IPv6 has built-in security via IPsec (Internet Protocol Security).
◦ IPsec operates at OSI layer 3, or the internet layer of the Internet Protocol Suite.

IPsec
◦ Internet Engineering Task Force (IETF)
◦ Encrypts the IP connection between computers
◦ Data is encrypted at the packet level
◦ The standard for IP encryption

IPsec provides four major functions:
◦ Confidentiality – The sender can encrypt the packets before transmitting them across the network. If the communication is intercepted, it cannot be read by anybody.
◦ Data integrity – The receiver can verify whether the data was changed while travelling the internet.
◦ Origin authentication – The receiver can authenticate the source of the packet.
◦ Anti-replay protection – The receiver can verify that each packet is unique and not duplicated.

IPsec is a framework of open standards which uses the following three protocols:
◦ Security Association
◦ Authentication Header
◦ Encapsulating Security Payload

Security Association: handles the protocols and algorithms used to generate the encryption and authentication keys used by IPsec.
Authentication Header: provides connectionless integrity and data origin authentication for IP datagrams.
Encapsulating Security Payload: provides confidentiality, data origin authentication and connectionless integrity.

IPsec was developed in conjunction with IPv6 and it is required in all implementations of IPv6. Although IPsec was designed for IPv6, it can be and has been used to secure IPv4 traffic for some time now.

Although IPv6 itself has built-in security, the coming change to IPv6 and away from IPv4 has raised security concerns over how the change from one protocol to another may be exploited. The main catalyst for IPv6 is the soon-to-be-depleted number of IPv4 addresses. Some estimates say it may take more than a decade for IPv6 capabilities to spread throughout the network community.
During this transition time and even afterwards, some servers will be available over IPv4 only, some will be available only over IPv6, and some will be available over both protocols. Support and security for both of these protocols will be needed for an extended period.

The security concerns at this early stage deal with the minimal but growing amount of IPv6 traffic running across IPv4 networks that are not secured against threats arriving via this IPv6 traffic. Most U.S. organizations have hidden IPv6 traffic running across their networks. They can have IPv6 running on their networks and not know it. Windows 7, Vista, Windows Server 2008, Mac OS X, Linux and Solaris all ship with IPv6 enabled by default.

The main concern lies with security meant to monitor IPv4 traffic. This security needs to be updated to include IPv6. Firewalls need to be able to distinguish between IPv4 and IPv6. If you only have an IPv4 firewall, you can have IPv6 running between you and the threat.

Tunneling is another area of concern. IPv6 traffic can be tunneled over IPv4 using programs such as Teredo, 6to4, or ISATAP. Typical IPv4 security devices are not tuned to look for tunneled traffic. Tunneled traffic can be hard to discern and decipher in any case, as the following example suggests: you can tunnel IPv6 over HTTP over IPv4.

Rogue IPv6 traffic can include attacks such as botnet command and control. One example of a botnet attack using IPv6 had the IPv6 protocol hiding itself as IPv4 through the router. It was then attacking and issuing command and control to a botnet in the Far East. Another type of threat has seen illegal file sharing that leverages IPv6 for peer-to-peer communications.

The type 0 routing header is another potential security problem with IPv6. This feature of IPv6 allows you to specify in the header what route is used to forward traffic. A hacker could use this to overwhelm a part of the network by generating denial-of-service traffic.
RFC 5095, dated December 2007, called for measures to confront this problem. Implemented yet?

The number of attacks via IPv6 has been low, but this can be attributed to the low amount of IPv6 traffic and the fact that the vast majority of the prime targets are still using IPv4.

Organizations will have to mirror what they have done for IPv4 security with IPv6. Until recently IPv4 was the only protocol used and the only one that network security needed to be concerned with. Now there is IPv4, IPv6, and IPv6 tunneled over IPv4.

Companies are now coming out with products to deal with these issues. Command Information Assure 6 and McAfee Network Security Platform both provide full IPv6 and tunnel inspection. Cisco and Juniper offer IPv6-enabled routers and firewalls.
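
The tunneling concern above (IPv6 carried over IPv4 by 6to4, ISATAP or Teredo and missed by IPv4-only inspection) can be shown with a small classifier for raw IPv4 packets. This is an added example, not part of the original material; it assumes IP protocol number 41 for 6to4/ISATAP encapsulation and the well-known Teredo UDP port 3544, and the function names and sample packets are constructed for illustration.

```python
import struct

PROTO_UDP = 17
PROTO_IPV6 = 41      # IANA protocol number for IPv6-in-IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544   # well-known Teredo server UDP port

def classify_ipv4_packet(pkt: bytes) -> str:
    """Label one raw IPv4 packet: proto41-tunnel, teredo, fragment, ipv4 or malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "malformed"
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, payload = pkt[9], pkt[ihl:]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto == PROTO_IPV6:
        # The protocol number alone marks the tunnel; a first fragment
        # must additionally begin with IP version 6.
        if frag_offset == 0 and (not payload or payload[0] >> 4 != 6):
            return "malformed"
        return "proto41-tunnel"
    if frag_offset:
        return "fragment"                     # no transport header to inspect here
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "ipv4"

def build_ipv4(proto: int, payload: bytes, frag_offset: int = 0) -> bytes:
    """Constructed test packet: 20-byte header, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag_offset,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + payload

INNER_IPV6 = bytes([0x60]) + bytes(39)        # constructed: bare 40-byte IPv6 header

SAMPLES = {                                   # constructed sample packets
    "6to4/ISATAP style": build_ipv4(PROTO_IPV6, INNER_IPV6),
    "Teredo": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 48, 0) + INNER_IPV6),
    "DNS query": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, 53, 8, 0)),
}

def summarize() -> dict:
    return {name: classify_ipv4_packet(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in summarize().items():
        print(f"{name:18} -> {label}")
```

The port match is a heuristic for Teredo server traffic, while protocol 41 is matched exactly.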