Thoughts on IPv6 Security of Microsoft SP2

Author: China eLab lab
 

In Windows Server 2003, Windows XP Service Pack1, and Windows XP Service Pack 2, Microsoft has bound Internet Protocol version 6 (IPv6), but it is not installed by default, in other versions of Windows, IPv6 is generally available through third-party attachments, because they do not have plans to release IPv6 for Windows 2000 and earlier versions.

Microsoft's IPv6 only provides enhanced security for Windows networks of organizations that have fully installed and configured this Protocol. However, there are still some security issues that need to be understood before installing this new IP protocol.

IPv6 advantages

By executing Microsoft IPv6, We can moderately improve security. At the beginning, any attempt to attack your network must scan the IPv6 address space (which means a much larger address space than IPv4) to search for your network segment. This can be said to be a black hole in address scanning, but do not rely too much on this fuzzy security.

This is almost the case for enhanced security. Isn't it a pity ?! If you are using the advanced features of IPv4, you need to consider the primary security degradation before configuring IPv6.

IPv6 Defects

Microsoft must redesign its IPv6 before obtaining a new security key. The most obvious problem is the "crash" of Microsoft IPv6 IP Security (IPSec) protocol ". IPSec supports Authentication Header (AH) ① and Encapsulating Security Payload (ESP) ② for transmission and channel modes. However, Microsoft ESP does not support data compression. In addition, Microsoft IPv6 does not support Internet Key Exchange (IKE, Internet Key Exchange) Negotiation Security Association (SAs ). We will not be able to set IPv6 PSec security through group policies. Instead, you must manually configure them to calculate the SA and message classification of each server (MD5) and the key of hash algorithm 1 (SHA-1.

Manual configuration of security keys and static security calculation rules on each server in your organization is a catastrophic prescription. If your security keys are manually and statically configured, then your data will eventually be damaged. Even if you are using the correct key, the key will be easily damaged.

Install IPV6

You can install IPV6 as an additional network protocol. Remember that you must install IPV4 before loading IPV6.

Install IPV6 as follows:

1. Start --> control panel --> double-click Network Connection

2. Right-click Local Connection and select Properties

3. Click "Install ".

4. select Microsoft IPV6 and click OK.

Summary

Microsoft has released the IPV4 technology preview version for Windows 2000. You can download it from the msdn web site. However, it is recommended that you perform a full test on it before deploying it into a product environment.

Note:

① The IPsec Authentication Header [AH] specification provides a similar service, through the calculation of Authentication data, this computation covers the data portion of a message and the unchanged portion of the IP header during transmission.

② [ESP] specifies that an optional encryption algorithm is used to provide confidentiality, and an optional authentication algorithm is provided to provide authentication and integrity. The NULL encryption algorithm is a convenient way to avoid encryption.

Although IPv6 seems to be a distance away from us, it does not prevent us from discussing its advantages and disadvantages in advance. As the IPv6 that many experts are eager to come, its huge address space makes us coveted, but even so, its security remains the key point we need to consider. I hope you can love or hate a software giant like Microsoft, its Windows security deserves our attention, just as we care about whether refrigerators or air conditioners are safe at home. Isn't it?