Deploy360 24 March 2015

IPv6 Security Myth #10 – Deploying IPv6 is Too Risky

By Chris Grundemann, Guest Author

After a quick break to catch our breath (and read all those IPv6 Security Resources), it’s now time to look at our tenth and final IPv6 Security Myth. In many ways this myth is the most important myth to bust. Let’s take a look at why:

Myth: Deploying IPv6 Makes My Network Less Secure
Reality: Deploying IPv6 Now is the Best Way to Ensure Ongoing Network Security

I can hear you asking “But what about all those security challenges we identified in the other myths?” To really dig into this, let’s walk through the first 9 IPv6 Security Myths and see what turns up:

In Myth #1 we learned that IPv6 traffic often shows up on networks long before that network has deployed IPv6. Once you know that “Your Devices are Using IPv6” and “Your Users are Using IPv6” it’s easy to see that the best way to mitigate risk on your network is by turning on and protecting IPv6 now. You can’t protect against what you can’t see.

Myth #2 may have scared many of you, and it should have! Network security is all about mitigating risks. Knowing where the risks are hiding is the first step. Any good security expert must be a little paranoid, always seeking out potential sources of harm. We must also take a step back from these risks and look at the big picture, though. When we do this, it is clear that Myth #2 provides a set of risks that must be considered. However, a careful examination will show that none of them are serious enough to prevent the deployment of IPv6. The bottom line remains that securing an IPv6 host or IPv6 network does not happen automagically. It takes the same forethought and diligence required to secure any valuable asset. Hopefully the challenges outlined in Myth #2 give you a head start in that process.

Myth #3 showed us that deploying IPv6 allows the removal of NAT devices, which is a good thing as long as they are replaced by stateful firewalls. NAT is not a security feature and removing NAT from your network will NOT make it less secure. In fact, it may actually increase your overall security.

In Myth #4 we discovered that IPv6 networks are not, in fact, too big to scan. Of course, we also learned several ways to keep them much harder to scan than comparable IPv4 networks. In the end, the larger address space remains an advantage for IPv6.

Myth #5 showed us that while “privacy addresses” are not perfect, there are several options for maintaining user privacy in IPv6 networks. This is another area where attention should be paid but full-on paranoia is likely unwarranted.

Myth #6 introduced us to some existing IPv6 security tool-kits and repositories of IPv6 bugs and vulnerabilities. The great news here is that they are all publicly available. This means that you can use them to probe, test, and harden your own network before the bad guys get their chance!

In Myth #7 we examined many of the fundamental differences between IPv4 and IPv6 from a security perspective. As I’m sure you’ll agree, there is a need for training and awareness of these differences in order to maintain network security when deploying IPv6. What I think is just as clear is that none of these changes make IPv6 any less secure than legacy IPv4 networks.

Myth #8 is all about ensuring that you get what you pay for. The need to document, verify, and test network security gear is not new. You must treat IPv6 like you would any other new technology being deployed on your network. Ensure that all new equipment meets your specific needs, and remember to trust but verify when it comes to IPv6 support.

Finally, in Myth #9 we learned that we’re not alone! There are IPv6 security resources out there for us to reference and learn from. When it comes to network security, knowing the risks ahead of time may make it scarier, but it also makes it safer to deploy.

In summary, these nine IPv6 security myths have given us the tools and information we need to securely deploy IPv6. So what about today’s myth?

Myth: Deploying IPv6 is Too Risky
Reality: Deploying IPv6 Now Lowers Your Risk

The bottom line here is that the sooner you deploy IPv6, the more secure your network will be in the long run. From giving you visibility into the IPv6 that may already be on your network, to giving you time to find and mitigate IPv6 risks, to providing staff more time for training and experience, all indicators suggest that your best bet is to deploy IPv6 today.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
