The Cybersecurity and Infrastructure Security Agency enhanced its Trusted Internet Connections (TIC) 3.0 program to support the implementation of IPv6 across all federal IT systems with draft guidance issued Thursday.
IPv6’s 340 undecillion Internet Protocol (IP) addresses solve the problem of IPv4 having run out of readily available addresses in 2015, while supporting the end-to-end visibility and microsegmentation agencies need to implement zero-trust security.
The Office of Management and Budget renewed its 2005 pledge to transition federal networks to IPv6 with a 2020 memo, in which CISA was tapped to address the expanded cyber threat landscape the transition presents by issuing guidance for agencies and industry. The draft “IPv6 Considerations for TIC 3.0” is but the first piece.
“IPv6 has its own operational security concerns, and agencies should seek to understand the protocol’s effect on their network security architecture,” reads CISA’s guidance. “Similarly agencies should consider how IPv6 networks may affect their adoption of the TIC 3.0 guidance, as characteristics of the protocol are expected to impact some network management operations.”
CISA’s guidance attempts to align the security objectives and capabilities of the two while remaining architecture agnostic.
A table included in the guidance provides a high-level summary of IPv6 characteristics that might impact TIC 3.0 architectures. For example, the ability of IPv6-addressed devices to communicate directly between trust zones without first passing through a virtual private network (VPN) tunnel opens the door for eavesdropping and injection attacks.
Large IPv6 subnets increase the likelihood that a router can be overwhelmed by address resolution requests (a single /64 holds 2^64 addresses, so a sweep of unused ones forces the router to solicit and cache an entry for each), increasing the opportunity for Neighbor Discovery Protocol (NDP) denial-of-service (DoS) attacks. And NDP router advertisements are vulnerable to spoofing.
Manually addressed hosts may be vulnerable to rogue Dynamic Host Configuration Protocol version 6 (DHCPv6) server attacks that send packets containing malicious IP address assignments to devices. And extension headers that don’t conform to the recommended order or maximum number of repetitions could intentionally confuse or crash performance-enhancing proxies.
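The extension-header point is easiest to see with a checker that walks the chain itself. The script below is an added illustration, not code from the CISA draft or this article: it parses an IPv6 packet's Next Header chain and flags headers that fall outside the recommended order in RFC 8200 section 4.1, headers repeated more often than allowed (each once, Destination Options at most twice), truncated headers, and chains longer than an assumed local limit of eight. The sample packets are constructed inline; the MAX_HEADERS limit and the 2001:db8:: addresses are assumptions for the example.

```python
"""Validate an IPv6 extension-header chain against RFC 8200 section 4.1.

Added example, not CISA's code. Flags out-of-order and over-repeated
extension headers plus truncated or over-long chains, the conditions a
middlebox otherwise has to guess its way through.
"""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop", DEST_OPTS: "Destination Options",
             ROUTING: "Routing", FRAGMENT: "Fragment", AH: "AH", ESP: "ESP"}
UPPER_NAMES = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}

# Position in the RFC 8200 recommended order. Destination Options is special:
# rank 1 when it precedes the Routing header, rank 6 when it is the last
# header before the upper-layer protocol.
RANK = {HOP_BY_HOP: 0, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}
MAX_HEADERS = 8  # assumed local policy limit, not an RFC value


def parse_extension_chain(packet: bytes) -> dict:
    """Walk the Next Header chain; return header names, upper-layer name and findings."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack_from("!H", packet, 4)[0]
    end = min(len(packet), 40 + payload_len)
    next_hdr, offset = packet[6], 40
    chain, findings, counts, max_rank = [], [], {}, -1

    while next_hdr in EXT_NAMES:
        name = EXT_NAMES[next_hdr]
        if len(chain) >= MAX_HEADERS:
            findings.append(f"extension chain longer than {MAX_HEADERS} headers")
            return {"chain": chain, "upper_layer": None, "findings": findings}
        chain.append(name)
        counts[next_hdr] = counts.get(next_hdr, 0) + 1

        # Order check: ranks must never decrease along the chain.
        if next_hdr == DEST_OPTS:
            rank = 1 if counts[next_hdr] == 1 and max_rank <= 1 else 6
        else:
            rank = RANK[next_hdr]
        if rank < max_rank:
            findings.append(f"{name} out of recommended order")
        max_rank = max(max_rank, rank)

        # Repetition check: once each, Destination Options at most twice.
        limit = 2 if next_hdr == DEST_OPTS else 1
        if counts[next_hdr] == limit + 1:
            findings.append(f"{name} repeated more than {limit} time(s)")

        if next_hdr == ESP:
            # ESP carries no readable Next Header; nothing after it is inspectable.
            return {"chain": chain, "upper_layer": None, "findings": findings}
        if offset + 2 > end:
            findings.append(f"{name} header truncated")
            return {"chain": chain, "upper_layer": None, "findings": findings}
        if next_hdr == FRAGMENT:
            hdr_len = 8                               # fixed-size header
        elif next_hdr == AH:
            hdr_len = (packet[offset + 1] + 2) * 4    # length in 4-octet units minus 2
        else:
            hdr_len = (packet[offset + 1] + 1) * 8    # length in 8-octet units minus 1
        if offset + hdr_len > end:
            findings.append(f"{name} header truncated")
            return {"chain": chain, "upper_layer": None, "findings": findings}
        next_hdr, offset = packet[offset], offset + hdr_len

    return {"chain": chain,
            "upper_layer": UPPER_NAMES.get(next_hdr, f"protocol {next_hdr}"),
            "findings": findings}


def build_packet(ext_headers, upper=6) -> bytes:
    """Constructed sample: IPv6 header, minimal extension headers, 8-byte upper-layer stub."""
    chain_types = list(ext_headers) + [upper]
    body = b""
    for i, t in enumerate(ext_headers):
        nxt = chain_types[i + 1]
        if t in (HOP_BY_HOP, DEST_OPTS):
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])          # one PadN option
        elif t == ROUTING:
            body += bytes([nxt, 0, 4, 0, 0, 0, 0, 0])          # empty segment routing header
        elif t == FRAGMENT:
            body += bytes([nxt, 0]) + struct.pack("!HI", 0, 0x1234)
        elif t == AH:
            body += bytes([nxt, 1, 0, 0]) + struct.pack("!II", 0x100, 1)
        elif t == ESP:
            body += struct.pack("!II", 0x200, 1)               # SPI and sequence only
    body += bytes(8)
    src = bytes.fromhex("20010db8" + "0" * 22 + "01")           # 2001:db8::1 (assumed)
    dst = bytes.fromhex("20010db8" + "0" * 22 + "02")           # 2001:db8::2 (assumed)
    return struct.pack("!IHBB", 0x60000000, len(body), chain_types[0], 64) + src + dst + body


if __name__ == "__main__":
    for label, hdrs in [("conforming", [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, DEST_OPTS]),
                        ("hop-by-hop not first", [DEST_OPTS, HOP_BY_HOP]),
                        ("three dest-opts", [DEST_OPTS] * 3)]:
        print(label, parse_extension_chain(build_packet(hdrs)))
```

The order rule is deliberately a monotonic rank check rather than a fixed template, so a chain that omits headers (for example Fragment followed directly by a final Destination Options) still passes, while a Hop-by-Hop header that is not immediately after the IPv6 header, or a Routing header after a Fragment header, is reported.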
CISA’s guidance proposes mitigations for these and other potential conflicts between IPv6 and TIC 3.0.
The public has until Friday, Oct. 15 to comment on the draft document. CISA is particularly interested in being alerted to IPv6-TIC 3.0 considerations and security challenges it may have missed, as well as more targeted guidance agencies would find helpful.
“As the TIC program continues to identify and evolve the security capabilities to secure the .gov, additional modernization and technology areas may be identified to guide the federal government,” reads CISA’s guidance. “IPv6 offers a wide variety of benefits that opens opportunities to leverage other emerging technologies and concepts.”