IPv6 Security Network Architecture

Source: Internet
Author: User

Security mechanism of IPv6

The security mechanism of IPv6 is mainly manifested in the following aspects:

(1) The Authentication Header and the Encapsulating Security Payload, which were add-ons independent of the IPv4 protocol family, are built into the basic IPv6 protocol. This gives IPv6 networks the basis for network-wide security authentication and encrypted encapsulation.

(2) Address resolution is placed in the ICMP (Internet Control Message Protocol) layer, which couples it less tightly to the link medium than ARP (Address Resolution Protocol) does, and allows it to use standard IP authentication and other security mechanisms.

(3) For protocols that may pose security risks to network operation, IPv6 itself provides better protection. For example, when multiple interfaces on a link send Neighbor Solicitation messages at the same time there is a risk of link congestion; IPv6 sends them after a random delay within a certain range, which reduces the congestion and also reduces the chance that several nodes compete for the same address at once.

(4) Apart from what IPsec and IPv6 themselves provide, other security protection mechanisms remain valid on IPv6. For example, NAT-PT (Network Address Translation - Protocol Translation) can provide the same protection as NAT in IPv4, and extended ACLs (Access Control Lists) can implement on IPv6 all the protection that IPv4 ACLs provide. In addition, security tunnels based on VPLS (Virtual Private LAN Service), VPWS (Virtual Private Wire Service) and VPN (Virtual Private Network) technologies can be fully implemented on IPv6.

Of course, large-scale use of IPsec inevitably affects the forwarding performance of network devices and therefore requires higher-performance hardware to support it. Overall, IPv6 greatly improves the state of network security.

IPv6 Security Network Architecture

IPv6 network security is realized mainly at 3 levels: protocol security, network security, and security encryption hardware. The following takes ZTE's ZXR10 series IPv6 router as an example to describe how security is achieved at these 3 levels.

Protocol security

IPv6's AH (Authentication Header) and ESP (Encapsulating Security Payload) extension headers, combined with a variety of cryptographic algorithms, provide security at the protocol level. In the actual network scheme shown in Figure 1, routing protocol messages use ESP encryption encapsulation, while IPv6 Neighbor Discovery, stateless address autoconfiguration and other protocol messages use AH authentication to secure protocol interaction. For AH authentication, HMAC-MD5-96, HMAC-SHA-1-96 and similar authentication algorithms can be used; for ESP encapsulation, 3 algorithms are commonly used: DES-CBC, 3DES-CBC and NULL.

Given the current network environment, the implementation defaults to manually configured keys for key management. However, to meet the requirements of future large-scale secure network deployment, an IKE (Internet Key Exchange) protocol interface is also reserved. The router system in Figure 1 applies AH authentication by default to IPv6 PMTU (Path Maximum Transmission Unit) discovery, stateless address autoconfiguration and Neighbor Discovery protocol messages. ESP encapsulation or AH authentication can be configured to secure routing protocol messages.

In transport mode, the router can encrypt and authenticate messages selected by protocol, source port and source address, and destination port and destination address. The user can configure this flexibly through the management module.
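As an added example, not taken from this article or from ZTE's ZXR10 implementation, the following Python computes and checks the AH integrity check value with HMAC-SHA-1-96 over a constructed Neighbor Solicitation, zeroing the mutable IPv6 header fields as RFC 4302 requires. The key, SPI and all addresses are constructed values, and the ICMPv6 checksum is left at zero to keep the sample short.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, ICMPV6_PROTO = 51, 58
ICV_LEN = 12  # HMAC-SHA-1-96: 160-bit HMAC truncated to 96 bits

def zero_mutable_ipv6_fields(hdr: bytes) -> bytes:
    """RFC 4302: Traffic Class, Flow Label and Hop Limit may change in transit, so they
    are zeroed before the ICV is computed; the rest of the 40-byte header is covered."""
    return bytes([hdr[0] & 0xF0, 0, 0, 0]) + hdr[4:7] + b"\x00" + hdr[8:40]

def build_ah(next_header: int, spi: int, seq: int, icv: bytes) -> bytes:
    """AH header: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence, ICV."""
    return struct.pack("!BBHII", next_header, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv

def ah_icv(key: bytes, hdr: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """ICV over the immutable IPv6 fields, the AH header with its ICV field zeroed, and the payload."""
    covered = zero_mutable_ipv6_fields(hdr) + build_ah(next_header, spi, seq, b"\x00" * ICV_LEN) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def build_packet(key: bytes, src: bytes, dst: bytes, payload: bytes, spi: int = 0x100, seq: int = 1) -> bytes:
    """Sender side: IPv6 header (Next Header = AH) + AH + ICMPv6 payload, with the ICV filled in."""
    hdr = struct.pack("!IHBB", 0x60000000, 12 + ICV_LEN + len(payload), AH_PROTO, 255) + src + dst
    icv = ah_icv(key, hdr, ICMPV6_PROTO, spi, seq, payload)
    return hdr + build_ah(ICMPV6_PROTO, spi, seq, icv) + payload

def verify_ah(key: bytes, packet: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    hdr, rest = packet[:40], packet[40:]
    next_header, plen, _, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    icv, payload = rest[12:ah_len], rest[ah_len:]
    return hmac.compare_digest(icv, ah_icv(key, hdr, next_header, spi, seq, payload))

def demo() -> tuple:
    """Authenticate a constructed Neighbor Solicitation; returns (genuine, hop_limit_changed, forged_target)."""
    key = b"constructed-demo-key"  # constructed; real keys come from manual configuration or IKE
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1:ff00:2").packed  # solicited-node multicast for fe80::2
    target = ipaddress.IPv6Address("fe80::2").packed
    ns = struct.pack("!BBHI", 135, 0, 0, 0) + target  # ICMPv6 type 135; checksum left zero in this sample
    pkt = build_packet(key, src, dst, ns)
    in_transit = pkt[:7] + bytes([pkt[7] - 1]) + pkt[8:]  # Hop Limit is mutable: still verifies
    forged = pkt[:-16] + ipaddress.IPv6Address("fe80::bad").packed  # target rewritten: fails
    return verify_ah(key, pkt), verify_ah(key, in_transit), verify_ah(key, forged)
```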
