Cisco Blogs



IPv6 – What’s New

IPv6 is becoming more widely deployed as the availability of IPv4 addresses continues to decline. In June, Cisco will be participating in World IPv6 Day, a 24-hour global “test drive” of IPv6 organized by the Internet Society.

Hopefully this introductory post will give you a basic idea of how IPv6 works and some initial security concerns. In upcoming posts, I will explain in more detail the security impact of various aspects of IPv6 on your network. I am willing to address other topics as well if there is interest; just let me know. The upcoming topics are currently:

IPv6 Myths
IPv6 ICMP and Security
IPv6 Addressing
Securing IPv6
IPv6 Testing
IPv6 Transition Methodologies

Since this is the first blog in the series, I will examine the major differences between IPv6 and IPv4. Everyone has probably realized by now that one of the changes has to do with IP addresses. Have you wondered, however, what other changes come with IPv6? Let’s take a look at some of the changes and how they may impact your network.

Addresses

The first obvious difference is that DNS names will almost exclusively be used instead of IP addresses. With IPv4, addresses are only 32 bits, but IPv6 addresses are 128 bits long (much too long to remember). In fact, it is hard to even visualize how many more addresses are available in IPv6 compared to IPv4. The analogy that I like is the following: if you took all of the IPv4 addresses and stuffed them into a golf ball, then all of the IPv6 addresses, compressed the same way, would fill the Sun. This size increase definitely requires new thinking when designing networks, especially when it comes to determining subnet boundaries.

Address Configuration

IPv6 provides both stateful and stateless address configuration. Stateful address configuration is similar to the existing DHCP functionality in IPv4. IPv6 also supports Stateless Address Autoconfiguration (SLAAC). In this mode, nodes configure themselves automatically by generating a link-local address, locating neighbors on the same local segment, locating a default router, and even generating a globally routable address using the prefix supplied by the router through ICMP messages. All of this occurs without any user interaction. Another interesting note is that IPv6 makes it easy to renumber these global addresses via the routers on the network instead of configuring the hosts individually. Securing these interactions is definitely something to consider when deploying IPv6.
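As an added illustration (not code from the original post), here is how a host derives its SLAAC addresses from its MAC address with modified EUI-64, and the solicited-node multicast group on which Neighbor Discovery (including duplicate address detection) for that address takes place; the MAC and the 2001:db8 prefix are constructed sample values. Note that the interface identifier embeds the hardware address, which is one reason the "securing these interactions" point above matters.

```python
import ipaddress

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # the U/L bit is inverted, so a globally unique MAC yields a bit value of 1
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix (fe80::/64 for link-local, or one learned from a Router Advertisement) with the IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))

def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX from the low 24 bits of a unicast address: the group a node joins to hear
    Neighbor Solicitations (including duplicate address detection) for that address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "0" * 16 + "0001ff") + low24)

def slaac_addresses(mac: str, advertised_prefix: str) -> dict:
    """Everything a host derives from its MAC plus the router-advertised prefix, as strings."""
    glob = slaac_address(advertised_prefix, mac)
    return {"link_local": str(slaac_address("fe80::/64", mac)),
            "global": str(glob),
            "solicited_node": str(solicited_node_multicast(str(glob)))}

# Constructed sample values: a made-up MAC and the documentation prefix 2001:db8::/32
SAMPLE_MAC = "00:1b:21:0a:0b:0c"
SAMPLE_PREFIX = "2001:db8:1:2::/64"
```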

ICMP

In IPv6, ICMP is a crucial component. Besides the basic ICMP messages found in IPv4, IPv6 incorporates numerous new ICMP messages. The ARP functionality of IPv4 has effectively been replaced by Neighbor Discovery (ICMP Types 135 & 136) and Router Discovery (ICMP Types 133 & 134) messages. Fragmentation in IPv6 is done only by endpoints, not by intermediate routers. To signal that a packet needs to be fragmented, an ICMP Type 2 “Packet Too Big” message is sent to the originating host after the original packet is dropped. Therefore, ICMP Type 2 packets need to be allowed into your network, including messages from external addresses; otherwise fragmentation will be broken. On the positive side, however, the minimum link MTU in IPv6 is 1280 octets, a large increase from the minimum of 576 octets in IPv4, so hopefully fragmentation will not be required very often.

IPv6 Packet Structure

One of the changes that is less obvious to the normal user is the IPv6 packet header. The basic IPv6 header has been streamlined to contain only the following fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address and Destination Address. Routers can process this streamlined header more efficiently. The Flow Label is designed to allow a router to efficiently identify packets that belong to the same flow or connection. By placing this in the base header, routers have access to this information without traversing the multiple extension headers that will be present in a typical IPv6 packet. The Next Header field enables the IPv6 packet to incorporate other functionality, such as Fragmentation, IPsec (AH & ESP) and the traditional transport protocols (such as TCP & UDP). Essentially, each IPv6 packet consists of a linked list of extension headers. Each Next Header field indicates the structure of the following header block, and each extension header block defines fields for a specific type of functionality such as Fragmentation. To maintain backwards compatibility with IPv4, the Next Header field reuses the traditional IP protocol numbers (such as 6 for TCP). These traditional IPv4 protocol headers must occur last in the linked list since they do not have a Next Header field of their own. Using extension headers allows the protocol to be extended easily by just defining a new extension header with one of the unused Next Header values. This linked list structure, however, presents a major challenge for developers: they must adequately test the new IPv6 packet structure and verify that products using IPv6 are robust against malformed packets.
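The following parser is added here as an illustration (it is not code from the post or from Cisco). It walks the Next Header chain described above, stopping at the first upper-layer header, and decodes the ICMPv6 Packet Too Big message from the ICMP section; the sample packet is constructed, and the bounded chain walk with per-header length checks is the kind of robustness against malformed packets that the paragraph calls for.

```python
import struct
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, ICMPV6 = 0, 43, 44, 51, 60, 58  # IANA Next Header values
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_EXT_HEADERS = 8  # bound the chain walk so a malformed packet cannot stall the parser

def parse_ipv6(pkt: bytes) -> dict:
    """Parse the 40-byte base header, then walk the Next Header chain to the transport header."""
    if len(pkt) < 40:
        raise ValueError("truncated base header")
    word0, payload_len, nxt, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < 40 + payload_len:
        raise ValueError("payload shorter than Payload Length claims")
    off, chain = 40, []
    while nxt in EXT_HEADERS:  # transport headers carry no Next Header field, so they end the chain
        if len(chain) >= MAX_EXT_HEADERS or off + 8 > len(pkt):
            raise ValueError("extension header chain too long or truncated")
        if nxt == FRAGMENT:
            hdr_len = 8  # Fragment header is always 8 octets
        elif nxt == AH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH: Payload Len in 32-bit words, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len in 8-octet units, not counting the first
        if off + hdr_len > len(pkt):
            raise ValueError("extension header runs past the end of the packet")
        chain.append(nxt)
        nxt, off = pkt[off], off + hdr_len
    return {"flow_label": word0 & 0xFFFFF, "hop_limit": hop_limit, "src": pkt[8:24], "dst": pkt[24:40],
            "ext_headers": chain, "upper": nxt, "payload": pkt[off:40 + payload_len]}

def icmpv6_info(parsed: dict):
    """Decode ICMPv6 type/code; Packet Too Big (type 2) also carries the next-hop MTU."""
    if parsed["upper"] != ICMPV6:
        return None
    body = parsed["payload"]
    if len(body) < 8:
        raise ValueError("truncated ICMPv6 header")
    info = {"type": body[0], "code": body[1]}
    if info["type"] == 2:
        info["mtu"] = struct.unpack("!I", body[4:8])[0]
    return info

def sample_packet() -> bytes:
    """Constructed sample: base header, Hop-by-Hop, Fragment, then ICMPv6 Packet Too Big with MTU 1280."""
    icmp = bytes([2, 0, 0, 0]) + struct.pack("!I", 1280) + bytes(40)  # checksum left zero for brevity
    frag = bytes([ICMPV6, 0, 0, 0, 0, 0, 0, 1])  # Next Header = 58, offset 0, identification 1
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])  # Next Header = 44, Hdr Ext Len 0, one PadN option
    payload = hbh + frag + icmp
    addrs = bytes.fromhex("20010db8" + "0" * 23 + "1" + "20010db8" + "0" * 23 + "2")  # 2001:db8::1 -> ::2
    return struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + addrs + payload
```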

Multicast

Multicast lets a single packet reach multiple systems on the network. Although IPv4 can employ multicast, in IPv6 multicast takes a much more prominent role. IPv6 does not have a broadcast address, which is not surprising considering the default subnet size is 2^64. Multicast is used in various ways to communicate with specific device groups, such as All Hosts on the local network or All Routers on the local network. ICMP messages to these multicast groups enable IPv6’s Neighbor Discovery to operate efficiently. Other groups include All DHCP Servers and All Mobile Agents. The increased reliance on multicast goes hand-in-hand with the increased dependence on ICMP. While enabling efficient communication between systems, multicast also presents some challenges, such as trying to secure multicast traffic with IPsec.

Summary

Hopefully this post provided you with a basic understanding of IPv6 and some of the security concerns, at least from a 10,000-foot view. Which protocol do you think is more secure, IPv4 or IPv6? Not sure? Check out the upcoming IPv6 Myths post to find out more. Each of the upcoming IPv6 blog posts will expand your knowledge of IPv6 functionality as well as security.


4 Comments.


  1. Will Cisco be updating firmware on older routers (RV042) to handle IPv6? Or, will users be forced to buy new equipment?


  2. I’ve been using IPv6 for almost a decade now.

    Even having an IPv6 only VLAN etc (back in the day of having a funneled connection rather than native)

    Why has it taken Cisco so long to get some of its act into gear? Why only now is kit starting to deal with this properly? Why is even now kit coming out that doesn’t have parity between 4 and 6? When will Cisco kit start using v6 for its management?

    It’s 2011 … it’s quite pitiful how Cisco keeps tweeting about its fairly mediocre handling of IPv6


  3. Cisco has a long track record of ‘listening to our customers’. That is a double-edged sword though, as for the last decade the vast majority of our customers have repetitively de-prioritized IPv6 in relation to other development efforts they required. While IPv6 functionality has been incorporated in many products in anticipation of the IPv4 pool exhaustion, often it dropped just below the line of available resources when the high-priority customer requirements were moved to the head of the queue.

    While, as you note, we still have a fair amount of work to do, the fact that many more customers recognize IPv6 as a priority is helping adjust the development efforts to make sure IPv6 fits within the resources available. We do take our customers’ priorities seriously, and work hard to meet those needs. When rapid changes in direction occur, as is happening now, gaps in our ability to meet anticipated needs are exposed.


  4. Myth #1: Cisco supports IPv6 on all products, including Linksys, prior to the IPv4 exhaustion day. Sorry Tony and Earl, it’s not your fault; it was a business decision made at the top to delay many IPv6 product offerings, be it security, interoperability, VOIP, etc.

    Myth #2: Other product vendors support IPv6.
