
Cybersecurity

IPv6 Is Here: Thoughts for Migrating Your Health Care Organization

BY MICHAEL JOHNSON AND JOSH GARVIN

For so long we have been accustomed to the IPv4 protocol. We have spent countless hours understanding the ins and outs of networking, subnetting and more based on IPv4 addressing. With the ever-changing needs of our society, including more and more devices that require a network connection, the world is running out of available IPv4 addresses. Enter IPv6, the solution to IPv4 address exhaustion.

One of the most exciting differences between IPv4 and IPv6 is the size of the address space. Where IPv4 has roughly 4.3 billion addresses (2^32), IPv6 has more addresses than there are stars in the observable universe. The total is so large that it is hard to comprehend and is best written as 2^128, about 340 undecillion (3.4 x 10^38) addresses, a number that virtually guarantees there will never be a shortage.

The reason IPv6 has so many more addresses is address length. An IPv4 address is 32 bits long, written as four 8-bit blocks in decimal separated by periods. An IPv6 address is 128 bits long, written as eight 16-bit blocks in hexadecimal (the digits 0-9 and A-F) separated by colons; a run of all-zero blocks may be compressed to a double colon (::). The IPv6 header has also been streamlined compared to IPv4: it is a fixed 40 bytes carrying only the fields every packet needs, with optional information moved into extension headers, which reduces the processing a router must do to forward your packets.

IPv6 no longer uses the Address Resolution Protocol (ARP). ARP is replaced by the ICMPv6-based Neighbor Discovery Protocol (NDP). NDP uses Neighbor Solicitation and Neighbor Advertisement messages to resolve a neighbor's IPv6 address to its Layer 2 (MAC) address, and Router Solicitation and Router Advertisement messages so that hosts can find the routers on the link and learn the prefixes in use. NDP therefore gives a host a simple way to learn about the other hosts and the routers on its own subnet. Like ARP, NDP is unauthenticated by default and inherits ARP's spoofing problems; rogue Router Advertisements in particular should be filtered at the switch (RA Guard, RFC 6105) on any segment where you do not control every host.

In IPv4, subnetting is used both to conserve address space and to segment the network. In IPv6 only segmentation matters, and the subnet is carried within the network portion of the address itself. A site typically receives a /48; the next 16 bits (bits 49-64) are the subnet ID, which allows 65,536 (2^16) unique /64 subnets. That leaves 64 bits for the host (interface identifier) portion, so variable length subnet masking (VLSM) should no longer be required. In fact, prefixes longer than /64 are not recommended: stateless address autoconfiguration requires a 64-bit interface identifier, so a longer prefix breaks it and other built-in IPv6 features.

There is no exact date by which every network must be migrated to IPv6. However, some government and private organizations are setting their own deadlines to implement the newer protocol. In some rare cases an organization may decide never to make the change, relying on NAT to reach the public Internet from privately addressed devices. When your organization migrates from IPv4 to IPv6, ensure your budget includes room for upgrading network appliances where necessary (e.g., routers, switches, firewalls). Make sure IPv6 support is a consideration in your internal equipment lifecycle planning reviews.

When your organization begins to migrate, it will take time, and a phased approach will likely be required. Dual stack, tunneling and translation are the methods used to bridge that transition period. Dual-stack environments run IPv4 and IPv6 concurrently: every capable device on the network has one address of each type. Which stack a given connection uses depends on the records DNS returns (A for IPv4, AAAA for IPv6); when both are returned, most hosts prefer IPv6 and fall back to IPv4. Tunneling encapsulates IPv6 packets inside IPv4 packets, allowing separated IPv6 islands to connect over IPv4 infrastructure, much as a VPN does. Translation uses an intermediary system (NAT64, for example) to convert traffic from one IP stack to the other. One downside of these transition strategies is that they rely on the continued use of IPv4; depending on the scale and complexity of your organization, they may not buy you much time against IPv4 address exhaustion. They also add overhead, in the form of extra processing and potentially extra latency.

When planning for IPv6, you need to consider the addressing method that will be used to configure your network; there are a few options available. While some have familiar terminology, the functions can differ.

• Static – Functions the same as it does with IPv4. You manually enter the IP address, the subnet prefix length, the default gateway and the DNS details. This method gives up some of the automatic features IPv6 provides, but it is still the recommended configuration for your servers.

• Stateless Address Autoconfiguration (SLAAC) – A router's Router Advertisements give a device the network prefix and default gateway when it connects to a network (and, on routers that support RFC 8106, the DNS server addresses); nothing else is sent. The end device then builds its own 64-bit interface identifier and combines it with the advertised prefix to form a unique address. One technique for this is EUI-64, which derives the identifier from the device's MAC address. EUI-64 is considered a privacy and security risk: it exposes the MAC address, and therefore the hardware vendor, to every network the device talks to, and it gives the device a stable identifier that can be tracked across networks. Privacy extensions (RFC 8981) were introduced to compensate by generating random interface identifiers. However, privacy extensions change the device's address at predefined intervals, which makes network inventory and auditing much more difficult; stable, non-MAC-derived identifiers (RFC 7217), which many current operating systems support, are a middle ground. Which auto-addressing scheme and privacy extensions, if any, are used is determined by the device operating system, so identifying how this will play out for each device may require extra research.

• Stateless DHCPv6 – Uses the SLAAC process for the address itself. Once the address is assigned, stateless DHCPv6 supplies details such as the domain name and DNS servers. It does not assign addresses or manage lease times.

• Stateful DHCPv6 – Functions most like DHCPv4: it assigns addresses and DNS details and manages leases. One important difference is that DHCPv6 has no option for the default gateway, so hosts still learn their router from Router Advertisements.
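The pieces described above, the /48 site prefix with its 16-bit subnet ID, the EUI-64 interface identifier built from a MAC address, the reverse step an outsider can take to recover the MAC from such an address, and the solicited-node multicast group NDP uses to resolve it, are easy to see in code. The following is an added example written for this column, not code from the authors or from any vendor; the 2001:db8:abcd::/48 site allocation (the documentation prefix) and the MAC address 00:1a:2b:3c:4d:5e are constructed, and it uses only the Python standard library.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed /48 site allocation (2001:db8::/32 is reserved for documentation).
SITE = ipaddress.IPv6Network("2001:db8:abcd::/48")


def carve_subnet(site: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 whose 16-bit subnet ID follows the /48 site prefix."""
    if site.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("expects a /48 site prefix and a 16-bit subnet ID")
    # bits 1-48: site prefix, bits 49-64: subnet ID, bits 65-128: interface identifier
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def split_address(addr: str) -> Tuple[str, int, str]:
    """Break a global address into (site /48, subnet ID, interface identifier as hex)."""
    n = int(ipaddress.IPv6Address(addr))
    site = ipaddress.IPv6Network(((n >> 80) << 80, 48))
    subnet_id = (n >> 64) & 0xFFFF
    iid = n & ((1 << 64) - 1)
    return str(site), subnet_id, f"{iid:016x}"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: insert ff:fe between the MAC halves and flip the U/L bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """The address a SLAAC host without privacy extensions forms on this /64."""
    if prefix.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit interface identifier, i.e. a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Reverse EUI-64. None means the identifier is not MAC-derived (privacy, RFC 7217 or static)."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, the group an NDP Neighbor Solicitation for addr is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


if __name__ == "__main__":
    imaging_vlan = carve_subnet(SITE, 1)                        # 2001:db8:abcd:1::/64
    host = slaac_address(imaging_vlan, "00:1a:2b:3c:4d:5e")     # constructed MAC
    print("subnet:", imaging_vlan)
    print("SLAAC/EUI-64 address:", host)
    print("MAC recoverable by anyone who sees it:", mac_from_address(str(host)))
    print("privacy-style address leaks nothing:",
          mac_from_address("2001:db8:abcd:1:9c1d:7e45:2b3a:f00d"))
    print("NDP solicited-node group:", solicited_node_multicast(str(host)))
```

The ff:fe marker in the middle of an interface identifier is also a quick inventory check: any address that fails `mac_from_address` was not formed with EUI-64, so the device is using privacy extensions, RFC 7217 identifiers, DHCPv6 or static configuration, and cannot be tied to a MAC from the address alone.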

Converting and expanding your existing network security is a significant obstacle during your migration. During the transition phase, dual stack doubles your attack surface. You have spent a lot of effort over many years building policy designed to protect your medical device systems in an IPv4 environment. Now those policies need to be converted to IPv6, or in some cases created from the ground up. IP-based rules will need their IPv4 addresses translated to the corresponding IPv6 addresses. Policies will need to be written to cover the new IPv6 subnets. New access control lists (ACLs) and firewall rules will need to be applied to the appropriate interfaces, ports and/or VLANs. It would be very easy to miss a single rule or forget to apply a ruleset to a specific interface, and creating and managing these policies is further complicated if privacy addressing is in use, since host addresses are then no longer stable. Attention to detail and careful testing will be required.

If systems are using IPv6 and network security policies have not transitioned correctly, you could be allowing unrestricted traffic on segments of your network. Keep in mind that this exposure does not wait for your migration: every current operating system enables IPv6 by default, so hosts on an "IPv4-only" segment already hold link-local IPv6 addresses and will talk IPv6 to anything else on the same VLAN, and none of that traffic is inspected by an IPv4-only ACL. Treat IPv6 as present on every segment and filter it explicitly until its policy has been converted. If your organization is not already moving towards a zero-trust architecture, it should be considered alongside your IPv6 conversion. A zero-trust framework can prevent unnecessary lateral (internal) access, which will help keep medical device systems isolated and protected from inside threats.

It isn't possible to cover all the aspects of the required changes in this column. Network infrastructure and cybersecurity are deep and complex areas. Hopefully this information provides a basic understanding and kickstarts some self-learning. The RFC and NIST documents in the references below have a lot of depth. For those who don't enjoy reading technical documents, reach out to your IT office; they may be able to fill in a lot of the blanks. They are probably already addressing network hardware compatibility, new routing protocols and a myriad of other items.

The larger your organization is, the more likely this process has already begun in some capacity. The changeover won't be simple, and it will take time. Don't be intimidated by the complexity of the process; dig in and collaborate. Delaying the process will only make it more difficult, while being part of the transition will give you invaluable experience and knowledge for the future.
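The policy-conversion problem above, translating every IPv4 rule to its IPv6 twin and noticing the one that was forgotten, is exactly the kind of check worth automating before cutover. The following is an added example written for this column, not a tool from the authors or from any firewall vendor. It compares an IPv4 ACL against its IPv6 counterpart using a dual-stack address plan, reports the expected IPv6 rules that are absent and the IPv4 rules whose endpoints have no IPv6 address yet, and lists IPv6 segments that no rule names at all. The address plan, the rule sets and the segment list are constructed for the example (the VLAN roles, the PACS archive host and the DICOM port 104 are illustrative), and it uses only the Python standard library.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    src: str      # CIDR; 0.0.0.0/0 or ::/0 means "any"
    dst: str      # CIDR
    dport: int    # 0 means any port


def _net(cidr: str) -> str:
    """Canonical CIDR text so '2001:0db8::/64' and '2001:db8::/64' compare equal."""
    return str(ipaddress.ip_network(cidr, strict=False))


def normalize(r: Rule) -> Rule:
    return Rule(r.action, _net(r.src), _net(r.dst), r.dport)


def translate(r: Rule, plan: Dict[str, str]) -> Optional[Rule]:
    """Map an IPv4 rule onto the IPv6 rule the dual-stack address plan implies.
    None means an endpoint has no IPv6 counterpart in the plan, which is itself a finding."""
    if r.src not in plan or r.dst not in plan:
        return None
    return Rule(r.action, plan[r.src], plan[r.dst], r.dport)


def parity_report(v4_rules: List[Rule], v6_rules: List[Rule],
                  v4_to_v6: Dict[str, str]) -> Tuple[List[Rule], List[Rule]]:
    """Return (IPv6 rules expected but absent, IPv4 rules that could not be translated)."""
    plan = {_net(k): _net(v) for k, v in v4_to_v6.items()}
    present = {normalize(r) for r in v6_rules}
    missing, untranslatable = [], []
    for r in map(normalize, v4_rules):
        twin = translate(r, plan)
        if twin is None:
            untranslatable.append(r)
        elif twin not in present:
            missing.append(twin)
    return missing, untranslatable


def uncovered_segments(segments: List[str], v6_rules: List[Rule]) -> List[str]:
    """IPv6 segments that no rule names specifically; a match via ::/0 does not count."""
    named = []
    for r in map(normalize, v6_rules):
        for side in (r.src, r.dst):
            n = ipaddress.ip_network(side)
            if n.version == 6 and n.prefixlen > 0:
                named.append(n)
    return [s for s in segments
            if not any(n.overlaps(ipaddress.ip_network(s)) for n in named)]


# Constructed dual-stack address plan: each IPv4 object and the IPv6 object it becomes.
V4_TO_V6 = {
    "0.0.0.0/0": "::/0",
    "10.20.1.0/24": "2001:db8:abcd:1::/64",      # imaging modality VLAN
    "10.20.2.0/24": "2001:db8:abcd:2::/64",      # PACS server VLAN
    "10.20.2.15/32": "2001:db8:abcd:2::15/128",  # PACS archive host
    "10.20.9.0/24": "2001:db8:abcd:9::/64",      # infusion pump VLAN
}

# Constructed IPv4 ACL that has protected these VLANs for years.
V4_RULES = [
    Rule("permit", "10.20.1.0/24", "10.20.2.15/32", 104),   # DICOM from modalities to archive
    Rule("deny", "10.20.1.0/24", "0.0.0.0/0", 0),
    Rule("permit", "10.20.9.0/24", "10.20.2.0/24", 443),
    Rule("permit", "10.20.9.0/24", "10.20.3.40/32", 514),   # syslog host not yet in the IPv6 plan
    Rule("deny", "10.20.9.0/24", "0.0.0.0/0", 0),
]

# Constructed IPv6 ACL as converted by hand; the pump VLAN's final deny was forgotten.
V6_RULES = [
    Rule("permit", "2001:db8:abcd:1::/64", "2001:db8:abcd:2::15/128", 104),
    Rule("deny", "2001:db8:abcd:1::/64", "::/0", 0),
    Rule("permit", "2001:db8:abcd:9::/64", "2001:db8:abcd:2::/64", 443),
]

# Constructed list of every /64 that exists on the network.
V6_SEGMENTS = ["2001:db8:abcd:1::/64", "2001:db8:abcd:2::/64",
               "2001:db8:abcd:7::/64", "2001:db8:abcd:9::/64"]

if __name__ == "__main__":
    missing, untranslatable = parity_report(V4_RULES, V6_RULES, V4_TO_V6)
    for r in missing:
        print("MISSING IPv6 rule:", r)
    for r in untranslatable:
        print("IPv4 rule with no IPv6 twin in the plan:", r)
    for seg in uncovered_segments(V6_SEGMENTS, V6_RULES):
        print("IPv6 segment with no policy at all:", seg)
```

Run against the constructed data, the report shows the pump VLAN missing its IPv6 deny (so pumps could reach anything over IPv6 while remaining locked down over IPv4), the syslog host that still needs an IPv6 address before its rule can be carried over, and a /64 that no rule mentions. The same three questions are worth asking of a real rule base, exported in whatever form your firewall or switch provides.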


Michael Johnson works for the Dayton Veterans Affairs Medical Center as the Team Lead for Biomedical Equipment Support - Information Systems.

Joshua Garvin is the VISN 10 Cybersecurity Lead/Information Systems Biomedical Equipment Support Specialist (IS-BESS) at the Department of Veterans Affairs.

REFERENCES:

RFC 8200, Internet Protocol, Version 6 (IPv6) Specification (ietf.org)
RFC 7381, Enterprise IPv6 Deployment Guidelines (ietf.org)
NIST SP 800-119, Guidelines for the Secure Deployment of IPv6
