Due to its huge address space, IPv6 has a natural advantage in dealing with some security attacks. It improves network security in terms of traceability, resistance to hacker sniffing, the Neighbor Discovery Protocol, the Secure Neighbor Discovery protocol, and end-to-end IPSec secure transmission. In response to the Action Plan for Promoting Large-Scale Deployment of Internet Protocol Version 6 (IPv6), this article provides a detailed interpretation of network security protection under the large-scale deployment of IPv6. Continuing from the previous issue on the impact of IPv6 on the industry, this issue focuses on IPv6 security technology.

Traceability

The huge address space of IPv6 allows a unique network address to be allocated to each network device, eliminating the need to work around address shortage with NAT as in IPv4 networks. This facilitates subsequent tracing and improves security.

Anti-hacker sniffing capability

Because of the sheer number of IPv6 addresses, the sniffing scans that hackers often use in IPv4 networks become much more difficult in IPv6 networks.

NDP & SEND

In IPv6, the function of ARP is replaced by the Neighbor Discovery Protocol (NDP). NDP finds other nodes on the link, determines their addresses, and finds available routers. Compared with ARP, NDP is implemented only at the link layer and is more independent of the transmission medium. The Secure Neighbor Discovery (SEND) protocol of the next-generation Internet ensures the security of transmission through another encryption method independent of IPSec.

End-to-end IPSec secure transmission capability

IPSec provides data source authentication, integrity, and confidentiality for each node in an IPv6 network, achieving end-to-end security encryption.

Q1: What are the differences between the new security features of IPv6 and IPv4?

As for the security of IPv6 networks: since only the IP packet header and addressing method have changed and an end-to-end security mechanism has been built in, IPv6 does not provide much improvement over IPv4 in preventing the various security risks seen today.

Q2: For security reasons, IPv4 networks use NAT technology to hide intranet IP addresses. Do IPv6 networks also need similar technology to improve security?

The IPv6 NPT (Network Prefix Translation) protocol (RFC 6296) can achieve functions similar to IPv4 NAT, allowing 1:1 mapping of IPv6 addresses to achieve the effect of hiding internal IPv6 addresses.

Q3: What impact do IPv6 network defense methods and approaches have on application layer attacks?

Application layer defense functions generally include protocol identification, IPS, anti-virus, URL filtering, etc. These mainly inspect the application layer payload of the message and are almost unaffected by whether the network layer protocol is IPv4 or IPv6. Therefore, most application layer security capabilities under the traditional IPv4 protocol are not affected in IPv6 networks. However, a small number of IPv4 network protocols need to change under IPv6. For example, the DNS protocol needs to be upgraded to DNSv6. In such cases, the corresponding application layer security detection needs to be adjusted according to the protocol changes.

Q4: IPv6 adds IPSec's end-to-end encryption capability in the extension header. If an application enables this function, how can network security devices detect and defend against the encrypted traffic?

Generally, network security devices cannot decrypt IPSec-encrypted traffic and can only control it based on IP addresses. However, as things currently stand, this "embedded" IPSec requires key distribution technology, which is generally not mature and has high management costs. In addition, since network security devices cannot normally decrypt IPSec traffic, devices such as firewalls cannot inspect IPSec traffic at the network and application layers, so in a sense the security of the system cannot be fully guaranteed. For general enterprise applications, considering both management cost and security, it is recommended to continue using firewalls to implement IPSec VPN encryption and decryption, to perform security checks such as IPS and stateful firewalling at the gateway, and to deploy end-to-end encryption once the technology matures.

Q5: Is the SSL proxy function affected under the IPv6 protocol?

The SSL proxy does not depend on the specific network layer protocol and can still decrypt IPv6 SSL-encrypted traffic.

Q6: For IPv6 networks, how is security policy management implemented through firewalls? How does the security policy differ from that of IPv4?

Security policy management for IPv6 is the same as for IPv4: policies still need to be configured one by one based on the ACL five-tuple. The only difference is that IPv6 addresses are longer, making policy configuration more complicated.

Q7: What impact will enabling the IPv4/IPv6 dual stack function on existing security devices have on the IPv4 service in terms of function and performance?

Enabling IPv4/IPv6 dual stack generally does not affect the functions of security devices, but it mainly affects their performance, because the IPv6 protocol stack consumes CPU and memory resources otherwise available to IPv4 services, resulting in varying degrees of decline in session table capacity, new session creation rate, and throughput for existing IPv4 services. It is recommended to evaluate the processing capacity of existing security devices before upgrading to or enabling IPv4/IPv6 dual stack, and to replace existing security devices if necessary to avoid affecting existing IPv4 services.
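The 1:1 prefix mapping mentioned in Q2 is worth seeing in code, because NPTv6 is not a plain prefix swap: RFC 6296 requires the mapping to be checksum-neutral, so one 16-bit word of the address is adjusted to keep TCP/UDP/ICMPv6 checksums valid without rewriting transport headers. The following is an added example, not code from the original article or from any NPTv6 implementation; it covers only the "/48 or shorter" case of RFC 6296 section 3.1 (adjustment in the subnet word, bits 48-63), and the two prefixes and the sample host address are constructed values (the prefixes are the ones the RFC uses for its own illustration).

```python
import ipaddress

# Constructed example prefixes: an internal ULA prefix and the external,
# globally routable prefix it is mapped to (same values RFC 6296 uses).
INTERNAL_PREFIX = "fd01:203:405::/48"
EXTERNAL_PREFIX = "2001:db8:1::/48"


def ones_complement_sum(words):
    """One's-complement sum of 16-bit words, folding carries back in."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def to_words(address):
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(address).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words):
    """Rebuild a compressed textual IPv6 address from eight 16-bit words."""
    return str(ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words)))


def nptv6_translate(address, from_prefix, to_prefix):
    """Map an address from one prefix to the other (RFC 6296, /48 or shorter).

    Only the prefix bits change; the subnet word (bits 48-63) is then adjusted
    so that the one's-complement sum of the whole address is unchanged. The
    mapping is stateless and symmetric: calling it with the prefixes swapped
    undoes it, which is what makes the 1:1 inbound/outbound translation work.
    """
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("prefix lengths must match and be /48 or shorter")
    addr = ipaddress.IPv6Address(address)
    if addr not in src:
        raise ValueError(f"{address} is not inside {from_prefix}")

    old = to_words(addr)
    # Replace the prefix bits and keep every bit after them.
    rewritten = (int(addr) & int(src.hostmask)) | int(dst.network_address)
    new = to_words(ipaddress.IPv6Address(rewritten))

    # Adjustment = sum(old prefix words) - sum(new prefix words), done in
    # one's complement by adding the complement. Bits outside the prefix are
    # identical in old[0:3] and new[0:3], so they cancel out.
    old_sum = ones_complement_sum(old[0:3])
    new_sum = ones_complement_sum(new[0:3])
    delta = ones_complement_sum([old_sum, (~new_sum) & 0xFFFF])
    new[3] = ones_complement_sum([new[3], delta])
    if new[3] == 0xFFFF:  # one's-complement "negative zero"; the RFC writes it as 0x0000
        new[3] = 0
    return from_words(new)


def is_checksum_neutral(a, b):
    """True if both addresses contribute the same value to a transport checksum."""
    return ones_complement_sum(to_words(a)) == ones_complement_sum(to_words(b))


if __name__ == "__main__":
    inside = "fd01:203:405:1::1234"  # constructed internal host address
    outside = nptv6_translate(inside, INTERNAL_PREFIX, EXTERNAL_PREFIX)
    back = nptv6_translate(outside, EXTERNAL_PREFIX, INTERNAL_PREFIX)
    print(inside, "->", outside, "->", back)
    print("checksum neutral:", is_checksum_neutral(inside, outside))
```

Running it shows the internal address fd01:203:405:1::1234 leaving as 2001:db8:1:d550::1234 (the subnet word 0001 becomes d550 purely to preserve the checksum) and mapping back unchanged. Because the translation is stateless and 1:1, it hides the internal prefix but does not filter anything: an inbound packet addressed to the external prefix is translated and forwarded, so the five-tuple security policy discussed in Q6 is still required in front of it.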