We’re happy to report the Internet is still standing nearly a week after IPv6 Day. More than 400 organizations — including heavyweights like Google and Facebook – enabled the much talked-about IPv6 standard on their websites. Overall, no major outages were reported. Now what? Well, Facebook plans to leave its developer site dual-stacked, supporting both IPv4 and IPv6 and Google will enable IPv6 access for only the users of its Google over IPv6 program.
At VPN Haus, we spoke with Paul Lee, director of IT at Comodo, about what his company learned from IPv6 Day.
VPN Haus: Can you tell me how Comodo enabled its main page to IPv6 enabled?
Paul Lee: We implemented dual stack on both the webservers (our NGINX platform that runs them), the kernel of said machines, firewalls and all of our core and edge Juniper comms equipment. We used GRE tunnels internally. [Comodo enabled 22 sites, in addition to its main page.]
VPN Haus: What are the key issues and lessons that came to light as a result of this experiment – both for Comodo and on a higher-level for all participating organizations?
Lee: When taking full routes from upstream providers, IPv6 has a lot more address space and so simple things like more RAM for routers is needed to hold the greater number routes (as IPv6 adoption takes hold, this will be a bigger problem). Ensuring that the kernel of machines is IPv6 enabled as well as any software running on them (can cause unforeseen issues).
We learned that adoption is very small at the moment, with a greater proportion of users in Japan, due to their poorer IPv4 to headcount ratio (hence a greater incentive to adopt than the U.S.).
VPN Haus: How has Comodo been preparing for IPv6?
Lee: Ensuring routers are compliant, upgrading Linux kernels to handle IPv6, procuring IPv6 transit links from upstreams and testing (some upstreams see more routes than others…you know who you are!) and ensuring content and applications are not hardcoded to IPv4 in any way, if so, changing that or tabling changes for the near future.
VPN Haus: Do you think security risks around IPv6 are overrated? Isn’t this more of an infrastructure issue right now?
Lee: The long overlap period of dual stack networking will undoubtedly increase the potential for security vulnerabilities, due to the necessary interaction of two separate fundaments, each with their own specific security problems. It must be said though, that most of the issues which may be talked about are not a direct result of IPv6 design flaws but of misconfiguration in this transition environment.
Aside from the problems a dual stack environment causes, this issue of security is one of my personal interests in the change. As you know, IPv4 uses NAT extensively. It is a widely held assertion that NAT will protect a network / endpoint better than a machine on the end of a routable IP. I would voice a rebuttal to this, in that any basic firewall rule which tracks and requires an associated outbound connection to be present for an inbound connection to be allowed will give one the same security as NAT. I can see that some may believe that there will be the same issues as the consumer would have with Home Wireless Security (i.e. that home routers were shipped without security initially and likewise, the world will take time to catch up and most home users don’t manage their security well), this is where the real lessons will need to be learned.
If people lose the perceived protection of NAT or if they aren’t aware or don’t want to have to be aware of their firewall rules, security will be pushed to the edge, people will be encouraged to take responsibility of their own security at the point which matters to them, their machine. Empowering people to secure their own machine, not trusting that somehow their cafe wireless Internet connection is protecting them, will be the word of the day and I welcome that day.
VPN Haus: Does IPv6 still require IPsec? If not, why was that change made and what impact will that have on IPv6 security?
Lee: IPsec is an intrinsic part of IPv6. Also, since IPv4 IPsec is so very widely implemented and supported, IPv6 IPsec is deployable pretty much out of the box. A lot of this was driven by government edicts over the last few years, but underlying infrastructure manufacturers have been baking in support for IPv6 IPsec since after Y2K.