IPv6 security issues: myths and reality

Ivan Pepelnjak
19 Jan 2011

One of the main selling points of IPv6, according to the early IPv6 evangelists, was that it had better security than IPv4, supposedly because IPv6 includes mandatory support for end-to-end encryption with IPsec (Internet Protocol Security). That is a myth: IPsec was designed alongside IPv6, but it works just as well on IPv4, and it has been available there for years.

In practice you can ship an IPv6 stack without implementing any of the IPsec encryption algorithms, and even where IPsec is implemented, the hard problems of key distribution (or remote endpoint authentication) remain exactly as difficult as they are with IPv4. Turning IPsec on does not happen by itself in either protocol.

To understand IPv6 security issues, we need to move past the IPv6 security myths and consider the hard practical question: how secure is IPv6 compared to IPv4? The question is urgent, because the last IPv4 address blocks held by the Internet Assigned Numbers Authority (IANA) could be gone within days.

The IPv4 and IPv6 protocols are very similar architecturally. IPv6 is really just IPv4 with longer addresses, revamped and more complex headers, and a few extra protocols (the Address Resolution Protocol, or ARP, has been replaced by ICMPv6 Neighbor Discovery, for example).

The security mechanisms we’ll use in the IPv6 world are almost the same as the ones we’re using in IPv4, which include:

  • Endpoint security with firewalls embedded in the operating systems;
  • Standalone firewalls performing either layer-4 packet filtering or deep packet inspection;
  • Access lists (packet filters) on routers and switches;
  • Intra-subnet security mechanisms (DHCP snooping).

IPv6 doesn’t change anything above the network layer. TCP and UDP haven’t been changed, and they run over IPv6 exactly as they did over IPv4. The only major difference is the glue between the network and transport layers:

  • IPv4 carries the Layer 4 protocol identifier in a fixed field of the Layer 3 header (TCP = 6, UDP = 17; for other protocols, check out the IANA protocol numbers document), so a packet filter always finds it at the same offset.
  • IPv6 has a Next Header field in the same role, but it may point to a chain of extension headers (hop-by-hop options, routing, fragment, destination options, and so on) that has to be walked before the transport header is reached, making Layer 4 inspection potentially more complex. Long chains of extension headers can even reduce the forwarding performance of devices that implement packet filters in hardware (Cisco has an excellent white paper describing IPv6 extension headers and related performance issues).
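The difference in locating the transport header, as an added example that is not from the original article: a small Python parser that returns the Layer 4 protocol for IPv4 (one fixed byte after the options) and for IPv6 (by walking the extension header chain), and refuses to claim it knows the ports when it cannot: a non-initial fragment, an ESP header, a truncated header, or a chain longer than an assumed policy limit. The packets and the `MAX_EXT_HEADERS` limit are constructed for the example; the header numbers are the IANA-assigned values.

```python
"""Locate the Layer 4 header in IPv4 and IPv6 packets (added example).

IPv4 keeps the Layer 4 protocol number at a fixed byte; IPv6 may interpose a
chain of extension headers that a packet filter must walk first. All packets
below are constructed test data, not captured traffic.
"""
import struct
from collections import namedtuple

# Protocol / Next Header numbers from the IANA registry
HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT = 0, 6, 17, 43, 44
ESP, AH, NO_NEXT_HEADER, DEST_OPTS = 50, 51, 59, 60

# Extension headers whose length field lets us reach the following header.
# ESP is deliberately absent: everything after it is encrypted.
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH}

MAX_EXT_HEADERS = 8  # assumed filter policy limit, not a protocol constant

Layer4 = namedtuple("Layer4", "protocol offset chain")


def ipv4_layer4(packet):
    """Protocol number and transport-header offset of an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4  # header length including options
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return Layer4(packet[9], ihl, [])  # protocol is always byte 9


def ipv6_layer4(packet, max_ext=MAX_EXT_HEADERS):
    """Walk the extension header chain to the transport header.

    protocol is None when the transport header is in another fragment.
    Raises ValueError on truncation or an over-long chain (fail closed).
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while next_header in WALKABLE:
        chain.append(next_header)
        if len(chain) > max_ext:
            raise ValueError("extension header chain exceeds policy limit")
        if len(packet) < offset + 8:
            raise ValueError("truncated extension header")
        if next_header == FRAGMENT:  # fixed 8 bytes; offset in top 13 bits
            hdr_len = 8
            frag_off = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_off != 0:  # non-initial fragment carries no L4 header
                return Layer4(None, offset + hdr_len, chain)
        elif next_header == AH:  # length in 32-bit words minus 2
            hdr_len = (packet[offset + 1] + 2) * 4
        else:  # options / routing: length in 8-byte units, not counting first
            hdr_len = (packet[offset + 1] + 1) * 8
        next_header = packet[offset]
        offset += hdr_len
        if offset > len(packet):
            raise ValueError("truncated extension header")
    return Layer4(next_header, offset, chain)


def layer4_ports(packet):
    """(source port, destination port) when a filter could match on them,
    else None. A real filter should drop, not pass, on the None/ValueError cases."""
    try:
        info = ipv4_layer4(packet) if packet[0] >> 4 == 4 else ipv6_layer4(packet)
    except ValueError:
        return None
    if info.protocol not in (TCP, UDP) or len(packet) < info.offset + 4:
        return None
    return struct.unpack_from("!HH", packet, info.offset)


# ---- constructed sample packets (documentation addresses, not real hosts) ----
SRC6 = bytes.fromhex("20010db8000000000000000000000001")
DST6 = bytes.fromhex("20010db8000000000000000000000002")
TCP_SYN = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def ipv6_header(next_header, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                       next_header, 64, SRC6, DST6) + payload


def opts_header(next_header):
    """8-byte Hop-by-Hop/Destination Options header holding one PadN option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header, frag_offset, more=0, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, (frag_offset << 3) | more, ident)


IPV4_TCP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + TCP_SYN
IPV6_PLAIN_TCP = ipv6_header(TCP, TCP_SYN)
IPV6_EXT_TCP = ipv6_header(HOP_BY_HOP, opts_header(DEST_OPTS) + opts_header(TCP) + TCP_SYN)
IPV6_NONFIRST_FRAG = ipv6_header(FRAGMENT, fragment_header(UDP, 1) + bytes(16))
IPV6_ESP = ipv6_header(ESP, bytes(16))
IPV6_LONG_CHAIN = ipv6_header(DEST_OPTS, opts_header(DEST_OPTS) * 9 + opts_header(TCP) + TCP_SYN)

if __name__ == "__main__":
    for name in ("IPV4_TCP", "IPV6_PLAIN_TCP", "IPV6_EXT_TCP",
                 "IPV6_NONFIRST_FRAG", "IPV6_ESP", "IPV6_LONG_CHAIN"):
        print(name, layer4_ports(globals()[name]))
```

The IPv4 path is a single indexed byte; the IPv6 path is a loop whose length and outcome depend on the sender, which is exactly what a hardware packet filter with a fixed lookup budget cannot afford. Note that the walker treats "cannot find the transport header" as a distinct result from "found it": a filter that silently defaulted to "no ports, permit" would let an attacker bypass port-based rules by adding a fragment header or padding the chain.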
