IPv6 Routing Protocol makes the Internet more secure

Source: Internet
Author: User
Tags: website, ip, dns poisoning

Whatever network we run, security has to be considered. The current IPv4 network has many security vulnerabilities and is exposed to a wide variety of attacks, and these are among the reasons for deploying IPv6. Here we describe in detail some of the improved technologies of the IPv6 routing protocol and look at its new security features.

The first improvement is IPSec. In IPv4, IPSec is an optional extension; in IPv6 it is a mandatory component. IPSec provides IP security features seamlessly: access control, data origin authentication, data integrity checking, confidentiality, and protection against replay attacks. The new IPv6 routing protocols OSPFv3 and RIPng use IPSec to encrypt and authenticate routing information, which improves their resistance to attacks on routing.

Although IPSec can prevent many attacks, it cannot defend against sniffing, DoS, flooding, or application-layer attacks. As a network-layer protocol, IPSec is responsible only for the security of the network layer and below; it is not responsible for the security of upper-layer applications such as Web, e-mail, and FTP.

The second improvement is end-to-end security. The biggest advantage of IPv6 is that it guarantees end-to-end security, meeting users' requirements for both end-to-end security and mobility. IPv6 restricts the use of NAT, allowing all network nodes to communicate with each other using globally unique addresses.

Each time an IPv6 connection is established, packets are encapsulated between the two end hosts, and intermediate routers forward IPv6 packets carrying the IPSec extension header transparently. Because the communicating ends are authenticated and the data is encrypted, sensitive data can be transmitted securely over an IPv6 network. There is therefore no need to deploy an Application Layer Gateway (ALG) for special network applications, which preserves end-to-end network transparency and helps improve the speed of network services.

The third improvement is address allocation and source address checking. The IPv6 addressing model includes link-local addresses and site-local addresses. From a security perspective, this kind of address allocation makes it easier for network administrators to tighten security management. If a host only needs to communicate with other hosts on its subnet, the administrator can assign it only a link-local address. If a server only serves intranet users, it can be assigned only a site-local address, and nobody outside the enterprise network can reach it.

Because the IPv6 address structure is aggregatable and hierarchical, the IPv6 access router can check the source address when a user's traffic enters the network, which lets the ISP verify that its customer's address is valid. For security and multi-service support, many core routers can enable reverse-path checking as needed to prevent source-route tampering and attacks. This also prevents unauthorized access: with built-in support for identity authentication, together with support and improvements for data integrity and confidentiality, IPv6 is better able to prevent unauthorized access and is more suitable for applications that handle sensitive information and resources.
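The address-scope classification and the access-router source check described in the two paragraphs above, as an added example (not code from the article): it uses Python's standard `ipaddress` module, a constructed customer prefix `2001:db8:1234::/48`, and a constructed three-entry routing table for the reverse-path check. The delegated prefix, interface names and the use of the documentation range `2001:db8::/32` are assumptions chosen for the example.

```python
from ipaddress import IPv6Address, IPv6Network

# Prefix ranges used for classification (IANA/RFC-assigned ranges).
ULA = IPv6Network("fc00::/7")            # unique local addresses
GLOBAL_UNICAST = IPv6Network("2000::/3")  # currently allocated global unicast space

# Constructed values for the example (not from the article): the prefix an ISP
# delegated to one customer site, and the access router's routing table.
CUSTOMER_PREFIX = IPv6Network("2001:db8:1234::/48")
ROUTES = {
    IPv6Network("2001:db8:1234::/48"): "cust0",
    IPv6Network("2001:db8:5678::/48"): "cust1",
    IPv6Network("::/0"): "uplink0",       # default route towards the core
}


def address_scope(addr: str) -> str:
    """Classify an address into the scopes the article discusses."""
    a = IPv6Address(addr)
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_multicast:               # ff00::/8
        return "multicast"
    if a.is_link_local:              # fe80::/10, never leaves the link
        return "link-local"
    if a.is_site_local:              # fec0::/10, confined to the site
        return "site-local"
    if a in ULA:                     # fc00::/7, the site-local successor
        return "unique-local"
    if a in GLOBAL_UNICAST:
        return "global"
    return "reserved"


def accept_from_customer(src: str) -> tuple[bool, str]:
    """Source address check on the access router's customer-facing interface.

    Applies to packets to be forwarded upstream; link-local traffic addressed
    to the router itself (neighbour discovery) is handled separately.
    """
    scope = address_scope(src)
    if scope in ("unspecified", "loopback", "multicast", "reserved"):
        return False, f"{scope} address is never a valid forwarded source"
    if scope in ("link-local", "site-local", "unique-local"):
        return False, f"{scope} source is confined to the site and must not be forwarded"
    if IPv6Address(src) not in CUSTOMER_PREFIX:
        return False, "source outside the delegated prefix (possible spoofing)"
    return True, "source within the delegated prefix"


def reverse_path_ok(src: str, ingress_iface: str) -> bool:
    """Strict reverse-path check: the best route back to the source must point
    out of the interface the packet arrived on."""
    a = IPv6Address(src)
    candidates = [net for net in ROUTES if a in net]   # '::/0' always matches
    best = max(candidates, key=lambda net: net.prefixlen)
    return ROUTES[best] == ingress_iface


if __name__ == "__main__":
    for addr in ("fe80::1", "fec0::1", "fd12:3456::1", "ff02::1", "2001:db8::1"):
        print(f"{addr:16} {address_scope(addr)}")
    for src in ("2001:db8:1234::a", "2001:db8:5678::a", "fe80::1"):
        print(src, accept_from_customer(src))
    print(reverse_path_ok("2001:db8:5678::9", "cust1"), reverse_path_ok("2001:db8:5678::9", "cust0"))
```

Two points worth keeping in mind when applying this: the `fec0::/10` site-local range the article mentions was later deprecated in favour of unique local addresses (`fc00::/7`), so a filter should treat both as non-forwardable; and with a default route present the strict reverse-path check accepts any source arriving on the uplink, which is why core routers usually run it only on customer-facing interfaces.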

An IPv6-based Domain Name System (DNS) serves as the foundation of the Public Key Infrastructure (PKI), helping to defend against online identity spoofing and theft. Using the DNS Security Extensions (DNSSEC), which provide authentication and integrity protection, further strengthens the defence against newer DNS attacks such as phishing and DNS poisoning. These attacks take control of a DNS server and replace the IP addresses of legitimate websites with the addresses of fake, malicious sites.

In addition, experts believe it is necessary and important for China to establish an IPv6 DNS root server. The next improvement is the flexible extension header: a complete IPv6 packet can carry multiple extension headers, for example a hop-by-hop options header, a destination options header, a routing header, a fragment header, an authentication header (AH), an encapsulating security payload (ESP) header, and a final destination options header. These extension headers not only lay the foundation for extending IPv6 applications, but also provide security assurance.

IPv6 also hinders network scanning and the spread of viruses and worms. When a virus or worm infects a host, it begins scanning other hosts at random; once it finds a host with a vulnerability, it copies itself to that host.

This propagation mode is very fast in IPv4 environments (for example, the Nimda worm could infect millions of computers within 4 to 5 minutes). In IPv6 the method no longer works because of the huge address space, so it is very difficult for viruses and worms to spread across IPv6 networks. To prevent broadcast amplification attacks, ICMPv6 is designed not to respond to multicast or broadcast addresses, and IPv6 has no broadcast at all. Filtering multicast packets at the network edge is therefore enough to prevent the amplification attacks that attackers mount by sending packets to a broadcast address.

To prevent fragment attacks, IPv6 treats a packet smaller than the 1280-byte minimum MTU as illegal: during processing, a fragment smaller than 1280 bytes is discarded unless it is the last fragment, which helps defeat fragment attacks. From this point of view, IPv6 routing is indeed more secure than IPv4. Some common IPv4 attacks fail in IPv6 networks, such as network reconnaissance, header attacks, ICMP attacks, fragment attacks, address spoofing, and viruses and worms.
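The extension-header chain, the edge multicast filter and the small-fragment rule from the three paragraphs above, as an added example (not code from the article): a small parser that walks the fixed IPv6 header and its extension headers, records any fragment header, and then applies the two edge rules as the article states them (drop multicast destinations arriving from outside, drop a non-final fragment whose packet is smaller than 1280 bytes). The packets it checks are constructed inline with a helper builder; the addresses, option contents and the `from_outside` flag are assumptions for the example.

```python
import struct
from ipaddress import IPv6Address

# IANA protocol numbers for the extension headers the article lists.
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
UDP = 17
EXT_NAMES = {HOPOPT: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
             ESP: "esp", AH: "ah", DSTOPTS: "destination"}
MIN_IPV6_MTU = 1280   # the 1280-byte minimum the article refers to


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the 40-byte fixed header and walk the extension-header chain."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    vtf, payload_len, nh, _hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < 40 + payload_len:
        raise ValueError("payload length field exceeds captured bytes")
    src, dst = IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40])
    chain, fragment, off = [], None, 40
    while nh in EXT_NAMES:
        chain.append(EXT_NAMES[nh])
        if nh == ESP:
            break                                   # everything after ESP is encrypted
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            # next header, reserved, offset(13 bits)/reserved(2)/M flag(1), identification
            _, _, off_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            fragment = {"offset": off_flags >> 3, "more": bool(off_flags & 1), "id": ident}
            hdr_len = 8
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4        # AH length: 4-octet units, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8        # options/routing: 8-octet units, first 8 excluded
        nh = pkt[off]                               # next-header field of the current header
        off += hdr_len
        if off > len(pkt):
            raise ValueError("extension header runs past the end of the packet")
    return {"src": src, "dst": dst, "total_len": 40 + payload_len,
            "ext_chain": chain, "fragment": fragment, "upper": nh}


def edge_verdict(info: dict, from_outside: bool) -> str:
    """Apply the two edge rules from the article to a parsed packet."""
    if from_outside and info["dst"].is_multicast:
        return "drop: multicast destination arriving from outside the edge"
    frag = info["fragment"]
    if frag is not None and frag["more"] and info["total_len"] < MIN_IPV6_MTU:
        return "drop: non-final fragment smaller than 1280 bytes"
    return "accept"


def build_packet(src: str, dst: str, payload: bytes, *, fragment=None, hop_by_hop=False) -> bytes:
    """Constructed sample packet (UDP payload); fragment=(offset, more, ident)."""
    body, nh = payload, UDP
    if fragment is not None:
        offset, more, ident = fragment
        body = struct.pack("!BBHI", nh, 0, (offset << 3) | int(more), ident) + body
        nh = FRAGMENT
    if hop_by_hop:
        # one 8-byte hop-by-hop header carrying a single PadN(4) option
        body = struct.pack("!BB", nh, 0) + b"\x01\x04\x00\x00\x00\x00" + body
        nh = HOPOPT
    fixed = struct.pack("!IHBB", 6 << 28, len(body), nh, 64)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + body


def demo() -> dict:
    """Run the checks over constructed packets (addresses are assumptions)."""
    src, dst = "2001:db8::1", "2001:db8::2"
    small_nonfinal = build_packet(src, dst, b"A" * 100, fragment=(0, True, 0x1234), hop_by_hop=True)
    final_small = build_packet(src, dst, b"A" * 100, fragment=(20, False, 0x1234))
    full_nonfinal = build_packet(src, dst, b"A" * 1232, fragment=(0, True, 0x1234))  # exactly 1280 bytes
    to_multicast = build_packet(src, "ff0e::1", b"A" * 10)
    return {
        "chain": parse_ipv6(small_nonfinal)["ext_chain"],
        "small_nonfinal": edge_verdict(parse_ipv6(small_nonfinal), False),
        "final_small": edge_verdict(parse_ipv6(final_small), False),
        "full_nonfinal": edge_verdict(parse_ipv6(full_nonfinal), False),
        "multicast_from_outside": edge_verdict(parse_ipv6(to_multicast), True),
        "multicast_from_inside": edge_verdict(parse_ipv6(to_multicast), False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The parser stops at ESP because nothing after it can be inspected, which is also why a filter cannot reach the fragment header or the upper-layer protocol once a packet is ESP-encapsulated; that is the flip side of the end-to-end encryption the article describes.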

However, IPv6 still cannot cope with a number of problems carried over from IPv4 networks, such as packet sniffing, man-in-the-middle attacks, flood attacks, denial-of-service attacks, and application-layer attacks. On the other hand, it is easier to trace the source of an attack in an IPv6 network than in an IPv4 network.
 
