The World After IPv6 Day: A Conversation with Comodo's Paul Lee
We’re happy to report the Internet is still standing nearly a week aftering heavyweights like Google and Facebook – enabled the much talked-about IPv6 standard on their websites. Overall, no major outages were reported. Now what? Well, Facebook plans to leave its developer site dual-stacked, supporting both IPv4 and IPv6 and Google will enable IPv6 access for only the users of its Google over IPv6 program.
VPN Haus: Can you tell me how Comodo enabled its main page to IPv6 enabled?
Paul Lee: We implemented dual stack on both the webservers (our NGINX platform that runs them), the kernel of said machines, firewalls and all of our core and edge Juniper comms equipment. We used GRE tunnels internally. [Comodo enabled 22 sites, in addit
VPN Haus: What are the key issues and lessons that came to light as a result of this experiment – both for Comodo and on a higher-level for all participating organizations?
Lee: When taking full routes from upstream providers, IPv6 has a lot more address space and so simple things like more RAM for routers is needed to hold the greater number routes (as IPv6 adoption takes hold, this will be a bigger problem). Ensuring that
We learned that adoption is very small at the moment, with a greater proportion of users in Japan, due to their poorer IPv4 to headcount ratio (hence a greater incentive to adopt than the U.S.).
VPN Haus: How has Comodo been preparing for IPv6?
Lee: Ensuring routers are compliant, upgrading Linux kernels to handle IPv6, procuring IPv6 transit links from upstreams and testing (some upstreams see more routes than others…you know who you are!) and ensuring content and applications are not hardcoded
VPN Haus: Do you think security risks around IPv6 are overrated? Isn’t this more of an infrastructure issue right now?
Lee: The long overlap period of dual stack networking will undoubtedly increase the potential for security vulnerabilities, due to the necessary interaction of two separate fundaments, each with their own specific security problems. It must be said though
Aside from the problems a dual stack environment causes, this issue of security is one of my personal interests in the change. As you know, IPv4 uses NAT extensively. It is a widely held assertion that NAT will protect a network / endpoint better than a machine on the end of a routable IP. I would voice a rebuttal to this, in that any basic firewall rule which tracks and requires an associated outbound connection to be present for an inbound connection to be allowed will give one the same security as NAT. I can see that some may believe that there will be the same issues as the consumer would have with Home Wireless Security (i.e. that home routers were shipped without security initially and likewise, the world will take time to catch up and most home users don't manage their security well), this is where the real lessons will need to be learned.
If people lose the perceived protection of NAT or if they aren't aware or don't want to have to be aware of their firewall rules, security will be pushed to the edge, people will be encouraged to take responsibility of their own security at the point which matters to them, their machine. Empowering people to secure their own machine, not trusting that somehow their cafe wireless Internet connection is protecting them, will be the word of the day and I welcome that day.
VPN Haus: Does IPv6 still require IPsec? If not, why was that change made and what impact will that have on IPv6 security?