mirror of https://github.com/becarpenter/book6.git synced 2024-05-07 02:54:53 +00:00
2023-01-02 15:56:43 +13:00


4. Security

Security has ever-growing importance in general, and the IP protocol has been a major area of security research and development. The majority of IPv4 practices remain applicable to IPv6. Exceptions exist for aspects of the first hop and for extension headers, which are significantly different in IPv6. Distributed address acquisition (SLAAC, see 2. Auto-configuration) creates its own additional security challenges. Multiple addresses per host improve privacy, but not without complications. Extension headers give IPv6 great flexibility and extensibility that may be abused, so they call for additional security precautions.

Initially, it was expected that end-to-end cryptography (encryption and authentication) would be a mandatory part of IPv6 (IPsec, RFC 4301, and SEND, RFC 3971). This proved unrealistic, so cryptography is now accepted as optional at the network layer. At the same time, cryptography has become widespread at the transport and application layers. IPv6 has no standardized NAT66, and even network prefix translation (NPTv6, RFC 6296) is not popular, because IPv6 aims at end-to-end connectivity. NAT or NPTv6 provide at best weak security protection at the network boundary, so the absence of NAT is not seen as a defect. The normal approach to boundary security for IPv6 is a firewall; most firewall products support IPv6 as well as IPv4. Today, the “zero-trust” approach to security moves the emphasis from perimeter protection to authentication and encryption of all traffic, including traffic internal to any perimeter. If this approach succeeds, some enterprises may choose to reduce the role of firewalls in future.
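As an added example (not part of the book), a minimal nftables ruleset for a site boundary router that relies on a stateful filter rather than any form of address translation, so inside hosts keep their global addresses. The interface names eth0/eth1 and the server address 2001:db8:1::80 are placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the book: stateful IPv6 boundary firewall.
# Assumes eth0 is the upstream link and eth1 the inside link (placeholders).
# No NAT66/NPTv6 is configured; the forward chain alone decides what crosses.

flush ruleset

table ip6 boundary {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for sessions opened from inside, plus ICMPv6
        # errors that conntrack relates to them (e.g. Packet Too Big).
        ct state established,related accept
        ct state invalid drop

        # Anything initiated from the inside may leave.
        iifname "eth1" oifname "eth0" accept

        # ICMPv6 error messages needed for end-to-end operation across
        # the boundary (RFC 4890 guidance). Neighbour discovery is link-local
        # and is never forwarded, so it needs no rule here.
        iifname "eth0" icmpv6 type { destination-unreachable, packet-too-big,
                                      time-exceeded, parameter-problem } accept

        # One explicitly exposed service: inbound HTTPS to a single
        # server address (placeholder 2001:db8:1::80), nothing else.
        iifname "eth0" ip6 daddr 2001:db8:1::80 tcp dport 443 ct state new accept

        # Everything else initiated from outside falls to the drop policy;
        # log a rate-limited sample so operators can see what was refused.
        iifname "eth0" limit rate 10/minute log prefix "ip6-boundary-drop: "
    }
}
```

Load it with `nft -f` on the router; inside hosts remain globally addressed and reachable only through the rules above.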

RFC 9099 gives a good overview of IPv6 security and is a good repository of references to many documents on its different aspects.

Layer 2 considerations

Filtering

Topology hiding

Back to main Contents