IPv6 security issues: myths and reality


Ivan Pepelnjak  |   January 19, 2011
NIL Data Communications
One of the main selling points of IPv6, according to the early IPv6 evangelists, was that it had better security than IPv4, supposedly because IPv6 includes mandatory support for end-to-end encryption with IPsec (Internet Protocol Security). But that’s just a myth, because IPv4 supports IPsec as well.
 
You can be IPv6-compliant without implementing any of the IPsec encryption algorithms, and the key distribution (or remote endpoint authentication) problems remain as difficult as ever.
 
To understand IPv6 security issues, we need to move past the IPv6 security myths and consider the hard practical question: How secure is IPv6 compared to IPv4? (After all, the last IPv4 blocks allocated by the Internet Assigned Numbers Authority (IANA) could be gone in days.)
 
The IPv4 and IPv6 protocols are very similar architecturally. IPv6 is really just IPv4 with longer addresses, revamped and more complex headers, and a few extra protocols (the Address Resolution Protocol, or ARP, has been replaced by ICMP Neighbor Discovery, for example).
 
The security mechanisms we’ll use in the IPv6 world are almost the same as the ones we’re using in IPv4, which include:
  • Endpoint security with firewalls embedded in the operating systems;
  • Standalone firewalls performing either layer-4 packet filtering or deep packet inspection;
  • Access lists (packet filters) on routers and switches;
  • Intra-subnet security mechanisms (DHCP snooping).

IPv6 doesn’t change anything above the network layer. TCP and UDP haven’t been changed, and the protocols run over IPv6 as well as they did over IPv4. The only major difference is the glue between the network and transport layers:
  • IPv4 includes the Layer 4 protocol identifier in the Layer 3 header (TCP = 6, UDP = 17; for other protocols, check out this IANA protocol numbers document).
  • IPv6 allows a chain of extension headers, making Layer 4 inspection potentially more complex. Long chains of extension headers can even reduce the forwarding performance of devices that implement packet filters in hardware. (Cisco has an excellent white paper describing IPv6 extension headers and related performance issues.)
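
The extension-header walk that a packet filter must perform before it can match on TCP or UDP, shown as an added example that is not part of the original article. The `build` helper, the sample packets in the usage, and the `MAX_EXT_HEADERS` limit are constructed assumptions.

```python
import struct

# Extension headers that share the generic layout: next header (1 byte),
# then header length in 8-byte units, not counting the first 8 bytes.
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}
FRAGMENT, AH, ESP, NO_NEXT = 44, 51, 50, 59
MAX_EXT_HEADERS = 8  # assumed local policy limit, not a protocol constant


def find_upper_layer(packet: bytes):
    """Return (protocol, offset, chain) for the first non-extension header.

    protocol is None when the filter cannot reach Layer 4: truncated packet,
    ESP, a non-first fragment, or a chain longer than MAX_EXT_HEADERS.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, offset, chain = packet[6], 40, []
    while nxt in GENERIC_EXT or nxt in (FRAGMENT, AH):
        if len(chain) >= MAX_EXT_HEADERS or offset + 8 > len(packet):
            return None, offset, chain
        hdr_next, hdr_len = packet[offset], packet[offset + 1]
        if nxt == FRAGMENT:
            size = 8  # fixed size; the length byte is reserved
            frag_off = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            chain.append("fragment")
            if frag_off != 0:  # Layer 4 header is only in the first fragment
                return None, offset + size, chain
        elif nxt == AH:
            size = (hdr_len + 2) * 4  # AH length is in 4-byte units, minus 2
            chain.append("ah")
        else:
            size = (hdr_len + 1) * 8
            chain.append(GENERIC_EXT[nxt])
        nxt, offset = hdr_next, offset + size
    if nxt in (ESP, NO_NEXT) or offset > len(packet):
        return None, offset, chain
    return nxt, offset, chain


def build(chain_bytes: bytes, first_next: int) -> bytes:
    """Constructed sample: 40-byte base header followed by chain_bytes."""
    base = struct.pack("!IHBB", 6 << 28, len(chain_bytes), first_next, 64)
    return base + bytes(32) + chain_bytes
```

A filter that receives `None` as the protocol has to fall back on policy (drop, or permit without Layer 4 matching), which is the decision IPv4's fixed protocol field never forced.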
 