TippingPoint Digital Vaccine Laboratories

Everything old is new again (again)!


It's a testament to the design of version 4 of the Internet Protocol that it has scaled from a network of a few dozen hosts to a globe-spanning network indispensable to hundreds of millions of people.

But, like all good things, the reign of IPv4 is coming to an end, and the reason is plain necessity: large swaths of the world are running out of IP address space. The United States federal government has mandated that all its systems be capable of supporting IPv6 by 2008, and operating system and networking equipment vendors are scrambling to make sure they're prepared for the latest and greatest Internet protocol.

What's interesting is that this has all the hallmarks of a major security SNAFU: rapid and urgent deployment, large amounts of new code, lack of experience with configuration and management, and a protocol that has yet to be truly tested in the wild and dirty underbelly of the Internet.

It's therefore not surprising that some old vulnerabilities, as well as some new ones, have cropped up in common implementations of IPv6. Does anyone remember the LAND attack? It was simple in both concept and execution: send a spoofed IP packet carrying the same IP address as both its source and its destination. The target machine attempts to respond to the "source" with an unreachable message. Since that address is its own, the response arrives right back at the host that just sent it, which responds again, and soon you have an infinite loop.

The LAND attack was originally discovered eleven years ago, back in 1997. To put that into perspective: it was discovered before Windows 98 was released. It was fixed relatively quickly (Windows 98 itself, for example, wasn't affected).

LAND would have been relegated to the annals of history were it not for an episode that is humorous in retrospect: Windows XP and early versions of Vista were vulnerable, not to the IPv4 LAND attack, but to the same attack over IPv6. It was the same design oversight, committed again, and resulting in the same vulnerability.

Another excellent example: IPv4 supported "loose source routing". In certain circumstances this protocol option made it trivial to spoof packets so that they appeared to come from a trusted IP address. IPv6 included an extremely similar mechanism, the Type 0 Routing Header. It's another example of the same design oversight rearing its ugly head, this time making denial-of-service attacks extremely easy.

(As an aside: the Type 0 Routing Header has essentially been excised from IPv6. It's still officially part of the protocol, but several implementations neither respond to it nor process it at all.)
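The two conditions described above, a LAND-style packet whose source equals its destination (in either IP version) and an IPv6 packet carrying a Type 0 Routing Header, are easy to flag from the raw header bytes. The following detector is an added example written for this post, not code from DVLabs or from the post itself; the sample packets it checks are constructed inline (headers only, zero checksums) and the walk over IPv6 extension headers assumes the three header types listed, which share one length encoding.

```python
import ipaddress
import struct

IPV6_ROUTING_HEADER = 43        # Next Header value of the Routing extension header
IPV6_EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options: same length encoding

def parse_ip_header(pkt: bytes) -> dict:
    """Pull version, source, destination and (IPv6 only) the routing-header type from a raw IP packet."""
    version = pkt[0] >> 4
    if version == 4:
        return {"version": 4, "src": ipaddress.IPv4Address(pkt[12:16]),
                "dst": ipaddress.IPv4Address(pkt[16:20]), "rh_type": None}
    if version == 6:
        next_hdr, off, rh_type = pkt[6], 40, None
        # Each extension header in the set above stores its successor's Next Header
        # in byte 0 and its own length in 8-octet units (minus one) in byte 1.
        while next_hdr in IPV6_EXT_HEADERS:
            if next_hdr == IPV6_ROUTING_HEADER:
                rh_type = pkt[off + 2]            # Routing Type field of the Routing Header
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        return {"version": 6, "src": ipaddress.IPv6Address(pkt[8:24]),
                "dst": ipaddress.IPv6Address(pkt[24:40]), "rh_type": rh_type}
    raise ValueError("not an IPv4 or IPv6 packet")

def classify(pkt: bytes) -> list:
    """Return the findings for one packet: LAND-style addressing and/or a Type 0 Routing Header."""
    h = parse_ip_header(pkt)
    findings = []
    if h["src"] == h["dst"]:
        findings.append(f"LAND (IPv{h['version']}): source == destination {h['src']}")
    if h["rh_type"] == 0:
        findings.append("IPv6 Type 0 Routing Header present")
    return findings

# Constructed sample packets for testing the detector: headers only, checksums left zero.
def build_ipv4(src: str, dst: str) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_ipv6(src: str, dst: str, rh0: bool = False) -> bytes:
    ext, next_hdr = b"", 6                        # Next Header = TCP when no extension header
    if rh0:                                       # 8-byte Routing Header: next=TCP, len=0, type=0, segs=0
        ext, next_hdr = struct.pack("!BBBB4x", 6, 0, 0, 0), IPV6_ROUTING_HEADER
    base = struct.pack("!IHBB16s16s", 0x60000000, len(ext), next_hdr, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return base + ext

if __name__ == "__main__":
    for name, pkt in [("v4 normal", build_ipv4("192.0.2.1", "192.0.2.2")),
                      ("v4 LAND", build_ipv4("192.0.2.2", "192.0.2.2")),
                      ("v6 LAND+RH0", build_ipv6("2001:db8::1", "2001:db8::1", rh0=True))]:
        print(name, classify(pkt) or ["ok"])
```

The same two checks are what a packet filter or IDS rule would express, with the caveat that the extension-header walk must be bounded on real traffic, since a malformed length field could otherwise push the offset past the end of the packet.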

I have the sinking suspicion that a lot of IPv6 deployments are going to be like this. Not necessarily with old IPv4 bugs simply translated to the IPv6 world, but with a whole new slew of bugs. It took many years for all the bugs to be worked out of common IPv4 implementations.

Bugs in protocol implementations happen all the time, but IPv6 is something that's going to be everywhere. A bug in some web server's implementation of HTTP is catastrophic, but it only affects web servers. A flaw in an implementation of IPv6 has the potential to affect every single machine on the Internet. Already several denial-of-service and remote code execution vulnerabilities have been found in IPv6 implementations from vendors like Microsoft and Cisco. Even the mighty OpenBSD (widely considered to be the most secure of the general purpose operating systems) had a remote code execution bug in its implementation of IPv6.

Part of me (the optimistic part) hopes that most of the bugs will be found before IPv6 is truly widely adopted. I mean, after all, we as a community are far more security conscious today than we were ten years ago. However, I don't know if that security consciousness is enough to overcome the rapidity with which IPv6 is going to have to be deployed, or the inexperience of the network administrators who are going to have to configure this newfangled protocol.

I hope everyone out there shares my cautious optimism. I'd love to hear (via the little comment box below) any experiences you've had security-wise with deploying IPv6 within your organization.


Tags: ipv6
Published On: 2008-07-21 15:51:14
