
Example IPv6 Background Paper for a Business

Hello Tom Pierce,

As requested, I have compiled a background paper on IPv6, exploring what it is, how it differs from IPv4, and why it is more secure than previous versions. I will also share several risks associated with the technology, cover its deployment, and finally, describe why its implementation is vital to the success of your company. I hope this information persuades you that IPv6 is the right choice for Harry and Mae’s, as sooner rather than later, IPv6 will become the new standard.

IPv6 (Internet Protocol Version 6), the newest Internet Protocol version, has been slowly adopted around the globe. Since 1998, IPv6 has been in the process of replacing IPv4, which lacks enough available IP addresses as the world continues to use more devices; in the business world alone, the sheer number of IoT devices can be extensive. Aside from providing a larger number of addresses, IPv6 features increased performance and security, so adopting it holds many benefits for a company such as Harry & Mae’s. One of the most significant reasons IPv6 hasn’t yet become widely adopted is NAT’s ability to change the source addresses of packets. With NAT, a single public IP address can represent various privately addressed computers, which lets IPv4 accomplish what IPv6 can do (in terms of easing the dwindling number of available addresses). While NAT can be useful, IPv6’s benefits go beyond NAT’s capabilities, leading organizations to make the switch as soon as possible.

IPv6 was designed to solve the problems of the outdated IPv4; it achieves this by creating a newer version of the IPv4 protocol without any of its limitations. Some of the significant differences between IPv6 and IPv4 are in the areas of security, addressing, routing, administrative workload, and support for mobile addresses. IPv6’s stateless auto-configuration means that there is no more need to configure IP addresses. The security of virtual private networks is also strengthened in IPv6 due to its built-in support for encrypted and authenticated virtual private network protocols. While IPv4 uses 32-bit addresses, IPv6 uses a staggering 128 bits; this gives it a 128-bit address space, which is a significant increase.

IPv6 addresses consist of eight groups of four hexadecimal digits, separated by colons (:). There are sixteen bits in each group. IPv6 was introduced because IPv4 was running out of available addresses. IPv4 uses 32-bit addresses, so it has a maximum of 4.3 billion potential addresses; while this may seem like a sizable number, every computer, laptop, video game console, and even some vending machines require a unique address. Due to the always-rising number of devices in the IoT (Internet of Things), IPv4, based merely on its scalability, immediately poses potential issues.

IPv6’s 128 bits give it a trillion-trillion-trillion, also called an undecillion (3.4 × 10^38), possible addresses; this is such an absurdly large number that we should have plenty of available IPv6 addresses far into the future. The change from IPv4 to IPv6 remains mostly unseen by the public, as the devices we buy already include the upgrade, and for many businesses, upgrading to IPv6 can be quite costly and time-consuming. The first half of an IPv6 address is used as an address for the network and the second half as an address for the device. The first three of the eight groups are the site prefix, the fourth group describes the topology, and the last four groups contain the interface ID. With the added address space, IPv6 addresses are quite different from the previous IPv4 addresses, which were held back by a 32-bit maximum address space; because of this, the way an IPv6 address is written is different too. Instead of using decimal numbers separated by periods, as IPv4 does, IPv6 uses hexadecimal groups separated by colons.

An example of an IPv6 address would be 2ffe:1901:4545:3:200:f8ff:fe21:67cf. The first three bits would be the Format Prefix (FP), such as 001. The next thirteen bits are the Top-Level Aggregation Identifier (TLA ID). The following eight bits are reserved for future use (RES). The next twenty-four bits are the Next-Level Aggregation Identifier (NLA ID). The Site-Level Aggregation Identifier (SLA ID) takes the next sixteen bits, with the last sixty-four bits being the Interface Identifier.
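The field layout described above can be checked by splitting the example address bit by bit. This is an added example, not part of the original paper; the function names `split_fields` and `describe` are hypothetical, and the field widths are the ones the paragraph lists.

```python
import ipaddress

# Field widths in bits, in the order the paragraph lists them.
FIELDS = [
    ("FP", 3),
    ("TLA ID", 13),
    ("RES", 8),
    ("NLA ID", 24),
    ("SLA ID", 16),
    ("Interface ID", 64),
]
assert sum(width for _, width in FIELDS) == 128  # the widths must fill the address


def split_fields(text):
    """Split an IPv6 address into the fields above; returns {name: int}."""
    value = int(ipaddress.IPv6Address(text))
    remaining = 128
    out = {}
    for name, width in FIELDS:
        remaining -= width  # bits still to the right of this field
        out[name] = (value >> remaining) & ((1 << width) - 1)
    return out


def describe(text):
    """Render each field as binary (FP) or zero-padded hex (all others)."""
    fields = split_fields(text)
    lines = []
    for name, width in FIELDS:
        if name == "FP":
            rendered = format(fields[name], "03b")
        else:
            rendered = format(fields[name], f"0{(width + 3) // 4}x")
        lines.append(f"{name:<13}{width:>3} bits  {rendered}")
    return lines


if __name__ == "__main__":
    # The example address from the paragraph above.
    print("\n".join(describe("2ffe:1901:4545:3:200:f8ff:fe21:67cf")))
```

Note that the field boundaries do not line up with the colon-separated groups: the first group `2ffe` holds both the FP and the TLA ID, and the NLA ID spans the second and third groups.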

IPv6 holds many benefits and enables all of the Internet-connected devices of the world to be joined together. More efficient routing, packet processing, directed data flow, support for new services, as well as enhanced security, give IPv6 the ability to carry us into the future of technology. Using IPv6 not only has the advantage of an increased number of usable IP addresses, but it also has several other improvements over the older IPv4. IPv6 offers more efficient routing, which allows ISPs to aggregate the prefixes of their networks into a single prefix and announce it as such to the IPv6 Internet. IPv6 is also more efficient at packet processing due to its simplified packet header. Getting rid of the checksum enables a faster operating speed. Directed data flows are also beneficial due to supporting multicast, whereas IPv4 only supports broadcast. Another strength of IPv6 is the built-in address auto-configuration; this allows a host to generate its own address. There is excellent support for new services because Network Address Translation (NAT) is eliminated. Peer-to-peer networks are far easier to maintain, as are upgrades to VoIP and Quality of Service (QoS). By far, the security of IPv6 might be the most significant benefit it has. IPSec provides additional confidentiality, data integrity, and authentication in IPv6. Overall, it is safe to say that IPv6 is vastly superior to IPv4 in many areas and should be used whenever possible.

While IPv6 offers significant improvements to IPv4, there are, like everything, specific risks to consider. First, effective rate limiting, which is used to defend against automated attacks, can be challenging to achieve in IPv6 because of the large number of addresses. Due to IPv6’s 128-bit addresses, logging systems may not work as correctly as they do with IPv4. For example, if your current IPv4 logging systems expect 15-character IP addresses, a 39-digit IPv6 address may cause significant challenges. As technology advances, you may find yourself facing IPv6 running by default, leaving you to quickly scramble to make everything work (particularly if you are used to IPv4). Furthermore, hosts in IPv6 can have several IPv6 addresses at the same time, while in IPv4, this isn’t common. Finally, IPv6 addresses can be written in multiple ways, so log files can be hard to create and read (Rubens, 2012).
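Two of the risks above, addresses written in several ways and rate limiting across a huge address space, can be handled by normalizing every logged address to one canonical form and counting requests per network prefix rather than per address. The following is an added example, not part of the original paper; the log format, the function names, and the choice of one bucket per /64 are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

PREFIX_LEN = 64  # assumption: one rate-limit bucket per /64 (the network half)

# Constructed sample log lines: "<source> <request>". The first three are one host.
SAMPLE_LOG = """\
2001:db8:0:1::10 GET /login
2001:0DB8:0000:0001:0000:0000:0000:0010 GET /login
2001:db8:0:1:0:0:0:10 GET /login
2001:db8:0:1:a1b2:c3d4:e5f6:1 GET /login
2001:db8:0:2::5 GET /index
192.0.2.7 GET /login
not-an-address GET /login
"""

def normalize(text):
    """Return (canonical address, rate-limit key), or None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version == 4:
        return str(addr), str(addr)  # IPv4: bucket per address
    net = ipaddress.ip_network(f"{addr}/{PREFIX_LEN}", strict=False)
    return addr.compressed, str(net)

def summarize(log_text):
    """Count requests per canonical address and per rate-limit key."""
    per_addr, per_key, rejected = Counter(), Counter(), []
    for line in log_text.splitlines():
        source = line.split(" ", 1)[0]
        result = normalize(source)
        if result is None:
            rejected.append(source)  # keep for review instead of dropping silently
            continue
        per_addr[result[0]] += 1
        per_key[result[1]] += 1
    return per_addr, per_key, rejected

def over_limit(counts, limit):
    """Return the keys whose request count exceeds the limit, sorted."""
    return sorted(key for key, count in counts.items() if count > limit)

if __name__ == "__main__":
    per_addr, per_key, rejected = summarize(SAMPLE_LOG)
    print(per_addr, per_key, rejected, over_limit(per_key, 3), sep="\n")
```

With a limit of 3, no single address in the sample exceeds the threshold, but the /64 bucket does, which is the case per-address counters miss when a host holds several addresses in one network.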

As I have mentioned before, IPv6 can be challenging to deploy, requiring extensive training, deployments in sandboxes (virtual environments), and constant maintenance and troubleshooting. To begin, a comprehensive inventory of both hardware and software should be compiled to better understand the complexity and method of the switch from IPv4 to IPv6. All third-party services need to be IPv6-enabled, posing great difficulties in selecting vendors. Thankfully, the switch to IPv6 can be helped by various technologies, such as tunnel brokers like 6in4, 6to4 and Teredo protocols, 6rd, and NAT64; these will greatly impact the effectiveness of the transition, as well as reduce the headaches caused by manually configuring networks to accommodate IPv6’s settings (Levy, 2011).

DNS can help the transition to IPv6 by supporting IPv6 PTR, AAAA, and glue records, as well as being able to deploy IPv6 name servers. With some routing work, a native dual-stack network can be used with sophisticated IPv6 upstream transit and peering. Software can typically be made IPv6 compliant with updates; however, one must ensure that they are compatible with other sections of a network or a vendor’s services (Levy, 2011). While deploying IPv6 can be quite the project, the time is coming when it isn’t just an option, but a requirement. In the world of technology, a company that succeeds must be ahead of the curve, not chasing its competitors’ tails. Although much of the material in this paper can be intimidating, I wish to convey to you the confidence I have in a company-wide IPv6 deployment, as I have faced this daunting task several times in my career. I have already performed a test roll-out of an IPv6 deployment on multiple sections of your network using a virtual environment so that if you decide to pull the trigger on this project, we can know what to expect, what it will cost, and the length of time we will need to ensure the complete effectiveness of the task.

Please let me know if you have any questions or wish to view my results from my test deployments.

Thank you,

William Donaldson, IT

References

Stallings, W. (2017). Network Security Essentials: Applications and Standards (Sixth). Pearson.

Networking Computing. (2019, January 10). Six Benefits of IPv6. Retrieved May 18, 2020, from https://www.networkcomputing.com/networking/six-benefits-ipv6.

Gil, Paul (2017). What is IPv4?  IPv6? Why is this Important? Retrieved from https://www.lifewire.com/what-is-ipv4-ipv6-2483315.

Hardiman, Nick (2013). IPv6 Address Breakdown. Retrieved from http://active-technologies.com/content/ipv6-address-breakdown.

Rubens, P. (2012, October 18). 7 IPv6 Security Risks. Retrieved May 19, 2020, from https://www.esecurityplanet.com/network-security/7-ipv6-security-risks.html.

Levy, M. (2011, July). The Switch to IPv6: How to Make a Smooth Transition. Retrieved May 19, 2020, from http://milldampr.com/wp-content/uploads/2015/12/fundamentals-the-switch-to-ipv6_8733470.pdf.

Shaw, K. (2018, September 27). What is IPv6, and why aren’t we there yet? Retrieved May 19, 2020, from https://www.networkworld.com/article/3254575/what-is-ipv6-and-why-aren-t-we-there-yet.html.

 

 

 
