The introduction of IPv6 fundamentally changes the ability of boundary security systems to perform their functions, because it changes the way hosts are addressed and the way services are reached. Boundary security systems use firewalls to implement proxies and filters and to perform network address translation (NAT) and port translation. In conventional IPv4 architectures, hosts within enclaves have only private-space (RFC 1918) addresses, which cannot receive connections initiated from outside the enclave unless a firewall rule explicitly forwards or proxies them.
This situation changes with IPv6, which was designed around the principle of end-to-end host connectivity, without NAT and with IPsec available for end-to-end authentication and encryption (IPsec is part of the IPv6 specification, but whether it is used on a given path remains a deployment decision). One of the motivations for NAT is to let many computers in an infrastructure share a small number of public IPv4 addresses. The 128-bit address space removes that need: each host can have its own globally routable address, whereas in IPv4 internal hosts typically have only private addresses. Globally routable addresses make internal hosts directly reachable, and therefore exposed to discovery and attack from the untrusted Internet, unless a stateful boundary filter explicitly drops unsolicited inbound traffic; the absence of NAT must not be mistaken for the absence of filtering, so reachability has to be denied by policy rather than by address hiding. IPv6 auto-configuration and mobility support facilitate dynamic routing topologies, which can change network topologies and boundaries over time. Tunneling transition mechanisms (6to4, Teredo, ISATAP and manually configured 6in4 tunnels) create opportunities for backdoors that bypass boundary security and monitoring systems, because the IPv6 traffic crosses an IPv4-only boundary as ordinary IPv4 protocol-41 or UDP packets that an IPv4 firewall or sensor does not decode.
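The tunnel bypass described above is detectable at an IPv4-only boundary if the sensor looks inside protocol-41 and Teredo (UDP 3544) packets. The following is an added example written for this page, not code from BCT LLC or from any product it mentions; it constructs its own sample packets from documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) and assumes the Teredo packets carry no origin or authentication indication headers. For 6to4 it also checks that the IPv4 address embedded in the inner source matches the outer source, which catches a tunnel endpoint that is lying about its identity.

```python
"""Flag IPv6 transition-mechanism tunnels crossing an IPv4-only boundary.

Added example; addresses are documentation prefixes and every packet is
constructed in this file, not captured traffic."""
import ipaddress
import struct
from typing import Optional

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_IPV6 = 41      # 6in4, 6to4 and ISATAP all carry IPv6 directly in IPv4
TEREDO_PORT = 3544   # Teredo carries IPv6 inside UDP
SIXTO4 = ipaddress.IPv6Network("2002::/16")


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options (header checksum left at zero;
    the classifier does not verify it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    """8-byte UDP header (checksum left at zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def ipv6_packet(src: str, dst: str, nxt: int, payload: bytes) -> bytes:
    """IPv6 header plus payload, hop limit 64."""
    return (struct.pack("!IHBB", 0x60000000, len(payload), nxt, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def classify_tunnel(packet: bytes) -> Optional[dict]:
    """Describe the IPv6 tunnel an IPv4 packet carries, or return None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    outer_src = ipaddress.IPv4Address(packet[12:16])
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    inner = packet[ihl:]
    kind = None
    if proto == PROTO_IPV6:
        kind = "6in4"
    elif proto == PROTO_UDP and len(inner) >= 8:
        sport, dport = struct.unpack("!HH", inner[:4])
        if TEREDO_PORT in (sport, dport):
            kind = "teredo"
            inner = inner[8:]   # assumes no Teredo origin/authentication indications
    if kind is None or len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    finding = {"tunnel": kind, "outer": f"{outer_src} -> {outer_dst}",
               "inner": f"{inner_src} -> {inner_dst}", "spoofed": False}
    if kind == "6in4" and inner_src in SIXTO4:
        # 6to4 (RFC 3056): bits 16-47 of the IPv6 source are the tunnel
        # endpoint's IPv4 address, so they must match the outer source.
        embedded = ipaddress.IPv4Address(inner_src.packed[2:6])
        finding["tunnel"] = "6to4"
        finding["spoofed"] = embedded != outer_src
    return finding


if __name__ == "__main__":
    icmp6 = b"\x80\x00" + b"\x00" * 6          # echo request, checksum not computed
    inner6 = ipv6_packet("2002:c000:204::1", "2001:db8::1", 58, icmp6)
    for outer_src in ("192.0.2.4", "198.51.100.7"):
        pkt = ipv4_header(outer_src, "198.51.100.1", PROTO_IPV6, len(inner6)) + inner6
        print(classify_tunnel(pkt))
    plain = ipv6_packet("2001:db8:5::1", "2001:db8::1", 58, icmp6)
    udp = udp_header(40000, TEREDO_PORT, len(plain)) + plain
    print(classify_tunnel(ipv4_header("192.0.2.4", "198.51.100.1", PROTO_UDP, len(udp)) + udp))
    print(classify_tunnel(ipv4_header("192.0.2.4", "198.51.100.1", PROTO_TCP, 0)))
```

A boundary that permits only IPv4 should treat any non-None result as a policy violation; the "spoofed" flag on a 6to4 finding marks an endpoint whose claimed IPv6 identity does not match the IPv4 host actually sending the packets.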
Firewalls enforce security policies through proxies and filtering rules, and both are complicated by the changes in IPv6. Application firewalls are beginning to support IPv6 addresses, but there is a dearth of products from which to select, and those that exist must still provide meaningful proxies and filters rather than merely parsing the longer addresses. Dynamic host addresses (stateless auto-configuration, and temporary privacy addresses that change periodically) and dynamic routing further complicate policy enforcement, since boundary systems will not have a consistent, predictable way to associate an observed source or destination address with a specific host or user.
IPsec encryption further restricts the information available to firewalls for inspection. When each source and destination pair communicates through an IPsec VPN, ESP hides the transport header and payload, leaving only the outer IPv6 header and the security parameter index visible, so discrimination between normal and harmful activity based on the content of the traffic may not be possible. Although mixed IPv4/IPv6 proxy servers have become commercially available, implementing this capability will involve replacing legacy equipment.
Network engineers design and monitor their network topology to implement security domains and enclaves. This topology includes the networks, subnets, hosts, and users, along with the routing structures and boundary security systems, and it shows the logical location of, and routing connectivity among, users and hosts. It is a useful context for defining risks and boundary security policies, assessing vulnerabilities, and interpreting intrusion alarms. The larger IPv6 address space, its dynamic nature, and its provisions for mobility complicate developing and maintaining awareness of the topology, since host addresses and routing are determined dynamically; the result is a topology that changes over time.
IPv6 host auto-configuration makes it easy for a rogue host with physical or layer-2 access to a network to obtain a valid IPv6 address configuration and begin communicating on the network, using Neighbor Discovery and DHCPv6. A rogue host can also use these same protocols offensively: a forged Router Advertisement can announce a bogus prefix or default router and redirect or black-hole the traffic of every host on the link, and a forged Neighbor Advertisement can claim another host's address. Filtering Router Advertisements at the access switch (RA Guard) and monitoring the link for advertisements from unauthorized sources are the corresponding countermeasures.
Conventional network intrusion detection systems use attack signatures based on network traffic, including values in packet headers and data content: source and destination addresses, ports, other header fields, and payload content. While a large database of these signatures has been developed for IPv4, signatures keyed to IPv4 header fields do not carry over to IPv6 and must be rewritten against the IPv6 header, its extension headers, and the new ICMPv6 and Neighbor Discovery traffic; only pure payload signatures extrapolate directly, and even those require a decoder that handles extension headers and IPv6 fragmentation. Dynamic addressing limits the value of source or destination address information, and IPsec encryption limits the visibility of content for inspection. While commercial intrusion detection products designed for IPv6 now exist, implementing this capability will involve replacing legacy systems.
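The rogue Router Advertisement threat in the auto-configuration paragraph and the need for IPv6-specific signatures in the intrusion detection paragraph meet in one detection: parse ICMPv6 Router Advertisements from raw packets and flag those that violate Neighbor Discovery's own rules or come from a router that is not supposed to be on the link. The block below is an added example written for this page, not code from the paper or from any IDS product; the allowlist of authorized router link-local addresses (fe80::1) and the sample packets it builds are constructed inputs. The checksum routine follows the IPv6 upper-layer checksum definition, and the hop-limit and link-local checks follow RFC 4861.

```python
"""Detect rogue or malformed Router Advertisements in raw IPv6 packets.

Added example; the packets are constructed here, not captured traffic."""
import ipaddress
import struct

ICMPV6 = 58
ND_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
ALL_NODES = ipaddress.IPv6Address("ff02::1")

# Assumed allowlist (hypothetical value): link-local addresses of the routers
# that are supposed to advertise on this link.
AUTHORIZED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}


def icmpv6_checksum(src: bytes, dst: bytes, message: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header and the ICMPv6
    message (RFC 8200 section 8.1); the message's checksum field must be zero."""
    data = src + dst + struct.pack("!I3xB", len(message), ICMPV6) + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src: str, prefix: str, hop_limit: int = 255) -> bytes:
    """Construct an IPv6 header plus Router Advertisement carrying one Prefix
    Information option (RFC 4861 sections 4.2 and 4.6.2)."""
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ALL_NODES.packed
    net = ipaddress.IPv6Network(prefix)
    # type, code, checksum placeholder, cur hop limit, M/O flags,
    # router lifetime, reachable time, retrans timer
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    # option type 3, length 4 (units of 8 octets), prefix length, L|A flags,
    # valid lifetime, preferred lifetime, reserved, prefix
    msg += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                       2592000, 604800, 0) + net.network_address.packed
    msg = msg[:2] + struct.pack("!H", icmpv6_checksum(src_b, dst_b, msg)) + msg[4:]
    ipv6 = struct.pack("!IHBB", 0x60000000, len(msg), ICMPV6, hop_limit)
    return ipv6 + src_b + dst_b + msg


def inspect_ra(packet: bytes) -> dict:
    """Parse one packet; return its source, advertised prefixes and findings.
    An empty findings list means a well-formed RA from an allowed router."""
    result = {"source": None, "prefixes": [], "findings": []}
    if len(packet) < 40:
        result["findings"].append("truncated IPv6 header")
        return result
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    msg = packet[40:40 + plen]
    result["source"] = str(src)
    if vtf >> 28 != 6 or nxt != ICMPV6 or len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT:
        result["findings"].append("not a Router Advertisement")
        return result
    # RFC 4861: ND messages must come from a link-local source with hop limit
    # 255; anything else was forwarded or forged and cannot be a neighbor.
    if hlim != 255:
        result["findings"].append(f"hop limit {hlim} != 255")
    if not src.is_link_local:
        result["findings"].append(f"source {src} is not link-local")
    stored = struct.unpack("!H", msg[2:4])[0]
    if icmpv6_checksum(src.packed, dst.packed, msg[:2] + b"\0\0" + msg[4:]) != stored:
        result["findings"].append("bad ICMPv6 checksum")
    if src not in AUTHORIZED_ROUTERS:
        result["findings"].append(f"RA from unauthorized router {src}")
    # Walk the TLV options; each length is in units of 8 octets and must be > 0.
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8
        if olen == 0 or off + olen > len(msg):
            result["findings"].append("malformed ND option")
            break
        if otype == ND_OPT_PREFIX_INFO and olen == 32:
            pfx = ipaddress.IPv6Address(msg[off + 16:off + 32])
            result["prefixes"].append(f"{pfx}/{msg[off + 2]}")
        off += olen
    return result


if __name__ == "__main__":
    samples = [("good", build_ra("fe80::1", "2001:db8:1::/64")),
               ("rogue", build_ra("fe80::2", "2001:db8:bad::/64")),
               ("forwarded", build_ra("fe80::2", "2001:db8:bad::/64", hop_limit=64))]
    for name, pkt in samples:
        print(name, inspect_ra(pkt))
```

Fed from a raw socket or a capture file, the same function gives an IDS rule that is keyed to IPv6 semantics (link-local source, hop limit 255, known router set) rather than to an IPv4 header field; the prefixes it extracts are what a responder compares against the prefixes the enclave actually allocated.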
Vulnerability assessments are developed with automated scanning tools that run a series of selected tests against a set of designated hosts. The first problem is that only a small number of scanning tools support IPv6. The second is the address space: a single /64 subnet holds 2^64 addresses, so the sequential sweep that works for an IPv4 /24 is infeasible and scan times grow beyond any useful bound, and with stateless auto-configuration hosts also hold addresses the assessor never assigned. IPv6 scanners must instead discover targets from DNS, neighbor caches, routing tables and recognizable address-assignment patterns rather than by sweeping the prefix.
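The arithmetic behind the scan-time problem, and the target-selection heuristics scanners use instead of a sweep, as an added example that is not from the paper or from any scanning product. It generalizes the point above to the address patterns practitioners actually rely on (low-byte addresses, EUI-64 addresses derived from a MAC, and IPv4 addresses embedded in the interface ID); the prefix, MAC and IPv4 addresses are constructed inputs, and the pattern classifier is a heuristic, since a random interface ID can by chance resemble any of them.

```python
"""Target selection for IPv6 vulnerability scanning: why a prefix sweep is
infeasible and how scanners narrow the candidate set instead.

Added example; the prefix, MACs and IPv4 addresses are constructed inputs."""
import ipaddress
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 86400


def sweep_years(prefix: str, probes_per_second: float) -> float:
    """Years needed to probe every address of `prefix` once at a fixed rate."""
    return ipaddress.IPv6Network(prefix).num_addresses / probes_per_second / SECONDS_PER_YEAR


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms by SLAAC with a modified EUI-64 interface ID
    (RFC 4291 appendix A): flip the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64 address, or None if the
    interface ID does not carry the ff:fe marker."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def classify_iid(addr: str) -> str:
    """Heuristic label for how an interface ID was most likely formed."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] == b"\xff\xfe":
        return "eui-64"
    if iid[:6] == bytes(6):
        return "low-byte"            # ::1, ::2, ... manually numbered
    if iid[:4] == bytes(4):
        return "ipv4-embedded"       # e.g. ::c000:20a for 192.0.2.10
    hextets = [f"{int.from_bytes(iid[i:i + 2], 'big'):x}" for i in range(0, 8, 2)]
    if all(h.isdigit() and int(h) <= 255 for h in hextets):
        return "ipv4-in-hextets"     # e.g. ::192:0:2:10
    return "random"                  # privacy extensions or random assignment


def candidate_targets(prefix: str, known_macs=(), known_ipv4=(), low_bytes=256):
    """The list a scanner actually probes: low-byte addresses plus addresses
    derived from MACs and IPv4 addresses learned elsewhere (DHCP, ARP, DNS)."""
    net = ipaddress.IPv6Network(prefix)
    base = int(net.network_address)
    targets = {ipaddress.IPv6Address(base + n) for n in range(1, low_bytes + 1)}
    targets.update(eui64_address(prefix, m) for m in known_macs)
    targets.update(ipaddress.IPv6Address(base + int(ipaddress.IPv4Address(v)))
                   for v in known_ipv4)
    return sorted(targets)


if __name__ == "__main__":
    print(f"sweep of one /64 at 1M probes/s: {sweep_years('2001:db8:1::/64', 1e6):,.0f} years")
    for t in candidate_targets("2001:db8:1::/64", ["00:1b:21:3c:4d:5e"],
                               ["192.0.2.10"], low_bytes=3):
        print(t, classify_iid(str(t)), mac_from_eui64(str(t)))
```

The same classifier is useful on the defensive side: an inventory of addresses observed in neighbor caches or flow logs, grouped by how their interface IDs were formed, shows which hosts are trivially enumerable (low-byte, EUI-64) and would benefit from temporary or randomized addresses.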
The certification and accreditation process includes managing risks by designing, documenting, and verifying compliance with security requirements. With limited established IPv6 models and experience, this process is more difficult.
Security testing involves verifying the implementation of solutions for security requirements. Given the difficulty of mapping many of these requirements onto IPv6 implementations, there is also only a limited knowledge base of test methods and procedures, as well as a limited set of testing tools.
BCT LLC
10810 Guilford Road, Suite 111 | Annapolis Junction, MD 20701