I was honored to be invited to talk with Ed Horley and Scott Hogg on this week’s packetpushers podcast about Overcoming the Big Three Objections to IPv6 Adoption.

We discussed the three main objections that I face when engaging with Erion’s clients in IPv6 deployments and how I respond to them. In particular, we discussed the differences between business and technical objections and the importance of responding in terms that are meaningful to the audience.

I also suggested a number of important points that are useful to make when justifying IPv6 adoption projects.

Overcoming the Big Three Objections to IPv6 Adoption

We are pleased to announce a new and even more comprehensive version of our IPv6 Forensics training course. The new course is five days long rather than four and we have included even more material and exercises to an already extensive and detailed course.

This course is designed for network security professionals and network forensics practitioners who wish to learn about IPv6 forensics. Attendees first learn about the basic principles of forensics, before proceeding to examine all aspects of IPv6 to determine where and how to obtain IPv6 forensics evidence. The course also covers a considerable number of important security and forensics tools and shows how forensics practitioners can use those tools to analyse IPv6 incidents.

Each module includes step-by-step practical exercises showing how to use each tool and extensive practice analysing simulated incidents. These tools include: packet capture tools, flow capture tools, system and application logging tools, intrusion detection systems and security systems. The course also includes how to configure and use Elasticsearch to capture and analyse a large set of different IPv6 evidence ranging from flow data to application data.

As always with Erion courses, this course includes comprehensive manuals consisting of a course manual, an exercises manual and an exercise solutions manual (over 530 sides in total).

For full details of this course see the IPv6 Forensics 5 days course description. For upcoming public training events see our training schedule here. If you do not see a location or date that meets your requirements, then please contact us to discuss what we can do with you. This course is also available in a virtual classroom and as a closed on-site event.

In January, I was honored to be invited to speak on IPv6 security at the UK Network Operators Forum (UKNOF42). The UKNOF is a not-for-profit organisation seeking to improve co-ordination between IP network operators in the UK to enhance the efficiency and stability of the UK’s network infrastructure. Their events attract a wide range of presenters, mainly from the UK. They are an excellent opportunity to share knowledge and best practice with other network operators on network operations and security.

The full list of presentations can be found here.

My presentation (video/slides) was a comprehensive overview of IPv6 security, why it needs to be taken seriously, how it differs from IPv4, the problems it presents and current IPv6 security techniques and best practice.

On a recent flight to the US I sat next to the IT director for a global corporation. He asked me why I was travelling, to which I answered that I was giving the keynote presentation at an IPv6 conference held by the US Federal government. Without hesitation, his response was “IPv6 is not even on my radar”.

This set me thinking about blockers to IPv6 adoption and how we can address them. First, I spoke about this at the UK IPv6 Council’s annual meeting in December 2017 (slides, video).

More recently I have expanded upon this important topic in two posts: one on the APNIC blog and one, to mark the World IPv6 Day anniversary, on the RIPE Labs blog.

After over twenty years of working with IPv6 we have reached the point where not only is IPv6 mature, widely implemented and deployed, but also where the gradual deterioration in the legacy IPv4 Internet is becoming a driver for adopting IPv6. What remains is to demonstrate that the blockers to IPv6 adoption are not as significant as some believe. Take a look at my post and let me know what you think.

I was delighted to be invited to speak at this year’s Global IoT Summit in Bilbao, Spain. The GIoTS is a gathering of many of the world’s foremost IoT experts and an opportunity for those working in the area to meet and exchange ideas.

Cybersecurity is of particular importance to IoT, where numerous low-powered devices are often interfacing with and controlling critical systems in our daily lives. It is essential that these systems are secured even though the resources available on each device for security are constrained by functionality, capacity and power.

My presentation, which you can find here, sought to provide an overview of the IoT cybersecurity challenges and technologies. I focused on IPv6-based IoT solutions implemented using 6LoWPAN. 6LoWPAN is rapidly becoming the primary networking technology for IoT systems.

Further information on the IEEE Global IoT Summit can be found here.

NEW DATES Erion are delighted to announce new dates for their advanced IPv6 training course focusing on deploying and securing IPv6 networks and systems.

Our Implementing and Securing IPv6 course provides you with all that you need in order to plan for, design, deploy and secure IPv6 in your network.

Implementing and Securing IPv6 is one of our most popular IPv6 training courses.

This is an advanced technical course that is ideal for all technologists interested in learning how to both deploy and secure IPv6. This course is constantly updated in line with the latest IPv6 standards and products. This course has over 19 years of continuous development.

IPv6 training is becoming increasingly relevant in 2017 with the exponential growth in the deployment of IPv6 and the increasing deterioration of the legacy IPv4 Internet.

Deploying IPv6 not only future proofs your network but it also brings with it the opportunity for performance, functionality and operational improvements. For example, Facebook found that end users using IPv6 experience a 15% performance improvement over end users using IPv4. Also, in the long term, IPv6 is the only protocol suitable as a basis for the Internet of Things (IoT).

Furthermore, we are already reaching the point where organisations are not only considering moving to IPv6-only networks but have already deployed such networks. Microsoft, Facebook, LinkedIn and Cisco are amongst those who have deployed or are in the process of deploying IPv6-only networks.

IPv6 is very different from IPv4.

The common belief that IPv6 is IPv4 with longer addresses is wrong. IPv6 is made up of many new features and functions which are often widely and subtly different from those in IPv4. Even IPv6 addresses are significantly different from IPv4 addresses, not just in size, but in how they are structured, their types, their attributes, how many there are and how they are used. It is crucially important when deploying and securing IPv6 to move away from legacy IPv4 thinking and fully appreciate the differences from IPv4.

Course Details

Course: Implementing and Securing IPv6
Duration: 5 days
Location: London, UK
Dates: 29th January to 2nd February 2018
Exercise platforms: Linux (default), Cisco IOS, Windows
Delegate Fee: £2,195.00 (GBP) + VAT if applicable


Erion is the world’s leading IPv6 training company. With over 19 years’ experience of providing IPv6 training and IPv6 consultancy services, Erion has the world’s most comprehensive portfolio of IPv6 training courses. Erion’s courses cover all aspects of IPv6 on all major operating systems and platforms.

All Erion’s IPv6 training courses are Gold certified by the IPv6 Forum. Our IPv6 security courses are also IPv6 Security certified from the IPv6 Forum.

This course will be delivered by Erion’s chief consultant Dr David Holder.

Instructor Bio: Dr David Holder CEng FIET MIEEE

Dr Holder has over twenty-eight years’ experience in the IT industry in senior technical and management posts. He is currently the CEO and chief consultant at Erion Ltd, the world-leading IPv6 training and IPv6 consultancy company.

In his role at Erion, Dr Holder has had over nineteen years’ experience providing IPv6 consultancy to leading global organizations worldwide. He has assisted organizations to develop IPv6 strategies, enable IPv6 in their products, create IPv6 address schemas and deploy IPv6. His experience covers all major networking and operating system platforms. Clients include Alcatel Lucent, Arbor Networks, Atos Origins, Brocade, BT, Dell, Ericsson, HP, IBM, Sony and Sophos. He is the author of white papers, solution guides, books and training courses on IPv6 and related topics. Recent papers include two published by the UK telecommunications regulator Ofcom on IPv6 and CGN.

In addition to his role at Erion, Dr Holder is active in promoting IPv6 both in the UK and abroad where he is a regular speaker at IPv6 related conferences. He is the chairperson of the IPv6 Task Force Scotland, founder of the IPv6 Future Enabler conference and is a regular speaker at Global conferences on IPv6.

Dr Holder has a PhD in High-Frequency Semiconductor Physics and an Honors degree in Electronic Engineering. He is a Chartered Engineer, a Fellow of the Institute of Engineering Technology and a Member of the IEEE. He holds several industry qualifications.

Please contact us for further details.

Erion’s David Holder is honoured to have been invited to give the keynote address at next week’s Fedv6 conference in Washington DC.

Fedv6 is the organisation working within the US government to promote and deploy IPv6. The Federal government has a long history of working towards the adoption of IPv6. Towards this end they set two goals: firstly, to IPv6-enable public services by 2012 and secondly, to deploy IPv6 internally by 2014.

Many good things have come out of the USG’s IPv6 efforts. These include useful documentation, guidance and tools. Back in 2008, NIST created the USGv6 Profile. This is a profile for IPv6 within the US government. In 2009, the Federal Acquisitions Regulation (FAR) made IPv6 a requirement in all purchases except where there is an explicit waiver. This step helped avoid funds being wasted on products that could not support IPv6.

In addition to all of this, NIST created a web-site that monitored the deployment of IPv6 on public services such as web-sites, mail servers and DNS.

Further information about the Fedv6 taskforce and the progress of IPv6 within the US government can be found in Kevin L. Jones’ recent presentation at the North American IPv6 Task Force (NAv6TF).

For those interested in the pressing issue of IPv6 security and wanting a high-level overview of the challenges and security features of IPv6, the video from Erion’s David Holder’s recent presentation at the UK IPv6 Council’s IPv6 Security Workshop is now available on YouTube. The slides and a brief summary of the presentation can be found here.

If you want to learn more about IPv6 security and IPv6 in general then why not contact us for details of our IPv6 training and IPv6 consultancy or attend one of our IPv6 courses such as the one we are running in the UK in September.

Course Details

Course: Implementing and Securing IPv6
Duration: 5 days
Location: Edinburgh, UK
Dates: 25th to 29th September 2017
Exercise platforms: Linux (default), Cisco IOS, Windows
Delegate Fee: £2,195.00 (GBP) + VAT if applicable


NEW Erion are delighted to announce a new advanced IPv6 training course focusing on network forensics for IPv6 networks and systems.

This course is designed from the ground up to provide forensic investigators and network security professionals with all that they need to carry out effective IPv6 forensic investigations. In today’s cyber security aware environment, network forensics is playing an ever increasing role in investigating incidents. The significant growth in IPv6 within enterprise networks, the Internet of Things and the widespread deployment of IPv6 on the global Internet means that many current and future incidents will involve network forensics in IPv6 environments.

The often complex and varied differences between IPv4 and IPv6 mean that there is a very real need for investigators to learn about IPv6 and adapt their existing skills for IPv6 networks as well as understanding where new tools and approaches are required.

This course covers all aspects of IPv6 network forensics and provides both a grounding in advanced network forensics techniques and in the IPv6 technologies and tools that are available to assist investigators. The course includes details of the relevant aspects of the IPv6 protocols, implementations and operations pertinent to gathering evidence.

The IPv6 Forensics course is run over 4 days and contains twelve comprehensive modules. Each module has extensive hands-on practical exercises so that delegates can explore and gain experience with the techniques and tools taught in the course.

Erion can provide this course on-site at your premises or you may wish to attend one of our public runs of the course. If you wish we can create a tailored IPv6 training programme for your organisation that includes modules from this and any other of our many IPv6 courses. We can also accompany the training with specialist IPv6 consultancy.

The full course description can be found here.

Please do not hesitate to contact us for further information.

Erion’s David Holder provides an insight into the recent IPv6 Security Workshop

I was privileged to be invited to speak at this year’s IPv6 Security Workshop arranged by the UK IPv6 Council. The event, held at the BT Centre in central London, was oversubscribed well in advance with around 170 delegates registered. This was the largest subscription for any IPv6 Council event to date and the speediest registration yet! The speaker line-up included many leading IPv6 security experts, those involved in developing IPv6 security standards, the National Cyber Security Centre and a range of industry experts. We were all delighted to see such a high level of interest in IPv6.

In my introductory presentation, I gave a quick, but comprehensive, overview of the fundamentals of IPv6 Security. You can view the slide deck here. For those who were not able to attend, here are a few highlights.

IPv6 Security Fundamentals

The first crucial point to appreciate is that IPv6 is everywhere. It is the default on all major operating systems and is widely deployed across the Internet. Further, its growth is exponential and at the current rate all Internet users will be using IPv6 by 2020. If you have IPv6 today you will find that over 75% of your traffic will be carried by IPv6 rather than IPv4.

Even if you have not deployed IPv6 it is important to understand that most of your current networks are IPv6 ready and are IPv6 enabled by default. All modern operating systems contain IPv6 stacks. These are on by default. Operating systems will use IPv6 if they possibly can. This means two things: firstly, the majority of security vulnerabilities associated with IPv6 are on your networks today even if you have not deployed IPv6, and secondly, if you look on your networks you will see IPv6 traffic. Therefore it is essential that you implement IPv6 security; ideally you should have done this over a decade ago when IPv6 was already widely implemented in common operating systems. It is not sufficient to, as some suggest, turn off IPv6, partly because modern operating systems are IPv6 operating systems and also because turning off IPv6 is often an unsupported configuration.

There are two, possibly three, widely held misconceptions regarding IPv6 and IPv6 security. The first two are:

Misconception 1: IPv6 is more secure than IPv4

Misconception 2: IPv6 is less secure than IPv4

Dual Stack IPv6

Both of these are wrong. They both assume that a comparison between IPv4 and IPv6 is meaningful; it isn’t. The reason is simple: in our networks there are no IPv4 stacks, all stacks are IPv6 stacks. Therefore, whether you are using IPv6 or not, the vulnerability surface of your IPv4 network is practically identical to that of an IPv6 network. There is a combined vulnerability surface consisting of IPv4 and IPv6 vulnerabilities. Comparing the two is therefore meaningless.

There is another major misconception that is relevant to IPv6 security and that is,

Misconception 3: IPv6 is IPv4 with longer addresses

It isn’t. IPv6 has many complex and subtle differences from IPv4. It is a new protocol with many new features. Even in those areas that are superficially the same as IPv4 there are surprising differences. As a result what is often best practice in IPv4 is not best practice in IPv6.

Even IPv6 and IPv4 addresses are very different and not just in their length. For example:

  • NEW New attributes: length, scope and lifetimes
  • NEW It is normal for IPv6 interfaces to have multiple addresses
  • NEW IPv6 addresses can change over time
  • DIFFERENT Multicast is very important in IPv6
  • NEW There are large numbers of methods for assigning interface identifiers
  • DIFFERENT How addresses are used and managed are different
  • DIFFERENT Global public addresses are the norm
  • NEW And of course there are a huge number of addresses

These differences, and that includes all the differences, not just those relating to addresses, have a direct impact on the IPv6 vulnerability surface and the mitigation techniques required for IPv6.
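To make the address attributes listed above concrete for log analysis, the following added example (not code from the original post) classifies IPv6 addresses by scope and interface-identifier type, recovers a hardware address from an EUI-64 identifier, and extracts the IPv4 addresses embedded in 6to4 and Teredo addresses. It goes slightly beyond the list by covering transition-mechanism prefixes; all sample addresses are constructed from documentation ranges, and the interface-identifier labels are heuristics chosen for this example.

```python
import ipaddress

ULA = ipaddress.IPv6Network("fc00::/7")  # unique local addresses


def scope_of(ip: ipaddress.IPv6Address) -> str:
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip in ULA:
        return "unique-local"
    return "global"


def interface_id(ip: ipaddress.IPv6Address):
    """Heuristically label the low 64 bits; return (label, recovered MAC or None)."""
    iid = ip.packed[8:]
    if iid[3:5] == b"\xff\xfe":
        # Modified EUI-64: ff:fe was inserted mid-MAC and the U/L bit was flipped.
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        return "eui-64", ":".join(f"{b:02x}" for b in mac)
    if int.from_bytes(iid, "big") < 0x10000:
        return "manual-or-low", None
    # Temporary (privacy) and opaque static identifiers both look random here.
    return "opaque-or-temporary", None


def classify(text: str) -> dict:
    ip = ipaddress.IPv6Address(text.split("%", 1)[0])  # drop any zone id
    out = {"scope": scope_of(ip), "transition": None,
           "embedded_ipv4": None, "iid": None, "mac": None}
    if ip.teredo is not None:
        server, client = ip.teredo  # client address is de-obfuscated by the library
        out.update(transition="teredo", embedded_ipv4=[str(server), str(client)])
    elif ip.sixtofour is not None:
        out.update(transition="6to4", embedded_ipv4=[str(ip.sixtofour)])
    elif not ip.is_multicast:
        out["iid"], out["mac"] = interface_id(ip)
    return out


def group_by_mac(addresses):
    """Correlate addresses that expose the same hardware address."""
    groups = {}
    for text in addresses:
        mac = classify(text)["mac"]
        if mac:
            groups.setdefault(mac, []).append(text)
    return groups


# Constructed sample addresses (documentation prefixes, not from any real log).
SAMPLE_ADDRESSES = [
    "fe80::211:22ff:fe33:4455%eth0",
    "2001:db8:1:2:211:22ff:fe33:4455",
    "2001:db8:1:2:a4f3:9c1e:77d0:5b21",
    "2001:0:c000:201:8000:63bf:34ff:8efa",
    "2002:c000:204::1",
    "fd12:3456:789a:1::10",
    "ff02::1",
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRESSES:
        print(a, classify(a))
    print(group_by_mac(SAMPLE_ADDRESSES))
```

Only the two EUI-64 addresses can be tied to one interface from the address alone; the random-looking identifier needs other evidence, such as neighbor cache or DHCPv6 records, to be attributed.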

Whilst it is not possible to list all the IPv6 vulnerabilities it is useful to get an idea of where the problems lie. The slide below shows a rough approximation of the IPv6 vulnerability surface. It is not complete and it cannot show how probable or how significant each of the risks is. What it does show is how many new and different areas there are that need to be considered when implementing IPv6 security.

IPv6 Vulnerability Surface

In the presentation, I went through a number of key areas to illustrate three things: first, that IPv6 is significantly different from IPv4; second, that some of the areas of vulnerability shown in the above diagram contain many vulnerabilities themselves; and finally, that not everything is worse. Some things are better than IPv4. Of particular note is the area of scanning and reconnaissance. In IPv4, scanning a whole network is simple and fast. In IPv6, it is impractical to directly scan every address in an IPv6 subnet. This is because testing every address in an IPv6 subnet would take hundreds of thousands of years even on Gigabit networks. This is not to say that attackers cannot discover the addresses of IPv6 nodes; they can, it is just much more difficult for them to do so. However, do not forget that all of the vulnerabilities of IPv4 exist in the IPv6 dual stack; therefore, even though scanning IPv6 might be difficult, if nodes also have IPv4 addresses it is still trivial for an attacker to find those nodes from their IPv4 addresses.

When designing and implementing your IPv6 security policy you should pay particular attention to those areas that are listed as new in the diagram. Those areas that are similar to IPv4 are often mitigated in IPv6 using the same techniques that are common in IPv4. Therefore, you should begin by ensuring that the security techniques that you use for IPv4 are also implemented for IPv6. For example, you should use ingress and egress filtering in both IPv4 and IPv6 and you should use unicast reverse path forwarding in both.

In terms of the many differences in IPv6, you need to pay particular attention to the NEW areas in the diagram. Of these, the increased end-to-end transparency, extension header attacks, neighbor discovery attacks and transition mechanism attacks are of particular importance, but this is not to say that you can ignore the other areas. In the presentation I went through each of these and gave specific examples of the types of vulnerabilities. Here are five of the areas that I covered:

  • End-to-end Transparency - Public addresses are the norm, there is no NAT44. Firewalls are necessary (as they are with IPv4).
  • ICMPv6 - Much more complex and critical than ICMPv4. Requires more complex security techniques.
  • Extension Header Manipulation - Whilst the IPv6 header is simple, extension headers that carry options are extremely complex and can be used by attackers in a variety of ways even to hide attacks from security devices.
  • Neighbor Discovery Protocol - NDP is very important to the operation of IPv6; it is also complex. It introduces a number of vulnerabilities to IPv6 nodes and subnets. Securing against these is especially important.
  • Transition Mechanisms - The huge number and complexity of transition mechanisms in itself increases the vulnerability surface. Worse, these create complex interactions between IPv4 and IPv6 and some are standard on many operating systems. Mechanisms such as Teredo are designed to tunnel through IPv4 NAT and firewalls raising the possibility of Teredo being used to circumvent perimeter security.

I then gave a whirlwind tour of IPv6 security features and their pros and cons. Briefly these were:

  • IPsec - Largely the same as IPsec in IPv4. The one key difference is how it is used. The absence of NAT44 in IPv6 makes IPsec transport mode more practical than in IPv4 changing the way IPsec is used.
  • Privacy Addresses - Useful (and the default on many platforms). The temporary nature of privacy addresses has significant implications for operational management including IPv6 Forensics, audit and legal intercept.
  • Opaque Static Addresses - Useful (and becoming the default). Avoids linking IPv6 addresses to hardware addresses.
  • SeND and CGAs - Secure Neighbor Discovery (SeND) and Cryptographically Generated Addresses (CGAs) are not widely implemented in many operating systems.
  • RA-Guard - Extremely useful protection against rogue IPv6 routers, but can be circumvented using extension headers.
  • DHCPv6-Shield - Extremely useful protection against rogue DHCPv6 servers, but can be circumvented using extension headers.
  • Neighbor Discovery Inspection - Extremely useful protection against attacks against Neighbor Discovery, but can be circumvented using extension headers.
  • MLD Snooping - Useful for limiting the effectiveness of multicast attacks. Primary use is to improve LAN multicast performance.
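The point made under Extension Header Manipulation and again for RA-Guard above is that a filter which only checks the Next Header field of the fixed IPv6 header does not see what follows any extension headers. The added example below (not code from the original presentation) contrasts that weak check with an inspector that walks the whole header chain and drops a first fragment that does not contain the full chain, the approach recommended in RFC 7112 and RFC 7113. The host-facing-port policy, function names and test packets are assumptions constructed for this example.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HBH, ROUTING, FRAGMENT, AH, ICMPV6, NO_NEXT, DEST_OPTS = 0, 43, 44, 51, 58, 59, 60
EXT_HEADERS = {HBH, ROUTING, FRAGMENT, AH, DEST_OPTS}
RA_TYPE = 134  # ICMPv6 Router Advertisement


def naive_is_ra(pkt: bytes) -> bool:
    """Weak check: only looks at the Next Header field of the fixed header."""
    return len(pkt) > 40 and pkt[6] == ICMPV6 and pkt[40] == RA_TYPE


def inspect(pkt: bytes) -> dict:
    """Walk the whole header chain; verdict for a host-facing port (assumed policy)."""
    chain = []

    def result(verdict, reason):
        return {"verdict": verdict, "reason": reason, "chain": chain}

    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return result("drop", "not a complete IPv6 header")
    nh, off, first_fragment = pkt[6], 40, False
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            break  # chain runs past the bytes we hold; handled below
        chain.append(nh)
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:  # fragment offset != 0
                return result("pass", "non-first fragment, upper layer not visible")
            first_fragment, length = True, 8
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4  # AH length field: 4-octet units minus 2
        else:
            length = (pkt[off + 1] + 1) * 8  # 8-octet units, not counting the first 8
        nh, off = pkt[off], off + length
    if nh in EXT_HEADERS or (nh != NO_NEXT and off >= len(pkt)):
        where = "first fragment" if first_fragment else "packet"
        return result("drop", f"header chain not contained in {where}")
    if nh == ICMPV6 and pkt[off] == RA_TYPE:
        return result("drop", "router advertisement on host-facing port")
    return result("pass", f"upper-layer protocol {nh}")


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed test packet fe80::1 -> ff02::1 (sample data, never sent)."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload


RA = bytes([RA_TYPE, 0]) + bytes(14)                  # checksum left zero; not validated here
DEST = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])           # Destination Options: next=58, PadN
FRAG = struct.pack("!BBHI", DEST_OPTS, 0, 1, 0x1234)  # offset 0, M=1, next=Dest Options

SAMPLES = {
    "plain_ra": ipv6(ICMPV6, RA),
    "ra_after_dest_opts": ipv6(DEST_OPTS, DEST + RA),
    "first_fragment_short_chain": ipv6(FRAGMENT, FRAG + DEST),
    "tcp": ipv6(6, bytes(20)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, naive_is_ra(pkt), inspect(pkt))
```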

I finished by suggesting that the real security benefits of IPv6 will only be seen when we get rid of IPv4 and move to IPv6-only networks. Indeed, some organisations are already moving to IPv6-only networks, mainly for operational and cost reasons. Moving to IPv6-only networks will also have security benefits. By removing all of the IPv4 and transition mechanism vulnerabilities, it will be possible to make full use of the security features of IPv6.

The key high-level points to take away from my presentation were:

  • IPv4-only networks are historic, they rarely exist today
  • IPv6 should already form a part of your security policy today
  • IPv6 has introduced many new vulnerabilities and features
  • IPv6-only networks will have fewer vulnerabilities
  • Legacy IPv4 thinking is a security risk - staff IPv6 competency is crucial

Erion IPv6 Cyber Security Training

Erion is the world’s leading IPv6 training company with the largest portfolio of IPv6 training courses covering all topics and environments. We have a range of IPv6 security training courses from short introductions to advanced and detailed technical IPv6 security courses. Further information on our IPv6 training can be found at www.ipv6training.com.

Erion recently released a NEW IPv6 Forensics course. This advanced course covers all aspects of IPv6 forensics and is ideal for all those involved in forensic activities.

Other Presentations from the IPv6 Security Workshop

You can find many of the other presentations from the workshop at http://www.ipv6.org.uk/2017/03/31/ipv6-security-workshop-jul-2017/.