IPv6 security - a new playing field in Nigeria
By Mark McCallum, CIO, Orange Business Services
The slow migration of African countries from Internet Protocol Version 4 (IPv4) to Internet Protocol Version 6 (IPv6) has become a source of concern in the region. Even Nigeria, boasting West Africa’s largest economy, has been slow in adopting the new Internet protocol, which could undermine efforts to secure online transactions and develop the Internet in the region.
The Internet Assigned Numbers Authority (IANA) is the entity responsible for handing out IP addresses for the Internet. IANA has already run out of IPv4 addresses, which means that each region around the world will soon be out of addresses to allocate, making the migration to IPV6 a must for all businesses, especially those operating across borders.
IPv6 being the most recent version of the Internet Protocol (IP), provides an identification and location system for computers on networks and routes traffic across the Internet. Mark McCallum, CIO, Orange Business Services states, “IPv6 was developed to deal with the long-anticipated problem of the exhaustion of IPv4, by using a longer set of numbers to allow more devices to connect to the Internet, and offer more security than the previous version. This is vital for Nigeria, as it continues to be an area of interest for multinational businesses looking to move into and invest in Africa.”
In a Nigerian context
IPv6, as a solution to the IP address problem, is not a new standard, but one that has been largely ignored in recent years due to still having so many IPv4 addresses left. Countries continuing to ignore IPv6 could cause themselves a number of potential problems including inability to migrate to IPv6 when there is no longer a choice, complete loss of connectivity with the Internet, and no longer being competitive with other organisations whose systems are primed for IPv6 and ready to move to the next generation of Internet addressing and use.
According to a Nigerian IPv6 Council survey (2015), only four telecommunications networks out of over a hundred autonomous systems are currently using the latest communications protocol in Nigeria. “IPv6 will open a sum of Internet addresses larger than a total of IPv4 addresses, and if not adopted soon enough, end-to-end connectivity as required by specific applications will not be universally available on the internet until IPv6 is fully implemented. Furthermore, the implementation of IPv6 ready networks is critical in addressing the current cyber crime statistics in the Nigerian market, as these are a concern for those businesses currently operating and those looking to operate the region,” explains McCallum.
The imminent arrival of IPv6
IPv6 offers a significantly larger pool of addresses by using 128-bit addresses: 340 undecillion (3.4×1038), compared with the 4.3 billion available in 32-bit IPv4 addresses. This extended pool provides scalability, but also introduces additional security by making host scanning and identification more challenging for attackers. IPv6 also provides a range of benefits in terms of network integrity and performance.
IPv6 also supports more-secure name resolution. The Secure Neighbor Discovery (SEND) protocol is capable of enabling cryptographic confirmation that a host is who it claims to be at connection time. This renders Address Resolution Protocol (ARP) poisoning and other naming-based attacks more difficult. And while not a replacement for application- or service-layer verification, it still offers an improved level of trust in connections. With IPv4 it’s fairly easy for an attacker to redirect traffic between two legitimate hosts and manipulate the conversation or at least observe it. IPv6 makes this very hard. This added security depends entirely on proper design and implementation, and the more complex and flexible infrastructure of IPv6 makes for more work. Nevertheless, properly configured, IPv6 networking will be significantly more secure than its predecessor, addressing many cyber crime and Internet security concerns in Nigeria.
Assessing risk with IPv6
If we assume that total security risk equals the sum of “probability x criticality” for each threat, how does IPv6 measure up? For now, the threats identified for IPv6 do not seem to be evolving very much, so probability is not changing greatly. At the same time, because security products have not fully integrated IPv6 (battery management by the central processing unit as opposed to an Application-Specific Integrated Circuit or ASIC, for example), threats tend to be much more critical. This all means that IPv6 threats are riskier than IPv4 threats—at least during this transition phase. So just managing a simple Transmission Control Protocol flood can become a total nightmare for network and security admins.
Primary IPv6 threats
Take all the IPv4 threats we already know about (spoofing, flooding, denial of service, etc), get rid of a couple (network address translation, Address Resolution Protocol, etc), add a bit of IPv6 (Type 0 Routing Header, IPv4-IPv6 tunneling), and your new technical playing field is up and running. And don’t forget to train security teams, office teams and users if they will be using IPv6 addresses
The Nigerian Internet Registration Association (NIRA) Academy has signed a memorandum of Understanding (MOU) with AFRINIC, one of the world’s five Regional Internet Registries (RIRs) to develop and certify skills in Internet Number Resources Management and Internet Protocol Version 6 (IPV6) in Nigeria.
The future of IPv6
The Association of Telecommunications Companies of Nigeria (ATCON) has expressed worries over the slow migration process from IPv4 to IPv6 in the country. Fortunately, IPv4 and IPv6 can coexist within a network, since the changeover will take years. However, support for both must be maintained in order to utilise them at the same time during the migration process.
“It is important that businesses are aware of the benefits around IPv6 deployment, and if they have not already, that they make this a priority item within their strategies,” concludes McCallum.