IPv6 security issues: myths and reality

Ivan Pepelnjak
NIL Data Communications
One of the main selling points of IPv6, according to the early IPv6 evangelists, was that it had better security than IPv4, supposedly because IPv6 includes mandatory support for end-to-end encryption with IPsec (Internet Protocol Security). But that’s just a myth, because IPv4 supports IPsec as well.
 
You can be IPv6-compliant without implementing any of the IPsec encryption algorithms, and the key distribution (or remote endpoint authentication) problems remain as difficult as ever.
 
To understand IPv6 security issues, we need to move past the IPv6 security myths and consider the hard practical questions: How secure is IPv6 compared to IPv4? (After all, the last IPv4 blocks allocated by the Internet Assigned Numbers Authority (IANA) could be gone in days).
 
The IPv4 and IPv6 protocols are very similar architecturally. IPv6 is really just IPv4 with longer addresses, revamped and more complex headers, and a few extra protocols (the Address Resolution Protocol, or ARP, has been replaced by ICMP Neighbor Discovery, for example).
 
The security mechanisms we’ll use in the IPv6 world are almost the same as the ones we’re using in IPv4, which include:
  • Endpoint security with firewalls embedded in the operating systems;
  • Standalone firewalls performing either layer-4 packet filtering or deep packet inspection;
  • Access lists (packet filters) on routers and switches;
  • Intra-subnet security mechanisms (DHCP snooping).
IPv6 doesn’t change anything above the network layer. TCP and UDP haven’t been changed, and the protocols run over IPv6 as well as they did over IPv4. The only major difference is the glue between the network and transport layers:
  • IPv4 includes the Layer 4 protocol identifier in the Layer 3 header (TCP = 6, UDP = 17; for other protocols, check out the IANA protocol numbers document).
  • IPv6 allows a chain of extension headers, making Layer 4 inspection potentially more complex. Long chains of extension headers can even reduce the forwarding performance of devices that implement packet filters in hardware (Cisco has an excellent white paper describing IPv6 extension headers and related performance issues).
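To make the "glue" difference concrete, here is an added example (not code from the article or its author) that does what a Layer 4 packet filter has to do: locate the transport header. For IPv4 the protocol number sits at a fixed offset; for IPv6 the code has to walk the Next Header chain, give up on ESP (nothing behind it is inspectable), on non-initial fragments (the transport header is in another packet), on truncated chains, and after a fixed header budget, which is the condition that pushes hardware filters into the slow path. All packets are constructed inline for the demonstration; the protocol numbers come from the IANA registry the article mentions and the extension-header values from RFC 8200.

```python
import struct

# Protocol numbers from the IANA registry (TCP = 6, UDP = 17) plus the
# IPv6 extension-header values defined in RFC 8200.
TCP, UDP, HOPOPT, ROUTING, FRAGMENT, ESP, AH, NONEXT, DSTOPTS = 6, 17, 0, 43, 44, 50, 51, 59, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
MAX_EXT = 8  # assumed budget a hardware filter can walk before punting the packet


def ipv4_upper_layer(pkt):
    """IPv4: protocol number at fixed byte 9; L4 header starts after the IHL-sized header.
    Returns (status, protocol, offset_of_L4_header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("truncated", None, None)
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    if frag_offset:
        return ("fragment", pkt[9], ihl)  # non-initial fragment: no L4 header here
    return ("found", pkt[9], ihl)


def ipv6_upper_layer(pkt, max_ext=MAX_EXT):
    """IPv6: walk the Next Header chain until a non-extension header is reached.
    Returns (status, protocol, offset_of_that_header)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("truncated", None, None)
    nh, off, seen = pkt[6], 40, 0
    while True:
        if nh == ESP:
            return ("esp", nh, off)  # encrypted payload: nothing past here is inspectable
        if nh == NONEXT:
            return ("none", nh, off)
        if nh not in EXT_HEADERS:
            return ("found", nh, off)
        if seen == max_ext:
            return ("too_many", nh, off)  # chain longer than the filter is willing to walk
        if off + 8 > len(pkt):  # every extension header is at least 8 octets
            return ("truncated", nh, off)
        if nh == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return ("fragment", nh, off)  # non-initial fragment: L4 header is elsewhere
            hdr_len = 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH length is in 32-bit words, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len in 8-octet units, first unit excluded
        nh, off, seen = pkt[off], off + hdr_len, seen + 1


def dst_port(pkt):
    """Destination port of a TCP/UDP packet, or None when a filter cannot
    safely determine it (fragment, ESP, truncated, too many headers, other L4)."""
    walker = ipv4_upper_layer if pkt[0] >> 4 == 4 else ipv6_upper_layer
    status, proto, off = walker(pkt)
    if status != "found" or proto not in (TCP, UDP) or off + 4 > len(pkt):
        return None
    return struct.unpack_from("!H", pkt, off + 2)[0]


# --- constructed sample packets (documentation prefixes, not captured traffic) ---
SRC6 = bytes.fromhex("20010db8000000000000000000000001")
DST6 = bytes.fromhex("20010db8000000000000000000000002")


def ipv6(next_header, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, SRC6, DST6) + payload


def ext(next_header, body=b"\x01\x04\x00\x00\x00\x00"):
    """Generic 8-octet-aligned extension header; default body is one PadN option."""
    return bytes([next_header, (len(body) + 2) // 8 - 1]) + body


def frag(next_header, offset):
    return struct.pack("!BBHI", next_header, 0, offset << 3, 0xDEADBEEF)


def tcp(dport):
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def ipv4(protocol, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, protocol, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload


SAMPLES = {
    "v4_tcp": ipv4(TCP, tcp(443)),
    "v6_tcp": ipv6(TCP, tcp(443)),
    "v6_hbh_dst_tcp": ipv6(HOPOPT, ext(DSTOPTS) + ext(TCP) + tcp(443)),
    "v6_frag0_udp": ipv6(FRAGMENT, frag(UDP, 0) + struct.pack("!HHHH", 5000, 53, 8, 0)),
    "v6_frag1": ipv6(FRAGMENT, frag(UDP, 100) + b"\x00" * 16),
    "v6_esp": ipv6(HOPOPT, ext(ESP) + b"\x00" * 16),
    "v6_long": ipv6(DSTOPTS, b"".join(ext(DSTOPTS) for _ in range(9)) + ext(TCP) + tcp(443)),
    "v6_truncated": ipv6(DSTOPTS, b""),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        walker = ipv4_upper_layer if pkt[0] >> 4 == 4 else ipv6_upper_layer
        print(f"{name:16} {walker(pkt)}  dst_port={dst_port(pkt)}")
```

The `dst_port` helper returns `None` rather than a guessed value whenever the walk does not end at a TCP or UDP header: a filter that matched on a port it could not actually see would be the wrong way to handle fragments or ESP. The `MAX_EXT` budget is an assumption made for the example; real devices have their own limits, which is what the performance caveat above is about.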
 
