
Saturday, May 22, 2010

Impacts of IPv4 to IPv6 Conversions



Background: The Internet is growing. The problem is that the Internet was built on a protocol called IP (Internet Protocol), IPv4 (version 4) to be exact. When you see an IP address like 12.34.56.78 you are seeing a single point on the routable Internet. The problem is that there is a finite number of addresses. There are approximately 2^32 IPv4 addresses in total; once you subtract 127.0.0.0/8 (loopback), 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 (non-routable) and all the addresses used for routing packets across the Internet, that number starts looking a lot smaller. Add the fact that countries coming online quickly are buying up huge blocks of IP space, IP-based mobile devices are approaching 100% penetration and there has been a run on static IPs for home users, and it is easy to see that while the Internet is growing, the total number of unallocated IPs is shrinking at an increasing rate.

IPv6 brings a number of positive security benefits along with the problems associated with its implementation. These include decreased susceptibility to man-in-the-middle attacks and a far larger address space, which makes scanning-based worm propagation less efficient. While these benefits are small, they should absolutely be included in the economic cost breakdown of the implementation.

The Problem With IPv4: According to IANA and the RIRs, the available unallocated IPv4 address space is expected to become exhausted somewhere between 2010 and 2012. While this issue was predicted in the 1980s and IPv6 was first proposed in 1996, it still has not been widely embraced by the Internet community, even though the date of exhaustion is looming close on the horizon. The issue has thus far been considered mostly a networking problem with networking solutions; this paper, however, will discuss many of the other issues as they relate to web-based applications and the overall security ramifications of the migration from IPv4 to IPv6 as it comes ever closer. It is no longer optional: if you and your company have not yet considered IPv6, you are already falling behind.

Economic Impacts Of IPv4 to IPv6 Conversion: A number of interesting business issues may arise from the switch between IPv4 and IPv6. It is important to realize that while IPv4 space may be allocated, that does not necessarily mean it is used for anything. The first interesting possibility is a large increase in the cost of IPv4 address space, as ISPs may decide that its apparent value is higher with less and less IP space available. This could lead to IPv4 barons who hoard and eventually resell or rent IP space in smaller blocks at a premium. Additionally, it is plausible that legislation may be instituted to fine companies for squatting on IPs that are allocated yet unused, to prompt them to return those IPv4 addresses to the global pool of unallocated addresses. This would have the effect of further punishing businesses that are unable to make the switch to IPv6 for whatever reason.

Short Term Issues With Conversion: A number of services advertise themselves as quick solutions to IPv6 to IPv4 conversion. One such company is 6gate, which essentially proxies all the inbound connections to your website for you. This allows 6gate to "see" any connection made to the host in question. While that may be acceptable for non-sensitive transactions, it also creates a great place to perform man-in-the-middle or sniffing attacks, similar to the ones used against Tor exit nodes.

Similarly, there are a number of IPv6 to IPv4 tunnel brokers that aim to make IPv6-to-IPv6 communication possible over IPv4-only networks (since IPv4 equipment cannot speak IPv6). These tunnel brokers are technically capable of reading all of the traffic routed over them. While abuse is unlikely, these aggregation points are high-visibility targets for attack within networks, and must be guarded as such.

IPv6 Networking Performance Impacts: Although not often addressed, there are performance impacts associated with the IPv4 to IPv6 migration. At least one of the major networking hardware manufacturers has estimated that the operational efficiency of their devices drops 4:1 for IPv6-enabled devices. That means that for certain types of hardware, either a fourfold increase in networking equipment or costly upgrades of existing equipment will be needed. If additional equipment is required, this could also include supplemental equipment such as uninterruptible power supplies, HVAC and remote management devices (e.g. Cyclades and Arula). This will require large-scale migrations for networking staff, increases in physical space requirements within data centers and increased manufacturing demand for networking companies. This includes companies like Cisco, Juniper, Nortel and Alcatel-Lucent amongst others, each of whom stands to see substantial short-term revenue growth from the switch and sustained smaller long-term growth based on the estimated 4:1 reduced efficiency of IPv6. Ultimately, the budget for the change must be accurately estimated for all the associated components for a seamless global transition.

IPv6 and Security Tools: Many tools intended to help identify vulnerable applications within networks are built for IPv4, so that they can reach addresses that either have no name associated with them or use something like NetBIOS instead of DNS to help users identify their location on the network. Many security tools have no IPv6 functionality, meaning that IPv6-enabled networks can often pass network security audits simply because the tools were not designed to operate in IPv6-enabled networks. Further, many security tools do their parsing based on certain regular expressions. Here are two examples:


An example IPv4 URL: https://12.23.45.67:443/

An example IPv6 URL: https://[2001:0db8:85a3:08d3:1319:8a2e:0370:7344]:443/

Regular expressions are often used in security tools to parse hostnames out of URLs. Many existing tools fail when faced with a URL of this kind, for various reasons. Firstly, the routable address no longer contains periods, which in and of itself is not even a current requirement of IPv4 (an example is the dword form often used by phishers: http://1113982867/).

Another difference is the length of the string, which is often bounded by a database column size. Databases often store the IP address rather than the host name for logging purposes, which normally requires at most 15 characters (12 digits plus three periods), while an IPv6 address can be 39 characters. The last change is in URL structure, which can include square brackets. The square brackets can fool logging that attempts to look at referring URLs. Nefarious users can force legitimate requests through a system that may give erroneous results based on how the logging is built.

An example of what someone might see when looking at an IPv6 DNS entry is:

$ dig www.ipv6.ac.uk |grep AAAA
ns0.ecs.soton.ac.uk. 1782 IN AAAA 2001:630:d0:f102::53a
ns1.ecs.soton.ac.uk. 1782 IN AAAA 2001:630:d0:f110::53b
ns2.ecs.soton.ac.uk. 1782 IN AAAA 2001:630:d0:f102::53b

Note: An example of a valid IPv6 URL that may fool logging which looks for the first occurrence of /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/ to base security decisions upon: http://[2001:0db8:85a3:08d3:1319:8a2e:0370:7344]/a.aspx?12.34.56.78/

As a side note, a variation of this URL structure was used to deny service to a particular client-side application during testing. It will become necessary to perform this sort of regression testing against both IPv4 and IPv6 going forward to ensure the stability of any application that interacts with the web.
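To make the parsing problem concrete, here is an added example (not code from the original post) that runs the three URL shapes discussed above through the naive first-dotted-quad regex and through a proper authority parser. It uses only the Python standard library; the URLs are the ones quoted in the post and the 15-character column width is the legacy IPv4 log field mentioned above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The naive pattern described in the post: first dotted quad anywhere in the string.
NAIVE_IPV4 = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")


def naive_client_ip(url):
    """Legacy approach: take the first dotted quad found anywhere in the URL."""
    m = NAIVE_IPV4.search(url)
    return m.group(0) if m else None


def host_ip(url):
    """Parse the authority section properly and validate it as an IP literal.

    Returns a canonical string (IPv6 compressed, dword expanded to dotted quad),
    or None when the host is a name rather than an address.
    """
    host = urlsplit(url).hostname  # strips [] around IPv6 literals and the :port
    if host is None:
        return None
    try:
        if host.isdigit():            # dword form such as http://1113982867/
            return str(ipaddress.ip_address(int(host)))
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None                   # a hostname, not an IP literal


def fits_column(ip_text, width=15):
    """Would this address survive a legacy 15-character IPv4 log column?"""
    return ip_text is not None and len(ip_text) <= width


# Constructed inputs, taken from the URL shapes discussed in the post.
URLS = [
    "https://12.23.45.67:443/",
    "http://[2001:0db8:85a3:08d3:1319:8a2e:0370:7344]/a.aspx?12.34.56.78/",
    "http://1113982867/",
]

if __name__ == "__main__":
    for u in URLS:
        print(f"{u}\n  naive regex -> {naive_client_ip(u)}\n  parsed host -> {host_ip(u)}")
```

On the bracketed IPv6 URL the regex reports the decoy 12.34.56.78 from the query string while the parser reports the real host, and the dword URL yields nothing from the regex at all.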

Future: There are many places in many different types of applications that may use the IP address for hostname verification or for logging. Every instance should be identified and dealt with as soon as possible to ensure a smooth transition to an IPv6 environment. While IPv4 is not going away, its replacement, version 6, will ultimately require further engineering thought. This includes security and networking tools (many of which are already getting attention or have already been ported to work in IPv6 environments), web applications, logging and of course the networking that ties it all together. While IPv6 is not widely understood amongst the majority of Internet professionals, it will quickly become an important aspect of all future network and Internet application development.
