IPv6-Unidad1

"IPv6 is more secure than IPv4.". True. False.

"IPv6 is more secure than IPv4.". Initially, it was established that any IPv6 stack must support IPsec (RFC 4294 - IPv6 Node Requirements, April 2006 - Obsoleted by 6434). IPsec for IPv6 is in the protocol, using specific IPv6 Extension Headers. IPsec for IPv4 is not part of IPv4 but it is an added layer on top of it. The idea being that if IPsec is mandatory for IPv6, it will be widely used. IPsec was not commonly used for IPv6. As with IPv4, its common use is IPsec-VPNs. The problem for using IPsec Internet-wide is the lack of a global PKI (public key infrastructure) that makes it possible for a host to trust another host. IPv6 was intended for any kind of device, but IPsec imposes some big requirements such as lines of code, memory and CPU, to deal with all of the cryptographic algorithms. In 2011 the RFC 4294 was updated making the implementation of IPv6 no longer mandatory, instead saying it 'should' be (RFC 6434 - IPv6 Node Requirements, E. Jankiewicz, J. Loughney, T. Narten, December 2011). This has resulted in good support of IPsec for IPv6 in most IPv6 implementations. IPsec has been used as a security tool in many IPv6-related protocols: OSPFv3, MIPv6, etc. IPsec was available for both IPv4 and IPv6 since it was first standardised [RFC2401], so both protocols had the same security features using IPsec.

"In IPv6 there is no NAT (Network Address Translation) and GUA (Global Unicast Addresses) are used, meaning that my IPs can always be reached from anywhere on the Internet.". True. False.

"In IPv6 there is no NAT (Network Address Translation) and GUA (Global Unicast Addresses) are used, meaning that my IPs can always be reached from anywhere on the Internet.". In IPv6 there are enough addresses to give GUA to any IPv6 nodes. This is the same as having all IPv4 nodes with public addresses, and not (mistakenly) using NAT as a security tool. This mindset trusts NAT to hide the nodes, and public IPv4 addresses are used only for publicly accessible nodes. Having global addressing does not imply global reachability. The network responsible has to filter the traffic to IPs that need to be reachable. In other words, a firewall is needed to filter packets, allowing only the traffic that is intended.

"There are no new security issues with IPv6, because it is the same as IPv4 but with 128 bit addresses.". True. False.

"There are no new security issues with IPv6, because it is the same as IPv4 but with 128 bit addresses.". From a routing and switching point of view, IPv4 and IPv6 are almost the same. The main difference is in the number of bits used for the addresses (32 vs. 128). We are still talking about packet switching, with many similarities: source/destination address, no changes in other layers, etc. Basic IPv6 header: new addressing scheme. Extension headers. Associated protocols that are new: ICMPv6, NDP, MLD, DHCPv6, etc.

"IPv6 is a security problem in my IPv4 only network.". True. False.

IPv6 is a security problem in my IPv4 Network. When your network infrastructure (routers, switches, firewall, etc.) is only configured and supposed to be used for IPv4 you may be not aware of IPv6 being available. Almost all current Operating Systems come with IPv6 available and enabled by default. Also many infrastructure devices (switches, routers, firewalls, etc.) come with IPv6 enabled by default. All these IPv6-enabled devices can be used for different attacks.

"IPv6 networks are too big to scan.". True. False.

"IPv6 networks are too big to scan.". The IPv6 network prefix that has to be used in a LAN/VLAN is a /64, allowing for up to 18,446,744,073,709,551,616 hosts. The common technique of IP and ports scanning used with IPv4, brute force scanning, where all possible IPs and a range of ports are used to try to get a response and detect if it exists. In a /64 network this approach is not possible. It would take thousands of years! RFC 5157 explains this.

"There are IPv6 security threats and attacks.". True. False.

"There are IPv6 security threats and attacks.". IPv6 is still something new/unknown to many people, or they are not paying attention to it so they don't realise that IPv6 is already happening. This also leads them to think that there are no threats or attacks. Many parts of IPv6 were standardised almost 20 years ago (1998 for basic IPv6). There are tools, threats, attacks, security patches, etc and we will see all of these during this course. Traffic statistics are growing each month. IPv6 enabled devices are the most common case. Attacks over IPv6 exist at local and Internet wide level.

"IPv6 support is a yes/no question.". True. False.

"IPv6 support is a yes/no question.". t’s very common that the answer to the question “does it support IPv6?” is “yes, it supports IPv6”. This answer usually comes from a sales agent or account manager, that wants to keep the client/customer or wants to get new ones. IPv6 support is not a yes/no question. Today, network devices/software have many features, including security tools. You need support for IPv6 in many features, in order to have a service for IPv6 at the same level as for IPv4. Supporting IPv6 for some features doesn’t mean “IPv6 support”. You can find specific features missing, non-mature implementations, interoperability problems, more updates and patches than for IPv4.

"It's not possible to secure an IPv6 network because of a lack of resources (guides, best common practices, tools) and IPv6 security features available on the market.". True. False.

"It's not possible to secure an IPv6 network because of a lack of resources (guides, best common practices, tools) and IPv6 security features available on the market.". IPv6 is completely different to IPv4. People wrongly think that there are no Best Common Practices (BCPs) or resources available for securing an IPv6 network. Many IP related security guidelines could be used for both IPv4 and IPv6. Also, security policies should be IP-version independent. There are many security principles to use with IPv6. As IPv6 is something that is happening, actually, deploying IPv6 and applying IPv6 security measures is the best way to secure your network.

Do you need to be able to filter traffic in the router? Select the correct option. No, it's not needed because you want to keep the same security level as IPv4. No, it's better not to have it because that will make the deployment much more expensive. Yes, you need to filter IPv6 bogus prefixes in your routing protocols. Yes, you decide if you want your IPv6 Global address to be reachable, so filtering is key to protect your IPv6 network.