Does supporting both IPv4 and IPv6 in a multi-tenant cloud introduce any unique security concerns? If we choose not to deploy IPv6 in our cloud, is there a way hackers can exploit that in a multi-tenant environment?
Let's settle one issue up front: While IPv6 has several protocol-specific security considerations, it is neither a less nor a more secure protocol than IPv4, and most challenges come from vendor support constraints.
In the case of a dual-stack deployment (IPv4 and IPv6 operating over the same links), the attack surface for this type of environment will approximately double. The defense mechanisms, however, are pretty similar. In a properly architected environment, the infrastructure manager simply needs to apply the same security principles to the IPv6 part of the infrastructure -- isolation, control plane protection, monitoring and so on -- that are already applied to IPv4 traffic.
From an implementation perspective, it's advisable to match the security policies in place for IPv4 and then address the IPv6-specific threat vectors, which can, for example, present hackers with new ways to drive distributed denial-of-service (DDoS) attacks.
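One way to automate the policy-matching step, as an added example that is not part of the original answer: a parity check that compares an IPv4 ruleset with its IPv6 counterpart and reports where the IPv6 side is missing a rule or has a different default policy. It assumes Linux hosts whose rules are exported with iptables-save and ip6tables-save; the two rulesets below are constructed samples, and the function names are illustrative.

```python
import shlex

# Constructed samples in iptables-save / ip6tables-save format (not real hosts).
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
COMMIT
"""
V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s fd00::/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
ADDRESS_OPTS = {"-s", "-d", "--source", "--destination"}

def parse(ruleset):
    """Return (chain policies, rule signatures with addresses stripped)."""
    policies, rules = {}, set()
    for line in ruleset.splitlines():
        if line.startswith(":"):            # e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tokens, sig = iter(shlex.split(line)), []
            for tok in tokens:
                if tok in ADDRESS_OPTS:
                    next(tokens, None)      # drop the family-specific address
                else:
                    sig.append(tok)
            rules.add(" ".join(sig))        # simplification: table name ignored
    return policies, rules

def parity_gaps(v4_text, v6_text):
    """List default policies and rules where IPv6 does not match IPv4."""
    (p4, r4), (p6, r6) = parse(v4_text), parse(v6_text)
    gaps = [f"policy {c}: IPv4={p} IPv6={p6.get(c, 'absent')}"
            for c, p in sorted(p4.items()) if p6.get(c) != p]
    gaps += [f"missing in IPv6: {r}" for r in sorted(r4 - r6)]
    return gaps

if __name__ == "__main__":
    print("\n".join(parity_gaps(V4_RULES, V6_RULES)))
```

Rules that are inherently family-specific, such as `-p icmp` versus `-p ipv6-icmp`, will be flagged and need manual review rather than a one-to-one copy.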
In this context, implementers face many new challenges. For instance, doubling the attack surface means the probability of detecting security threats due to operational mistakes (misconfigurations and the like) also doubles. This makes automation and good processes twice as valuable.
It's also important to be aware that IPv6 security features in many products still have not been fully tested. Vendors are trying to catch up. This makes it more important to have clear product requirements at purchase time, to test the products and to push vendors to be ready and consistent in the quality of their IPv6 support.
IPv6 security is a rapidly evolving technology domain. In order to understand and properly mitigate IPv6-specific risks, education and continued monitoring of technology and best practices developments become critical.
Compliance might also become an issue if the IPv6 deployment provides a less secure backdoor and compromises the security of the overall environment. Staying current with new developments in compliance is essential.
The key takeaway, however, is this: Yes, you need to address IPv6 security diligently, but do not let IPv6 security concerns, often media-hyped, deter you from enabling it in your cloud infrastructure. IPv6 is the current plan of record for next-generation IT infrastructures. Period.
This was first published in March 2013