IPv6 first solves the shortage of IP addresses. Second, it makes major changes to many imperfections of the IPv4 protocol, the most significant being the integration of IPSec (IP Security) into the protocol itself. IPSec no longer exists as a separate add-on but runs through all parts of IPv6 as an inherent component.
IPv6 Security Mechanism
IPv6 security mechanisms are mainly manifested in the following aspects:
1) Header authentication and security information encapsulation, which were originally independent of the IPv4 protocol family, are placed in the basic IPv6 protocol as IPv6 extension headers. This gives IPv6 networks protocol-level support for network-wide security authentication and encrypted encapsulation.
2) Address resolution is placed in the ICMP (Internet Control Message Protocol) layer, which makes it less dependent on the link-layer medium than ARP (Address Resolution Protocol) and lets it use standard IP authentication and other security mechanisms.
3) The IPv6 protocol provides better protection for operations that may pose security risks to the network. For example, to counter the link congestion risk caused by multiple interfaces on a link sending Neighbor Solicitation messages at the same time, IPv6 delays transmission by a random interval within a certain range. This reduces the likelihood of link congestion and also the likelihood that multiple nodes compete for the same address at the same time.
4) Besides IPSec and the IPv6-specific security measures, other protection mechanisms remain effective on IPv6. For instance, NAT-PT (Network Address Translation - Protocol Translation) can provide the same protection as NAT in IPv4, and through the extended ACL (Access Control List) all security protections provided by IPv4 ACLs can be implemented on IPv6. In addition, technologies such as security tunneling and VPN (Virtual Private Network) based on VPLS (Virtual Private LAN Segment) and VPWS (Virtual Private Wire Service) can also be fully implemented on IPv6.
Of course, large-scale use of IPSec inevitably affects the forwarding performance of network devices, so higher-performance hardware is required. Overall, IPv6 greatly improves network security.
Architecture of IPv6 Security Network
IPv6 network security is achieved through three layers: protocol security, network security, and security encryption hardware. The following uses ZTE's ZXR10 series IPv6 routers as an example to describe how IPv6 network security is implemented at each of these three layers.
Protocol Security
The IPv6 extension headers AH (Authentication Header) and ESP (Encapsulating Security Payload) can be combined with a variety of cryptographic algorithms to provide security at the protocol level. The networking scheme shown in Figure 1 uses ESP encapsulation for routing protocol packets and AH authentication for protocol packets such as IPv6 Neighbor Discovery and stateless address autoconfiguration, so that protocol interaction is secured. For AH authentication, the hmac_md5_96 and hmac_sha1_96 algorithms can be used. For ESP encapsulation, three common algorithms are used: DES_CBC, 3DES_CBC, and Null.
Given the current network environment, keys are configured manually by default. However, to meet the needs of large-scale secure network construction in the future, IKE (Internet Key Exchange) APIs must also be reserved. By default, the router system in Figure 1 applies AH authentication to IPv6 PMTU (Path MTU) discovery, stateless address autoconfiguration, and Neighbor Discovery protocol messages. ESP encapsulation or AH authentication can be configured to secure routing protocol packets.
In transport mode, the router can encrypt and authenticate packets selected by several criteria, including protocol, source port and source address, and destination port and destination address. These selectors can be configured flexibly through the management module.
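As an added illustration of the AH authentication described above (this is not code from the article or from ZTE's ZXR10 routers), the following Python builds a transport-mode IPv6 packet with an AH extension header, computes the 96-bit truncated ICV that hmac_md5_96 and hmac_sha1_96 produce over the immutable fields, and verifies it on receipt. The key, addresses and the Neighbor Solicitation-shaped payload are constructed sample values; only AH is shown, so the ICMPv6 checksum is left at zero.

```python
import hmac
import hashlib
import struct

AH_PROTO = 51   # IPv6 Next Header value for the Authentication Header
ICV_LEN = 12    # hmac_md5_96 / hmac_sha1_96 keep the first 96 bits of the MAC
ALGOS = {"hmac_md5_96": hashlib.md5, "hmac_sha1_96": hashlib.sha1}

# Constructed sample values (not from the article)
KEY = b"constructed-demo-key"
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
# Neighbor Solicitation shape: type 135, code 0, checksum 0, reserved, target
PAYLOAD = b"\x87\x00\x00\x00" + b"\x00" * 4 + DST

def _zero_mutable(ipv6_hdr: bytes) -> bytes:
    """Zero the mutable base-header fields (Traffic Class, Flow Label, Hop Limit)
    before computing the ICV; Version, Payload Length, Next Header and addresses stay."""
    version_only = struct.unpack("!I", ipv6_hdr[:4])[0] & 0xF0000000
    return struct.pack("!I", version_only) + ipv6_hdr[4:7] + b"\x00" + ipv6_hdr[8:40]

def _icv(ipv6: bytes, ah: bytes, payload: bytes, key: bytes, algo: str) -> bytes:
    """HMAC over zeroed IPv6 header | AH with ICV zeroed | payload, truncated to 96 bits."""
    mac = hmac.new(key, _zero_mutable(ipv6) + ah + payload, ALGOS[algo]).digest()
    return mac[:ICV_LEN]

def build_ah_packet(src, dst, spi, seq, next_hdr, payload, key, algo) -> bytes:
    """Return IPv6 | AH | payload with a valid ICV (transport-mode AH)."""
    ah_len = 12 + ICV_LEN                       # 24 bytes, a multiple of 8 as IPv6 requires
    ipv6 = struct.pack("!IHBB16s16s", 0x60000000, ah_len + len(payload), AH_PROTO, 64, src, dst)
    # AH Payload Len field = AH length in 32-bit words minus 2
    ah_no_icv = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq)
    icv = _icv(ipv6, ah_no_icv + b"\x00" * ICV_LEN, payload, key, algo)
    return ipv6 + ah_no_icv + icv + payload

def verify_ah(packet: bytes, key: bytes, algo: str) -> bool:
    """Recompute the ICV of a received packet and compare it in constant time."""
    ipv6, rest = packet[:40], packet[40:]
    if ipv6[6] != AH_PROTO:
        return False
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    received = ah[12:12 + ICV_LEN]
    expected = _icv(ipv6, ah[:12] + b"\x00" * (ah_len - 12), payload, key, algo)
    return hmac.compare_digest(received, expected)

if __name__ == "__main__":
    pkt = build_ah_packet(SRC, DST, 0x100, 1, 58, PAYLOAD, KEY, "hmac_sha1_96")
    print("valid:", verify_ah(pkt, KEY, "hmac_sha1_96"))
```

Decrementing the Hop Limit, as every forwarding router does, leaves the ICV valid, while changing any payload byte, the key or the algorithm makes verification fail.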
Network Security
IPSec tunnel and transport modes can be combined to provide security at every layer of the network, for example end-to-end security, internal network confidentiality, building a secure VPN over a security tunnel, and implementing different levels of network security through nested tunnels.
End-to-end security assurance
As shown in Figure 2, IPSec encapsulation is performed on both hosts, and the intermediate routers transparently forward IPv6 packets carrying the IPSec extension header, ensuring end-to-end security.
Internal Network confidentiality
As shown in Figure 3, when an internal host communicates with other hosts on the Internet, an IPSec gateway is deployed to secure the internal network. Because IPSec, as an IPv6 extension header, is not processed by intermediate routers but only by the destination node, the IPSec gateway can be implemented with an IPSec tunnel; alternatively, the Routing header and Hop-by-Hop Options header provided among the IPv6 extension headers can be used together with application-layer gateway technology. The latter is more flexible and conducive to comprehensive internal network security, but more complicated.