Does supporting both IPv4 and IPv6 in a multi-tenant cloud introduce any unique security concerns? If we choose not to deploy IPv6 in our cloud, is there a way hackers can exploit that in a multi-tenant environment?
Let's settle one issue up front: While IPv6 has several protocol-specific security considerations, it is neither less nor more secure than IPv4; most of the challenges come from vendor support constraints.
In the case of a dual-stack deployment (IPv4 and IPv6 operating over the same links), the attack surface for this type of environment will approximately double. The defense mechanisms, however, are pretty similar. In a properly architected environment, the infrastructure manager simply needs to apply the same security principles to the IPv6 part of the infrastructure -- isolation, control plane protection, monitoring and so on -- that are already applied to IPv4 traffic.
From an implementation perspective, it's advisable to match the security policies in place for IPv4 and then address the IPv6-specific threat vectors, which can, for example, present hackers with new ways to drive distributed denial-of-service (DDoS) attacks.
In this context, implementers face many new challenges. For instance, doubling the attack surface means the probability of encountering security threats caused by operational mistakes (misconfigurations and the like) also doubles. This makes automation and good processes twice as valuable.
It's also important to be aware that IPv6 security features in many products still have not been fully tested. Vendors are trying to catch up. This makes it more important to have clear product requirements at purchase time, to test the products and to push vendors to be ready and consistent in the quality of their IPv6 support.
IPv6 security is a rapidly evolving technology domain. To understand and properly mitigate IPv6-specific risks, education and continued monitoring of developments in technology and best practices become critical.
Compliance might also become an issue if the IPv6 deployment provides a less secure backdoor and compromises the security of the overall environment. Staying current with new developments in compliance is essential.
The key takeaway, however, is this: Yes, you need to address IPv6 security diligently, but do not let IPv6 security concerns, often media-hyped, deter you from enabling it in your cloud infrastructure. IPv6 is the current plan of record for next-generation IT infrastructures. Period.
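One way to automate the advice above about matching IPv6 policy to the IPv4 policy already in place is a parity check between the two rulesets. The following is an added example, not part of the original answer; it assumes Linux hosts whose filters are exported with `iptables-save` and `ip6tables-save`, and the sample rulesets and the function names `parse` and `parity_gaps` are constructed for illustration.

```python
import shlex

# Constructed sample rulesets in iptables-save / ip6tables-save format (trimmed).
V4_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

def parse(save_output):
    """Return (chain policies, {(proto, dport): True if every ACCEPT rule has a -s match})."""
    policies, accepts = {}, {}
    for line in save_output.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT"):
            tok = shlex.split(line)
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            if opt.get("-j") == "ACCEPT" and "--dport" in opt:
                key = (opt.get("-p", "any"), opt["--dport"])
                accepts[key] = accepts.get(key, True) and "-s" in opt
    return policies, accepts

def parity_gaps(v4_save, v6_save):
    """List places where the IPv6 policy is weaker than the IPv4 policy."""
    (p4, a4), (p6, a6) = parse(v4_save), parse(v6_save)
    gaps = [f"{c}: default policy {p4[c]} on IPv4 but {p6.get(c)} on IPv6"
            for c in p4 if p4[c] != "ACCEPT" and p6.get(c) != p4[c]]
    for key, restricted in sorted(a6.items()):
        if key not in a4:
            gaps.append(f"{key[0]}/{key[1]}: open on IPv6 only")
        elif a4[key] and not restricted:
            gaps.append(f"{key[0]}/{key[1]}: source-restricted on IPv4, open to any on IPv6")
    return gaps

if __name__ == "__main__":
    print("\n".join(parity_gaps(V4_RULES, V6_RULES)))
```

The check covers only `INPUT` ACCEPT rules that carry a `--dport` match; IPv6-specific rules still need their own review once parity is established.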