
How IPv6 deployment affects the security of IoT devices

IPv6 deployment is looming, but what does this mean for the security of IoT devices? Expert Fernando Gont explains.

IPv6, the successor to the IPv4 protocol, will provide vast address space to enable the present and future growth of the internet.

IPv6 is usually seen as a key enabling technology for the internet of things, since it can easily accommodate the growing number of smart sensors connecting to the internet. However, the security interactions between IPv6 and IoT devices are generally overlooked, as is the inadvertent shift in the security model of IoT devices that IPv6 deployment may bring about.

Inside the I of IoT

The de facto basic security architecture for most networks consists of an internal network connected to the public internet via a network address translation (NAT) device. The NAT device not only allows a single address -- or a group of addresses -- to be shared among multiple systems on the internal network but, as a side effect, also enforces a security policy that allows only outgoing communications: because the NAT only has translation state for connections it saw leave the internal network, it has nowhere to forward an inbound packet that does not belong to such a connection. That is, outgoing communications, such as TCP connections initiated from the internal network to the public internet, are allowed, while communications initiated from the public internet to the internal nodes are blocked.

Many protocols and applications assume that both the nodes on the internal network and the internal network itself can be trusted, while any networks and nodes outside of the internal network cannot. As a result, most smart devices employ two different sets of protocols: one set of insecure protocols that operate on the local network, and another, typically secured set that operates across the internet.

On the local network, smart devices typically employ simple proprietary protocols lacking authentication, authorization and confidentiality. In some cases, operation and management functions that require no authentication, or that rely on default credentials the user rarely changes, are also exposed via a web or telnet interface. This is bad for the security of IoT devices, as witnessed in the October 2016 IoT distributed denial-of-service attack by the Mirai botnet, which was built from devices running default credentials. On the other hand, operation over the internet frequently relies on a cloud service provided by the device vendor, with communication carried out over HTTPS.

Thus, these smart devices operate on the assumption that the local network is trusted, while the external network -- the internet -- is not. This model is certainly questionable, since having access to the local network need not imply permission to operate local smart devices. At the very least, however, a border between the trusted and untrusted networks must be enforced. For some simple network setups and scenarios, one may get away with this model.

The impact of IPv6 deployment on the security of IoT devices

As mentioned earlier, the main driver for IPv6 deployment is its vast address space, which can accommodate the present and foreseeable future growth of the internet and internet-connected devices.

Because IPv6 addresses are plentiful, IPv6 nodes are provisioned with at least one globally unique address, so NAT is no longer needed and is likely to disappear. With it goes the filtering policy it enforced as a side effect: unless an explicit stateful filter is deployed at the border, communication between internal and external systems is no longer policed by the network.

In fact, the distinction between internal and external networks may disappear altogether if a filtering policy is not enforced at the network border. While this could have potential benefits -- for example, for peer-to-peer applications, in which unsolicited inbound communications are common -- this clearly comes at the expense of increased attack exposure.

Unless explicit measures are taken, IPv6 deployment could result in all the internal nodes of a network becoming directly reachable from the public internet. This would mean, for example, that single-packet attacks, such as the IPv6-based ping of death, could be readily exploited against IoT devices that would previously have been shielded by the NAT. In addition, protocols that have been engineered to operate on a local trusted network may inadvertently end up operating on the untrusted public internet.

Does IoT really need IPv6?

When it comes to IPv6 and IoT, many believe that IPv6 is required for IoT to unleash its full potential. However, it is interesting to analyze the extent to which IPv6 -- and, in particular, global addressing and any-to-any connectivity -- may be required for IoT.

In the IPv4 world, the use of private address space can be problematic for a number of reasons, such as when networks employing overlapping private address space need to be merged or interconnected. Provisioning all devices with global addresses avoids this and other associated problems -- although the unique local address (ULA) space, fc00::/7, defined in RFC 4193, could be used with similar results: ULA prefixes carry a randomly generated 40-bit global ID, which makes them statistically unique, while remaining of local scope and not routable on the public internet.
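To make the address-scope distinction above concrete, here is an added Python example (not from the original article) that parses constructed `ip -6 addr`-style output and reports which hosts hold global unicast addresses, i.e. the hosts that would be directly reachable from the internet if the border router did no filtering. The hostnames and addresses are constructed; 2001:db8::/32 is the IPv6 documentation prefix.

```python
"""Audit which IPv6 addresses on an IoT segment are globally reachable.

Added example, not code from the original article. Classifies each address
by scope so an operator can see which devices hold global unicast addresses
(directly reachable without a border filter) versus ULA or link-local ones.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed sample, modelled on `ip -6 addr show` output. Note that the
# Linux kernel labels ULA addresses "scope global" as well, which is exactly
# why classifying by prefix rather than by that label matters.
SAMPLE = """\
camera-01  inet6 2001:db8:4ac0:1::a1/64 scope global
camera-01  inet6 fd12:3456:789a:1::a1/64 scope global
camera-01  inet6 fe80::a1:1/64 scope link
thermostat inet6 fd12:3456:789a:1::b2/64 scope global
thermostat inet6 fe80::b2:1/64 scope link
gateway    inet6 2001:db8:4ac0:1::1/64 scope global
gateway    inet6 fe80::1/64 scope link
"""

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ULA = ipaddress.IPv6Network("fc00::/7")      # RFC 4193; fd00::/8 is the locally assigned half
GLOBAL = ipaddress.IPv6Network("2000::/3")   # the currently allocated global unicast range

LINE = re.compile(r"^(\S+)\s+inet6\s+([0-9a-fA-F:]+)/(\d+)")


def classify(addr: str) -> str:
    """Return 'link-local', 'ula', 'global' or 'other' for one IPv6 address."""
    ip = ipaddress.IPv6Address(addr)
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "ula"
    if ip in GLOBAL:
        return "global"
    return "other"


def parse(text: str) -> list[tuple[str, str, str]]:
    """Return (host, address, scope) for every 'inet6' line in the text."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            host, addr, _plen = m.groups()
            out.append((host, addr, classify(addr)))
    return out


def internet_reachable(text: str) -> dict[str, list[str]]:
    """Map each host with at least one global unicast address to those addresses.

    Without a stateful filter at the border these are the hosts an attacker
    can address directly. ULA-only hosts are not routable beyond the site and
    link-local-only hosts not beyond their link, so they are left out.
    """
    reach: dict[str, list[str]] = {}
    for host, addr, scope in parse(text):
        if scope == "global":
            reach.setdefault(host, []).append(addr)
    return reach


if __name__ == "__main__":
    for host, addrs in internet_reachable(SAMPLE).items():
        print(f"{host}: globally addressable via {', '.join(addrs)}")
```

Run against real output (`ip -6 addr show | awk '{print $NF" inet6 "$2" scope "$4}'` or similar reshaping) the same function tells you which IoT devices on a segment have silently acquired global addresses through SLAAC.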

Regardless of whether global address space is employed, the question arises whether any-to-any connectivity -- including unsolicited inbound communications -- is desirable, as well as the effect it would have on the security of IoT devices. In the IPv4 world, unsolicited inbound communications are blocked as a result of the use of NATs. With the possible disappearance of NATs and their network filtering policies in the IPv6 world, global any-to-any communication can enable increased flexibility -- albeit at the expense of increased attack exposure.

Whether to enforce the same filtering policy for IPv6-based IoT devices will depend on the communications model of the devices in question: whether external entities are expected to poll the IoT devices, or the IoT devices are expected to notify the external entities. If it is the former, the IoT network would need to accept unsolicited inbound communications. If it is the latter, incoming communications can be blocked by the network, while IoT devices remain able to contact external systems as needed.

Since IoT is still an area of active development, it is hard to make any educated prediction regarding which communications model will be preferred. Note, however, that since IoT devices currently operate on IPv4 under the paradigm that only outbound communications are allowed, it is extremely likely that the same paradigm will be employed for IPv6. Thus, the same filtering policy from the IPv4 world should be enforced, explicitly this time, for IPv6-based IoT networks. This is also the default that RFC 6092 recommends for residential IPv6 customer premises equipment: drop unsolicited inbound traffic unless the operator configures otherwise.

A possible way forward

Besides the communications model of the IoT devices, one may also ask whether, when communication from an external network to an IoT network is desirable, it should involve the IoT devices directly, or whether it should go through an intermediary IoT proxy that serves as a gateway between the external network and the IoT devices. Such a gateway is likely to be in better shape security-wise, and is well placed to police traffic to the typically fragile IoT devices.
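The border policy discussed in the previous paragraphs -- the outbound-only behaviour that NAT provided as a side effect, written down as an explicit stateful rule set for globally addressed IPv6 hosts, with the gateway/proxy as the one host accepting unsolicited inbound connections -- as an added Python model, not code from the original article. The segment prefix, addresses, ports and the flow-tuple layout are assumptions made for the example; the set of ICMPv6 error messages that must be let through follows RFC 4890.

```python
"""Stateful 'outbound-only' border policy for an IPv6 IoT segment.

Added example, not code from the original article. Models the filtering that
IPv4 NAT gave for free, as an explicit policy:
  - flows initiated from the LAN are accepted and create state;
  - WAN packets matching that state (the replies) are accepted;
  - other unsolicited inbound packets are dropped, except for the ICMPv6
    error messages IPv6 needs to function (RFC 4890) and an explicit
    allow-list, here the IoT gateway/proxy's HTTPS service.
"""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.IPv6Network("2001:db8:4ac0:1::/64")   # assumed IoT segment

# ICMPv6 error types that RFC 4890 says must not be dropped at the border.
ICMPV6_ALWAYS = {1: "destination unreachable", 2: "packet too big",
                 3: "time exceeded", 4: "parameter problem"}

# Explicit exception: only the gateway/proxy takes inbound requests.
INBOUND_ALLOW = {("2001:db8:4ac0:1::1", "tcp", 443)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmpv6"
    sport: int = 0
    dport: int = 0   # for icmpv6 this field carries the ICMPv6 type


class Border:
    """Minimal connection-tracking filter sitting between LAN and WAN."""

    def __init__(self) -> None:
        # (lan_addr, wan_addr, proto, lan_port, wan_port) of LAN-initiated flows
        self.flows: set[tuple] = set()

    def handle(self, pkt: Packet) -> str:
        src_in_lan = ipaddress.IPv6Address(pkt.src) in LAN
        dst_in_lan = ipaddress.IPv6Address(pkt.dst) in LAN

        if src_in_lan and not dst_in_lan:
            # Outbound (device notifies cloud): accept and record state.
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return "accept"

        if dst_in_lan and not src_in_lan:
            # Inbound: only replies, essential ICMPv6 and the gateway service.
            if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows:
                return "accept"
            if pkt.proto == "icmpv6" and pkt.dport in ICMPV6_ALWAYS:
                return "accept"
            if (pkt.dst, pkt.proto, pkt.dport) in INBOUND_ALLOW:
                return "accept"
            return "drop"

        # LAN-to-LAN never crosses the border; anything else is not ours to forward.
        return "accept" if src_in_lan and dst_in_lan else "drop"


if __name__ == "__main__":
    b = Border()
    thermostat, cloud, scanner = "2001:db8:4ac0:1::b2", "2001:db8:ffff::10", "2001:db8:ffff::99"
    print(b.handle(Packet(thermostat, cloud, "tcp", 51000, 443)))   # outbound notify
    print(b.handle(Packet(cloud, thermostat, "tcp", 443, 51000)))   # its reply
    print(b.handle(Packet(scanner, thermostat, "tcp", 40000, 80)))  # unsolicited poll
    print(b.handle(Packet(scanner, "2001:db8:4ac0:1::1", "tcp", 40000, 443)))  # gateway
```

The two models from the text map directly onto this table: a notify model needs nothing beyond the state entries outbound traffic creates, while a poll model needs an entry in `INBOUND_ALLOW`, and the safest place for that entry is the proxy, not each device. A real deployment expresses the same policy with the router's stateful firewall (nftables `ct state established,related`, or the equivalent on the CPE) rather than in Python.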

The vast IPv6 address space accommodates the present and foreseeable future growth of the internet. Unless concrete actions are taken, however, IPv6 deployment may inadvertently weaken the security of IoT devices by increasing their exposure.

Whether that increased exposure is warranted will depend on the communications paradigm employed by the IoT devices. As a rule of thumb, block communication unless it is actually required.


This was last published in October 2017

Hi Fernando, Thanks for the interesting article.
Ironic that conventional wisdom has held that IoT will drive IPv6 adoption, but maybe IoT will hinder IPv6 adoption?

There is an old argument that NAT ruined the flatness of the internet and revoked true endpoint-to-endpoint packet flow. And that the loss of flatness has resulted in the loss of applications that would have flourished in a flat environment.

But IPv6 would restore flatness to the internet! Would enable those lost applications! And would finally rid the world of the flaky kludge that was NAT.

Except that NAT worked, and continues to work. And NAT virtually increased the IPv4 address space, obviating the only real motivation for IPv6, which is increased address space (and flatness!).

And now NAT is so baked-in-the-cake that security assumptions of IoT devices in an IPv4NAT environment are problematic in an IPv6 flat environment.

What is the answer? Better use of IPv6 firewalls, I suppose, to maintain that LAN/WAN boundary to which we have grown so accustomed.

Mike Burns

You know for sure that NAT does not provide real protection from internal attacks on the "internal" (hence "secure" cough cough) network => so, the 'things' of IoT MUST anyway become more resistant (and I agree they are not now). Moreover, it is not NAT which "protects" but rather the fact that inbound connections are blocked which could also be done by an IPv6 firewall (being on the 'thing' or in a router somewhere).

The suggested approach of a gateway/proxy is indeed the common one and is a nice location to apply security. All large-scale deployments of IoT (with thousands or millions) are using this approach. IoT is a vast landscape from your 10 EUR camera to 1000 EUR endpoints ;-)

Finally, I am afraid that if cheap IoT devices are only protected by NAT, then IoT security will never increase.

This article displays a fundamental misunderstanding of IPv6 addresses. By default each device will get a non-routable link local address. Note: non-routable. These are not addressable outside of that link. The next step up is unique site local addresses which can be assigned by the organisation, and addressed and routable within that organisation's space. This article assumes the third type, unique global. Usually you have to buy these, and it is most unlikely that IoT devices will have such addresses. That is, they won't be visible on the internet, to general firewalls etc, unless specifically configured to be so.

Just found this paper which is about Windows pushing Mirai code into IoT behind a NAT...

Clearly, NAT44 does not protect your IoT device. So, let's move to IPv6 ;-)