Welcome to World IPv6 Day. I hope yours is going better than mine -- I have a UTM from a vendor that's lagging woefully behind the IPv6 curve -- but I've yet to hear of any major problems due to the global testing taking place. That's a good thing, but I don't come here today to praise IPv6, but to worry about it. That's because the transition from IPv4 to IPv6 has some potentially serious security "gotchas," and they start with three little letters: NAT.
Network Address Translation (NAT) is the crutch that has kept IPv4 hobbling along as well as it has for the last few years. With NAT, a single IP address on the outside interface of the router is matched to a whole network's worth of IP addresses on the inside interface. Translating requests and traffic between the one and the many is handled by the router itself. It's a decent way to magnify the address space of the Internet, but some folks have decided it's good for more than addressing -- it's also a security feature. That has led to the opening line of many a Router Guy's speech to the masses: NAT is NOT Security.
There are a surprising number of folks who will tell you that a NAT network is inherently more secure because the address of each machine is not directly exposed on the Internet. That's true, if you assume that anyone attacking your network is lazy, stupid, and incompetent. Think of it as the electronic equivalent of hanging one of those fake "security system installed" decals in your car window, and you're on the right track. Reaching through the router to a machine on the inside is trivial once you've installed a piece of software delivered via email or web application, so you're really only stopping some fairly basic port scans. But that doesn't stop a lot of companies from including it as part of the "security program."
The security aspect of NAT, such as it is, may disappear completely with IPv6. Why? Since IPv6 has a sufficiently large address space to give every user about as many addresses as exist on the Internet today, NAT just isn't necessary. That means network designers won't be able to include it as part of their security designs (that's a good thing) and will have to deal with each machine having an address that's exposed to the Internet as a whole.
It would be easy, or at least easier, to be confident in the brave new world of NAT-less security if we could be confident in the IPv6 implementations themselves. Unfortunately, there are indications that many of the networking stacks (the software that binds the addressing to the physical interface) for IPv6 and for the IPv6 transition mechanisms are not as robust as we might hope. The combination of a new internal/external network dynamic and immature network stacks could lead to serious security problems for companies making the transition, if they don't pay special attention to both.
The big news in this for IT shops is two-fold. First, if you're depending on NAT for any sort of security, stop it -- now. Next, when you're planning the transition to IPv6, be sure to prepare for vulnerabilities in networking components you've come to think of as stable -- components like the TCP/IP stack. Those two actions alone will go a long way toward keeping your network more secure during the long transition to IPv6.
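As an added example (not from the original post), this is what replacing the implicit inside/outside boundary that NAT gave you with an explicit one looks like on an IPv6 edge router, written as an nftables ruleset; the interface names and the 2001:db8: addresses are assumptions. The weak setting it corrects is a forward chain left at `policy accept` on the theory that "the router hides the inside anyway" -- with globally routable addresses on every host, that chain is the only thing between the Internet and your desktops.

```nft
# Added example, not the author's configuration. Interface names and the
# 2001:db8::/32 documentation-prefix addresses are assumptions; substitute
# your own.
define WAN = "eth0"
define LAN = "eth1"

table ip6 edge {
    chain forward {
        # Default deny for traffic crossing the router. Under IPv4 NAT this
        # was implicit (no mapping, no delivery); under IPv6 it must be stated.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the inside initiated. This stateful behaviour
        # is what people mistook for "NAT security" in IPv4.
        ct state established,related accept
        ct state invalid drop

        # Inside hosts may open outbound connections.
        iifname $LAN oifname $WAN accept

        # IPv6 depends on ICMPv6 for path MTU discovery and error signalling;
        # dropping it wholesale breaks connectivity, so allow the needed types.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem,
                      echo-request, echo-reply } accept

        # Publish only what is meant to be reachable from outside, host by
        # host and port by port (constructed example: one web server).
        iifname $WAN ip6 daddr 2001:db8:1::80 tcp dport { 80, 443 } accept

        # Everything else arriving from the WAN falls through to the drop
        # policy; log a rate-limited sample so the drops are visible.
        iifname $WAN limit rate 5/minute log prefix "ip6-fwd-drop: "
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that the forward chain reports `policy drop`; a chain that still shows `policy accept` is the IPv4-era assumption carried over unchanged.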