Blog index > Archives > Posts Tagged ‘Security’

Recommendation for IPv6 Stateful Firewalls

Monday, September 26th, 2011

IPv6 provides an address for each node on the Internet. So NAT has no more use for address depletion.

NAT also provides some basic security. But NAT as any stateful device can also be the target for DoS attacks. And any NAT device within a network provides an easily exploited opportunity for undetected Man In The Middle (MITM) attacks. Only End-to-End security offers protection from exploits related with ARP or ND+MLD where End-to-End security is likely only possible with IPv6. This does not need to be IPsec.

A RFC was written to explain how to get the security benefits provided by NAT without NAT.
This is rfc4864 Local Node Protection

Read the rest of this entry »

No Comments

IPv6 restoring End to End connectivity, is it a myth ?

Saturday, September 10th, 2011


The IPv6 main drivers for adoption are a large address space which does not require any Network Address Translation (NAT) anymore, a simpler header which should permit a more efficient switching and the Extension headers which allow adding any service at the Network Layer rather than the Transport Layer when needed. A great example of an application which benefits from the Extension headers is the IP Mobility which has been greatly optimized with IPv6.

The eradication of NAT is supposed to get us back to the Internet the way it was designed at the origin, before NAT was introduced as a workaround for address depletion. It will restore the end to end connectivity which will permit IPSec and Peer-to-Peer applications. This is a real benefit in terms of performances and new features for many Voice or Conferencing applications for instance where we will not have to communicate through a server like Skype.

NAT and Transition

But many people still resist against this change because they Read the rest of this entry »

1 Comment

Secure the IPv6 Network Access with SEcure Neighbor Discovery (SEND, rfc3971 and CGA, rfc3972)

Tuesday, August 30th, 2011


IPv6 Nodes on the same link use NDP (rfc4861) to discover each other’s presence and link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.  Both hosts and routers use NDP.  Its functions include Neighbor Discovery (ND), Router Discovery (RD), Address Autoconfiguration, Address Resolution, Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD), and Redirection.

If not secured, NDP is vulnerable to various attacks. SEND specifies security mechanisms for NDP.  Unlike those in the original NDP specifications, these mechanisms do not use IPsec.

Read the rest of this entry »

No Comments

People say that IPv6 is safer and faster than IPv4. The reality can be very different. Why?

Sunday, August 28th, 2011

1) IPSec

People say that IPv6 is more secure than IPv4 because IPSec is mandatory with IPv6.

First, the use of IPSec is not mandatory. The IPv6 node requirements are changing, and one of those changes is reducing IPsec from a MUST to a SHOULD, see <>.

But that still does not mean that every IPv6-capable router and IPv6-capable switch implements IPsec.  High end core routers don’t implement IPsec.  IPSec may not be found on some cheap CPEs as well.

IPSec makes sense between CPE routers interconnecting remote sites through a public network, whether this public network is providing a level 1 (i.e. SDH),  a level 2 (i.e. ATM) or a level 3 (MPLS-VPN, IPv4 or IPv6) service.

IPSec also makes sense between hosts but for lots of reasons, hosts use mostly ssh, TLS, or other non-IPsec security mechanisms.

2) Transition to IPv6: tunnels, translation, dual-stack

2.1) Tunnels

– Currently IPv6 is mostly provided thanks to transitions methods. This means that your IPv6 traffic may get through an IPv6 in IPv4 tunnel to reach its destination. This extra encapsulation process is not free regarding performances (bandwidth, delay).

– IPv6 in IPv4 Tunnels are easy targets for attacks by…
Read the rest of this entry »

No Comments