One of my friends is going to implement IPv6 in his university network environment and he told me it is more secure than IPv4. Is IPv6 more secure than IPv4? If so, how is it achieved on the protocol level?
Asked
Active
Viewed 1.3k times
21
-
3IPv6 originally required [IPSec](https://en.wikipedia.org/wiki/IPsec), though now it's optional and IPv4 uses it too, so that's no longer a point of differentiation. So, my guess is that your friend just means that it has a wider address space for someone to brute-force search through it. Also, I guess since it avoids the need for NAT right now, that's a bonus. – Nat Jan 14 '17 at 23:25
4 Answers
16
Adding to what Chemical Engineer said, IPv6 does have other advantages too, such as:
Native support for end-to-end encryption: This was a feature that was added much later to IPv4, but comes as a standard for IPv6.
Secure neighbor discovery: The improved protocol (SEND) for neighbor discovery in IPv6 actually confirms the identity of the other party during host discovery, using a cryptographic method.
Larger address space: More time needed to bruteforce through addresses (3.4 × 1038 vs the older 4.3 × 109)
But as in most cases, misconfiguration will only make you more vulnerable.
Scott Hogg wrote a brilliant article a while ago here. It covers these points in much greater detail.
-
-
1@MichaelHampton: It's 2^128. But it's actually inaccurate, because only a small fraction of that space has been allocated. But it's still far more than for IPv4. – Gordon Davisson Jan 15 '17 at 06:31
-
Yes, it would be more accurate to at least limit to 2001::/16 because that's what you would be seeing in practice on the Internet. (The actual allocation for Internet unicast is 2000::/3, but the only other actual allocation I know of within that is 3ffe::/16 which has been discontinued.) Also, no need to search subnets that haven't been allocated, so you can probably cut significant numbers of /48 allocations out of the search space. In practice this leaves you with some overhead to check what's been allocated, and somewhere around 30-35 bits of allocated address space at present. – user Jan 15 '17 at 13:37
-
@MichaelHampton Indeed. I'm just lazy, so I didn't really get the numbers for allocated v4. – thel3l Jan 15 '17 at 14:19
-
4@MichaelKjörling I have no reason to remember the number in that form. As for allocated ranges, there's more than just 2001 now. I've seen 2400, 2600, 2601, 2800, 2a01, ... – Michael Hampton Jan 15 '17 at 19:11
-
What do you mean with "Secure name resolution"? If you refer to Secure Neighbor Discovery (SeND), I would really like to have pointers to production quality SeND implementations for end hosts (i.e. for current Windows/Linux/MaxOS distributions). AFAIK there are only experimental implementations, and at least for Linux only quite old ones. But I see there is ongoing work on SenD. OTOH, SeND does not have much to do with name resolution, only address verification, so probably you mean something else. – Dubu Jan 15 '17 at 23:13
-
@Dubu - I was referring to SEND. Sorry 'bout that. I guess I could've been clearer. Also: I'll look around, but the fact is more that the feature exists - which is what the question was about. – thel3l Jan 16 '17 at 00:35
-
@MichaelKjörling The other Michael is correct. 2003:: - 2a00::/16 have been assigned to RIRs for allocations a while ago and you can see a lot of non-Alexa top 100 companies using these blocks. https://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xhtml – billc.cn Jan 16 '17 at 15:33
11
Summary: As currently implemented IPv6 networks might actually be less secure than IPv4. This is not because of the design IPv6 but because of inadequate support in firewalls and because network administrators and security specialist have more knowledge dealing with IPv4 than with IPv6.
It is true that IPv6 was designed with more security in mind. Unfortunately most of the good stuff like builtin IPSec was left out as optional which means that today's IPv6 connection are not better protected than IPv4.
Even worse is that many security products are not fully aware of IPv6 yet. Thus it is not uncommon that OpenVPN and other VPN installations only tunnel the IPv4 traffic but not the IPv6 traffic which obviously is a security problem. Also there are still firewalls which have none or limited support for IPv6 or have no optimizations for IPv6 and thus get slow with IPv6 traffic. Also, IPv6 networks behave slightly different than IPv4 networks (autoconfiguration, multiple IPv6 addresses on the same device...) which means that the existing IPv4 knowledge of network administrators and security professionals cannot be simply applied to IPv6. And then there is the different on-the-wire representation of IPv6 which features a fixed sized main header but then many stacked optional headers which represents a different set of challenges to deal with in firewalls than IPv4. And there are more differences which might cause unexpected behavior and thus security problems.
This together definitly does not make IPv6 more safe than IPv4 in practical use. In fact one might say that IPv6 is less secure in today's reality even though it was designed to be more secure. See also the many talks about this topic from conferences like Black Hat with topics like Evasion of High-End IPS Devices in the Age of IPv6 or Attacking IPv6 Implementation Using Fragmentation.
Steffen Ullrich
- 184,332
- 29
- 363
- 424
8
Sort of.
When IPv4 was designed, security was (intentionally, according to some participants) left out of the design; no encryption, no authentication, no identity verification.
IPv6 was an attempt to right the wrongs of IPv4, and this included the woeful lack of security. Features like encryption and strong identity were built into the protocol. But the design was slightly derailed by the design process (again, intentionally according to some) such that the security protocols are generally optional and often too complex to be usable.
So for the most part, the security of a well-run IPv4 network is roughly the same as that of a well-run IPv6 network. IPv6 in its typical form isn't inherently safer that IPv4 in its typical form.
There's a definite "security by obscurity" advantage in IPv6, though. Malware typically spreads over IPv4, and malware that scans the network for vulnerable targets uses IPv4 almost exclusively.
There's also the frequently-mentioned fact that picking random IPs in IPv6 space nearly always turns up unused addresses, but that's not a particularly strong protection. Choosing targets in IPv6 space won't happen by random selection or sequential scans. There are other ways to discover addresses.
-
1But of course, the fact that IPv6's address space doesn't require NAT for local networks does encourage actual *firewalling* of hosts. NAT *looks like* a firewall, but it isn't one; with IPv6, if you want your hosts to not be accessible by all and sundry from the Internet, you pretty much need firewalling. (Well, there's NATv6, but really, what's the point of that?) – user Jan 15 '17 at 13:40
-
-1 Security through obscurity is **not** security. Furthermore, plenty of malware that spreads over a network uses existing network libraries, making the exact IP version transparent to it. You can however say that the larger IPv6 space makes it impractical to scan any large section of the internet (as opposed to IPv4 where a couple gigabit lines can scan every address fairly quickly), making it harder to automate exploitation, but that would not be security through obscurity, as an increase in popularity of IPv6 would not change its size. – forest Jan 10 '18 at 07:48
1
IPsec is known as internet security protocol architecture. This is mandatory in IPv6 and not a mandatory one in IPv4. Most of the IPv4 systems do not implement this IPsec unless they use VPN. Based on IPsec implementation, we probably say IPv6 is secured more than IPv4.
Basically, IPsec makes IPv6 secure than IPv4
What is IPsec? IPsec is used to protect an IP path between a pair of end-end system
IPSec is used to provide the following features
- Authentication
- Integrity
- Replay detection
- Confidentiality
- Access control
IPsec has two protocols with two modes
Protocols
- IP Authentication Headers - Which is used to provide authentication and integrity mainly.
- IP Encapsulating security payload - which is used to provide confidentiality.
Mode
- Transport mode - the security mechanisms of the protocol is applied only to the upper layer data
- Tunnel mode - both the upper layer protocol data and the IP header of the IP packet are protected or “tunneled” through encapsulation.
When IPsec is mandatory then the authentication, integrity, confidentiality and other security features are preserved so IPv6 generally secures than IPv4.
There are other two factors are adds security further in IPv6
- Anycast address that is used to identify a set of interfaces and a packet is sent to anyone interface of the set.
The default behaviour of the IPv6 is routed to the nearest interface having that address but we can implement source selected policies to enforce security
- Subnet scanning difficulty Subnet mask is 64 bits which is IPv6 subnet addresses (2^64 = 18,446,744,073,709,551,616). So the Difficulty of an attacker scans this address space is higher than the IPv4 address space.
The above factors look like IPv6 more secures than IPv4. yeah, it's true if we have a well-trained network administrative. When we have network administrative without prior knowledge about IPv6 then the situation is worse than IPv4.
For example, We might expose our mac address to the real world if the network admins are not careful enough to use IPv6. Revealing the original MAC address of a device is allowing the attacker to do IP spoofing. Other worst scenarios also illustrate in other answers.
Sivaram Rasathurai
- 390
- 2
- 4
- 15