view counter

CybersecurityMove to IPv6 may create a "security nightmare"

Published 9 August 2010

IPv6, the Internet’s next-generation addressing scheme is so radically different from the current one that its adoption is likely to cause severe security headaches for those who adopt it; the radical overhaul still is not ready for prime time — in large part because IT professionals have not worked out a large number of security threats facing those who rely on it to route traffic over the net

The presentations, papers, and demonstrations at the Black Hat-DefCon events are supposed to make us uneasy about the state of cybersecurity, unease which should spur us into action to address the vulnerabilities exposed. Some presentations, though, are downright scary, as was the discussion by Sam Browne of IPv6.

The Internet’s next-generation addressing scheme is so radically different from the current one that its adoption is likely to cause severe security headaches for those who adopt it, Browne said at DefCon. Dan Goodin writes that with reserves of older addresses almost exhausted, the roll-out of the new scheme — known as IPv6 or Internet Protocol version 6 — is imminent. Yet, the radical overhaul still is not ready for prime time — in large part because IT professionals have not worked out a large number of security threats facing those who rely on it to route traffic over the net.

“It is extremely important for hackers to get in here fast because IPv6 is a security nightmare,” Sam Bowne, an instructor in the Computer Networking and Information Technology Department at the City College of San Francisco, said at DefCon hacker conference in Las Vegas. “We’re coming into a time of crisis and no one is ready.”

Chief among the threats is the issue of incompatible firewalls, intrusion-prevention devices, and other security appliances, Bowne said. That means many people who deploy IPv6 are forced to turn the security devices off, creating a dangerous environment that could make it easier for attackers to penetrate network fortresses.

What is more, internet addresses that use the new protocol by default contain a 64-bit string that is generated by a computer’s MAC, or Media Access Control, address. The use of the so-called extended unique identifier means that people who want to remain anonymous online will have to take precautions that aren’t necessary under today’s IPv4 system.

“It means that everything you send or receive is labeled with your real MAC address and therefore if you were to do something naughty, like download copyrighted material, they would know who you are much better than they do if all they have is an IP version 4 address,” Bowne said.

Gooding notes that some operating systems, including Windows Vista and Windows 7, have privacy settings turned on by default that cause the string to be randomly generated. While this setting helps preserve anonymity, it also has the potential to break many

view counter
view counter