Archive for October, 2010

Despite the imminent depletion of the IPv4 address pool and the serious consequences for the IPv4 Internet, there are still many organisations that continue to delay the implementation of IPv6. Whilst the need for IPv4 in some organisations is arguably less than in others, one area that cannot be ignored is the essential need to secure current IPv4 networks against attacks perpetrated through the use of IPv6 and IPv6 transition technologies.

It is undeniable that the vast majority of current TCP/IP networks not only include IPv6 capability, but also have IPv6 traffic flowing over them. All modern operating systems include IPv6 dual stacks (which also provide backwards compatibility for IPv4). These operating systems, including Windows, Unix and Linux, all use IPv6 by default when they can. As a result, current IPv4 networks must be secured against attacks via IPv6 and associated technologies even though they may not have explicitly deployed IPv6.

Whilst IPv6 in and of itself is to a large extent neither more nor less secure than IPv4, its existence in a network immediately increases the “attack surface” and therefore the security risks. Since the increased risk is not simply the sum of the two protocols but a complex interaction of IPv4, IPv6, transition mechanisms and other protocols, it is fair to say that the attack surface is somewhat more than doubled by IPv6. Furthermore, IPv6 includes many new features that make it significantly different from IPv4. This not only further increases the “attack surface” but also means that many new mitigation and security techniques must be learned.

For those who might consider the “increased risk” a reason not to deploy IPv6, remember that IPv6 already exists whether you deploy it or not. Therefore, you need to secure against IPv6 threats in your IPv4 networks.

It is essential that network security managers and others responsible for network and system security learn about IPv6 now and implement appropriate security measures as soon as they can. Erion provides the world’s most comprehensive range of IPv6 training. This includes in-depth IPv6 security training, for example, our 3-day Securing IPv6 course.

Copyright Erion Ltd 2010.

Today the pool of IPv4 addresses dropped below 5% of the total IPv4 address space. The cause was the allocation of two blocks of IPv4 addresses to APNIC, the Regional Internet Registry (RIR) for the Asia Pacific region, by the Internet Assigned Numbers Authority (IANA). The speed with which IPv4 addresses are being consumed is demonstrated by the fact that it was only 9 months ago that the remaining space dropped below 10%.

There are now only twelve blocks available for allocation. The first seven of these blocks will be allocated under the normal allocation policy. Once these are assigned, the final five blocks will immediately be assigned, one to each RIR.

At current depletion rates, the IPv4 pool will be exhausted early in 2011.

The solution to the address space exhaustion is IPv6, the next generation of the Internet Protocol. All organisations need to take seriously the deployment of IPv6 to avoid a chaotic migration at the last moment.