Brief Introduction to IPv6 Protocol Configuration and Security

Source: Internet
Author: User

The IPv6 protocol brings many new features to the network. This article introduces two of them: automatic configuration and security. We start with automatic configuration.

Automatic Configuration of IPv6 protocol

1. Stateless and stateful configuration

IPv6 network configuration can be divided into stateful and stateless. Stateless configuration refers to the IPv6 Neighbor Discovery and stateless address autoconfiguration protocols, defined by RFC 2461 and RFC 2462. IPv6 nodes exchange Neighbor Solicitation/Neighbor Advertisement messages with each other, and IPv6 routers and IPv6 terminals exchange Router Solicitation/Router Advertisement messages, to achieve automatic stateless configuration of the IPv6 network. This mechanism replaces the ARP protocol used in IPv4 and eliminates the hassle of configuring an IPv6 address and default gateway on each terminal in the IPv6 network. Stateful configuration works as it does in IPv4 and is handled by the DHCPv6 protocol.

However, with the stateless automatic configuration mechanism of IPv6, IPv6 terminals cannot obtain the DNS server configuration. From the protocol designers' point of view this is reasonable: the terminal's IPv6 address prefix and default gateway are advertised by the router, and the router generally does not know, or need to know, which DNS server the terminal should use. The DHCPv6 protocol can allocate IPv6 addresses and DNS server addresses to terminals, but for the sake of network reliability it cannot give terminals information about the default gateway.

Therefore, in a complete IPv6 network, both the IPv6 Neighbor Discovery mechanism and DHCPv6 are required for a host to obtain its IP address, default gateway, and DNS server information together. In other words, IPv6 networks cannot achieve completely stateless automatic configuration.
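The split described above can be audited from a captured Router Advertisement. The following is an added example, not code from the original article: it parses the RA header and Prefix Information option as laid out in the Neighbor Discovery RFC and reports which protocol supplies each host setting. The M/O flag handling, function names and sample packet are assumptions of this example; the checksum is not verified because that needs the IPv6 pseudo-header.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option

def parse_router_advert(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (bytes starting at the ICMPv6 type)."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _hop_limit, flags, router_lifetime = struct.unpack_from("!BBH", icmp, 4)
    info = {
        "managed": bool(flags & 0x80),   # M flag: addresses come from DHCPv6
        "other": bool(flags & 0x40),     # O flag: other settings (e.g. DNS) from DHCPv6
        "default_router": router_lifetime > 0,
        "slaac_prefixes": [],
    }
    offset = 16
    while offset + 2 <= len(icmp):
        opt_type, opt_len = icmp[offset], icmp[offset + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or offset + opt_len > len(icmp):
            raise ValueError("malformed option length")  # such packets must be discarded
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefix_len, pflags = icmp[offset + 2], icmp[offset + 3]
            prefix = ipaddress.IPv6Address(icmp[offset + 16:offset + 32])
            if pflags & 0x40:            # A flag: usable for stateless autoconfiguration
                info["slaac_prefixes"].append(f"{prefix}/{prefix_len}")
        offset += opt_len
    return info

def config_sources(info: dict) -> dict:
    """Map each host setting to the protocol that supplies it (simplified)."""
    slaac = "SLAAC" if info["slaac_prefixes"] else None
    return {
        "address": "DHCPv6" if info["managed"] else slaac,
        "default_gateway": "Router Advertisement" if info["default_router"] else None,
        "dns": "DHCPv6" if (info["managed"] or info["other"]) else None,
    }

# Constructed sample: M=0, O=1, router lifetime 1800 s, prefix 2001:db8:1::/64 (L=1, A=1)
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40, 1800, 0, 0)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:1::").packed
)

if __name__ == "__main__":
    print(config_sources(parse_router_advert(SAMPLE_RA)))
```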

2. Support for terminal mobility

Even so, IPv6 Neighbor Discovery and stateless automatic configuration protocols provide good support for IPv6 terminal mobility.

First, when a user roams from one network to another, the terminal can automatically obtain an IPv6 address for the new network through this mechanism. IPv6 hosts can hold multiple IPv6 addresses, so mobile terminals can maintain multiple Internet connections, which facilitates seamless and smooth switching between networks.

Secondly, Mobile IPv6 uses two IPv6 extension headers, the Routing Header and the Destination Header, to eliminate the triangle routing problem found in Mobile IPv4 networks. It provides mobility for IPv6 mobile terminals at the IP layer and is transparent to higher-layer protocols. In addition, the Mobile IPv6 protocol removes the external proxy devices used in Mobile IPv4, making it easier to deploy.

IPv6 Protocol Security

The designers of IPv6 intended the future IP network to be a secure network. IPv6 therefore makes the IPsec protocol mandatory.

Mandatory IPsec gives IPv6 good support for deploying end-to-end secure virtual private networks (VPNs). Because IPsec and IPv4 are two separate protocol stacks, and NAT devices have been widely deployed on the Internet, current IPv4 IPsec VPNs are mostly used between sites and implemented by IPv4 security gateways. An IPv6 terminal can use its own IPsec protocol for end-to-end secure communication without having to consider NAT traversal. With good planning and management, secure IPv6 services will become one of the important attributes of IPv6 networks.

Application-layer security protocols such as SSL run above the IP protocol and are independent of whether IPv4 or IPv6 is used, so at the application layer there is no essential difference between IPv4 and IPv6. Application-layer security protocols are better suited to specific applications (such as the Web), while the IPsec protocol is more flexible: once an IPsec security channel is established, all traffic between the communicating peers can be protected by IPsec.

Currently, the Windows XP SP2 and Windows Server 2003 operating systems support the IPv6 IPsec protocol, but do not support IKE over IPv6. Linux kernel 2.6 and later versions also support the IPv6 IPsec protocol, with IKE support provided by third-party software. Some low-end routers and firewalls also support the IPv6 IPsec protocol.