Skip to content

Latest commit

 

History

History
64 lines (52 loc) · 3.03 KB

04. Security.md

File metadata and controls

64 lines (52 loc) · 3.03 KB

Security

Security has ever-growing importance in general and the IP protocol has been a big area for security research and development. The majority of IPv4 practices remain applicable to IPv6. Exceptions exist for aspects of the first hop and for extension headers that are significantly different in IPv6. Distributed address acquisition (SLAAC, 2. Auto-configuration) creates its own additional security challenges. Multiple addresses per host improve privacy, but not without complications. Extension headers give IPv6 great flexibility and extensibility that may be abused, leading to additional security precautions.

Initially, it was expected that end-to-end cryptography (encryption and authentication) would be a mandatory part of IPv6 (IPsec, RFC 4301 and SEND, RFC 3971). This proved unrealistic, so cryptography has been accepted as optional at the networking layer, exactly as it is for IPv4. At the same time, cryptography has become widespread at the transport or application layers.

IPv6 aims at restoring end-to-end connectivity to the networking layer. Therefore, IPv6 security in no way relies on the presence of network address translation. IPv6 has no standardized NAT66 and even network prefix translation (NPTv6, RFC 6296) is little used. NAT or NPTv6 provide at best weak security protection at the network boundary, so this is not seen as a defect. The normal approach to boundary security for IPv6 is a firewall; most firewall products support IPv6 as well as IPv4. Topology hiding is addressed in a later section of this chapter.

Today, the “Zero-trust” approach in security tends to move the stress from perimeter protection to the authentication and encryption for all traffic (including internal for any perimeter). If this approach succeeds, some enterprises may choose to reduce the role of firewalls in future. IPv6 is well positioned for this change.

A good design and policy rule to follow is that in a dual-stacked deployment, which is by and large the largest percentage of IPv6 deployments, security policy for IPv4 and IPv6 should match in order to ensure consistency of operational and user experience. In an IPv6-only deployment, implementation of policy should be derived from overall network security policy, taking into account protocol specifications that may require adjustments from legacy IP (i.e. differences in ICMP handling between IPv4 and IPv6).

There is a good overview of IPv6 security in RFC 9099. This is a good repository of references to many documents on various IPv6 security aspects.