IPv6 is becoming more widely deployed as the availability of IPv4 addresses continue to decline. In June, Cisco will be participating in World IPv6 Day, a 24-hour global “test drive” of IPv6 that is organized by the Internet Society.
Hopefully this introductory post will give you a basic idea of how IPv6 works and some initial security concerns. In upcoming posts, I will explain in more detail the security impact on your network of various aspects of IPv6. I am willing to address other topics as well if there is interest, just let me know. Currently the upcoming topics will be:
Since this is the first blog in the series, I will examine the major differences between IPv6 and IPv4. Everyone has probably realized by now that one of the changes has to do with IP addresses. Have you wondered, however, what other changes come with IPv6? Let’s take a look at some of the changes and how they may impact your network.
The first obvious difference is that DNS names will almost exclusively be used instead of IP addresses. With IPv4, the addresses are only 32 bits, but IPv6 IP addresses are 128 bits long (much too long to remember). In fact it is hard to even visualize how many more addresses are available in IPv6 compared to IPv4. The analogy that I like is the following. If you take all of the IPv4 addresses and stuff them in a golf ball, then all of the IPv6 addresses--compressed the same--would fill the Sun. This size increase definitely requires new thinking when designing networks, especially when it comes to determining subnet boundaries.
IPv6 provides both a stateful and a stateless address configuration functionality. Stateful address configuration is similar to the existing DHCP functionality in IPv4. IPv6 also supports Stateless Address Auto Configuration (SLAAC). In this mode, nodes can automatically configure their network configuration by generating a local IP address, locating neighbors on the same local segment, locating a default router, and even generating a globally routable address using the prefix supplied by the router through ICMP messages. All of this occurs without any user interaction. Another interesting note is that IPv6 provides the ability to easily renumber these global addresses via the routers on the network instead of configuring the hosts individually. Securing these interactions is definitely something to consider when deploying IPv6.
In IPv6, ICMP is a crucial component. Besides the basic ICMP messages found in IPv4, IPv6 incorporates numerous new ICMP messages. ARP functionality in IPv4 has effectively been replaced with Neighbor Discovery (ICMP Types 135 & 136) and Router Discovery (ICMP Types 133 & 134) messages. Fragmentation in IPv6 is only done by endpoints (not by intermediate routers). To signal that a packet needs to be fragmented, an ICMP Type 2, “Packet Too Big,” is sent to the originating host after the original packet is dropped. Therefore, ICMP Type 2 packets need to be allowed into your network, including messages from external addresses, otherwise fragmentation will be broken. On the positive side, however, the minimum MTU for fragmentation in IPv6 is 1280 octets. This is a large increase from the minimum 576 octets for IPv4. So hopefully fragmentation will not be required very often.
IPv6 Packet Structure
One of the changes that is less obvious to the normal user is the IPv6 packet header. The basic IPv6 header has been streamlined to only contain the following fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address and Destination Address. Routers can process this streamlined header more efficiently. The Flow Label is designed to allow a router to efficiently identify packets that belong to the same flow or connection. By placing this in the header, routers have access to this information when traversing the multiple extension headers that will be present in a typical IPv6 packet. The Next Header field enables the IPv6 packet to incorporate other functionality, such as Fragmentation, IPsec (AH & ESP) and the traditional transport protocols (such as TCP & UDP). Essentially, each IPv6 packet is comprised of a linked list of extension headers. Each Next Header field indicates the structure of the following header block and each extension header block defines fields for a specific type of functionality such as Fragmentation. To maintain backwards compatibility with IPv4, the extension headers understand many traditional IP protocol numbers (such as 6 for TCP). These traditional IPv4 protocol headers must occur as the last extension header in the linked list since they do not have a Next Header field in them. Using extension headers allows the protocol to be easily extended by just defining a new extension header with one of the unused extension header values. This new linked list structure, however, provides a major challenge for developers to adequately test the new IPv6 packet structure and verify that products using IPv6 are robust against malformed packets.
Multicast enables you to send a single packet but still communicate with multiple systems on the network. Although IPv4 can employ multicast, in IPv6 multicast takes a much more prominent role. IPv6 does not have a broadcast address, which is not surprising considering the default subnet size is 2^64. Multicast is used in various ways to communicate with specific device groups, such as All Hosts on the local network or All Routers on the local network. ICMP messages to these multicast groups enable IPv6’s Neighbor Discovery to operate efficiently. Other groups include All DHCP Servers and All Mobile Agents. The increased reliance on multicast goes hand-in-hand with the increased dependence on ICMP. While enabling efficient communication between systems, multicast also presents some challenges, such as trying to secure multicast traffic with IPsec.
Hopefully this post provided you a basic understanding of IPv6 and some of the security concerns, at least from a 10,000 foot view. Which protocol do you think is more secure, IPv4 or IPv6? Not sure? Check out the upcoming IPv6 Myths post to find out more. Each of the upcoming IPv6 blog posts will expand your knowledge of IPv6 functionality as well as security.