IPv4 vs IPv6 Differences

Address Length
IPv4 - 32 bits
IPv6 - 128 bits

Default Prefix length
IPv4 - varies, typically /24
IPv6 - /64 in host subnets

Address configuration
IPv4 - DHCPv4
IPv6 - Stateless Autoconfiguration, DHCPv6

Addresses used
IPv4 - Private OR Global
IPv6 - Link-local AND Global

Address resolution
IPv4 - ARP
IPv6 - Neighbour Solicitation (NS) / Neighbour Advertisement (NA)

Minimum MTU (Maximum Transmission Unit)
IPv4 - 576
IPv6 - 1280

Fragmentation
IPv4 - by hosts or routers
IPv6 - only by hosts

Host Path MTU discovery
IPv4 - Optional
IPv6 - Required

IPsec
IPv4 - optional
IPv6 - 'SHOULD'

Private addressing
IPv4 - RFC1918
IPv6 - Unique Local Addresses (ULA) (not for use with NAT)
Dual Stack Network
Means running IPv4 and IPv6 on the same infrastructure
- managing two protocols as one network
Dual stack (DS) is preferable today in campus sites rather than running IPv6 only with NAT64/DNS64 at the edge
- UN unis early adopters of DS
Introducing IPv6 should not subvert IPv4 security
- need to understand required policies
- have equivalent implementations where appropriate
New risks added by IPv6
New attack paths
- IPv6 is a new protocol, not just IPv4 with 128-bit addresses
Growing pains
- lack of wide-scale operational experience
- immature security implementations (firewalls, IDS…)
- many IPv6-specific security advisories published
Lack of admin staff knowledge and training
- need to 'think IPv6' for security & troubleshooting
IPv6 incidents/issues not detected
- most sites are probably not looking for IPv6 traffic, native or tunnelled
- there is support for IPv6 Netflow & others
Address scopes
[Figure: address scopes in IPv4 and IPv6]
Address scope issues
IPv6 hosts are naturally multi-addressed
Address management
Most IPv6 deployments are dual stack
SLAAC autoconfigures basic network settings by soliciting/receiving IPv6 Router Advertisements (RAs)
- hosts form their own address by combining the 64-bit network prefix in the RA with the MAC address + 16 bits of padding (the modified EUI-64 interface identifier)
In addition, hosts may have IPv6 privacy addresses
Voila, mucho addresses!
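As an added illustration of the address formation described on this slide (example code, not part of the original deck), the following builds a SLAAC address from a /64 prefix and a MAC address using the modified EUI-64 rule: the MAC is split in two, 0xFFFE is inserted in the middle as the 16 bits of padding, and the universal/local bit is inverted. The reverse function recovers the MAC from such an address, which is useful for spotting hosts that are not using privacy addresses in an address inventory. The MAC and prefix values are constructed sample data.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A).

    The MAC is split into its OUI and NIC halves, 0xFFFE is inserted between them
    (the 16 bits of padding), and the universal/local bit (bit 1 of the first
    octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the U/L bit
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the 64-bit prefix carried in a Router Advertisement with the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address every interface forms before any RA is seen."""
    return slaac_address("fe80::/64", mac)


def mac_from_slaac_address(addr: str) -> Optional[str]:
    """Return the embedded MAC if the IID is EUI-64 derived, else None.

    None is what you get for RFC 4941 privacy (temporary) addresses, whose IIDs
    are random and carry no FFFE marker.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(b[:3] + b[5:])
    mac[0] ^= 0x02  # restore the original U/L bit
    return ":".join(f"{x:02x}" for x in mac)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and an arbitrary MAC.
    mac = "00:1b:63:84:45:e6"
    print("link-local :", link_local_address(mac))
    print("global     :", slaac_address("2001:db8:1::/64", mac))
    print("recovered  :", mac_from_slaac_address(str(slaac_address("2001:db8:1::/64", mac))))
    print("privacy    :", mac_from_slaac_address("2001:db8:1:0:9d3a:2c1f:7b41:8e0a"))
```

The point of the reverse function for a security team is that an EUI-64 address leaks the hardware address (and therefore the vendor and the same identifier across every network the host visits), which is exactly why privacy addresses exist and why a host typically ends up with several addresses at once.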
SLAAC operation
Totally dependent on Router Advertisements
Implications of RAs
Host autoconfiguration is nice, but hosts can send RAs too - accidental or malicious
Networks should mitigate this:
- use RA Guard
- filter ICMPv6 Type 134 on non-router switch ports
- deploy RAmond
RAmond
Monitors IPv6 networks for router advertisements. When an advert is received, a configurable action occurs.
The tool was designed to 'clear' (by sending spoofed zero-lifetime adverts) rogue routes sent by users running 6to4 gateways on a campus network.
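To show what an RA monitor of the kind described on the last two slides actually has to look at, here is an added example (not RAmond's code, and not from the original deck) that parses the ICMPv6 Router Advertisement body (type 134, RFC 4861 section 4.2) with its Prefix Information options and classifies each advert against an allowlist of known router link-local addresses and site prefixes. It only classifies; it does not send anything. The packets, router addresses and prefixes are constructed sample data, and the classification labels are this example's own.

```python
import ipaddress
import struct
from typing import NamedTuple, Optional, Set, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134  # the type RA Guard drops on non-router ports
OPT_PREFIX_INFORMATION = 3


class RouterAdvert(NamedTuple):
    router_lifetime: int          # seconds; 0 means "do not use me as a default router"
    prefixes: Tuple[str, ...]     # prefixes offered for SLAAC


def parse_ra(icmp: bytes) -> Optional[RouterAdvert]:
    """Parse an ICMPv6 body; return None if it is not a well-formed RA."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT or icmp[1] != 0:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes = []
    off = 16  # fixed header: type, code, checksum, hop limit, flags, lifetime, 2 timers
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8  # option length is in 8-octet units
        if olen == 0 or off + olen > len(icmp):
            return None  # malformed option: RFC 4861 says discard the whole packet
        if otype == OPT_PREFIX_INFORMATION and olen == 32:
            plen = icmp[off + 2]
            prefix = ipaddress.IPv6Address(icmp[off + 16:off + 32])
            prefixes.append(f"{prefix}/{plen}")
        off += olen
    return RouterAdvert(router_lifetime, tuple(prefixes))


def classify_ra(src: str, icmp: bytes, known_routers: Set[str], site_prefixes: Set[str]) -> str:
    """Label one advert: ok, withdrawal, rogue-source, rogue-prefix, invalid-source or not-an-ra."""
    ra = parse_ra(icmp)
    if ra is None:
        return "not-an-ra"
    src_addr = ipaddress.IPv6Address(src)
    if not src_addr.is_link_local:
        return "invalid-source"  # RFC 4861: RA source must be link-local
    if str(src_addr) not in {str(ipaddress.IPv6Address(r)) for r in known_routers}:
        return "rogue-source"    # a host (e.g. a 6to4 gateway) advertising itself
    if any(p not in site_prefixes for p in ra.prefixes):
        return "rogue-prefix"    # known router, unexpected prefix (misconfiguration)
    if ra.router_lifetime == 0:
        return "withdrawal"      # the zero-lifetime advert RAmond uses to clear a route
    return "ok"


def build_ra(router_lifetime: int, prefix: str) -> bytes:
    """Construct a sample RA body with one Prefix Information option (checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                         router_lifetime, 0, 0)
    # option: type 3, length 4 (x8 octets), prefix length, L+A flags, valid, preferred, reserved
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                         2592000, 604800, 0) + net.network_address.packed
    return header + option


# Constructed site policy and captured-looking sample events for a demonstration run.
KNOWN_ROUTERS = {"fe80::1"}
SITE_PREFIXES = {"2001:db8:1::/64"}
SAMPLE_EVENTS = [
    ("fe80::1", build_ra(1800, "2001:db8:1::/64")),                  # the real router
    ("fe80::21b:63ff:fe84:45e6", build_ra(1800, "2002:c000:204::/64")),  # host running 6to4
    ("fe80::1", build_ra(0, "2001:db8:1::/64")),                     # route withdrawal
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_EVENTS:
        print(f"{src:28} {classify_ra(src, pkt, KNOWN_ROUTERS, SITE_PREFIXES)}")
```

Taken over a live capture, "rogue-source" events are the ones the slides are warning about; the same type 134 check is what an RA Guard filter applies per switch port, before any host ever sees the advert.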
ND cache exhaustion
Rapid scans of non-existent IP addresses in a /64 subnet can fill a router's ND cache before the ND operations complete