Compared with IPv4, IPv6 has many advantages. First, IPv6 solves the shortage of IP addresses. Secondly, IPv6 greatly improves many imperfections in the IPv4 protocol. The most significant one is to integrate IPSec into the Protocol. From then on, IPSec will no longer exist separately, but as an inherent part of the IPv6 protocol, it runs through various fields of IPv6. Of course, the large-scale use of IPSec will inevitably affect the forwarding performance of network devices, which requires higher hardware performance assurance. This article describes the security and security mechanisms of IPv6 networks.
1. Protocol Security
In terms of Protocol Security, IPv6 fully supports authentication headers AH) authentication and encapsulation of Security Payload ESP) Information Security encapsulation extension headers. AH authentication supports hmac_md5_96 and hmac_sha_000096 encryption algorithms. ESP encapsulation supports three algorithms: DES_CBC, 3DES_CBC, and Null.
2. Network Security
① End-to-end security assurance. Packets are encapsulated by IPSec on both hosts. The intermediate router implements transparent transmission of IPv6 packets with an IPSec extension header to achieve end-to-end security.
② Keep the internal network confidential. When the internal host communicates with other hosts on the Internet, the configured IPSec gateway can be used to ensure the security of the internal network. Because IPSec, as the IPv6 extension header, cannot be parsed by the Intermediate router but can only be parsed by the destination node, the IPSec gateway can be implemented through the IPSec tunnel, you can also use the Routing Header provided in the IPv6 extension header and the hop-by-hop option header combined with the application layer gateway technology. The latter is more flexible in implementation, which is conducive to providing comprehensive internal network security, but complicated.
③ Build a secure VPN through a secure tunnel. The VPN is implemented through the IPSec tunnel of IPv6. Establishes an IPSec Security Tunnel between routers to form a secure VPN. The IPSec Gateway Router is actually the destination and starting point of the IPSec tunnel. To meet the forwarding performance requirements, the router needs a dedicated encryption board.
④ Implement network security through tunneling nesting. Multiple security protection measures can be achieved through tunneling nesting. When a host with IPSec configured is connected to a router with IPSee gateway configured through a secure tunnel and the router is used as the end point of the external tunnel, nested Internal Security tunnels constitute security isolation for internal networks.
3. Other security measures
IPSec guarantees the validity, consistency, and integrity of network data and information content. However, the security threats of data networks are multidimensional, they are distributed in the physical layer, data link layer, network layer, transmission layer, and application layer.
For security risks of the physical layer, you can configure redundant devices, redundant lines, safe power supply, ensure the electromagnetic compatibility environment, and enhance security management. For security risks at or above the physical layer, the following measures can be taken: use security access control protocols such as AAA, TACACS +, and RADIUS to control users' access permissions to the network to prevent attacks at the application layer; bind the MAC address and IP address, limit the number of MAC addresses used on each port, set the traffic threshold for each port broadcast packet, use the port and VLAN-based ACL, and establish a secure user tunnel to prevent layer-2 attacks. network attacks; the security of L3 networks is enhanced by filtering routes, encrypting and authenticating route information, controlling targeted multicast, improving route convergence speed, and reducing the impact of route oscillation. The complete support of routers and switches for IPSec ensures the validity, consistency and integrity of network data and information content, and provides many solutions for network security.
- Topic: IPv6 protocol unlimited network space
- Features and evolution of next-generation networks and IPv6 protocols