IPv6 and cybercrime – what’s the story?

I’ve recently returned from the Australian IPv6 Summit 2010 in Melbourne, where I was invited to give a talk about IPv6 and cybercriminality.

Does switching to IPv6 have the handy side-effect of kicking the Bad Guys in the teeth at the same time?

In case you don’t know, IPv6 is a replacement for our current internet connectivity protocols. The changes are conceptually simple – instead of the 32-bit IP number your computer is equipped with today, you use a 128-bit number. The problem with 32-bit numbers is that, in 32 binary digits, you can only count up to about four thousand million. At that point, the count wraps ambiguously back to zero – much as a car’s odometer does after 99,999 or 999,999 miles.

It seems crazy to believe that there could ever be more than 4,000,000,000 devices on-line. (In practice, the actual IPv4 maximum is well short of that – not every number can legally be used – but 4 billion is a convenient value, since it is an absolute upper bound.)

But 4 billion concurrently-connected internet devices is not only a possible event, it’s highly likely.

Apple, for example, shifted something like 1,000,000 iPads in the first month of sales. That’s just one type of device from one vendor going on-line in one month. And the iPad is expressly designed to live on-line. So is every modern laptop, netbook and phone sold. In the future, these devices will be joined on-line by cars, traffic lights, road signs, airport noticeboards, washing machines, TV remotes, power outlets, children’s toys, and much, much more.

Before you criticise the IPv4 designers for short-sightedness, remember that each IP packet needs to carry both the sender’s and the recipient’s IP number. So longer numbers mean that more of your bandwidth goes on protocol overhead – even for the simplest packets. So IPv4 was an excellent compromise between address space and packet size when it was introduced. But IPv6 offers a way to escape from that 4-billion limit by offering a very much larger address space.

IPv6 is quite different from IPv4, and is not directly compatible with it. Backwards compatibility is usually very useful, but almost always requires unhealthy or annoying compromises in design. Another difference is that features such as safety, privacy and security were built into IPv6 from the start, whereas they are acheived though extensions or add-ons in the IPv4 world.

For this reason, you occasionally hear cries that IPv6 represents a brave new security world for its early adopters. Network worms? Spam? Cybercriminality? All a thing of the past!

This isn’t true, of course. Whilst IPv4 and IPv6 are incompatible at packet level, they can co-exist perfectly on your network. This makes migration much easier and less expensive than some IPv6-naysayers might lead you to believe, but it also means that we will have to live with the sins of the past for as long as IPv4 remains in use on anything but a minority of networks.

Also, since IPv6 is aimed at improving end-to-end internet connectivity, and since an awful lot of cybercriminality relies on social engineering, or plain trickery, to persuade users to infect themselves, the network infrastructure on its own will never be enough to sort out the cybercrooks. A better, quicker network may actually increase your exposure to cybercriminality.

Nevertheless, the intrinsic support in IPv6 for safety, privacy and security means that when we get around to “sixing” our own networks, we have an opportunity to build all of those features into our attitudes and our corporate DNA at the same time.

In short, let’s learn to see privacy and security as part of our organisational value, rather than merely part of the cost of doing business.