Home > IPv6 > IPv6 Increases Security for the Internet

IPv6 Increases Security for the Internet

Just finished Kenneth Geers book, “Strategic Cyber Security”, and finally discovered someone agrees with me about IPv6!

“This research suggests that IPv6 has the potential to be a more influential factor in strategic cyber security than three current cyber attack advantages, including  asymmetry and inadequate cyber defense. This result is the most significant revelation in this study. Two powerful IPv6 attributes. First, IPv6 is extremely resistant to outside influence, so it is more “reliable” than other factors in the system. Second, IPv6 influences the single most powerful cyber attack advantage, anonym ity, at a “very high” level. These factors combine, via indirect influence calculations, to radiate the impact of IPv6 throughout the system and to magnify its importance. Thus, for decision makers, this research suggests that IPv6 is currently the single most efficient way to change the dynamics of strategic cyber security in favor of cyber defense.”

“IPv6 is the most likely to have a tangible impact on reducing the key advantages of a cyber attacker, and thus it is the most likely strategy to improve a nation’s strategic cyber defense posture. The simple reason is that it can reduce the most influential advantage of a cyber attacker, anonymity, and it does so with a higher degree of reliability than the other factors in this research. Thus, the influence of IPv6 grows over time and impacts all other factors in strategic cyber security”

I have been working on a new tool which will greatly add defensive capabilities to IPv6, but having a challenge in finding funding to complete the tool. Anyone have any ideas?
Advertisements
Categories: IPv6
  1. April 25, 2013 at 00:28

    Corrected website : https://www.ccdcoe.org/278.html

  2. April 25, 2013 at 20:53

    In response to a personal e-mail about this topic.

    The migration to IPv6 only networks allows the security community a ‘redo’ and an innovative leap to the game. I see IPv6 as a disruptive technology for attackers. If the defenders are able to leverage the many overlooked features in IPv6 to provide faster detection, better profiling of the initial attack, and faster disruption of attacks in progress, then IPv6 could live up to the ideas in that paper.

    The problem today is security vendors see IPv4 and IPv6 as the same hammer, nailing in every screw and bolt as if they were all 10 penny nails. With this as a motivator, the ‘C-Suite’ crowd sees no justification to invest in any IPv6 innovation, but instead license the technology from others. Have you noticed the large amount of security vendors claiming they can now scan IPv6 networks?

    So based on my detailed knowledge of attacking and defending IPv6, years of experience in security, I have been developing tools, techniques and concepts to bring the real power of IPv6 as a defensive tool to light. I presented one piece of that idea at GOGO6 last year, on the topic of “IPv4 vs. IPv6 The Shifting Security Paradigm”. A video of the speech can be found here: http://www.gogo6.com/video/ipv4-vs-ipv6-the-shifting-security-paradigm-by-joe-klein-at .

    The presentation goes through just one of many features that I think are powerful enough to change the cyber security game, but up to this point I have been unable to find anyone interested in moving the ball forward. As an example, one of the tools I have been creating is an IPv6 only behavior IDS/IPS which detects all of the current attack tools, and many I have not disclosed. Currently, once a data flow is profiled, I have the ability to respond within seconds or less to a known tool or attack posture.

  3. June 4, 2013 at 13:27

    I know this sounds like a dumb question, but what exactly is Kenneth Geers talking about? Does he know what he’s talking about? I see ‘cyber’ being dropped seven times into one paragraph, and what looks like pseudo-technical prose.

    These factors combine, via indirect influence calculations, to radiate the impact of IPv6 throughout the system and to magnify its importance.
    Seriously, WTF?

    and thus it is the most likely strategy to improve a nation’s strategic cyber defense posture.
    IPv6 is not a strategy. They need a strategy for implementing it properly.

    The simple reason is that it can reduce the most influential advantage of a cyber attacker, anonymity, and it does so with a higher degree of reliability than the other factors in this research.
    We’ll see about that after IPv6 address blocks start fragmenting over time.

    So, I’m not denying that IPv6 will be a ‘game changer’. It most definitely will be, but in ways that can severely degrade security or greatly enhance it, depending on how it’s used. For example, IPsec over IPv6 could protect your communications, or it could be used for exfiltrating data from your network. Or an IPv6 connection going straight through a firewall that’s only configured for IPv4. The address spaces could be used for defeating IP address blacklists, which is good for anti-censorship but bad for perimeter security – enumeration problems work both ways here.
    One thing I’m pretty certain of is security will require a carefully thought out redesign to make IPv6 work to your advantage.

    • June 25, 2013 at 00:53

      Kenneth Geers is a brilliant guy, someone I truly respect and understand his pressure to drop the ‘c-bomb’. My editor keep on returning papers and the book I have been working on, stating “Use Cyber more often”. Oh well, so goes the buzzwork game.

      The influence calculation is a modeling technique to understand the direct and indirect influence of multi-variable decisions. Sometime used in game theory to determine obvious and non-obvious influences on a decision, similar to using Hidden Markov model (HMM) to identify unobserved (hidden) states.

      Good security engineering will help us avoid the continuous Jugaad Principle ( aka MacGyvering ) our networks to function, and finding we have not included security in it’s design.

      This is how I see IPv6 as a ‘game changer’, the ability to rethink our network, dataflows, devices which we installed years ago, but never removed. This rethink should lower the cost of managing our networks, increasing their efficiencies and lower complexity.

      The examples you have given, “IPsec over IPv6 could protect your communications, or it could be used for exfiltrating data from your network. Or an IPv6 connection going straight through a firewall that’s only configured for IPv4. The address spaces could be used for defeating IP address blacklists, which is good for anti-censorship but bad for perimeter security – enumeration problems work both ways here.” are all valid, and are being addresses by many researchers. Currently the biggest problem we have, not to fall into the ‘just like IPv4’ mindset and preconception, are the vendors and the lack of trained security professional which understand IPv6.

      Stay tuned to this blog to get an idea what I am working on…

  4. WMIPv6
    June 9, 2013 at 22:54

    Hi there, in response to your comment: “I have been working on a new tool which will greatly add defensive capabilities to IPv6, but having a challenge in finding funding to complete the tool. Anyone have any ideas?”

    I have some ideas:
    http://www.kickstarter.com/
    If you have a good project, you can also try to reach to NIST, or other major IPv6 entities. Many of them have great sponsors and funds for this kind of projects.

    Best Regards and Good Luck.

    • June 25, 2013 at 00:23

      I am in the process of doing that now. Thank you for the suggestion and modivation!

    • November 5, 2013 at 23:53

      WMIPv6 – Ok, I am working towards the Kickstarter. More at the beginning of the year.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s