IPv6 Security Risk Analysis

Source: Internet
Author: User
Tags: cisco, security

We have compared IPv6 with IPv4 and covered its differences and advantages. What we have not touched on is its security.

IT experts must remember that IPv6 dates back to the 1990s, before many of today's security threats had evolved or spread widely. IPv6 therefore has its own known and unknown security vulnerabilities that need to be addressed.

As mentioned, IPv6 uses SLAAC (stateless address autoconfiguration) instead of DHCP to provide IP addresses to endpoints. Only when you realize that many administrators use DHCP snooping as a way to keep track of the devices on their network can you appreciate how valuable that system is. A LAN switch with DHCP snooping only allows access from authorized IP or MAC addresses. In addition, this function lets administrators track host addresses and prevents unauthorized DHCP servers from being installed on the network.

With IPv6, however, there is no DHCP server to query for the binding between a given IP address and its related MAC address. Instead, IPv6 uses SEND (SEcure Neighbor Discovery) to secure the Neighbor Discovery Protocol. SEND uses several mechanisms to protect hosts and routers, including cryptographically generated IP addresses, and neighbor discovery messages and timestamps protected by an RSA key.

Pat Calhoun, Vice President and General Manager of Cisco Security Systems, revealed the bad news: many of the leading operating systems, including those from Microsoft and Apple, do not support SEND.

However, there are many ways to fill this security gap. The general method is to deploy an access control list (ACL) on the switch port. Most vendors support this feature because it is already used with IPv4; however, the more complex IPv6 headers make the ACL more complicated to deploy than under IPv4. Some vendors deploy in-house solutions, such as Cisco's Router Advertisement Guard. However, even security fixes may have vulnerabilities.
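The following added example (not from the original article and not any vendor's implementation) shows why a port ACL for IPv6 is harder to write than one for IPv4: the upper-layer protocol is not at a fixed offset, so a filter for Router Advertisements must walk the extension-header chain. The port names, the fail-closed policy and the sample packets are constructed assumptions.

```python
import struct

GENERIC_EXT = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6, RA_TYPE = 44, 58, 134

def classify(packet: bytes) -> str:
    """Walk the IPv6 header chain; return 'ra', 'other' or 'undetermined'."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "undetermined"
    nxt, off = packet[6], 40            # Next Header field, end of fixed header
    while nxt in GENERIC_EXT or nxt == FRAGMENT:
        if off + 8 > len(packet):
            return "undetermined"       # chain runs past the available bytes
        if nxt == FRAGMENT:
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return "undetermined"   # non-first fragment: no upper-layer header
            hdr_len = 8
        else:
            hdr_len = (packet[off + 1] + 1) * 8   # length field: 8-octet units minus one
        nxt, off = packet[off], off + hdr_len
    if nxt != ICMPV6:
        return "other"                  # AH/ESP and transport protocols: not parsed further
    if off >= len(packet):
        return "undetermined"
    return "ra" if packet[off] == RA_TYPE else "other"

def verdict(packet: bytes, port: str, router_ports: set) -> str:
    """Assumed policy: host ports fail closed on RAs and on unparseable chains."""
    if port in router_ports:
        return "forward"
    return "forward" if classify(packet) == "other" else "drop"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed sample packet from fe80::1 to ff02::1."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return fixed + src + dst + payload

# Constructed samples (ICMPv6 checksums left at 0; the classifier does not verify them).
RA = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
DESTOPT = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # Destination Options holding one PadN
PLAIN_RA = ipv6(ICMPV6, RA)
NESTED_RA = ipv6(60, DESTOPT + RA)               # fixed header says 60, not 58
ECHO = ipv6(ICMPV6, struct.pack("!BBHHH", 128, 0, 0, 1, 1))

if __name__ == "__main__":
    for name, pkt in (("plain RA", PLAIN_RA), ("nested RA", NESTED_RA), ("echo", ECHO)):
        print(name, "next-header", pkt[6], classify(pkt), verdict(pkt, "Gi0/1", {"Gi0/24"}))
```

A filter that matched only on the fixed header's Next Header value would see 60 for the second sample and not recognize it as ICMPv6.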

Another dangerous area is tunneling. Although tunneling between IPv4 and IPv6 improves interoperability between the two networks, it becomes another security risk if it is left unsupervised. Through such a tunnel, malicious connections may exploit IPv6 traffic in an improperly configured IPv4 system.

According to Meyran, some networking hardware claims to have IPv6 security, but the reality does not necessarily match the claim. In many cases, preparing for IPv6 means downloading and installing special patches that may not comply with industry standards for IPv6 branches. As a result, some security features may be removed.

Intrusion prevention devices put deep packet inspection into a hardware-based engine. Just because these devices claim to support IPv6 does not mean that the device's deep packet inspection engine also supports it. The IPv4 firewall is used to unload IPv6 data because the new protocol is completely foreign to it. This means that, in the absence of IPv6 security configurations, other users may run malicious IPv6 traffic on the network.

In general, IPv6 includes appropriate security tools, but users need to learn how to configure and manage the new protocol to get the most out of them.
