Take away #2: IPv6 & IPv4 don’t cohabitate well

As I mentioned earlier, IPv6 and IPv4 make insecure bedfellows. There have been no predefined standards in the way to handle the facilitation of the cohabitation of IPv4 with IPv6 so there has been shortage of ‘transition mechanisms’ which have popped up and have been, in most part, widely adopted.

Once again, these transition mechanisms facilitate the transitioning of the Internet from its initial IPv4 infrastructure to IPv6. As IPv4 and IPv6 networks are not directly interoperable, these technologies are designed to permit hosts on either network to participate in networking with the opposing network.

The Internet Engineering Task Force (IETF) conducts working groups and discussions through the IETF Internet Drafts and Requests for Comments processes to develop these methods. Some basic IPv6 transition mechanisms have been defined; however nothing has yet emerged as a proposed uniform standard. As such, the world is awash with the mechanisms, which are all over the map but are largely defined in the following categories:

Plethora of IPv4 to IPv6 (and vice versa) Transition Mechanisms such as the following:

• Encapsulating IPv4 in IPv6 (or 4in6)
• Encapsulating IPv6 in IPv4 (or 6in4)
• IPv6 over IPv4 (6over4)
• DS-Lite
• 6rd
• 6to4
• ISATAP
• NAT64 / DNS64
• Teredo
• SIIT.

If you are familiar with network perimeter security devices, one of the things they do well is deep packet inspection and Stateful aware analysis. However, some of the dirty little secrets is that nearly none of today’s technologies have a capability to inspect encrypted traffic such as SSL (BTW – this is an area where Radware is a true leader), or the ability to inspect tunneling protocols such as L2TP, PPTP, etc.

What IPv4 and IPv6 transition does is effectively exacerbate these “Achilles heels” in security detection capabilities by introducing a whole new category of nearly undetectable transmissions.


Don’t be fooled by a vendor’s claim that they inspect a v4 packet in v6 or vice versa, because even if true for one or two methodologies, the ways in which to accomplish this task are almost immeasurable today. This is really a true community-wide problem and one that must be addressed.

Of course, we’ve been looking at this conundrum for a while and have some strong solutions which often require some trade-offs. What controls don’t? Oh, one tangential thought: No scanners or vulnerability software is yet ready to provide you with visibility to the encapsulated transmission problem either!

So, what is the risk associated with ignoring this threat?

Take away #3: Meet your old vulnerability – Same as the new vulnerability!

Much of our defense is single threaded, and should an adversary be able to pass through your perimeter defenses, many of the ‘older’ vulnerabilities would find a receptive home having passed through the ‘corporate scrubbers.’

Moreover, just think of the new opportunities available to more nefarious organizations that don’t have your interests in mind