Another interesting article about IPv6 on Cisco’s blog site today, this time from Michael Sanchez. It’s about the secure transition from IPv4 to IPv6.

While not stated explicitly in the blog, it mentions one of the reasons why some companies are hesitant to implement IPv6: they are unfamiliar with the security implications. Companies generally see migrating to IPv6 as a slow task that takes time, testing, and money. Unfortunately, there’s not much argumentation against this: while for smaller companies the migration can be done quite quickly, a full migration of a large company takes time.

Security during the transition does indeed become complex as Michael mentions: dual stack means double the amount of firewall rules, as well as the added risk of tunnels. To give just one example: NAT-PT can cause serious problems, even if deprecated.

Most modern computers have IPv6 enabled by default. This may cause a man-in-the-middle attack when someone sets up a rogue IPv6 router on a subnet with NAT-PT (which I’ve been able to do with as little as a small virtual machine, no physical evidence). Most modern operating systems (especially Windows) prefer IPv6 over IPv4 in a dual stack environment and will sent all data to the rogue gateway, who will then pass the data on as IPv4 using NAT-PT, but scanning all data in the process.

Again a small word of advice to the companies that sell firewalls (both appliance and software): try researching and promoting the IPv6 side of the story a bit more. If people see firewalls, IDS and IPS systems that can scan IPv6 traffic, maybe things will be put into motion a bit faster. Solutions for IPv6 already exist but they are barely marketed, giving the impression the IPv6 internetwork is “The Wild West” (a quote by my CCNA Teacher).

What are your thoughts? Let me know in the comments.