Does supporting both IPv4 and IPv6 in a multi-tenant cloud introduce any unique security concerns? If we choose not to deploy IPv6 in our cloud, is there a way hackers can exploit that in a multi-tenant environment?
Let's settle one issue up front: While IPv6 security has several IPv6-specific security considerations, it is neither a less nor a more secure protocol than IPv4, with most challenges coming from vendor support constraints.
In the case of a dual-stack deployment (IPv4 and IPv6 operating over the same links), the attack surface for this type of environment will approximately double. The defense mechanisms, however, are pretty similar. In a properly architected environment, the infrastructure manager simply needs to apply the same security principles to the IPv6 part of the infrastructure -- isolation, control plane protection, monitoring and so on -- that are already applied to IPv4 traffic.
From an implementation perspective, it's advisable to match the security policies in place for IPv4 and then address the IPv6-specific threat vectors, which can, for example, present hackers with new ways to drive distributed denial-of-service (DDoS) attacks.
In this context, implementers face many new challenges. For instance, doubling the attack surface means the probability of detecting security threats due to operational mistakes (misconfigurations and the like) also doubles. This makes automation and good processes twice as valuable.
It's also important to be aware that IPv6 security features in many products still have not been fully tested. Vendors are trying to catch up. This makes it more important to have clear product requirements at purchase time, to test the products and to push vendors to be ready and consistent in the quality of their IPv6 support.
IPv6 security is a rapidly evolving technology domain. In order to understand and properly mitigate IPv6-specific risks, education and continued monitoring of technology and best practices developments become critical.
Compliance might also become an issue if the IPv6 deployment provides a less secure backdoor and compromises the security of the overall environment. Staying current with new developments in compliance is essential.
The key takeaway, however, is this: Yes, you need to address IPv6 security diligently, but do not let IPv6 security concerns, often media-hyped, deter you from enabling it in your cloud infrastructure. IPv6 is the current plan of record for next-generation IT infrastructures. Period.
Related Q&A from Ciprian Popoviciu
Many new technologies are driving the need for IPv6 deployment, and the Internet of Things may be the biggest driver. IPv6 expert Ciprian Popoviciu ...continue reading
If services providers want to improve their cloud services and build large-scale cloud infrastructures, they must look to IPv6. IPv6 expert Ciprian ...continue reading
As the transition to IPv6 looms, the need for OpenStack to be IPv6-ready is greater than ever. Expert Ciprian Popoviciu explains the steps being ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.