Cisco Blogs



Securing IPv6 Transition Technologies

In the previous installment of our series of IPv6 security posts, we covered some of the basic things you need to consider when performing security testing on your IPv6 network. In this post, we will examine some of the things that you need to consider to secure the transition from IPv4 to IPv6. IPv6 is being deployed on more and more networks, but IPv4 is not going away any time soon. During this transition period, security is crucial since you will be running both IPv4 and IPv6, along with various tunneling protocols (even if you did not configure them explicitly) that enable communication between IPv4 and IPv6 networks (such as Teredo, ISATAP, and 6to4).

To begin with, the designers of IPv6 realized that the transition from IPv4 to IPv6 would not happen overnight. There was a hope that there would be a large push and the transition would go rather quickly, but as time moved on, that did not happen. The time for a quick transition has passed and we are in for a long and protracted transition. During this transition, nodes on your network will fit into one of the following buckets:


Securing IPv6

In the previous installment of our series of IPv6 security posts, we covered some of the ways addressing has changed in IPv6 compared to IPv4. In this post, we’ll talk about some of the things to consider when securing IPv6 compared to IPv4. Before digging into this topic, however, it is important to remember that while IPv6 may have different security concerns than IPv4, it is not necessarily any more secure than IPv4. Furthermore, the post will focus on those aspects that are different or unique to IPv6, since many of the common best practices for IPv4 networks also apply to IPv6 networks.


IPv6 Addressing

In the previous installment of our series of IPv6 posts, we covered some of the ways ICMP has changed in IPv6 compared to IPv4. In this post, we’ll talk about how addressing has changed in IPv6 compared to IPv4.

While IPv4 addresses are 32 bits long, the IPv6 address space has been extended to 128 bits, which will make it virtually impossible to remember the numeric representation of the address for a given host. This will definitely lead to more reliance on DNS. It will be difficult to operate even very simple test networks without relying on DNS to resolve host names to IPv6 addresses. Because of this, more attacks will be targeted against your DNS servers. Making sure your DNS configuration and servers are secure will be much more important in IPv6. Attackers will also target DNS to locate systems on the network by trying to resolve “common host names,” since scanning a remote IPv6 network is essentially impossible due to the size of the IPv6 address space.


ICMP and Security in IPv6

In the previous installment of our series of IPv6 posts, we covered some common myths regarding IPv6. In this post, we’ll talk about how the role of ICMP has changed in IPv6 compared to IPv4.

In IPv4, ICMP provides error reporting, flow control and first-hop gateway redirection. This functionality, which is also available in IPv6, is usually not essential to the operation of your network. With IPv6, however, ICMP has gained a much more significant and essential role because of new functionality that is now performed through ICMP. Fragmentation, Neighbor Discovery, and StateLess Address AutoConfiguration (SLAAC) represent essential functionality which is now performed using ICMP messages. Furthermore, many ICMP messages are designed to be sent to multicast addresses instead of only unicast addresses. Therefore, ICMP in IPv6 gains a whole new importance along with a new set of security concerns.


IPv6 Myths

In the first installment of our series of IPv6 posts, we covered some basic differences between IPv4 and IPv6. In this post, we’ll talk about some common myths regarding IPv6.

The initial IPv6 standards originated in 1998 with the publication of RFC 2460 – “Internet Protocol, Version 6 (IPv6) Specification.” The main intent behind IPv6 was to solve the issue of the limited address space available in IPv4. Over time, other features such as Stateless Address Autoconfiguration (SLAAC), Network Renumbering, and mandatory IPsec support were also added to IPv6. In reality, however, the main benefit of IPv6 is the expansion of the address space. Over those 10+ years, however, numerous myths have surfaced, many of which can impact the security of your IPv6 network. Understanding the truth behind these misconceptions is important, especially now, as IPv6 is being deployed on more and more networks.
