Tuesday, February 8, 2011

Security within an evolving Internet

This time I have invited a guest blogger: Pierre Françon, president of Quaelys and a respected IP security expert. Pierre describes the new security challenges created by the coexistence of IPv4 and IPv6 on the Internet.

The Internet as we know it is based on IPv4 and is considered homogeneous and open: communications are established end to end. The only exception is NAT (Network Address Translation), which is used and controlled on the subscriber's own equipment (the ADSL box).

The depletion of public IPv4 addresses is accelerating, so the Internet is going to evolve in the very short term (even if some Internet providers migrate more slowly than others). We will see a dual Internet based on two similar but incompatible protocols, IPv4 and IPv6. Technically, the customer will be given two parallel communication channels that can be used simultaneously on two independent networks of networks at the IP level.

The historical end-to-end use of IPv4 addresses will cease. Instead, Internet providers will apply NAT within their own network, a method known as Carrier Grade NAT (CGN). CGN requires new application-layer gateways for protocols that carry IP addresses in their payload, such as SIP for VoIP. Moreover, the IPv4 traffic collected from the customers' ADSL boxes up to the CGN will be encapsulated in IPv6 using a method named Dual-Stack Lite.

From the security point of view, beyond the introduction of IPv6 and the complexity of CGN, the real break with the past comes from this notion of duality, and from how someone can use it for their own benefit.

This duality is twofold: (1) first, one has at one's disposal two simultaneous and separate communication channels in the same technical environment (LAN and desktop); (2) second, from both channels one can simultaneously reach the same servers, networks, infrastructures and targets (CGN, routers, caches, application servers, desktops, and so on).

In this new context, IPv4 and IPv6 cannot be treated separately. Risk analysis has to take this duality into account, both because there is little operational IPv6 experience and because dual stack has weakened the IPv4 world. Preventive security mechanisms must also be dual: for example, a spammer using one channel has to be blacklisted on both channels. This is not easy, as the protocols are different and the user identification methods are not identical: in IPv6 the subscriber is identified by the prefix (a full subnet) allocated to them, whereas in IPv4 the subscriber is identified by the IP address plus the port numbers used per protocol (the same IP address being shared on the CGN between many subscribers).

In parallel, legal requirements on this new Internet are far more complex. To detect illegal usage, subscriber behaviour has to be analysed across the IPv4/IPv6 duality. Similarly, filtering subscribers or dual web sites becomes more complex: filtering on allocated IP addresses versus filtering on a user identity authenticated at the application level. Gathering evidence of illegal usage can become a big problem: just imagine a dual-stack P2P tool where the content search is made partly over IPv4 sessions and partly over IPv6 sessions, with traffic routed end to end without NAT.
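The dual blacklisting of the previous paragraph and the cross-channel behaviour analysis described here can be illustrated with an added example (mine, not code from the post or from Quaelys). Abuse reports arriving from either channel are mapped to a subscriber identity: on the IPv6 side by the prefix delegated to the subscriber (assumed here to be a /56), and on the IPv4 side by looking up the shared public address and source port in a CGN port-allocation table. A block decided from one channel is then expressed as rules for both. The subscriber identifiers, addresses, allocation table and abuse reports are all constructed for the example.

```python
"""
Dual-stack abuse correlation (constructed example, not from the post).

Events seen on either channel are normalised to a subscriber identity:
  - IPv6: the source address is matched against the prefix delegated to
    the subscriber (a /56 is assumed here).
  - IPv4 behind CGN: the shared public address plus source port is looked
    up in the CGN port-allocation table.
A block decision reached from either channel is applied to both.
"""
import ipaddress
from collections import defaultdict

# Constructed CGN allocation table: (shared public IPv4, low port, high port, subscriber).
# A real CGN logs such allocations with timestamps; these values are made up.
CGN_ALLOCATIONS = [
    ("203.0.113.10", 1024, 2047, "sub-0001"),
    ("203.0.113.10", 2048, 3071, "sub-0002"),
    ("203.0.113.11", 1024, 2047, "sub-0003"),
]

# Constructed IPv6 prefix delegations: delegated prefix -> subscriber.
V6_DELEGATIONS = {
    "2001:db8:1:100::/56": "sub-0001",
    "2001:db8:1:200::/56": "sub-0002",
    "2001:db8:1:300::/56": "sub-0003",
}


def subscriber_for_v4(addr, port):
    """Resolve a shared IPv4 address and source port to a subscriber via CGN allocations."""
    for pub, lo, hi, sub in CGN_ALLOCATIONS:
        if pub == addr and lo <= port <= hi:
            return sub
    return None


def subscriber_for_v6(addr):
    """Resolve an IPv6 source address to the subscriber owning its delegated prefix."""
    ip = ipaddress.IPv6Address(addr)
    for prefix, sub in V6_DELEGATIONS.items():
        if ip in ipaddress.IPv6Network(prefix):
            return sub
    return None


def identify(event):
    """Return (subscriber or None, channel) for one abuse event."""
    ip = ipaddress.ip_address(event["src"])
    if ip.version == 6:
        return subscriber_for_v6(event["src"]), "ipv6"
    return subscriber_for_v4(event["src"], event["sport"]), "ipv4"


def block_rules(subscriber):
    """Rules to enforce on both channels for one subscriber.

    On IPv4 only the subscriber's port range on the shared address is blocked,
    because blocking the whole address would hit every subscriber behind it.
    """
    rules = []
    for prefix, sub in V6_DELEGATIONS.items():
        if sub == subscriber:
            rules.append(("ipv6", "prefix", prefix))
    for pub, lo, hi, sub in CGN_ALLOCATIONS:
        if sub == subscriber:
            rules.append(("ipv4", "addr+ports", f"{pub}:{lo}-{hi}"))
    return rules


def correlate(events, threshold=3):
    """Count abuse events per subscriber across both channels.

    Returns (counts, channels seen per subscriber, block rules for subscribers
    at or above the threshold, events that could not be attributed).
    """
    counts = defaultdict(int)
    channels = defaultdict(set)
    unattributed = []
    for ev in events:
        sub, chan = identify(ev)
        if sub is None:
            unattributed.append(ev)
            continue
        counts[sub] += 1
        channels[sub].add(chan)
    blocked = {sub: block_rules(sub) for sub, n in counts.items() if n >= threshold}
    return counts, channels, blocked, unattributed


# Constructed abuse reports (e.g. spam-trap hits), mixing both channels.
SAMPLE_EVENTS = [
    {"src": "203.0.113.10", "sport": 1500, "kind": "spam"},          # sub-0001 via CGN
    {"src": "2001:db8:1:100:abcd::1", "sport": 45000, "kind": "spam"},  # sub-0001 via IPv6
    {"src": "2001:db8:1:100:ffff::2", "sport": 45010, "kind": "spam"},  # sub-0001 via IPv6
    {"src": "203.0.113.10", "sport": 2500, "kind": "spam"},          # sub-0002 via CGN
    {"src": "198.51.100.7", "sport": 80, "kind": "spam"},            # not behind this CGN
]

if __name__ == "__main__":
    counts, channels, blocked, unattributed = correlate(SAMPLE_EVENTS)
    for sub, rules in blocked.items():
        print(sub, sorted(channels[sub]), rules)
    print("unattributed events:", len(unattributed))
```

Two design points follow directly from the text. First, the IPv4 rule covers only the subscriber's port range on the shared address, since a plain address block on a CGN address would punish every subscriber sharing it. Second, the static allocation table is a simplification: real CGN allocations are time-bounded, so the lookup must also match the event timestamp against the allocation window, and that timestamped log is exactly the evidence that must be retained for the legal requirements discussed above.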

Confronted with these new challenges, we have to rethink the security of data exchanges, communication infrastructures and end equipment (servers or desktops). In parallel, putting in place traffic/flow and behaviour analysis on a dual basis requires new tools that take into account the diversity and sophistication of Internet usage. To summarise, it is really urgent to think and act differently in the face of the evolving Internet.
 
© 2009 Network Intelligence Technology. All Rights Reserved | Powered by Blogger