Cisco Blogs


Cisco Blog > Security

IPv6 Myths

In the first installment of our series of IPv6 posts, we covered some basic differences between IPv4 and IPv6. In this post, we’ll talk about some common myths regarding IPv6.

The initial IPv6 standards originated in 1998 with the publication of RFC 2460 – “Internet Protocol, Version 6 (IPv6) Specification.” The main intent behind IPv6 was to solve the issue of the limited address space available in IPv4. Over time, other features such as Stateless Address Autoconfiguration (SLAAC), Network Renumbering, and mandatory IPSec support were also added to IPv6. In reality, however, the main benefit of IPv6 is the expansion of the address space. Over those 10+ years, numerous myths, however, have surfaced, many of which can impact the security of your IPv6 network. Understanding the truth behind these misconceptions is important, especially now, as IPv6 is being deployed on more and more networks.

Myth 1: We Don’t Need It

One of the first myths is that we do not need IPv6. Many people have taken this position, as indicated by the more than 10 years that have elapsed from the development of the standard, still without significant IPv6 deployment on a global scale. Today, however, that picture is changing rapidly. IPv4 address depletion is no longer a distant speculation but a concrete reality. In January 2011, the Internet Assigned Numbers Authority (IANA) allocated the last free IPv4 blocks to the Regional Internet Registries (RIRs). The RIRs still have free IPv4 addresses, but they can’t last forever.

Myth 2: Immediate Switchover

When the IPv4 addresses are depleted, IPv6 will be rapidly deployed everywhere. This, however, is also another myth. Unfortunately, the time for a smooth and fairly rapid transition has come and gone, and even though the depletion of IPv4 addresses is looming closer than ever before, the transition from IPv4 to IPv6 is still going to occur over the span of years instead of months. The phrase “kicking and screaming” comes to mind in this process much more often than “that’s a great idea.” During this transition both IPv4 and IPv6 will coexist on the Internet, along with numerous mechanisms to communicate between services in each environment.

Myth 3: NAT Provides Security

Our next myth is that IPv6 networks will be less secure because of the elimination of Network Address Translation (NAT). One of the reasons that the IPv4 addresses have lasted as long as they have is the extensive utilization of NAT. Many people, however, falsely believe that NAT is a security mechanism. Instead of a security mechanism, NAT is solely designed to allow many private addresses to share the same global IP address. This does little to nothing to increase your security posture. The real protection comes from having stateful inspection of inbound traffic into your network. The size of the IPv6 address space eliminates the need for this overloading. Without NAT, IPv6 network configuration will definitely be less complex, but eliminating NAT will not increase or decrease the security of IPv6 networks as long as you make sure that you deploy appropriate access controls on the boundary of your network.

Myth 4: Smaller Routing Tables

Another common myth is that IPv6 will reduce the size of the routing tables required on the Internet. Although the common routing protocols were rebuilt to support IPv6 more efficiently, there were no significant improvements to these protocols. Many plans exist for efficiently allocating addresses in an IPv6 world so that address blocks can be aggregated (similar to techniques used in IPv4), which can reduce the size of routing tables. During the transition period, the need to support both IPv4 and IPv6 routing tables could definitely cause problems. Even after the transition, however, the growth of routing tables is still a concern in IPv6 given the drastic increase in available addresses for IPv6, unless sufficient route aggregation is maintained.

Myth 5: Improved QoS

The notion that IPv6 provides better Quality of Service (QoS) than IPv4 is another common misconception.  QoS on IP networks is delivered using a couple of different architectures. Both IPv4 and IPv6 provide Differentiated Services and Integrated Services, the two common architectures to provide QoS on an IP network. So what makes IPv6 different? Besides these QoS architectures, IPv6 also provides a 20-bit Flow Label field in the IPv6 Header. This Flow Label field, which does not exist in IPv4, has the potential to improve the efficiency of flows in an IPv6 network. Currently, however, this field is largely unused and does not provide a significant improvement of QoS on IPv6 networks.

Myth 6: IPv6 Means Improved Security

The most common security myth is that IPv6 is more secure than IPv4. From the beginning, the IPv6 standard has mandated support for IPSec. Many people have falsely translated that to mean an increase in security for IPv6 networks (even though IPSec only deals with authentication, integrity and confidentiality of connections). First of all, IPSec by itself can not stop all attacks against the IPv6 protocol, such as application-level attacks. Secondly, although mandatory IPSec support is a good start, it can’t even be realistically used for all connections. Many necessary ICMP messages utilize multicast. Utilizing IPSec for these multicast messages is not feasible. Key management for supporting IPSec for each and every connection on an Internet-wide scale for IPv6 is also definitely not trivial. Therefore, the utilization of IPSec in IPv6 networks will not dramatically increase beyond the levels currently used for IPv4 networks for some time to come. So in reality, both IPv4 and IPv6 have associated security issues (not necessarily the same), but neither protocol is really more secure than the other.

Well that’s all for now. Hopefully your understanding of some common IPv6 misconceptions has been clarified. Stay tuned for the next IPv6 post on how ICMP has changed in IPv6.

Tags: , ,

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.

1 Comments.


  1. Actually, getting rid of NAT increases one’s security posture, as the stateful DoS vector represented by NAT is eliminated from the network.

    Unfortunately, the advent of IPv6 will result in *more* undesirable state in the network, in the form of CGNs on the IPv4 side and 6-to-4 gateways.

       2 likes