IPv6 Security
-
Is IPv6 more secure?
-
Is IPsec built-in to IPv6?
-
In Layer 2 more secure in an IPv6 network?
-
Layer 4 <- ESP
-
Layer 3 <- IPv4
-
We are not doing anything different in IPv6 than leveraging an ESP header.
- Header is responsible for encapsulation of everything inside of it.
IPv6 Header
/CAP/Network+/Visual%20Aids/Pasted%20image%2020250317132231.png)
- Payload Length is what we are carrying, its an envelope
- Next Header
- Layer 4 ESP
- Hop limit
- TTL prevents the package to loop forever.
- In IPv6 the concept of time to live is "Hop Limit"
- IPv6 is a bigger envelope than at an IPv4 Header and yet it has less fields
- Remember IPv4 has more fields because it can support fragmentation.
- Destination IP Address
- IPv6 Extension Header
IPsec Transport vs Tunnel
- You will probably have endpoint to endpoint communication.
- Transport
- Traffic never in clear Host requires IPsec configuration
- Network should allow ESP between endpoints (from end-to-end)
- Tunnel
- Protection applied in transit
- Host doesn't require configuration
- ESP is reserved for public networks
/CAP/Network+/Visual%20Aids/Pasted%20image%2020250317132833.png)
Layer 2 IPv6
- ICMP replaces ARP
- ICMP Neighbor Discovery
- Stateless Address Auto Configuration
- /64
- DHCPv6
- We have a record of when people have been coming and going.
- Router Advertisements
- Timer
- Route Solicitations
ICMP Neighbor Discovery
- Route Advertisements
- Route Solicitations
- Neighbor Solicitations
- Neighbor Advertisement
- ICMP Redirect
SEN (Secure Network Discovery)
- Cryptographically generated address
- Asymmetric encryption
- We use two different keys a private key and a public key, anyone can known your public but only you know your private.
- Not really a new concept.
- RSA key pair
- Take a portion of my key space and use it as any address, this is how they can verify the information is coming with me.
- RPKI support