People say that IPv6 is more secure than IPv4 because IPSec is mandatory with IPv6.
First, the use of IPSec is not mandatory. The IPv6 node requirements are changing, and one of those changes is reducing IPsec from a MUST to a SHOULD, see <http://tools.ietf.org/html/draft-ietf-6man-node-req-bis-11#section-11>.
But that still does not mean that every IPv6-capable router and IPv6-capable switch implements IPsec. High end core routers don’t implement IPsec. IPSec may not be found on some cheap CPEs as well.
IPSec makes sense between CPE routers interconnecting remote sites through a public network, whether this public network is providing a level 1 (i.e. SDH), a level 2 (i.e. ATM) or a level 3 (MPLS-VPN, IPv4 or IPv6) service.
IPSec also makes sense between hosts but for lots of reasons, hosts use mostly ssh, TLS, or other non-IPsec security mechanisms.
– Currently IPv6 is mostly provided thanks to transitions methods. This means that your IPv6 traffic may get through an IPv6 in IPv4 tunnel to reach its destination. This extra encapsulation process is not free regarding performances (bandwidth, delay).
– IPv6 in IPv4 Tunnels are easy targets for attacks by…
Read the rest of this entry »