About IPv6 Security Considerations

Larus Team 2021-01-14 09:20:41 IPv6

When a new protocol such as IPv6 is introduced, its security posture is one of the first things users consider, especially its exposure to network attacks. Although protocol security is widely discussed, there is usually no single source that covers potential attacks, research references for those attacks, possible countermeasures, and operational challenges. For IPv6, however, you can find this information by searching for the document name: draft-ietf-opsec-v6. This document collects and examines IPv6 security information provided by operators. If you have deployed IPv6 or are considering deploying it, this article may help you.

The draft is divided into four main parts. The first, and longest, addresses general security considerations. The first question is whether operators should use provider-independent (PI) or provider-assigned (PA) address space. One of the dangers of a large address space is the sheer size of the potential routing table in the default-free zone (DFZ). If every network operator chooses an IPv6 /32, the potential size of the DFZ routing table is 2.4 billion routing entries. If you think converging on about 800,000 routes is bad, wait until there are 2.4 billion routes. Of course, actual PI space is allocated on the /48 boundary, which causes the size of the potential table to grow exponentially. Therefore, in some very important respects, PI space is not good for the Internet. The document presents the other side of the argument: security is a problem with PA space. Although IPv6 renumbering is supposed to be "easy", in practice it is far from that. Some reports indicate that IPv6 renumbering is more difficult than IPv4 renumbering. A long and difficult renumbering process offers many opportunities for security failure, so the attack surface is also large. Preferring PI space over PA space thus becomes a matter of reducing the operational attack surface.

Another interesting question is whether static addressing should be used for certain services when managing IPv6 networks, or whether all addresses should be learned dynamically. It is generally believed that because the IPv6 address space is so large, it cannot be "scanned" to find hosts to attack. As the draft points out, studies have shown that this is simply incorrect. In addition, static addresses may place specific servers or services at locations that attackers can easily identify. The authors' point is that, either way, endpoint security needs to rely on actual security mechanisms rather than on hiding the address in some way. Other very useful topics considered here include: Unique Local Addresses (ULA), numbering and management of point-to-point links, privacy extensions for SLAAC, use of a /64 per host, extension headers, protection of DHCP, ND/RA filtering, and control plane security.
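To make the point about "unscannable" address space concrete, the following added example (not code from the article or the draft) audits an operator's own address inventory for interface identifiers that follow predictable patterns. The pattern list and the bit estimates are assumptions based on commonly documented addressing habits, and the sample addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Assumed rough size (in bits) of the space an outsider must search per /64
# once a pattern is recognised; "eui-64" assumes the vendor OUI is known.
SEARCH_BITS = {"low-byte": 16, "eui-64": 24, "ipv4-like": 32, "opaque": 64}

def classify_iid(addr: str) -> str:
    """Label the interface identifier (low 64 bits) of one IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    if iid <= 0xFFFF:
        return "low-byte"    # manual numbering such as ::1 or ::53
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"      # MAC-derived IID: ff:fe sits in the middle bytes
    if iid >> 32 == 0:
        return "ipv4-like"   # IPv4 address packed into the low 32 bits
    groups = [f"{(iid >> shift) & 0xFFFF:x}" for shift in (48, 32, 16, 0)]
    if all(g.isdigit() and int(g) <= 255 for g in groups):
        return "ipv4-like"   # IPv4 octets written as groups, e.g. :192:0:2:10
    return "opaque"          # no recognised structure (random or privacy IID)

def audit(inventory):
    """Return {address: (label, search_bits)} for every address given."""
    result = {}
    for addr in inventory:
        label = classify_iid(addr)
        result[addr] = (label, SEARCH_BITS[label])
    return result

def predictable(inventory):
    """Addresses whose IID pattern shrinks the search space below 2**64."""
    return [a for a, (label, _) in audit(inventory).items() if label != "opaque"]

# Constructed sample inventory (documentation prefix, not real hosts).
SAMPLE = [
    "2001:db8:0:1::1",
    "2001:db8:0:1::53",
    "2001:db8:0:2:21a:2bff:fe3c:4d5e",
    "2001:db8:0:3::c000:20a",
    "2001:db8:0:3:192:0:2:10",
    "2001:db8:0:4:8d3f:6c1e:a7b2:59e4",
]

if __name__ == "__main__":
    for addr, (label, bits) in audit(SAMPLE).items():
        print(f"{addr:<36} {label:<10} ~2^{bits} candidates per /64")
```

Hosts flagged here are the ones that need real controls (filtering, authentication, patching) regardless of how large the surrounding prefix is.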

IPv6 deployment can be complicated and time-consuming, so make sure everything is set up correctly. If you need help with IPv6 deployment, LARUS provides IPv6 training and can guide you step by step through your deployment.
