the White House Office of Management and Budget (OMB) announced that all major agencies met a deadline for successful adoption of IPv6.
Since that milestone, the government's activity around the technology has not stopped. Federal agencies have been responsible for taking IPv6 into account when modernizing their infrastructures, says Peter Tseronis, acting associate chief information officer at the U.S. Department of Energy and chair of the Federal IPv6 Working Group. Because of the impending depletion of IPv4 addresses and the promise that IPv6 offers, agencies were encouraged to move forward with IPv6 integration and begin the process of planning for a phased incorporation of applications and users.
In December 2009, the Federal Acquisition Regulation, used by all federal executive agencies in the acquisition of supplies and services, was amended to require that all newly procured IP-enabled IT products be capable of IPv6. To support agency plans for adoption of the protocol, the National Institute of Standards and Technology (NIST) developed additional standards, called the U.S. Government version 6 (USGv6), outlining the capabilities and requirements newly procured products must meet with respect to IPv6.
The USGv6 standard went into effect this July, reigniting the discussion of IPv6, says Tseronis. To sell to federal agencies, IT vendors must now ensure their IP-enabled products are USGv6 compliant.
Besides the federal government, telecommunications organizations, along with some educational institutions, airlines and smart grid providers, have begun transitioning to IPv6, says Guy Snyder, secure communications program manager at ICSA Labs, an independent division of Verizon Business that tests and certifies information security products.
Overall, interest in IPv6 is at an all-time high, says Nick Edwards, senior product manager at Cisco Systems. Customers realize that as their networks evolve, they have to be able to capitalize on the capabilities IPv6 offers, he adds.
Some organizations are building comprehensive IPv6 networks from the ground up, Edwards says. More often, organizations, like the U.S. government, looking to expand operations to IPv6 are doing a phased introduction with both protocols coexisting on their networks, experts say.
But, by all accounts, most U.S. organizations have not yet taken advantage of IPv6. Further, the majority have no plans to do so, Snyder says.
“Your main businesses within the states aren't [implementing IPv6],” Snyder says. “A lot of financial institutions have not taken this seriously – although they are hearing about the need. General manufacturing has not seen a need for it.”
Ignorance is bliss
Today, IPv6 is present on most modern networks – whether network administrators are aware of it or not, he adds. It is now enabled by default on Microsoft's Windows 7 and Vista, for example.
But, because many network administrators have put IPv6 on the back burner, they may be unaware of IPv6 traffic on their networks, experts say. Attackers could potentially use this unsecured entryway to exfiltrate data out of an organization.
“The main threat from IPv6 is ignorance,” says IBM's Warfield. “They don't know it's on their network.”
Another concern is that enterprises and internet service providers have spent the last decade building up their network defenses with a host of layered security technologies that now may only work on IPv4, says Arbor Network's Labovitz.
All commercial-grade, enterprise-class firewalls should provide support for IPv6, but other technologies, such as SIEM and IPS, may not, says Lawrence Orans, research director at Gartner.
“It's very important that security professionals be aware that IPv6 support is varied,” Orans says.
Since deployment of IPv6 is so meager, vendors are not getting pressure from their clients to secure it. ICSA Labs' Snyder says that for the past three years, he has been putting pressure on security companies to provide support and, he says, their customers should do the same.
But while some IT vendors have been slow to provide support, cybercriminals were early adopters and already have developed a variety of attacks taking advantage of it, experts say. “They are ahead of us in this game, and their skills in IPv6 are better than ours,” says Warfield.
Currently, the amount of attack activity on IPv6 is much lower than IPv4, since the protocol is used far less. Attackers are still successful on IPv4, so for the most part, they don't yet need to launch attacks that take advantage of IPv6, experts say. But when IPv6 becomes more widespread, attackers will be ready, says Warfield. Plus, going forward, the threats associated with IPv6 are only going to get worse, he adds. “The time for ignoring it is long over,” he says.
IT professionals still have time to learn about IPv6 and should be taking steps to do so now, says Cisco's Edwards. Organizations should be developing a timeline for their transition to the protocol, recognizing that the transition does not have to be a complete facelift. It can be a staged rollout.
“There is familiarity with IPv6, but the majority of enterprises don't have the appropriate level of expertise,” says Arbor Networks' Labovitz. “Now is the appropriate time for enterprises to begin talking with their carriers, setting up trial networks, dipping their toes in the water and begin to experiment and understand the scope of a future migration.”
Never missing an opportunity to exploit a topical event, cybercriminals will undoubtedly craft scams and frauds related to the impending IPv4 address exhaustion, according to researchers at anti-virus firm Trend Micro. Attackers will likely prey on unprepared users and concern over network instability through scams that promise to convert existing IP addresses to IPv6, or guarantee a user be able to keep their existing IPv4 addresses for a certain amount of money.
When IPv4 address space does begin dwindling down within the next few years, there will be a rush to buy IPv4 addresses, experts warned. At that point, these will be increasingly difficult or expensive to obtain, some say. Consequently, there is the potential for gray or black market dealings for IPv4 addresses, which could lead to IP hijacking, in which cybercriminals take over groups of IP addresses by corrupting internet routing tables. Attackers may use the addresses for spamming or launching distributed denial-of-service attacks.
“An offer to buy unused IPv4 space for a seemingly large payout may be legitimate,” Ben April, advanced threat researcher at Trend Micro, wrote in a recent blog post. “However, you will still be the registered owner of that block in the Whois and RIR databases. Any malicious activity found there may invite a knock on the door from a government agency.” – AM