Transition to New Internet Protocol Raises Security Concerns

Two years ago, on June 6, 2012, thousands of websites and Internet service providers launched a new version of the Internet Protocol, the mechanism that directs and routes communications through the Internet. Though Internet Protocol version 6 (IPv6) currently accounts for only three percent of all Internet communications, this figure is expected to grow to more than 20 percent by 2016. Federal agencies, however, are required to move even faster. OMB guidance from July 2012 mandated that agencies adopt IPv6 for external sites and services by the end of FY2012 and for internal applications by the end of FY2014. But the latest NIST statistics show agencies are struggling to meet these milestones. Just over half (52 percent) of government services and only 32 percent of domains have been IPv6 enabled.

IPv6 is heralded as the future of Internet communications because, among other things, it permits a near limitless supply of IP addresses to accommodate the ballooning “Internet of Things” and promises greater built-in security than IPv4, the original version developed by DARPA to facilitate information sharing among government and academic researchers. Unlike in IPv4, security components were originally developed as mandatory features in IPv6.

But the promise of greater Internet security should not mask the very real security concerns surrounding the transition to IPv6. One such concern is that the Internet Engineering Task Force no longer requires IPsec, the advanced encryption and authentication suite IPv6 natively supports, for IPv6 implementation. This is because many of the less-sophisticated devices now being connected to the Internet often do not have the capabilities needed to handle IPsec’s advanced computing requirements. Those adopting IPv6 therefore cannot assume the protocol will automatically be more secure.

Second, the transition process itself poses security challenges. Because IPv6 is not naturally compatible with IPv4, organizations will have to operate both protocols simultaneously in the short to medium-term, adding further complexity to network security operations. This is then exacerbated by the fact that the tunneling mechanisms developed to make the two protocols interoperable have no built-in-security mechanisms. Since IPv6 will be new for so many organizations, malignant actors may be left with the upper hand. Awareness and management are already significant cybersecurity concerns for federal agencies, but these challenges become even more pressing as IPv6 adoption accelerates.

The need for an updated Internet Protocol is clear: the number of IPv4 addresses is expected to run out by February of 2015, and IPv6 is more security-friendly. But to avoid opening up new vulnerabilities while transitioning, federal agencies will need to vigilantly adapt their cyber security postures.