Move to IPv6 may create a "security nightmare"

end-to-end communications, so it may not always be available, Bowne warned. Many organizations require the use of the extended unique identifier so they can keep tabs on their employees’ internet usage, he added.

IPv6 offers many features, including a method for easier end-to-end encryption, that should make networking more secure. “We’ve got a lot of benefits and we’ve taken a lot of the learning from a security perspective from IPv4 and implemented a lot of new security features into IPv6,” said Joe Klein, a subject matter expert with the North American IPv6 task force, who was also attending DefCon. “The problem with it is we’re in a transition period and that’s going to take anywhere from five to 10 years to fully implement it and start to provide end-to-end encryption.”


The new protocol, because it has not been tested as widely as IPv4, is also likely to suffer from vulnerabilities resulting from buffer overflows and similar bugs, he said. The flaws will likely be worked out as it gains wide acceptance, but that will also take years, he added.

Goodin writes that Bowne and Klein are not the only people warning of growing pains in the net’s addressing system. This recent submission to the Full-disclosure list claims Google’s Gmail service is also having trouble adapting to the scheme.

Bowne — who teaches classes in ethical hacking, network defense, and Windows 7 — also outlined several attacks that exploit unique characteristics of IPv6 to wreak havoc on networks. Packet amplification attacks set the routing header type of each packet to 0 (RH0), causing the packets to travel in a looped path.
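The RH0 amplification vector above is something a network defender can screen for directly on the wire. The following is an added example, not code from Bowne's talk or from the article: a small IPv6 extension-header walker that flags any packet carrying a Type 0 routing header, run against constructed sample packets (addresses from the 2001:db8::/32 documentation prefix; the header-building helpers and packet names are assumptions of this example).

```python
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, ICMPV6 = 0, 43, 44, 51, 60, 58

def routing_header_types(packet: bytes) -> list:
    """Walk the IPv6 extension-header chain (RFC 8200 layout) and return
    the Routing Type byte of every routing header found."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, types = packet[6], 40, []
    while next_hdr in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_hdr == FRAGMENT:
            length = 8                              # fragment header is fixed size
        elif next_hdr == AH:
            length = (packet[offset + 1] + 2) * 4   # AH counts 4-octet words
        else:
            length = (packet[offset + 1] + 1) * 8   # others count 8-octet units
        if next_hdr == ROUTING:
            types.append(packet[offset + 2])        # Routing Type field
        next_hdr, offset = packet[offset], offset + length
    return types

def is_rh0(packet: bytes) -> bool:
    """True if the packet carries a Type 0 routing header (the RH0 amplification vector)."""
    return 0 in routing_header_types(packet)

# --- constructed sample packets (hypothetical helpers, documentation prefix) ---
def _ipv6(next_hdr, src, dst, payload):
    src, dst = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload

def _routing_header(next_hdr, rtype, addresses):
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    # Hdr Ext Len is in 8-octet units excluding the first 8 octets: 2 per address
    return struct.pack("!BBBBI", next_hdr, 2 * len(addresses), rtype, len(addresses), 0) + packed

ECHO = struct.pack("!BBHHH", 128, 0, 0, 1, 1)   # ICMPv6 echo request, checksum left zero

# RH0 listing the same two hops repeatedly: the looped path the article describes
RH0_PACKET = _ipv6(ROUTING, "2001:db8::a", "2001:db8::b",
                   _routing_header(ICMPV6, 0, ["2001:db8::a", "2001:db8::b"] * 4) + ECHO)
# Same shape but a Type 2 routing header (Mobile IPv6), which must not be flagged
RH2_PACKET = _ipv6(ROUTING, "2001:db8::a", "2001:db8::b",
                   _routing_header(ICMPV6, 2, ["2001:db8::c"]) + ECHO)
# Plain echo request with no extension headers at all
PLAIN_PACKET = _ipv6(ICMPV6, "2001:db8::a", "2001:db8::b", ECHO)

if __name__ == "__main__":
    for name, pkt in [("rh0", RH0_PACKET), ("rh2", RH2_PACKET), ("plain", PLAIN_PACKET)]:
        print(name, routing_header_types(pkt), "RH0 present" if is_rh0(pkt) else "ok")
```

Modern stacks drop RH0 by default (RFC 5095 deprecated it), so a hit from this check on a production network is worth investigating as either a very old host or deliberately crafted traffic.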

Ping-pong exploits take advantage of the wealth of /64 subnets available in the protocol, allowing attackers to send packets from one non-existent connection to another. The result is an endless series of “ICMP unreachable” error messages that flood the network with garbage data.

The transition to IPv6 is necessary to deal with the growing exhaustion of IPv4 addresses. The older protocol, which is based on a 32-bit addressing system, yields about four billion unique numbers, fewer than the seven billion humans who populate the planet. At the current usage rate, the allocation of free addresses could be used up by June of next year, according to some estimates. IPv6, by contrast, is a 128-bit scheme that allows for over 3.4×10^38 addresses, which ought to keep the world going for quite some time.

See here for slides and other materials from Bowne’s talk.